How to create multiple chroot (jailed) users accounts in batch

Discussion in 'Suggest HOWTO' started by gregor_gede, Aug 28, 2006.

  1. gregor_gede

    gregor_gede New Member

  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

  3. gregor_gede

    gregor_gede New Member

    ok, i'll give it a try.thx a lot falko, you r the angel of my day...:) btw, i use fedora core,hopefully it would work.i'll let you know when i'm done.
     
  4. gregor_gede

    gregor_gede New Member

    hi Falko,

    With proper adjustment of copying some missing libraries, i finally got it done. testuser is successfully chrooted. There's a minor problem everytime sshd is restarted saying "Unsupported option GSSAPIAuthentication" and "Unsupported option GSSAPICleanupCredentials" but it can be eliminated by commenting those options in the sshd_config.

    But there's one big problem left that i hope you can help me figure out. testuser could not change password :( . I've already added /usr/bin/passwd to the APPS line of your script but everytime testuser issued passwd command, the system respond :

    Changing password for user testuser.
    passwd: unable to start pam


    i've also run ldd passwd to see what libraries might missing and tried to copy them to the proper lib directories and restart sshd but still the user could not change password.

    any suggestions?

    regards,
    gregor
     
  5. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    I think you need to copy pam to your chroot jail.
     
  6. gregor_gede

    gregor_gede New Member

    could you be more specific about what pam that should be copied? i've already got the following :

    /home/chroot/lib/libpam.so.0
    /home/chroot/lib/libpam_misc.so.0
    /home/chroot/usr/lib/libpam.so.0
    /home/chroot/usr/lib/libpam_misc.so.0

    in my chroot jail, but it doesn't work.
    If you mean i should add pam's binary in the APPS line, which one is it?
    I tried to locate pam's binary (locate bin/pam) and here's what shoed up:

    /sbin/pam_timestamp_check
    /sbin/pam_tally
    /sbin/pam_console_apply
    /usr/bin/pam-panel-icon

    regards,
    gregor
     
  7. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Put them all into the chroot environment, also /etc/pam and /etc/pam.d, if they exist. What's the output of
    Code:
    locate pam
    ?
     
  8. gregor_gede

    gregor_gede New Member

    locate pam returned :

    /lib/libpam_misc.so.0.79
    /lib/libpam.so.0
    /lib/security/pam_rootok.so
    /lib/security/pam_mkhomedir.so
    /lib/security/pam_stress.so
    /lib/security/pam_pwdb.so
    /lib/security/pam_unix_auth.so
    /lib/security/pam_time.so
    /lib/security/pam_passwdqc.so
    /lib/security/pam_chroot.so
    /lib/security/pam_shells.so
    /lib/security/pam_ccreds.so
    /lib/security/pam_motd.so
    /lib/security/pam_tally.so
    /lib/security/pam_wheel.so
    /lib/security/pam_permit.so
    /lib/security/pam_console.so
    /lib/security/pam_xauth.so
    /lib/security/pam_filter.so
    /lib/security/pam_group.so
    /lib/security/pam_winbind.so
    /lib/security/pam_krb5afs.so
    /lib/security/pam_limits.so
    /lib/security/pam_unix_passwd.so
    /lib/security/pam_nologin.so
    /lib/security/pam_postgresok.so
    /lib/security/pam_unix_acct.so
    /lib/security/pam_access.so
    /lib/security/pam_loginuid.so
    /lib/security/pam_listfile.so
    /lib/security/pam_cracklib.so
    /lib/security/pam_deny.so
    /lib/security/pam_rhosts_auth.so
    /lib/security/pam_smb_auth.so
    /lib/security/pam_lastlog.so
    /lib/security/pam_timestamp.so
    /lib/security/pam_localuser.so
    /lib/security/pam_filter
    /lib/security/pam_filter/upperLOWER
    /lib/security/pam_ldap.so
    /lib/security/pam_mail.so
    /lib/security/pam_ftp.so
    /lib/security/pam_securetty.so
    /lib/security/pam_debug.so
    /lib/security/pam_succeed_if.so
    /lib/security/pam_issue.so
    /lib/security/pam_smbpass.so
    /lib/security/pam_userdb.so
    /lib/security/pam_unix_session.so
    /lib/security/pam_krb5.so
    /lib/security/pam_unix.so
    /lib/security/pam_selinux.so
    /lib/security/pam_rps.so
    /lib/security/pam_krb5
    /lib/security/pam_krb5/pam_krb5_storetmp
    /lib/security/pam_stack.so
    /lib/security/pam_warn.so
    /lib/security/pam_env.so
    /lib/libpam_misc.so.0
    /lib/libpamc.so.0.79
    /lib/libpam.so.0.79
    /lib/libpamc.so.0
    /sbin/pam_timestamp_check
    /sbin/pam_tally
    /sbin/pam_console_apply
    /usr/lib/libpam_misc.so
    /usr/lib/libpam.so
    /usr/lib/libpamc.so
    /usr/lib/squid/pam_auth
    /usr/lib/libpam_misc.a
    /usr/lib/libpamc.a
    /usr/lib/libpam.a
    /usr/include/pam.h
    /usr/include/security/pam_modules.h
    /usr/include/security/pam_misc.h
    /usr/include/security/pam_client.h
    /usr/include/security/_pam_compat.h
    /usr/include/security/pam_filter.h
    /usr/include/security/pam_appl.h
    /usr/include/security/_pam_macros.h
    /usr/include/security/_pam_types.h
    /usr/include/pammap.h
    /usr/include/linux/isdn/tpam.h
    /etc/security/pam_env.conf
    /etc/dev.d/default/05-pam_console.dev
    /etc/udev/scripts/pam_console.dev
    /etc/pam.d
    /etc/pam.d/sshd
    /etc/pam.d/halt
    /etc/pam.d/system-config-users
    /etc/pam.d/ppp
    /etc/pam.d/system-config-printer-gui
    /etc/pam.d/printtool
    /etc/pam.d/system-auth
    /etc/pam.d/poweroff
    /etc/pam.d/up2date-config
    /etc/pam.d/atd
    /etc/pam.d/neat
    /etc/pam.d/newrole
    /etc/pam.d/system-cdinstall-helper
    /etc/pam.d/reboot
    /etc/pam.d/system-config-httpd
    /etc/pam.d/system-config-network-druid
    /etc/pam.d/up2date
    /etc/pam.d/other
    /etc/pam.d/system-install-packages
    /etc/pam.d/su
    /etc/pam.d/su
    /etc/pam.d/system-config-mouse
    /etc/pam.d/system-config-printer
    /etc/pam.d/system-config-printer-tui
    /etc/pam.d/cups
    /etc/pam.d/system-config-language
    /etc/pam.d/dateconfig
    /etc/pam.d/system-config-keyboard
    /etc/pam.d/system-config-packages
    /etc/pam.d/system-config-securitylevel
    /etc/pam.d/chfn
    /etc/pam.d/chsh
    /etc/pam.d/squid
    /etc/pam.d/system-config-soundcard
    /etc/pam.d/printconf-gui
    /etc/pam.d/internet-druid
    /etc/pam.d/login
    /etc/pam.d/system-config-nfs
    /etc/pam.d/setup
    /etc/pam.d/samba
    /etc/pam.d/kbdrate
    /etc/pam.d/system-config-network
    /etc/pam.d/authconfig-gtk
    /etc/pam.d/rhn_register
    /etc/pam.d/up2date-nox
    /etc/pam.d/printconf-tui
    /etc/pam.d/imap
    /etc/pam.d/crond
    /etc/pam.d/remote
    /etc/pam.d/sudo
    /etc/pam.d/pop3
    /etc/pam.d/serviceconf
    /etc/pam.d/system-config-services
    /etc/pam.d/screen
    /etc/pam.d/passwd
    /etc/pam.d/system-config-rootpassword
    /etc/pam.d/vsftpd
    /etc/pam.d/printconf
    /etc/pam.d/system-config-network-cmd
    /etc/pam.d/system-config-authentication
    /etc/pam.d/system-config-lvm
    /etc/pam.d/run_init
    /etc/pam.d/system-config-samba
    /etc/pam.d/authconfig
    /etc/pam.d/system-config-date
    /etc/pam.d/system-config-time

    i've copied them all to my chroot dir. now the error message turn to :

    -bash-3.00$ passwd
    Changing password for user testuser.
    passwd: Module is unknown

    what else do you think i should do?

    regards,
    gregor
     
  9. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Did you put the passwd program into the APPS line of the script that copies the desired programs to the chroot jail?
     
  10. yogibear

    yogibear New Member

    Hi Falko, Gregor,

    I had exactly same problem (passwd: Module is unknonwn)
    after I copied all the relavant libs and programs specified in
    this thread.

    If I do >ldd passwd, all the dependent libs are all there.

    Anything else is needed?

    Thanks,

    Yogi
     
  11. gregor_gede

    gregor_gede New Member

    hi guys:)

    yes i put the passwd in the APPS line. i've mentioned it in my post on 30th August 2006 06:10. i believe yogi had also done the same thing. what distro that you use yogi? i use fedora core 4.
    i've tried googling but nothing good comes up so far. may be nobody has ever tried this subject before :(

    regards,
    gregor
     
  12. gregor_gede

    gregor_gede New Member

    hi guys:)

    yes i put the passwd in the APPS line. i've mentioned it in my post on 30th August 2006 06:10. i believe yogi had also done the same thing. what distro that you use yogi? i use fedora core 4.
    i've tried googling but nothing good comes up so far. may be nobody has ever tried this subject before :(

    regards,
    gregor
     
  13. yogibear

    yogibear New Member

    Hi,

    I use RedHat Enterprise Linux 4.2.6.9. tried to put "UsePAM yes" in sshd_config, got "Unsupported option" when restart sshd.

    Regards,
    yogi
     
  14. yogibear

    yogibear New Member

    Hi gregor,

    Finally got passwd to work here.

    1. Module is unknown: due to missing cracklib.so.2

    cp /usr/lib/libcrack.so* /usr/lib
    (or /lib/ it works for me in /lib. try /usr/lib first)

    2. passwd: Critical error - immediate abort

    - make sure dictionary is in /usr/lib/
    cracklib_dict.hwm
    cracklib_dict.pwd
    cracklib_dict.pwi

    3. passwd: Authentication token manipulation error
    - make sure /etc/shadow has the user in it.

    tgif,

    yogi
     
  15. gregor_gede

    gregor_gede New Member

    thx yogi. i've got it work too. but when i log out and tried to log in back again using the new password, it won't work. i have to login using the old password. didn't you face the same thing?
    btw, shouldn't the system automatically adds every newly created user in /etc/shadow- ?

    regards,
    gregor
     
  16. gregor_gede

    gregor_gede New Member

    hi guys, i've found a way to make use of the new password. copy the /etc/shadow, /etc/passwd, /etc/group to /home/chroot/./etc/
    Make sure password field in passwd file is x which indicates that the real password is stored in the shadow file.

    when the chrooted testuser issues passwd command and create a new password, it would change the password value stored in the /home/chroot/./etc/shadow file. when he log in back again using the new password, the system won't recognize it because it compares the password with the one stored in /etc/shadow.

    so my idea is to create a patch file using diff command from the /home/chroot/./etc/shadow and then applied it to /etc/shadow.

    chmod 400 /etc/shadow
    chmod 400 /home/chroot/./etc/shadow
    cd /home/chroot/etc

    diff -u /etc/shadow /home/chroot/etc/shadow > shadow.patch
    patch -b /etc/shadow /home/chroot/etc/shadow.patch

    put the last two commands in the cron job......:)

    it works perfectly now for me.... thank's to you guys......

    regards,
    gregor
     

Share This Page