Re: OpenSSH, Chroot, and Public Key issue

From: Jeff Rosowski (rosowskij_at_ie.ymp.gov)
Date: 08/16/05

    Date: Tue, 16 Aug 2005 09:37:33 -0700 (PDT)
    To: David Coley <dcoley@davidcoley.com>
    
    

    I tried chrooting openssh, and found scponly (which also does sftp) to be
    a far simpler solution. It's a replacement shell for the user that does a
    chroot when the user logs in via ssh and only allows them to scp/sftp.
    I have it working with public key authentication as well.

    http://www.sublimation.org/scponly/

    It also has the nice feature of logging the requests the user makes to
    syslog.

    On Mon, 15 Aug 2005, David Coley wrote:

    > Hello all,
    >
    > I recently built a chroot jail from scratch. I'm not using the /./ patch
    > but built a custom one based on the http://intmainvoid.nl/?chroot+shell
    > instructions.
    >
    > Now everything is working for the chroot and the secure shell, except for
    > public key authentication.
    >
    > Users who are not in the chroot can use public keys, those who are can't.
    >
    > I would appreciate any help at all. I've been working on this for days and
    > can not figure out what's wrong:
    >
    > Chroot users are in the following directory:
    > /home/sftp/[username]/home/[username]/
    >
    > I use the:
    > #!/bin/bash
    >
    > # chrootshell spawns chroot shell
    > #
    > # (c) 2003-2005 Anne Jan Brouwer
    > # GNU GPL
    >
    > # sshd invokes the login shell as "shell -c '<command>'" for scp, sftp and
    > # remote commands; pass that command string through to su inside the jail.
    > if [ "$1" = "-c" ]
    > then
    >     shift                # drop the "-c"; "$*" is now the command string
    >     exec sudo /usr/sbin/chroot /home/"$USER" /bin/su - "$USER" -c "$*"
    > else
    >     # interactive login: no command was given
    >     exec sudo /usr/sbin/chroot /home/"$USER" /bin/su - "$USER"
    > fi
    >
    > as my Chroot shell Script.
    >
    > Below is my debug info from openssh. Any help would be greatly appreciated:
    >
    > OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
    > debug1: Reading configuration data /etc/ssh/ssh_config
    > debug1: Applying options for *
    > debug1: Rhosts Authentication disabled, originating port will not be
    > trusted.
    > debug1: ssh_connect: needpriv 0
    > debug1: Connecting to mydomain.com [204.92.116.50] port 22.
    > debug1: Connection established.
    > debug1: identity file /home/coley/.ssh/identity type -1
    > debug3: Not a RSA1 key file /home/coley/.ssh/id_rsa.
    > debug2: key_type_from_name: unknown key type '-----BEGIN'
    > debug3: key_read: no key found
    > debug2: key_type_from_name: unknown key type 'Proc-Type:'
    > debug3: key_read: no key found
    > debug2: key_type_from_name: unknown key type 'DEK-Info:'
    > debug3: key_read: no key found
    > debug3: key_read: no space
    > debug3: key_read: no space
    > debug3: key_read: no space
    > debug3: key_read: no space
    > debug3: key_read: no space
    > debug3: key_read: no space
    > debug3: key_read: no space
    > debug3: key_read: no space
    > debug3: key_read: no space
    > debug3: key_read: no space
    > debug3: key_read: no space
    > debug3: key_read: no space
    > debug3: key_read: no space
    > debug2: key_type_from_name: unknown key type '-----END'
    > debug3: key_read: no key found
    > debug1: identity file /home/coley/.ssh/id_rsa type 1
    > debug1: identity file /home/coley/.ssh/id_dsa type -1
    > debug1: Remote protocol version 1.99, remote software version
    > OpenSSH_3.6.1p2
    > debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
    > debug1: Enabling compatibility mode for protocol 2.0
    > debug1: Local version string SSH-2.0-OpenSSH_3.5p1
    > debug1: SSH2_MSG_KEXINIT sent
    > debug1: SSH2_MSG_KEXINIT received
    > debug2: kex_parse_kexinit:
    > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    > debug2: kex_parse_kexinit:
    > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
    > ijndael-cbc@lysator.liu.se
    > debug2: kex_parse_kexinit:
    > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
    > ijndael-cbc@lysator.liu.se
    > debug2: kex_parse_kexinit:
    > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hm
    > ac-md5-96
    > debug2: kex_parse_kexinit:
    > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hm
    > ac-md5-96
    > debug2: kex_parse_kexinit: none,zlib
    > debug2: kex_parse_kexinit: none,zlib
    > debug2: kex_parse_kexinit:
    > debug2: kex_parse_kexinit:
    > debug2: kex_parse_kexinit: first_kex_follows 0
    > debug2: kex_parse_kexinit: reserved 0
    > debug2: kex_parse_kexinit:
    > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    > debug2: kex_parse_kexinit:
    > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
    > ijndael-cbc@lysator.liu.se
    > debug2: kex_parse_kexinit:
    > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
    > ijndael-cbc@lysator.liu.se
    > debug2: kex_parse_kexinit:
    > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hm
    > ac-md5-96
    > debug2: kex_parse_kexinit:
    > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hm
    > ac-md5-96
    > debug2: kex_parse_kexinit: none,zlib
    > debug2: kex_parse_kexinit: none,zlib
    > debug2: kex_parse_kexinit:
    > debug2: kex_parse_kexinit:
    > debug2: kex_parse_kexinit: first_kex_follows 0
    > debug2: kex_parse_kexinit: reserved 0
    > debug2: mac_init: found hmac-md5
    > debug1: kex: server->client aes128-cbc hmac-md5 none
    > debug2: mac_init: found hmac-md5
    > debug1: kex: client->server aes128-cbc hmac-md5 none
    > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
    > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    > debug1: dh_gen_key: priv key bits set: 118/256
    > debug1: bits set: 1559/3191
    > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    > debug3: check_host_in_hostfile: filename /home/coley/.ssh/known_hosts
    > debug3: check_host_in_hostfile: match line 4
    > debug3: check_host_in_hostfile: filename /home/coley/.ssh/known_hosts
    > debug3: check_host_in_hostfile: match line 3
    > debug1: Host 'mydomain.com' is known and matches the RSA host key.
    > debug1: Found key in /home/coley/.ssh/known_hosts:4
    > debug1: bits set: 1611/3191
    > debug1: ssh_rsa_verify: signature correct
    > debug1: kex_derive_keys
    > debug1: newkeys: mode 1
    > debug1: SSH2_MSG_NEWKEYS sent
    > debug1: waiting for SSH2_MSG_NEWKEYS
    > debug1: newkeys: mode 0
    > debug1: SSH2_MSG_NEWKEYS received
    > debug1: done: ssh_kex2.
    > debug1: send SSH2_MSG_SERVICE_REQUEST
    > debug1: service_accept: ssh-userauth
    > debug1: got SSH2_MSG_SERVICE_ACCEPT
    > debug1: authentications that can continue:
    > publickey,password,keyboard-interactive
    > debug3: start over, passed a different list
    > publickey,password,keyboard-interactive
    > debug3: preferred publickey,keyboard-interactive,password
    > debug3: authmethod_lookup publickey
    > debug3: remaining preferred: keyboard-interactive,password
    > debug3: authmethod_is_enabled publickey
    > debug1: next auth method to try is publickey
    > debug1: try privkey: /home/coley/.ssh/identity
    > debug3: no such identity: /home/coley/.ssh/identity
    > debug1: try pubkey: /home/coley/.ssh/id_rsa
    > debug3: send_pubkey_test
    > debug2: we sent a publickey packet, wait for reply
    > debug1: authentications that can continue:
    > publickey,password,keyboard-interactive
    > debug1: try privkey: /home/coley/.ssh/id_dsa
    > debug3: no such identity: /home/coley/.ssh/id_dsa
    > debug2: we did not send a packet, disable method
    > debug3: authmethod_lookup keyboard-interactive
    > debug3: remaining preferred: password
    > debug3: authmethod_is_enabled keyboard-interactive
    > debug1: next auth method to try is keyboard-interactive
    > debug2: userauth_kbdint
    > debug2: we sent a keyboard-interactive packet, wait for reply
    > debug1: authentications that can continue:
    > publickey,password,keyboard-interactive
    > debug3: userauth_kbdint: disable: no info_req_seen
    > debug2: we did not send a packet, disable method
    > debug3: authmethod_lookup password
    > debug3: remaining preferred:
    > debug3: authmethod_is_enabled password
    > debug1: next auth method to try is password
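An added check (not from the thread, and not a diagnosis of David's setup) for the symptom he describes, key auth failing only for jailed users: sshd runs outside the jail, so it locates authorized_keys from the home directory in the passwd entry and enforces StrictModes on that path, before the login shell ever calls chroot. The script below, whose function names are its own, assumes GNU coreutils (stat -c) and builds a constructed copy of the /home/sftp/[user]/home/[user]/ layout to resolve that path and apply those checks.

```shell
#!/bin/sh
# Added example, not code from the thread. sshd runs outside the jail, so it
# resolves AuthorizedKeysFile (default .ssh/authorized_keys) against the passwd
# home directory, then applies the StrictModes checks below. Assumes GNU stat -c.
# Expand an AuthorizedKeysFile pattern (%h = home, %u = user) for a passwd line.
authorized_keys_path() {
    user=$(printf '%s' "$1" | cut -d: -f1)
    home=$(printf '%s' "$1" | cut -d: -f6)
    pattern=${2:-.ssh/authorized_keys}             # sshd's default
    p=$(printf '%s' "$pattern" | sed "s|%h|$home|g; s|%u|$user|g")
    case $p in /*) ;; *) p="$home/$p" ;; esac       # relative: below home
    printf '%s\n' "$p"
}

# StrictModes: home, the key directory and the key file must be owned by the
# user (or root) and not writable by group or others. Prints the first
# violation and returns 1; returns 0 when everything passes.
strictmodes_ok() {
    uid=$1; keyfile=$2
    sshdir=$(dirname "$keyfile"); home=$(dirname "$sshdir")
    for p in "$home" "$sshdir" "$keyfile"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        set -- $(stat -c '%u %a' "$p")               # owner uid, octal mode
        [ "$1" = "$uid" ] || [ "$1" = 0 ] ||
            { echo "bad owner uid $1: $p"; return 1; }
        [ $(( 0$2 & 022 )) -eq 0 ] ||
            { echo "group/other writable ($2): $p"; return 1; }
    done
    return 0
}

# Constructed sample mirroring the thread's /home/sftp/[user]/home/[user]/
# layout under a temp dir; prints the base so a passwd line can be built on it.
make_sample_jail() {
    base=$(mktemp -d)
    h="$base/home/sftp/coley/home/coley"
    mkdir -p "$h/.ssh" && : > "$h/.ssh/authorized_keys"
    chmod 700 "$h" "$h/.ssh" && chmod 600 "$h/.ssh/authorized_keys"
    printf '%s\n' "$base"
}

if [ "${1:-}" = demo ]; then                       # sh check.sh demo
    base=$(make_sample_jail)
    pw="coley:x:1001:1001::$base/home/sftp/coley/home/coley:/usr/local/bin/chrootshell"
    kf=$(authorized_keys_path "$pw")
    echo "sshd will read: $kf"
    strictmodes_ok "$(id -u)" "$kf" && echo "StrictModes: ok"
fi
```

Run it against the real passwd line of a jailed user (with the real AuthorizedKeysFile from sshd_config, if it is not the default) to confirm the key file sits where sshd, not the jailed shell, will look for it.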

