Re: OpenSSH, Chroot, and Public Key issue
From: Jeff Rosowski (rosowskij_at_ie.ymp.gov)
Date: 08/16/05
- Previous message: Robin Green: "Re: sftp"
- Maybe in reply to: David Coley: "OpenSSH, Chroot, and Public Key issue"
- Next in thread: Nathan Jackson-Eeles: "Re: OpenSSH, Chroot, and Public Key issue"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 16 Aug 2005 09:37:33 -0700 (PDT)
To: David Coley <dcoley@davidcoley.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I tried chrooting openssh, and found scponly (which also does sftp) to be
a far simpler solution. It's a replacement shell for the user that does a
chroot when the user logs in via ssh and only allows them to scp/sftp.
I have it working with public key authentication as well.
http://www.sublimation.org/scponly/
It also has the nice feature of logging the requests the user makes to
syslog.
On Mon, 15 Aug 2005, David Coley wrote:
> Hello all,
>
> I recently built a chroot jail from scratch. I'm not using the /./ patch
> but built a custom one based on the http://intmainvoid.nl/?chroot+shell
> instructions.
>
> Now everything is working for the chroot and the secure shell, except for
> public key authentication.
>
> Users who are not in the chroot can use public keys, those who are can't.
>
> I would appreciate any help at all. I've been working on this for days and
> cannot figure out what's wrong:
>
> Chroot users are in the following directory:
> /home/sftp/[username]/home/[username]/
>
> I use the:
> #!/bin/bash
>
> # chrootshell spawns chroot shell
> #
> # (c) 2003-2005 Anne Jan Brouwer
> # GNU GPL
>
> # sshd runs the login shell as "$SHELL -c <command>" for scp, sftp and
> # remote commands, and with no arguments for an interactive login.
> if [ "$1" = "-c" ]
> then
>     # Drop the leading "-c"; everything after it is the command string
>     # to run inside the jail. Quoting "$*" keeps it as one argument and
>     # stops the shell from glob-expanding it outside the chroot.
>     shift
>     PARAMETERS="$*"
>     sudo /usr/sbin/chroot "/home/$USER" /bin/su - "$USER" -c "$PARAMETERS"
> else
>     # Interactive login: just start the user's shell inside the jail.
>     sudo /usr/sbin/chroot "/home/$USER" /bin/su - "$USER"
> fi
>
> as my Chroot shell Script.
>
> Below is my debug info from openssh. Any help would be greatly appreciated:
>
> OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: ssh_connect: needpriv 0
> debug1: Connecting to mydomain.com [204.92.116.50] port 22.
> debug1: Connection established.
> debug1: identity file /home/coley/.ssh/identity type -1
> debug3: Not a RSA1 key file /home/coley/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: no key found
> debug2: key_type_from_name: unknown key type 'Proc-Type:'
> debug3: key_read: no key found
> debug2: key_type_from_name: unknown key type 'DEK-Info:'
> debug3: key_read: no key found
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: no key found
> debug1: identity file /home/coley/.ssh/id_rsa type 1
> debug1: identity file /home/coley/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
> debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.5p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: dh_gen_key: priv key bits set: 118/256
> debug1: bits set: 1559/3191
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/coley/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 4
> debug3: check_host_in_hostfile: filename /home/coley/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 3
> debug1: Host 'mydomain.com' is known and matches the RSA host key.
> debug1: Found key in /home/coley/.ssh/known_hosts:4
> debug1: bits set: 1611/3191
> debug1: ssh_rsa_verify: signature correct
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug3: start over, passed a different list publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug1: try privkey: /home/coley/.ssh/identity
> debug3: no such identity: /home/coley/.ssh/identity
> debug1: try pubkey: /home/coley/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug1: try privkey: /home/coley/.ssh/id_dsa
> debug3: no such identity: /home/coley/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: next auth method to try is keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug3: userauth_kbdint: disable: no info_req_seen
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: next auth method to try is password
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)
Comment: For info see http://quantumlab.net/pine_privacy_guard/
iD8DBQFDAhZQTs2s3OoD6D8RAn+1AJwIexY5rcyrqA8kz4OPk/ZJ48pz0ACgkM9l
X2AC6+qmUEqMVmOouh+cweI=
=rN2z
-----END PGP SIGNATURE-----
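An added diagnostic for the situation David describes (example code written for this page; it is not from the thread, from the chrootshell script, or from scponly). The point it checks: sshd authenticates the user before the login shell ever runs, so with a shell-based chroot like the quoted script, sshd resolves ~/.ssh/authorized_keys against the home directory in /etc/passwd on the real filesystem, not against the jail's /home/<user>, and with StrictModes (the default) it ignores a key file whose home directory, .ssh directory or authorized_keys is owned by someone else or writable by group or others. The layout is constructed to mirror the quoted /home/sftp/<user>/home/<user> one; the username, the key line and the assumption that the passwd home directory is the jail directory itself are all hypothetical.

```python
import os
import shutil
import stat
import tempfile

# Constructed placeholder line, not a real key.
DEMO_KEY = "ssh-rsa AAAA-constructed-placeholder-key-not-real user@example\n"


def strict_modes_problems(home, uid):
    """Reasons sshd (StrictModes yes) would refuse <home>/.ssh/authorized_keys:
    a missing path, a component owned by someone other than the user or root,
    or a component writable by group or others. The chain checked is the home
    directory, .ssh and the key file itself."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    for path in (home, ssh_dir, keyfile):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            break
        if st.st_uid not in (0, uid):
            problems.append(f"{path}: owned by uid {st.st_uid}, not {uid} or root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group/other "
                            f"(mode {oct(st.st_mode & 0o777)})")
    return problems


def diagnose(passwd_home, jail_home, uid):
    """Compare the path sshd actually reads (relative to the passwd home on
    the real filesystem) with the path the user sees inside the jail."""
    sshd_keys = os.path.join(passwd_home, ".ssh", "authorized_keys")
    jail_keys = os.path.join(jail_home, ".ssh", "authorized_keys")
    return {
        "sshd_reads": sshd_keys,
        "sshd_reads_exists": os.path.exists(sshd_keys),
        "jail_path_exists": os.path.exists(jail_keys),
        "problems": strict_modes_problems(passwd_home, uid),
    }


def _install_key(home, ssh_mode):
    """Create <home>/.ssh/authorized_keys with explicit permissions so the
    result does not depend on the caller's umask."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    with open(keyfile, "w") as f:
        f.write(DEMO_KEY)
    os.chmod(home, 0o755)
    os.chmod(ssh_dir, ssh_mode)
    os.chmod(keyfile, 0o600)


def run_demo(scenario):
    """Build a throwaway layout in a temp dir: <root>/home/sftp/alice is the
    jail (assumed, hypothetically, to also be the passwd home), and inside it
    the user's home is /home/alice. Scenarios:
      jail_only : key file exists only inside the jail
      bad_perms : key file where sshd looks, but .ssh is group-writable
      fixed     : key file where sshd looks, StrictModes-safe permissions
    Returns diagnose() for the layout and removes the temp dir."""
    uid = os.getuid() if hasattr(os, "getuid") else 0
    root = tempfile.mkdtemp(prefix="chroot-demo-")
    try:
        passwd_home = os.path.join(root, "home", "sftp", "alice")
        jail_home = os.path.join(passwd_home, "home", "alice")
        _install_key(jail_home, 0o700)  # what the user sees from inside the jail
        if scenario == "bad_perms":
            _install_key(passwd_home, 0o770)
        elif scenario == "fixed":
            _install_key(passwd_home, 0o700)
        return diagnose(passwd_home, jail_home, uid)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name in ("jail_only", "bad_perms", "fixed"):
        print(name, run_demo(name))
```

Run it directly to see all three scenarios; on a real host, call diagnose() with the home directory from getent passwd and the in-jail home to check an actual account. The same reasoning applies to any AuthorizedKeysFile setting: whatever path sshd is configured with is opened outside the jail.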