OpenSSH Chroot on AIX 5.2

From: Patrick Marshall (marshallp_at_aptea.com)
Date: 04/21/04


Date: 21 Apr 2004 12:01:32 -0700

I've compiled the latest chroot patched source (openssh-3.8p1-chroot)
without problem for AIX 5.2.

I can use ssh and sftp to the server running this code without
problem.

I have built an environment I can chroot into with no problem.

The problem is when I attempt to use ssh or sftp to login as the
chrooted user.

It's connecting, displaying my banner, asking me for my password, then
dying once I provide it with an error code of 255.

  # ssh mftgw001

  [BANNER MESSAGE]

  marshalp@mftgw001's password:
  Connection to mftgw001 closed by remote host.
  Connection to mftgw001 closed.

The user I am trying this on is marshalp with the home directory set
to /home/marshalp/./

My chroot environment is as follows:

[root@mftgw001 /home/marshalp]
# find . -ls | grep -v sh_hist
    8 4 dr-xr-xr-x 7 marshalp marshalp 4096 Apr 21 23:16 .
    9 4 -rwx------ 1 marshalp marshalp 254 Apr 9 05:35 ./.profile
   39 0 drwx------ 2 marshalp marshalp 256 Apr 9 20:28 ./.ssh
   40 4 -rw------- 1 marshalp marshalp 227 Apr 9 20:28 ./.ssh/authorized_keys
  121 0 dr-xr-xr-x 2 root system 256 Apr 21 00:10 ./dev
  130 0 crw-rw-rw- 1 root system 2, 2 Apr 21 00:10 ./dev/null
  127 0 crw-rw-rw- 1 root system 2, 3 Apr 21 00:10 ./dev/zero
  123 0 dr-xr-xr-x 2 root system 256 Apr 21 01:15 ./etc
  151 4 -r--r--r-- 1 root system 107 Apr 21 01:15 ./etc/group
  150 4 -r--r--r-- 1 root system 102 Apr 21 01:15 ./etc/passwd
  149 4 -r--r--r-- 1 root system 111 Apr 21 01:14 ./etc/shells
  125 0 dr-xr-xr-x 4 root system 256 Apr 21 01:20 ./usr
  122 4 d--x--x--x 2 root system 4096 Apr 21 01:09 ./usr/bin
  131 20 -r-xr-xr-x 1 root system 18748 Apr 21 00:05 ./usr/bin/cp
  145 228 -r-xr-xr-x 1 root system 229804 Apr 21 01:09 ./usr/bin/ksh
  132 24 -r-xr-xr-x 1 root system 22564 Apr 21 00:05 ./usr/bin/ls
  133 8 -r-xr-xr-x 1 root system 6096 Apr 21 00:05 ./usr/bin/mkdir
  134 12 -r-xr-xr-x 1 root system 11964 Apr 21 00:05 ./usr/bin/mv
  135 12 -r-xr-xr-x 1 root system 9188 Apr 21 00:05 ./usr/bin/rm
  136 12 -r-xr-xr-x 1 root system 9188 Apr 21 00:05 ./usr/bin/rmdir
  143 140 -r-xr-xr-x 1 root system 140230 Apr 21 01:05 ./usr/bin/sftp-server
  137 228 -r-xr-xr-x 1 root system 229804 Apr 21 00:05 ./usr/bin/sh
  124 0 dr-xr-xr-x 2 root system 256 Apr 21 01:03 ./usr/lib
  139 6872 -r-xr-xr-x 1 root system 7036004 Apr 21 00:15 ./usr/lib/libc.a
  141 12 -r-xr-xr-x 1 root system 10993 Apr 21 01:03 ./usr/lib/libcrypt.a
  142 1576 -r--r--r-- 1 root system 1610327 Apr 21 01:03 ./usr/lib/libcurses.a

I've played a bit with putting the ssh executables in the environment
to no avail. The contents of my custom passwd and group are:

# cat passwd
root:!:0:0::/root:/usr/bin/ksh
marshalp:!:10028:10028:Patrick Marshall:/home/marshalp/./:/usr/bin/ksh

# cat group
system:!:0:root
marshalp:!:10028:marshalp

I'm at my wit's end here. Any help will be appreciated.

-Pat Marshall
marshallpNOSPAM@NOSPAMaptea.com

(Remove the NOSPAM's to contact me via email)
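An added example, not part of the post above and not code from the OpenSSH project or the chroot patch: a POSIX sh check that reads a jail's own etc/passwd, applies the "/home/user/./" convention the post's passwd entry uses (the part before "/./" is the chroot root, the part after it is the home directory as seen from inside the jail), and verifies that the pieces the listing shows are actually usable from inside the jail: the login shell exists, is executable and is listed in the jail's etc/shells, the home directory resolves, sftp-server sits at the Subsystem path, /dev/null is a character device, and the AIX shared C library is present. The post does not identify the cause of the exit code 255, so this is a completeness check rather than a fix. The default sftp-server path, the libc.a location and the helper names are assumptions taken from the layout in the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a chroot jail
# intended for a chroot-patched sshd. Path conventions are assumptions
# based on the AIX 5.2 layout listed in the post.

# fail MSG: report one failing check and bump the global counter.
fail() {
    echo "FAIL: $1"
    fails=$((fails + 1))
}

# check_jail JAIL USER [SFTP_SERVER]
#   JAIL        chroot root as seen on the host
#   USER        login name to look up in JAIL/etc/passwd
#   SFTP_SERVER path sshd will exec after chroot(2), i.e. the Subsystem
#               path in sshd_config (assumed /usr/bin/sftp-server, as in
#               the post's jail)
# Returns the number of failed checks; 0 means the jail looks complete.
check_jail() {
    jail=$1
    user=$2
    sftp=${3:-/usr/bin/sftp-server}
    fails=0

    if [ ! -d "$jail" ]; then
        fail "jail root $jail is not a directory"
        return 1
    fi

    # After chroot(2) only the jail's passwd/group are visible, so the
    # account must be defined there.
    if ! entry=$(grep "^$user:" "$jail/etc/passwd" 2>/dev/null); then
        fail "no entry for $user in $jail/etc/passwd"
        return 1
    fi
    [ -r "$jail/etc/group" ] || fail "$jail/etc/group missing or unreadable"

    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)

    # Home directory as seen inside the jail: whatever follows "/./",
    # or "/" when the marker ends the field (e.g. /home/marshalp/./).
    case $home in
        */./*) inner=/${home#*/./} ;;
        *)     inner=$home ;;
    esac
    [ -d "$jail$inner" ] || fail "home $inner not present inside jail"

    # The login shell must exist, be executable and be allowed by the
    # jail's copy of /etc/shells, which is the one sshd now consults.
    [ -x "$jail$shell" ] || fail "shell $shell not executable inside jail"
    grep -qx "$shell" "$jail/etc/shells" 2>/dev/null \
        || fail "shell $shell not listed in $jail/etc/shells"

    # sftp-server is exec'd after the chroot, so the Subsystem path must
    # resolve relative to the jail root.
    [ -x "$jail$sftp" ] || fail "sftp-server not at $sftp inside jail"

    # Minimal device node: /dev/null is needed for stdio redirection.
    [ -c "$jail/dev/null" ] || fail "$jail/dev/null is not a character device"

    # Assumption: AIX keeps its shared C library in /usr/lib/libc.a, and
    # nothing dynamically linked (ksh, sftp-server) runs without it.
    [ -r "$jail/usr/lib/libc.a" ] || fail "$jail/usr/lib/libc.a missing"

    return $fails
}

# Usage, matching the post's layout (jail root is the user's home):
#   check_jail /home/marshalp marshalp
```

Run it as root on the server before pointing sshd at the jail; every FAIL line names one thing a chrooted login would be unable to find. The check does not inspect library dependencies beyond libc.a, so a binary that needs further shared objects still has to be verified by hand with the platform's loader tools.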


