topic Re: sshd and chroot in Operating System - HP-UX

sshd and chroot

Ralph Weimann — Wed, 20 May 2009 07:55:09 GMT

Hello,

i try to get chroot with HP-UX sec shell 05.10 to work.
I use the script ssh_chroot_setup.sh.
When i try to connect, i am still in "normal" userhome.

So i make changes in sshd_config:

Match User test03
ChrootDirectory /newroot/home/test03

like discripe here:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1262739

But now, i can not connect:

Connection to "IP address" closed by remote host.
Couldn't read packet: Connection reset by peer

Syslog:

fatal: bad ownership or modes for chroot directory

who can help?

Ralph

Re: sshd and chroot

kemo — Wed, 20 May 2009 08:00:21 GMT

hi

user's home directories must be owned by root:root and its mode should be 755

thanks
Kamal

Re: sshd and chroot

Steven E. Protter — Wed, 20 May 2009 08:10:11 GMT

Shalom,

This message is spot on accurate.

fatal: bad ownership or modes for chroot directory

The most common problem I had when chrooting any ssh installation was the ownership and permissions were wrong.

Please post the ownership of the users home directory.

SEP

Re: sshd and chroot

Ralph Weimann — Wed, 20 May 2009 08:33:58 GMT

Hello,

theese permission are set by the script:

# ll -a /newroot/home/
total 16
drwxr-xr-x 3 root root 96 May 20 10:32 .
drwxr-xr-x 10 root root 8192 May 20 10:32 ..
drwxr-xr-x 2 test03 users 96 May 20 10:32 test03

I do not change anything.

Ralph

Re: sshd and chroot

Ralph Weimann — Wed, 20 May 2009 08:59:26 GMT

Hello,

i change permissions to root:root.
Now i get with sftp :Request for subsystem 'sftp' failed on channel 0

i check libs with #ldd /opt/ssh/libexec/sftp-server (see /opt/ssh/README.hp)
-- > Looks good!

With ssh i get /bin/sh no such file...
but there is a /newroot/bin/sh

Ralph

Re: sshd and chroot

kemo — Wed, 20 May 2009 11:22:19 GMT

hello Ralph

i think you are using a new version of openssh which doesn't require to create mini-operating system as your script did.
that means. just create an empty home directory for your user

for example

useradd -d test test
mkdir /home/test
chown root:root /home/test
chmod 766 /home/test

then edit sshd_config with

Match User test
ChrootDirectory /home/test

check also if these options are available with your ssh version

Match User test
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /home/test

Note: for more than one user e.g test,test1,test2 use the following

Match User test,test1,test2
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /home/%u

where %u is taking the list of users u specified in Match User directive.

thanks :)

Re: sshd and chroot

Ralph Weimann — Wed, 20 May 2009 11:46:37 GMT

Hello,

if i try it like this i get /sbin/sh not such file...
So i think i need a mini system, like discriped in /opt/ssh/README.hp.

Are you sure with chmod 766, only 755 works for me?

Ralph

Re: sshd and chroot

kemo — Thu, 21 May 2009 04:18:31 GMT

sorry, my fault
permission should be 755

Re: sshd and chroot

Ralph Weimann — Wed, 27 May 2009 14:36:49 GMT

Hello,

now it works...
I use the script ssh_chroot_setup.sh.
I make changes in sshd_config:

Match User test03
ChrootDirectory /newroot

For ChrootDirectory i use the dir i choose for
my chroot environment, not a home dir!

i am not using internal-sftp.
With that the connection closed after ls command!

Thanks

Ralph

Re: sshd and chroot

Ralph Weimann — Thu, 28 May 2009 06:36:59 GMT

Close...