topic Re: chroot, sftp, authentication key generation - not working in Operating System - Linux

chroot, sftp, authentication key generation - not working

Jeff Hoevenaar — Fri, 30 Sep 2005 11:24:47 GMT

I have a RedHat server with a chroot'd user that works fine via ssh and sftp.

When I try to create a ssh key so the I can sftp without a password it does not work.

If I do it for a non-chroot'd user the keys work fine.

How do I get a chroot'd user to login without a password via ssh or sftp?

Thanks.

Re: chroot, sftp, authentication key generation - not working

Ivan Ferreira — Fri, 30 Sep 2005 14:00:07 GMT

Is the user chrooted to his home directory?

Maybe the .ssh directory and the respective contents is not found when you are working in a chroot environment.

Re: chroot, sftp, authentication key generation - not working

Jeff Hoevenaar — Fri, 30 Sep 2005 14:04:37 GMT

Yes the user is chrooted but I am prompted for a password. If I remove the chroot then I am not prompted for the password. How do I get the chroot environment to see the .ssh ?

Re: chroot, sftp, authentication key generation - not working

baiju_3 — Fri, 30 Sep 2005 14:17:17 GMT

Hi ,

try to copy the ssh-keygen binary to users choroot/bin directory as root user and try to run it as the required user .

I haven't done it , you may try .

Thx,
bl.

Re: chroot, sftp, authentication key generation - not working

Ivan Ferreira — Fri, 30 Sep 2005 14:31:27 GMT

Post the output of ssh -v server, with and without chroot. Let's see if something comes out.

Re: chroot, sftp, authentication key generation - not working

Jeff Hoevenaar — Fri, 30 Sep 2005 14:59:32 GMT

ssh -v swohftp@chpftp01
OpenSSH_3.9, OpenSSL 0.9.7d 17 Mar 2004
HP-UX Secure Shell-A.03.91.002, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to chpftp01 [10.233.30.171] port 22.
debug1: Connection established.
debug1: identity file /home/hoev178/.ssh/id_rsa type 1
debug1: identity file /home/hoev178/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'chpftp01' is known and matches the RSA host key.
debug1: Found key in /home/hoev178/.ssh/known_hosts:36
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

UNAUTHORIZED USE AND/OR ACCESS IS STRICTLY PROHIBITED

debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/hoev178/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /home/hoev178/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
swohftp@chpftp01's password:

Re: chroot, sftp, authentication key generation - not working

Ivan Ferreira — Fri, 30 Sep 2005 15:29:51 GMT

From the client side, nothing wrong can be seen.

Try debugging from the server side.

Stop the sshd service:

service sshd stop

Start the sshd daemon:

/usr/sbin/sshd -D -d -f /etc/ssh/sshd_config

Start the connection. Try to see if the server use the public key for the user.

Re: chroot, sftp, authentication key generation - not working

Jeff Hoevenaar — Fri, 30 Sep 2005 15:46:52 GMT

I just acts as if it cannot see the keys in the .ssh directory.

????

Re: chroot, sftp, authentication key generation - not working

Ivan Ferreira — Fri, 30 Sep 2005 16:31:53 GMT

I think that the problem could be the AuthorizedKeysFile parameter. Maybe is trying to find the key in the user home, but, when chrooted, the user home is the /.

Try changing the AuthorizedKeysFile parameter to /.ssh/authorized_keys.

Next, if that works, maybe you will need to setup differents sshd configuration for chrooted and no chrooted users, listening on different ports.

Re: chroot, sftp, authentication key generation - not working

Ivan Ferreira — Fri, 30 Sep 2005 16:34:26 GMT

One more question. Are you using the sshd chroot patch or the pam chroot module to setup the chroot jail?

I would like to do some testings to reproduce your environment.

Re: chroot, sftp, authentication key generation - not working

Jeff Hoevenaar — Mon, 03 Oct 2005 08:25:03 GMT

Changing the location of the keys file did not work.

I modified the /etc/pam.d/sshd file:

#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_chroot.so

Re: chroot, sftp, authentication key generation - not working

Ivan Ferreira — Mon, 03 Oct 2005 15:26:26 GMT

Good and bad news.

Good news, I tested and the sshd with chroot and public keys worked.

Bad news, I don't know why it does not works for you.

What I did:

OS Fedora Core 4.

File /etc/pam.d/sshd

Added

session required pam_chroot.so debug

File /etc/security/chroot.conf

Added

iferreira /home/iferreira/chroot

File

/etc/ssh/sshd_config

Added

UsePAM yes
UsePrivilegeSeparation no

Using ldd, I created the a minimal chroot environment, all files owned by root.root and perm 755

/home/iferreira/chroot
/home/iferreira/chroot/bin
/home/iferreira/chroot/bin/bash
/home/iferreira/chroot/bin/ls
/home/iferreira/chroot/lib/ld-linux.so.2
/home/iferreira/chroot/lib/libacl.so.1
/home/iferreira/chroot/lib/libattr.so.1
/home/iferreira/chroot/lib/libc.so.6
/home/iferreira/chroot/lib/libdl.so.2
/home/iferreira/chroot/lib/libpthread.so.0
/home/iferreira/chroot/lib/librt.so.1
/home/iferreira/chroot/lib/libselinux.so.1
/home/iferreira/chroot/lib/libtermcap.so.2
/home/iferreira/chroot/home/iferreira (iferreira.iferreira 755)

In another system, created the keys using:

ssh-keygen -t dsa

Copied the id_dsa.pub file to /home/iferreira/.ssh/authorized_keys:

/home/iferreira/.ssh (iferreira.iferreira 700)
/home/iferreira/.ssh/authorized_keys (iferreira.iferreira 600)

As you can note, the key was copied to the real HOME, not the chrooted home directory.

Tested and worked. What does not works is connecting to the system using ssh -l iferreira remote_host. You need to connect directly using the iferreira user. That means, connect without using the -l option, otherwise the password will be prompted.

Re: chroot, sftp, authentication key generation - not working

Jeff Hoevenaar — Mon, 03 Oct 2005 15:41:55 GMT

Did it work with sftp and scp?

Re: chroot, sftp, authentication key generation - not working

Ivan Ferreira — Mon, 03 Oct 2005 16:27:33 GMT

I quick try did not worked. sftp closes the connection and scp respond with unknown user error (even when I configured a fake passwd file in the chrooted environment).

Maybe there are more files/libraries that must to be copied. It's a hard work with shared libraries.

I think that using the chroot patch for sshd will be easier.

Re: chroot, sftp, authentication key generation - not working

Jeff Hoevenaar — Tue, 04 Oct 2005 06:32:37 GMT

I am not fimiliar with the "chroot patch". Can I get that from RedHat?

Re: chroot, sftp, authentication key generation - not working

Jeff Hoevenaar — Tue, 04 Oct 2005 07:41:22 GMT

I created the same user id on both server and client and put the authorized_keys file in the /home/userid/.ssh vs. the chrooted home dir on the server. I can now sftp and without a password and be chrooted.

The scp doesnot work but I can work with the sftp.

Thanks for the help.

The scp gives a unknow user id kind of error. I tried giving the user the same id number of both systems and placing key files on both sides but it still doesn't work. I will use sftp - good for now.

Re: chroot, sftp, authentication key generation - not working

Ivan Ferreira — Tue, 04 Oct 2005 07:41:53 GMT

You can get it from here:

http://chrootssh.sourceforge.net/index.php

With all instructions to use.