SOLVED! problems with chroot sftp user

Richard Pereira_1
Regular Advisor

SOLVED! problems with chroot sftp user

Hi,

 

Going in circles with this problem. Client wants to have a chrooted sftp only user. They have had some in the past but I cannot confirm when exactly. I tried adding a new user and it fails, so to remove any weird perms issues, I will use a new user with a completely new path.

 

OS version B.11.11

OpenSSH_3.7.1p2-pwexp26, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
HP-UX_Secure_Shell-A.03.71.000, HP_UX Secure Shell version

 

I go and use the provided script /opt/ssh/ssh_chroot_setup.sh, create a new user called bob, provided the path /newroot, modified his entry in /etc/passwd to this:

bob:6o9NUcbnPEuqE:107:20:chrooted user:/newroot/./home/bob:/bin/sh

 

Also made sure /etc/passwd and /etc/group were copied into /newroot/etc.

 

Now, if I try to sftp as any regular user, it works and I can even see sftp-server putting positive logging info into syslog.log.

 

But if I try to sftp as bob I get the following output and it kicks me out. The syslog only shows a standard ssh successful login.

 

[rpereira@devap1]# sftp -vvv bob@server    
Connecting to server...
OpenSSH_3.7.1p2-pwexp26, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
HP-UX_Secure_Shell-A.03.71.000, HP_UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug3: Seeding PRNG from /opt/ssh/libexec/ssh-rand-helper
debug2: ssh_connect: needpriv 0
debug1: Connecting to s530k_nb [10.128.85.145] port 22.
debug1: Connection established.
debug1: identity file /home/rpereira/.ssh/id_rsa type -1
debug1: identity file /home/rpereira/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.1
debug1: match: OpenSSH_4.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2-pwexp26
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 1033/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/myuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 15
debug3: check_host_in_hostfile: filename /home/myuser/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 15
debug1: Host 's530k_nb' is known and matches the RSA host key.
debug1: Found key in /home/myuser/.ssh/known_hosts:15
debug2: bits set: 1055/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/myuser/.ssh/id_rsa (00000000)
debug2: key: /home/myuser/.ssh/id_dsa (00000000)
debug3: input_userauth_banner

|-----------------------------------------------------------------|
| This system is for the use of authorized users only.            |
| Individuals using this computer system without authority, or in |
| excess of their authority, are subject to having all of their   |
| activities on this system monitored and recorded by system      |
| personnel.                                                      |
|                                                                 |
|| Anyone using this system expressly consents to such monitoring |
| and is advised that if such monitoring reveals possible         |
| evidence of criminal activity, system personnel may provide the |
| evidence of such monitoring to law enforcement officials.       |
|-----------------------------------------------------------------|


debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/myuser/.ssh/id_rsa
debug3: no such identity: /home/myuser/.ssh/id_rsa
debug1: Trying private key: /home/myuser/.ssh/id_dsa
debug3: no such identity: /home/myuser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
bob@server's password:
debug3: packet_send2: adding 64 (len 54 padlen 10 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: ssh_session2_setup: id 0
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1)

debug3: channel 0: close_fds r -1 w -1 e 7
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 141
Connection closed

 

7 REPLIES
Dennis Handly
Acclaimed Contributor

Re: problems with chroot sftp user

>also made sure /etc/passwd and /etc/group were copied into /newroot/etc

 

I thought you need to copy more than those files?

Richard Pereira_1
Regular Advisor

Re: problems with chroot sftp user

It does but what else should I check for?

Patrick Wallek
Honored Contributor
Richard Pereira_1
Regular Advisor

Re: problems with chroot sftp user

Thanks for the link. I've already used the same instructions as the first one. My chroot user can't sftp but regular users can. The second link I don't think will work, since my version of ssh is so much older.

Richard Pereira_1
Regular Advisor

Re: problems with chroot sftp user

Here's more info: if I try calling the subsystem (ssh -s sftp-server -vvv bob@server)

I get a slightly different ending

ebug3: packet_send2: adding 64 (len 54 padlen 10 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: ssh_session2_setup: id 0
debug1: Sending subsystem: sftp-server
debug2: channel 0: request subsystem
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
Request for subsystem 'sftp-server' failed on channel 0
debug1: Calling cleanup 0x4001595a(0x0)
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 fd 5/6)

debug3: channel 0: close_fds r 5 w 6 e 7
debug1: Calling cleanup 0x40015a3a(0x0)
Connection closed

 

So for some reason it can't call or execute sftp-server?? Permissions look OK.

 

Matti_Kurkela
Honored Contributor

Re: problems with chroot sftp user

Check your /opt/ssh/etc/sshd_config, in particular the Subsystem lines.

 

If the sftp subsystem is pointing to a file (typically /opt/ssh/libexec/sftp-server), run "ldd /opt/ssh/libexec/sftp-server" to see a list of libraries required by the sftp-server. Make sure the sftp-server binary and all these required libraries are accessible within the chroot. Those libraries themselves may depend on other libraries: check them the same way.

 

If your (very old) SSH version supports an in-process sftp server, you can change the Subsystem line in sshd_config to:

Subsystem sftp internal-sftp

This makes building the chroot environment much easier. Unfortunately, I have some doubt whether your old SSH version supports that setting or not. (If it is supported, it should be mentioned in the sshd_config man page.)

MK
Richard Pereira_1
Regular Advisor

SOLVED! Re: problems with chroot sftp user

Correct. My version is too old to use that sftp internal directive.

 

SOLVED IT!

 

I was missing a library for sftp-server to run properly in the chrooted directory. I had previously run an ldd on /chroot/opt/ssh/libexec/sftp-server but didn't notice that 1 lib was in fact a link that pointed to another link that pointed to a library file.

 

To confirm, I changed the chrooted user shell to /sbin/sh. Did an ssh into the chrooted environment, a cd into /opt/ssh/libexec and tried to manually start sftp-server and got a missing library error.

 

Specifically, I was missing " /usr/lib/libgssapi_krb5.sl -> ./gss/libgssapi_krb5.sl " so I copied it under /chroot/usr/lib/gss/libgssapi_krb5.sl, changed the user's shell back to the sftponly script and now I get an sftp prompt!

 

I'm still confused how it disappeared from a working chroot, but it seems the /opt/ssh/ssh_chroot_setup.sh is out of date since it omits this lib and didn't copy it in my test chroot directory either.
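
The failure mode found in this thread (a library that ldd lists is a symlink to another symlink, and only part of the chain exists in the chroot) can be checked mechanically. The script below is an added example, not part of the original posts and not HP's setup script; the function names are hypothetical, and it assumes ldd prints lines of the form `name => /absolute/path`.

```shell
#!/bin/sh
# Added example: walk every symlink hop behind the libraries a binary needs
# and report each hop that is absent under the chroot.
# Usage on a live system (paths taken from the thread):
#   ldd /opt/ssh/libexec/sftp-server | ldd_paths | missing_in_chroot "" /newroot

# Extract absolute library paths from "name => /path" lines of ldd output
# (assumed format).
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# hop_target PATH: print the target of symlink PATH (uses ls, so it also
# works where readlink is not installed).
hop_target() {
    ls -ld "$1" | sed 's/^.* -> //'
}

# missing_in_chroot SRCROOT CHROOT: read library paths on stdin; for each one
# follow the symlink chain under SRCROOT ("" for the real root) and print
# every hop that does not exist under CHROOT.
missing_in_chroot() {
    src=$1 jail=$2
    while read -r lib; do
        hops=0
        while [ "$hops" -lt 16 ]; do            # guard against link loops
            # A dangling link inside the chroot still counts as present;
            # its missing target is reported on the next hop.
            if [ ! -e "$jail$lib" ] && [ ! -h "$jail$lib" ]; then
                echo "$lib"
            fi
            [ -h "$src$lib" ] || break          # reached a real file
            tgt=$(hop_target "$src$lib")
            case $tgt in
                /*) lib=$tgt ;;                 # absolute link target
                *)  lib=$(echo "$(dirname "$lib")/$tgt" | sed 's#/\./#/#g') ;;
            esac
            hops=$((hops + 1))
        done
    done
}
```

Every path it prints has to be copied (or re-created as a link) under the chroot before the binary can load inside it.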