chroot-ed ssh, scp and sftp

Hello all,

I am trying to create a chroot-ed environment for ssh, scp and sftp on an HP-UX 11.11 system using HP's ssh (A.04.10.004). I used the provided ssh_chroot_setup.sh script; ssh and sftp work, however both do not show the user id/group id of files and directories when the ls command is used.
Additionally, scp authenticates but fails after that with:

unknown user 111
lost connection

The etc directory in the chroot-ed environment does contain: passwd, group (I copied that manually), pam.conf and nsswitch.conf, and the files are readable for everyone (444).

Any hints on what the problem could be will be greatly appreciated.

greetings,

Stoyan
Steven E. Protter

Re: chroot-ed ssh, scp and sftp

Shalom,

If you chroot ssh and thereby cut off its connection to /etc/passwd the results you are getting are expected.

You must provide alternatives to what you are cutting off. Usually this involves copies of binaries.

Can you provide your configuration file and the method you used to chroot etc. into the environment? That is probably the key to solving this problem.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Re: chroot-ed ssh, scp and sftp

Hello,

I have checked the /opt/ssh/README.hp file to see if all binaries and libraries mentioned there are properly copied by the script. All the binaries were copied correctly.
I have not done any modification to the sshd_config file.

thank you,

Stoyan

Re: chroot-ed ssh, scp and sftp

The problem was that the entries for passwd and group in the nsswitch.conf file were "compat"; changing these to "files" fixed the problem.

greetings,

Stoyan
Haralambos

Re: chroot-ed ssh, scp and sftp

Please see a similar entry I have in ITRC with subject:

"public key auth. by SFTP does not work on chrooted accounts" on 01/20/06

It ends up that you can use the HP provided script /opt/ssh/ssh_chroot_setup.sh to create the chrooted accounts. It works well when creating the accounts and copying the correct binaries/libs, but I have experienced the same problem as you did with accounts/groups.

It ends up that every chrooted account has its own private passwd & group files which the script does not bother to update when a new account is created, for example. So you will have to manually copy and paste those new entries from the /etc/passwd & /etc/group file to the corresponding ones in the private chrooted env.

It also turns out that the private copies of these files do NOT need all the account and group info that is contained within the original files. All they need is the chrooted accounts' info in the passwd file, and info for the root, sys, bin groups (and the chrooted users' group) in the group file.

Finally, the script gives for some reason 777 perms to some dirs within the chrooted environment which I had modified as I do think that world write access is actually needed.

Regards, Haralambos
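The three jail defects discussed in this thread (nsswitch.conf set to "compat", a stale private passwd/group copy that lacks the jailed user or the root/sys/bin groups, and world-writable directories left behind by the setup script) can be checked before a user is handed the account. The following audit function is an added example, not part of the thread or of HP's ssh_chroot_setup.sh; it assumes the jail keeps its own etc/passwd, etc/group and etc/nsswitch.conf (the layout described above) and only needs POSIX sh, awk and find.

```shell
#!/bin/sh
# Added example (not from the thread or from HP's ssh_chroot_setup.sh).
# Audits a chroot jail for the problems described in the thread. Assumes the
# HP-UX jail layout: <jail>/etc/passwd, <jail>/etc/group, <jail>/etc/nsswitch.conf.

# Print a finding and bump the error count kept by check_chroot.
fail() { echo "FAIL: $1"; errors=$((errors + 1)); }

# check_chroot JAIL USER : returns 0 if the jail looks consistent, 1 otherwise.
check_chroot() {
    jail=$1; user=$2; errors=0

    # 1. passwd and group must resolve from "files" only. "compat" pulls in
    #    NIS/name-service support that is not present inside the jail, which is
    #    what left ls without names and scp with "unknown user <uid>".
    for db in passwd group; do
        src=$(awk -v db="$db" '$1 == db":" { print $2; exit }' "$jail/etc/nsswitch.conf" 2>/dev/null)
        [ "$src" = "files" ] || fail "nsswitch.conf: $db uses '${src:-<missing>}', expected 'files'"
    done

    # 2. The jailed user must exist in the jail's private passwd copy ...
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$jail/etc/passwd" 2>/dev/null)
    [ -n "$uid" ] || fail "etc/passwd: no entry for $user (scp would report 'unknown user <uid>')"

    # ... and its primary gid plus the root, sys and bin groups must resolve
    #     from the jail's private group copy.
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$jail/etc/passwd" 2>/dev/null)
    for g in root sys bin; do
        grep -q "^$g:" "$jail/etc/group" 2>/dev/null || fail "etc/group: missing group $g"
    done
    [ -n "$gid" ] && { awk -F: -v g="$gid" '$3 == g { found = 1 } END { exit !found }' "$jail/etc/group" 2>/dev/null \
        || fail "etc/group: no group with gid $gid (primary group of $user)"; }

    # 3. No world-writable directories: a 777 directory lets any jailed user
    #    replace binaries or libraries that the jail's own sshd/scp will load.
    ww=$(find "$jail" -type d -perm -0002 2>/dev/null | head -5)
    [ -z "$ww" ] || fail "world-writable directories: $(echo "$ww" | tr '\n' ' ')"

    [ "$errors" -eq 0 ]
}
```

Run it as `check_chroot /path/to/jail jailuser` after creating each account; a non-zero exit and the FAIL lines tell you which of the three fixes from the thread still applies.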