
sshd and chroot

 
SOLVED
Dick van den Burg
Occasional Advisor

sshd and chroot

I have run the ssh_chroot_setup.sh script for HP-UX 11.11 Secure Shell-A.05.00.024. When the user logs in he is not in a chroot environment and can cd to the real / directory.
HP-UX Secure Shell-A.03.91.002 works, but is very old.
Looking through the source provided with A.05 I cannot find anything similar to the A.03 code for user chroot.

How can I chroot specific ssh users with A.05?

Thanks ... Dick
9 REPLIES
Steven E. Protter
Exalted Contributor

Re: sshd and chroot

Shalom,

There should be error output in /var/adm/syslog/syslog.log

There may have been information when you ran the ssh_chroot_setup.sh script. Something went wrong.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Dick van den Burg
Occasional Advisor

Re: sshd and chroot

Aug 26 12:01:58 omega4 sshd[4982]: SSH: Server;Ltype: Version;Remote: 10.84.8.13-56654;Protocol: 2.0;Client: OpenSSH_4.7
Aug 26 12:02:04 omega4 sshd[4982]: Accepted keyboard-interactive/pam for icctst from 10.84.8.13 port 56654 ssh2
Aug 26 12:02:17 omega4 inetd[5061]: registrar/tcp: Connection from omega4 (192.168.185.12) at Tue Aug 26 12:02:17 2008

Even when I run sshd with debugging there is no indication something went wrong. The script ran without errors.
I do not understand how A.05 can differentiate between non-chrooted and normal ssh users. The instructions in README.hp in A.05 tell me to add a user with a home directory of /newroot/home/user. A.03 uses a home directory of /newroot/./home/user and uses this format to decide to chroot the user.
Alex Wanderley
Occasional Advisor

Re: sshd and chroot

Hi,

Did you manage to find the solution to your problem?
I'm having the same issue: after updating to A.05.00.024, our chroot for ssh, scp and sftp stopped working...

Thanks,

Alex
Dick van den Burg
Occasional Advisor

Re: sshd and chroot

No, I have not found a solution. I looked at the source code that is supplied with the package and in the new version the code that accomplished the ssh chroot in the old version is completely missing in the new version. According to the documentation you can chroot ALL ssh sessions, but that is not what I want.
I am using the old version.
Dick
Alex Wanderley
Occasional Advisor
Solution

Re: sshd and chroot

Hi Dick,

I had the help of HP Support and we got it working. Here is what you have to do:

1 - On the actual /etc/passwd file, change the chrooted account's home directory from "//./home/" to "/home/".
2 - Do the same for "//etc/passwd"
3 - On the end of the /opt/ssh/etc/sshconfig file add two extra lines:
Match User
ChrootDirectory /
4 - Restart sshd.

FYI,

Alex
Dick van den Burg
Occasional Advisor

Re: sshd and chroot

Alex,

Thanks very much for your feedback. I will try this later on a test system.

Thanks again .. Dick
Dick van den Burg
Occasional Advisor

Re: sshd and chroot

Alex,

This seems to work by putting the Match and ChrootDirectory lines in
/etc/ssh/etc/sshd_config (not sshconfig)

The man page has an entry for the Match, but explicitly names the commands that are allowed in the following block and ChrootDirectory is not one of them.

Is there any other documentation that explains how to set this up?

Thanks again
Dick
Dick van den Burg
Occasional Advisor

Re: sshd and chroot

that should be
/opt/ssh/etc/sshd_config
Alex Wanderley
Occasional Advisor

Re: sshd and chroot

Hi Dick,

Sorry for the delay, things got a little busy around here.
Yes, I meant to type /opt/etc/sshd_config...
I couldn't find any documentation for that at all. It made sense to me when the HP guy came up with the suggestion, but documentation.
If you take a look at the ssh_config(5) man page, the ChrootDirectory clause does not even show on the list of possible clauses for the "Match" option.

Regards,

Alex
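
An added example, not part of the thread or of HP's documentation: a POSIX shell check that lists every ChrootDirectory line in an sshd_config together with the Match block it falls under, so a chroot scoped to specific users can be told apart from a global one that would apply to all ssh sessions. The function names, the user name sftpuser1 and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the scope of each ChrootDirectory in an sshd_config.
# sshd_config keywords are case-insensitive, and a Match block runs until the
# next Match line or the end of the file.
# Limitation: only the whitespace-separated "Keyword value" form is handled.

chroot_scopes() {
    # $1 = path to an sshd_config file (reads stdin when omitted)
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            key = tolower($1)
            if (key == "match") {              # a new conditional block starts
                scope = $0
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", scope)   # drop the keyword
                next
            }
            if (key == "chrootdirectory")      # print scope <TAB> directory
                printf "%s\t%s\n", (scope == "" ? "GLOBAL" : scope), $2
        }
    ' "${1:--}"
}

# Succeeds when a ChrootDirectory sits outside every Match block, which
# chroots ALL ssh sessions rather than selected users.
has_global_chroot() {
    chroot_scopes "$@" | cut -f1 | grep -qx GLOBAL
}

# Constructed sample config; sftpuser1 is a placeholder account name.
sample_config() {
    cat <<'EOF'
# constructed sample, not taken from the thread
PermitRootLogin no
Match User sftpuser1
    ChrootDirectory /newroot
Match Group contractors
    X11Forwarding no
EOF
}

# Demo on the sample; on a real system pass the config path instead,
# e.g. chroot_scopes /opt/ssh/etc/sshd_config
sample_config | chroot_scopes
```
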