chroot, sftp, authentication key generation - not working

Jeff Hoevenaar · ‎09-30-2005

I have a RedHat server with a chroot'd user that works fine via ssh and sftp.

When I try to create a ssh key so the I can sftp without a password it does not work.

If I do it for a non-chroot'd user the keys work fine.

How do I get a chroot'd user to login without a password via ssh or sftp?

Thanks.

Ivan Ferreira · ‎09-30-2005

Is the user chrooted to his home directory?

Maybe the .ssh directory and the respective contents is not found when you are working in a chroot environment.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Jeff Hoevenaar · ‎09-30-2005

Yes the user is chrooted but I am prompted for a password. If I remove the chroot then I am not prompted for the password. How do I get the chroot environment to see the .ssh ?

baiju_3 · ‎09-30-2005

Hi ,

try to copy the ssh-keygen binary to users choroot/bin directory as root user and try to run it as the required user .

I haven't done it , you may try .

Thx,
bl.

Good things Just Got better (Plz,not stolen from advertisement -:) )

Ivan Ferreira · ‎09-30-2005

Post the output of ssh -v server, with and without chroot. Let's see if something comes out.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Jeff Hoevenaar · ‎09-30-2005

ssh -v swohftp@chpftp01
OpenSSH_3.9, OpenSSL 0.9.7d 17 Mar 2004
HP-UX Secure Shell-A.03.91.002, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to chpftp01 [10.233.30.171] port 22.
debug1: Connection established.
debug1: identity file /home/hoev178/.ssh/id_rsa type 1
debug1: identity file /home/hoev178/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'chpftp01' is known and matches the RSA host key.
debug1: Found key in /home/hoev178/.ssh/known_hosts:36
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

UNAUTHORIZED USE AND/OR ACCESS IS STRICTLY PROHIBITED

debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/hoev178/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /home/hoev178/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
swohftp@chpftp01's password:

Ivan Ferreira · ‎09-30-2005

From the client side, nothing wrong can be seen.

Try debugging from the server side.

Stop the sshd service:

service sshd stop

Start the sshd daemon:

/usr/sbin/sshd -D -d -f /etc/ssh/sshd_config

Start the connection. Try to see if the server use the public key for the user.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Jeff Hoevenaar · ‎09-30-2005

I just acts as if it cannot see the keys in the .ssh directory.

????

Ivan Ferreira · ‎09-30-2005

I think that the problem could be the AuthorizedKeysFile parameter. Maybe is trying to find the key in the user home, but, when chrooted, the user home is the /.

Try changing the AuthorizedKeysFile parameter to /.ssh/authorized_keys.

Next, if that works, maybe you will need to setup differents sshd configuration for chrooted and no chrooted users, listening on different ports.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Ivan Ferreira · ‎09-30-2005

One more question. Are you using the sshd chroot patch or the pam chroot module to setup the chroot jail?

I would like to do some testings to reproduce your environment.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Jeff Hoevenaar · ‎10-03-2005

Changing the location of the keys file did not work.

I modified the /etc/pam.d/sshd file:

#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_chroot.so

Ivan Ferreira · ‎10-03-2005

Good and bad news.

Good news, I tested and the sshd with chroot and public keys worked.

Bad news, I don't know why it does not works for you.

What I did:

OS Fedora Core 4.

File /etc/pam.d/sshd

Added

session required pam_chroot.so debug

File /etc/security/chroot.conf

Added

iferreira /home/iferreira/chroot

File

/etc/ssh/sshd_config

Added

UsePAM yes
UsePrivilegeSeparation no

Using ldd, I created the a minimal chroot environment, all files owned by root.root and perm 755

/home/iferreira/chroot
/home/iferreira/chroot/bin
/home/iferreira/chroot/bin/bash
/home/iferreira/chroot/bin/ls
/home/iferreira/chroot/lib/ld-linux.so.2
/home/iferreira/chroot/lib/libacl.so.1
/home/iferreira/chroot/lib/libattr.so.1
/home/iferreira/chroot/lib/libc.so.6
/home/iferreira/chroot/lib/libdl.so.2
/home/iferreira/chroot/lib/libpthread.so.0
/home/iferreira/chroot/lib/librt.so.1
/home/iferreira/chroot/lib/libselinux.so.1
/home/iferreira/chroot/lib/libtermcap.so.2
/home/iferreira/chroot/home/iferreira (iferreira.iferreira 755)

In another system, created the keys using:

ssh-keygen -t dsa

Copied the id_dsa.pub file to /home/iferreira/.ssh/authorized_keys:

/home/iferreira/.ssh (iferreira.iferreira 700)
/home/iferreira/.ssh/authorized_keys (iferreira.iferreira 600)

As you can note, the key was copied to the real HOME, not the chrooted home directory.

Tested and worked. What does not works is connecting to the system using ssh -l iferreira remote_host. You need to connect directly using the iferreira user. That means, connect without using the -l option, otherwise the password will be prompted.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Jeff Hoevenaar · ‎10-03-2005

Did it work with sftp and scp?

Ivan Ferreira · ‎10-03-2005

I quick try did not worked. sftp closes the connection and scp respond with unknown user error (even when I configured a fake passwd file in the chrooted environment).

Maybe there are more files/libraries that must to be copied. It's a hard work with shared libraries.

I think that using the chroot patch for sshd will be easier.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Jeff Hoevenaar · ‎10-03-2005

I am not fimiliar with the "chroot patch". Can I get that from RedHat?

Jeff Hoevenaar · ‎10-04-2005

I created the same user id on both server and client and put the authorized_keys file in the /home/userid/.ssh vs. the chrooted home dir on the server. I can now sftp and without a password and be chrooted.

The scp doesnot work but I can work with the sftp.

Thanks for the help.

The scp gives a unknow user id kind of error. I tried giving the user the same id number of both systems and placing key files on both sides but it still doesn't work. I will use sftp - good for now.

Ivan Ferreira · ‎10-04-2005

You can get it from here:

http://chrootssh.sourceforge.net/index.php

With all instructions to use.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

chroot, sftp, authentication key generation - not working

chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working

Re: chroot, sftp, authentication key generation - not working