chrootssh-users

[Chrootssh-users] chrootssh code broken?

[Greg M. <gr...@ca...>]

I have installed openssh-3.8.1p1-chroot, and I have followed the procedures=
 described in "Setting up chrooted sftp in linux."=
  (http://chrootssh.sourceforge.net/docs/chrootedsftp.html)

Everything worked okay through the last step of "Build the chroot."

"To test, su to root and type "chroot /path/to/chroot /bin/sh". If this=
 works, excellent!"

# chroot /home/sftp/ /bin/sh
bash# ls
bin  dev  home  lib  usr
bash# pwd
/
bash#

I think this means that I have correctly configured the chroot, right?

However, when I try to connect as the chrooted user with ssh or sftp, the=
 connection fails.

# ssh localhost -l sftp
sftp@localhost's password:
Connection to localhost closed by remote host.
Connection to localhost closed.
#


# sftp sftp@localhost
Connecting to localhost...
sftp@localhost's password:
Connection closed
#

I can't find any error messages in the logs.  Only this in=
 /var/log/messages:

Jun  8 16:54:42 linux1363 sshd[30819]: Accepted password for sftp from=
 127.0.0.1 port 38488 ssh2
Jun  8 16:55:19 linux1363 sshd[30829]: Accepted password for sftp from=
 127.0.0.1 port 38489 ssh2

Looking back through the mailing list archives, I found a couple of=
 messages - one by Patrick Marshall on 2004/04/29 and one by Lee Fellows on=
 2004/03/10 - both saying that the patched code in session.c is broken:=
  "It appears that the patch for implementing chroot behaviour was coming=
 too soon in the do_setusercontext function of session.c...."

But it is hard for me to believe that if the code was really this badly=
 broken, it would have remained unfixed for three months - including the=
 latest version uploaded on 6/1.  And since my own C skills barely go=
 beyond "hello, world" I am afraid to implement their suggested fixes=
 without knowing what I am doing.

What is the status of this?  Is the code truly broken?  If not, could I=
 have a clue about what I might be doing wrong, or any tips on=
 troubleshooting this further?

Thank you,


Greg McCann

[Chrootssh-users] Fixed - was:chrootssh code broken?

[Greg M. <gr...@ca...>]

I got it working - no code modifications necessary in my case.  Except to=
 change the version banner in version.h to "OpenSSH_3.8.1p1_chroot" to=
 confirm that I was in fact using the patched code.  (Do telnet localhost=
 22 to see the ssh banner.)

Although I had no trouble with "chroot /path/to/chroot /bin/sh", there was=
 apparently more needed for sshd to function properly, which was not hinted=
 at in the documentation.

I did "strace -eopen /usr/local/sbin/sshd" and got the following:

open("/etc/ld.so.preload", O_RDONLY)    =3D -1 ENOENT (No such file or=
 directory)
open("/etc/ld.so.cache", O_RDONLY)      =3D 3
open("/lib/libresolv.so.2", O_RDONLY)   =3D 3
open("/lib/libutil.so.1", O_RDONLY)     =3D 3
open("/usr/local/lib/libz.so.1", O_RDONLY) =3D 3
open("/lib/libnsl.so.1", O_RDONLY)      =3D 3
open("/lib/libcrypt.so.1", O_RDONLY)    =3D 3
open("/lib/libc.so.6", O_RDONLY)        =3D 3
open("/usr/lib/libgcc_s.so.1", O_RDONLY) =3D 3
open("/dev/urandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) =3D 3
open("/usr/local/etc/sshd_config", O_RDONLY|O_LARGEFILE) =3D 3
open("/usr/local/etc/ssh_host_dsa_key", O_RDONLY|O_LARGEFILE) =3D 3
open("/etc/nsswitch.conf", O_RDONLY)    =3D 3
open("/etc/ld.so.cache", O_RDONLY)      =3D 3
open("/lib/libnss_files.so.2", O_RDONLY) =3D 3
open("/etc/passwd", O_RDONLY)           =3D 3

I already had found most, if not all, of the libs with "ldd", but I was=
 missing /dev/urandom and all of the /etc files.  After copying all of=
 these to the corresponding place in the chroot environment it worked.

All of these may not be necessary.  If I had the time, I would go through=
 the process of elimination to determine what is really needed and what=
 isn't, but for the moment I am happy just to have it working.

Another hint to anyone trying to do this who is as inexperienced as I am.=
  In the chroot documentation, it says:  

mknod zero c 13 12; mknod null c 13 2

Unless you are running the same system as the author, your numbers will=
 probably be different - and /dev/urandom may be needed also.  Do ls=
 /dev/zero, ls /dev/null, and ls /dev/urandom to see what the correct=
 numbers are for your system.

Good luck.


Greg

[Chrootssh-users] the russian mails

[<ge...@we...>]

hi folks,
can some one kick-off the nasty russian spamers? or - don't say that - our
mailing list is open for everyone?
Petr Sp.