Solved

Red Hat 6.5 chroot over ssh for shell users not sftp

Posted on 2014-10-23
Last Modified: 2014-10-24
I need to jail some users in an automounter directory and additionally allow only a list of commands. So I decided the right way is to chroot these users over ssh.

The OS used is Red Hat 6.5 and I am not allowed to use third-party packages. So my approach is to use the pam_chroot module:

Here are my configs (for better readability I deleted everything that is commented out):
File: /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

Protocol 2
SyslogFacility AUTHPRIV

StrictModes yes
MaxAuthTries 4


IgnoreRhosts yes

PermitEmptyPasswords no
PasswordAuthentication yes

ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

AllowTcpForwarding no
X11Forwarding yes
UsePrivilegeSeparation no
ClientAliveCountMax 0

# Example of overriding settings on a per-user basis
Match Group users
        ChrootDirectory /chroot/fileservice

File: /etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so

session required pam_chroot.so debug

File: /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
# Setting UMASK for all ssh based connections (ssh, sftp, scp)
session optional pam_umask.so umask=0027
session required pam_chroot.so

File: /etc/security/chroot.conf

# /etc/security/chroot.conf
# format:
# username_regex        chroot_dir
#matthew                /home
testuser /

Debug: ssh -v -v testuser@XXXXXX

OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXXXX [XXXXX] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 124/256
debug2: bits set: 512/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'iumg032' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:10
debug2: bits set: 529/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
testuser@XXX's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Thu Oct 23 08:47:48 2014 from XXXX

        _________________________________________________________________
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        _________________________________________________________________


/bin/bash: Permission denied
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
Connection to XXXXX closed.
Transferred: sent 1912, received 3120 bytes, in 0.0 seconds
Bytes per second: sent 186500.2, received 304330.9
debug1: Exit status 1

# chroot /chroot/fileservice/
bash-4.1# ls
bin  dev  etc  home  lib  lib64  net  proc  tmp  usr  var
bash-4.1#

# ls -lh
total 36K
drwxr-x---   2 root root 4.0K Oct 21 10:26 bin
drwxr-xr-x  17 root root 3.7K Oct 21 09:00 dev
drwxr-x---  82 root root 4.0K Oct 22 10:42 etc
drwxrwxr-x   3 root root 4.0K Oct 21 10:52 home
drwxr-xr-x   3 root root 4.0K Oct 22 08:25 lib
drwxr-xr-x   3 root root 4.0K Oct 22 08:25 lib64
drwxr-xr-x   2 root root 4.0K Oct 20 13:46 net
dr-xr-xr-x 108 root root    0 Oct 21 09:00 proc
drwxrwxrwt   2 root root 4.0K Oct 21 15:41 tmp
drwxr-x---   4 root root 4.0K Oct 22 08:43 usr
drwxr-x---   4 root root 4.0K Oct 21 16:35 var

bin # ls -lh
total 1.2M
-rwxr-xr-x 1 root root 918K Oct 21 10:26 bash
-rwxr-x--- 1 root root  48K Oct 21 10:26 cat
-rwxr-x--- 1 root root  28K Oct 21 10:26 echo
-rwxr-x--- 1 root root 115K Oct 21 10:26 ls
-rwxr-x--- 1 root root  57K Oct 21 10:26 rm

lib64]# ls -lh
total 2.6M
-rwxr-xr-x  1 root root 154K Oct 21 10:26 ld-linux-x86-64.so.2
drwxr-xr-x. 9 root root  12K May 15 09:32 lib64
-rwxr-xr-x  1 root root  34K Oct 21 10:26 libacl.so.1
-rwxr-xr-x  1 root root  21K Oct 21 10:26 libattr.so.1
-rwxr-xr-x  1 root root  19K Oct 21 10:26 libcap.so.2
-rwxr-xr-x  1 root root 1.9M Oct 21 10:26 libc.so.6
-rwxr-xr-x  1 root root  23K Oct 21 10:26 libdl.so.2
-rwxr-xr-x  1 root root 143K Oct 21 10:26 libpthread.so.0
-rwxr-xr-x  1 root root  46K Oct 21 10:26 librt.so.1
-rwxr-xr-x  1 root root 122K Oct 21 10:26 libselinux.so.1
-rwxr-xr-x  1 root root 136K Oct 21 10:26 libtinfo.so.5

lib64]# ldd /chroot/fileservice/bin/bash
        linux-vdso.so.1 =>  (0x00007fff043b2000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000036c5400000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00000036c3c00000)
        libc.so.6 => /lib64/libc.so.6 (0x00000036c4000000)
        /lib64/ld-linux-x86-64.so.2 (0x00000036c3800000)


So the chroot itself is working and the ssh is working, but the /bin/bash "Permission denied" is preventing the chroot environment from working. Is there someone out there who can help?
Question by:Wilder_Admin
11 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 40399206
chroot /chroot/fileservice bash
ldd bash
0
 
LVL 8

Author Comment

by:Wilder_Admin
ID: 40399291
# chroot /chroot/fileservice/ bash
bash-4.1# ldd /bin/bash
        linux-vdso.so.1 =>  (0x00007fff9adff000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000036c5400000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00000036c3c00000)
        libc.so.6 => /lib64/libc.so.6 (0x00000036c4000000)
        /lib64/ld-linux-x86-64.so.2 (0x00000036c3800000)
0
 
LVL 62

Expert Comment

by:gheist
ID: 40399302
ls -ld /chroot/fileservice

Can the user trespass ./bin/?
0
 
LVL 8

Author Comment

by:Wilder_Admin
ID: 40399325
]# ls -ld /chroot/fileservice
drwxr-xr-x 13 root root 4096 Oct 21 16:22 /chroot/fileservice

# chroot /chroot/fileservice/ bash
bash-4.1# ls
bin  dev  etc  home  lib  lib64  net  proc  tmp  usr  var
bash-4.1# cd bin
bash-4.1# ls
bash  cat  echo  ls  rm

Is this the information about trespassing bin? Or what exactly?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40399366
I meant...
ls -ld /chroot/fileservice/*
0
 
LVL 8

Author Comment

by:Wilder_Admin
ID: 40399449
]# ls -ld /chroot/fileservice/*
drwxr-x---   2 root root 4096 Oct 21 10:26 /chroot/fileservice/bin
drwxr-xr-x  17 root root 3780 Oct 21 09:00 /chroot/fileservice/dev
drwxr-x---  82 root root 4096 Oct 22 10:42 /chroot/fileservice/etc
drwxrwxr-x   3 root root 4096 Oct 21 10:52 /chroot/fileservice/home
drwxr-xr-x   3 root root 4096 Oct 22 08:25 /chroot/fileservice/lib
drwxr-xr-x   3 root root 4096 Oct 22 08:25 /chroot/fileservice/lib64
drwxr-xr-x   2 root root 4096 Oct 20 13:46 /chroot/fileservice/net
dr-xr-xr-x 107 root root    0 Oct 21 09:00 /chroot/fileservice/proc
drwxrwxrwt   2 root root 4096 Oct 21 15:41 /chroot/fileservice/tmp
drwxr-x---   4 root root 4096 Oct 22 08:43 /chroot/fileservice/usr
drwxr-x---   4 root root 4096 Oct 21 16:35 /chroot/fileservice/var
0
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 40399467
You need to add u+rx permissions to ./bin ./usr (bin) /etc/ directories (not files), so that users can reach the programs.
0
 
LVL 8

Author Comment

by:Wilder_Admin
ID: 40401736
Only to clarify: 755 as permission for these folders?
0
 
LVL 8

Author Comment

by:Wilder_Admin
ID: 40401748
Nearly done now:

-bash: id: command not found
-bash: id: command not found
-bash: tty: command not found

Do I need to copy them into the chroot?
0
 
LVL 8

Author Closing Comment

by:Wilder_Admin
ID: 40401782
Great help and perfectly supported. Thank you so much.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40401833
Yes, all commands need to be in chroot.
You can use read-only bind mounts to pass e.g. all of /bin and all of /lib (to me it seems easier to maintain, like patching).
0
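Added example, not posted by anyone in the thread and not Red Hat code: a small POSIX sh script with two checks that would have found both problems discussed above before the first login. check_chroot_path covers the accepted solution (every directory between the chroot root and a program, not only the file, must be searchable by the jailed user; in the ls output posted above bin is drwxr-x--- and cat, echo, ls and rm are -rwxr-x---, so all of them are blocked), and missing_libs covers the closing comment (every command, and each shared library ldd says it needs, must exist inside the chroot). It assumes the tree is owned by root:root as in the thread and the jailed user is not root, so only the "others" permission bits matter; the directory tree it builds for the demo is constructed and the names check_chroot_path, missing_libs and others_bits are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the chroot tree is owned by
# root:root and the jailed user is not root, so the "others" bits decide access.

# others_bits PATH: the o=rwx field of ls -ld, e.g. "---" for drwxr-x---.
# ls -l is used instead of stat -c because its format is POSIX.
others_bits() {
    ls -ld "$1" | cut -c8-10
}

# check_chroot_path ROOT /path/inside/chroot
# Walks every component below ROOT. Each component needs o+x (search on a
# directory, execute on the file); a directory without o+r is only reported,
# since it blocks ls but not running a program by its full path.
# Prints each problem and returns 1 if the program is unreachable.
check_chroot_path() {
    root=$1
    target=$2
    rc=0
    cur=$root
    oldifs=$IFS
    IFS=/
    set -- $target          # split on '/'; a leading '/' gives an empty field
    IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur=$cur/$comp
        if [ ! -e "$cur" ]; then
            echo "MISSING    $cur"
            rc=1
            break
        fi
        bits=$(others_bits "$cur")
        case $bits in
            ??x|??t) ;;                    # x (or sticky t) set for others
            *) echo "NO-EXEC    $cur (others=$bits)"; rc=1 ;;
        esac
        if [ -d "$cur" ]; then
            case $bits in
                r??) ;;
                *) echo "NO-LIST    $cur (others=$bits; ls will fail here)" ;;
            esac
        fi
    done
    return $rc
}

# missing_libs ROOT HOST_BINARY
# Resolves HOST_BINARY's shared libraries with ldd on the host and reports
# those not present at the same path under ROOT. Returns 1 if any is missing.
missing_libs() {
    root=$1
    bin=$2
    rc=0
    # ldd lines look like "libc.so.6 => /lib64/libc.so.6 (0x...)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep only absolute path tokens.
    libs=$(ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }')
    for lib in $libs; do
        if [ ! -e "$root$lib" ]; then
            echo "MISSING    $root$lib"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed miniature of the tree from the thread: bin is 750,
# bash is 755 and cat is 750, exactly the modes shown in the ls output above.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    : > "$tmp/bin/bash"; chmod 755 "$tmp/bin/bash"
    : > "$tmp/bin/cat";  chmod 750 "$tmp/bin/cat"
    chmod 750 "$tmp/bin"
    echo "== before the fix"
    check_chroot_path "$tmp" /bin/bash || true
    check_chroot_path "$tmp" /bin/cat  || true
    echo "== after chmod o+rx on bin and o+x on cat"
    chmod o+rx "$tmp/bin"; chmod o+x "$tmp/bin/cat"
    check_chroot_path "$tmp" /bin/bash && check_chroot_path "$tmp" /bin/cat && echo "both reachable"
    echo "== libraries the host's /bin/sh would need inside this (still empty) chroot"
    missing_libs "$tmp" /bin/sh || true
    rm -rf "$tmp"
}
demo
```

Run it as any user; against the real jail replace the demo with e.g. `check_chroot_path /chroot/fileservice /bin/bash` and `missing_libs /chroot/fileservice /bin/bash`. The traversal check reports the "others" bits because a 750 directory owned by root:root is entered only by root or members of group root, which a user in group users is not; that is why the directories, and the 750 binaries, showed up as "Permission denied" in the ssh debug output.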
