Solved

Red Hat 6.5 chroot over ssh for shell users not sftp

Posted on 2014-10-23
Last Modified: 2014-10-24
I need to jail some users in an automounter directory and additionally allow only a list of commands. So I decided the right way is to chroot these users over ssh.

The OS used is Red Hat 6.5 and I am not allowed to use third-party packages. So my approach is to use the pam_chroot module:

Here are my configs (for readability I deleted everything that is commented out):
File: /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

Protocol 2
SyslogFacility AUTHPRIV

StrictModes yes
MaxAuthTries 4


IgnoreRhosts yes

PermitEmptyPasswords no
PasswordAuthentication yes

ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

AllowTcpForwarding no
X11Forwarding yes
UsePrivilegeSeparation no
ClientAliveCountMax 0

# Example of overriding settings on a per-user basis
Match Group users
        ChrootDirectory /chroot/fileservice

File: /etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so

session required pam_chroot.so debug

File: /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
# Setting UMASK for all ssh based connections (ssh, sftp, scp)
session optional pam_umask.so umask=0027
session required pam_chroot.so

File: /etc/security/chroot.conf

# /etc/security/chroot.conf
# format:
# username_regex        chroot_dir
#matthew                /home
testuser /

Debug: ssh -v -v testuser@XXXXXX

OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXXXX [XXXXX] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 124/256
debug2: bits set: 512/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'iumg032' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:10
debug2: bits set: 529/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
testuser@XXX's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Thu Oct 23 08:47:48 2014 from XXXX

        _________________________________________________________________
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        _________________________________________________________________


/bin/bash: Permission denied
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
Connection to XXXXX closed.
Transferred: sent 1912, received 3120 bytes, in 0.0 seconds
Bytes per second: sent 186500.2, received 304330.9
debug1: Exit status 1

# chroot /chroot/fileservice/
bash-4.1# ls
bin  dev  etc  home  lib  lib64  net  proc  tmp  usr  var
bash-4.1#

# ls -lh
total 36K
drwxr-x---   2 root root 4.0K Oct 21 10:26 bin
drwxr-xr-x  17 root root 3.7K Oct 21 09:00 dev
drwxr-x---  82 root root 4.0K Oct 22 10:42 etc
drwxrwxr-x   3 root root 4.0K Oct 21 10:52 home
drwxr-xr-x   3 root root 4.0K Oct 22 08:25 lib
drwxr-xr-x   3 root root 4.0K Oct 22 08:25 lib64
drwxr-xr-x   2 root root 4.0K Oct 20 13:46 net
dr-xr-xr-x 108 root root    0 Oct 21 09:00 proc
drwxrwxrwt   2 root root 4.0K Oct 21 15:41 tmp
drwxr-x---   4 root root 4.0K Oct 22 08:43 usr
drwxr-x---   4 root root 4.0K Oct 21 16:35 var

bin # ls -lh
total 1.2M
-rwxr-xr-x 1 root root 918K Oct 21 10:26 bash
-rwxr-x--- 1 root root  48K Oct 21 10:26 cat
-rwxr-x--- 1 root root  28K Oct 21 10:26 echo
-rwxr-x--- 1 root root 115K Oct 21 10:26 ls
-rwxr-x--- 1 root root  57K Oct 21 10:26 rm

lib64]# ls -lh
total 2.6M
-rwxr-xr-x  1 root root 154K Oct 21 10:26 ld-linux-x86-64.so.2
drwxr-xr-x. 9 root root  12K May 15 09:32 lib64
-rwxr-xr-x  1 root root  34K Oct 21 10:26 libacl.so.1
-rwxr-xr-x  1 root root  21K Oct 21 10:26 libattr.so.1
-rwxr-xr-x  1 root root  19K Oct 21 10:26 libcap.so.2
-rwxr-xr-x  1 root root 1.9M Oct 21 10:26 libc.so.6
-rwxr-xr-x  1 root root  23K Oct 21 10:26 libdl.so.2
-rwxr-xr-x  1 root root 143K Oct 21 10:26 libpthread.so.0
-rwxr-xr-x  1 root root  46K Oct 21 10:26 librt.so.1
-rwxr-xr-x  1 root root 122K Oct 21 10:26 libselinux.so.1
-rwxr-xr-x  1 root root 136K Oct 21 10:26 libtinfo.so.5

lib64]# ldd /chroot/fileservice/bin/bash
        linux-vdso.so.1 =>  (0x00007fff043b2000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000036c5400000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00000036c3c00000)
        libc.so.6 => /lib64/libc.so.6 (0x00000036c4000000)
        /lib64/ld-linux-x86-64.so.2 (0x00000036c3800000)


So the chroot itself is working and ssh is working, but the /bin/bash permission denied prevents the chroot environment from working. Is there someone out there who can help?
Question by:Wilder_Admin

Expert Comment
by:gheist
chroot /chroot/fileservice bash
ldd bash

Author Comment
by:Wilder_Admin
# chroot /chroot/fileservice/ bash
bash-4.1# ldd /bin/bash
        linux-vdso.so.1 =>  (0x00007fff9adff000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000036c5400000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00000036c3c00000)
        libc.so.6 => /lib64/libc.so.6 (0x00000036c4000000)
        /lib64/ld-linux-x86-64.so.2 (0x00000036c3800000)

Expert Comment
by:gheist
ls -ld /chroot/fileservice

can user trespass ./bin/ ?

Author Comment
by:Wilder_Admin
]# ls -ld /chroot/fileservice
drwxr-xr-x 13 root root 4096 Oct 21 16:22 /chroot/fileservice

# chroot /chroot/fileservice/ bash
bash-4.1# ls
bin  dev  etc  home  lib  lib64  net  proc  tmp  usr  var
bash-4.1# cd bin
bash-4.1# ls
bash  cat  echo  ls  rm

Is this the information about trespassing bin? Or what exactly?

Expert Comment
by:gheist
I meant...
ls -ld /chroot/fileservice/*

Author Comment
by:Wilder_Admin
]# ls -ld /chroot/fileservice/*
drwxr-x---   2 root root 4096 Oct 21 10:26 /chroot/fileservice/bin
drwxr-xr-x  17 root root 3780 Oct 21 09:00 /chroot/fileservice/dev
drwxr-x---  82 root root 4096 Oct 22 10:42 /chroot/fileservice/etc
drwxrwxr-x   3 root root 4096 Oct 21 10:52 /chroot/fileservice/home
drwxr-xr-x   3 root root 4096 Oct 22 08:25 /chroot/fileservice/lib
drwxr-xr-x   3 root root 4096 Oct 22 08:25 /chroot/fileservice/lib64
drwxr-xr-x   2 root root 4096 Oct 20 13:46 /chroot/fileservice/net
dr-xr-xr-x 107 root root    0 Oct 21 09:00 /chroot/fileservice/proc
drwxrwxrwt   2 root root 4096 Oct 21 15:41 /chroot/fileservice/tmp
drwxr-x---   4 root root 4096 Oct 22 08:43 /chroot/fileservice/usr
drwxr-x---   4 root root 4096 Oct 21 16:35 /chroot/fileservice/var

Accepted Solution
by:
gheist earned 500 total points
You need to add u+rx permissions to ./bin ./usr (bin) /etc/ directories (not files), so that users can reach the programs.
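The check and the fix behind this answer, as an added example that is not code from the thread. The first function walks every path component of a program inside the jail (the root, then bin, then bash) and reports each one an unprivileged user cannot pass; it reads the mode bits rather than using test -x, because test -x run as root is always true. The second applies the execute and read bits to directories only, leaving file modes as they are. The function names are my own; the jail root /chroot/fileservice and the subdirectory list come from the thread, and the check assumes the jailed users are neither owner nor group of the jail's directories, which is the case for the root:root directories in the listing above (so it is the "other" bits that decide, and a 750 directory becomes 755).

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are assumptions;
# the jail root /chroot/fileservice comes from the question.

# Does "other" have the execute (search) bit on $1?  The mode string is read
# with ls -ld instead of test -x, because test -x as root is always true.
# Assumes the jailed user is neither the owner nor in the owning group,
# which holds for root:root directories.
other_x() {
    case $(ls -ld "$1" | cut -c10) in
        x|t) return 0 ;;   # x, or sticky bit together with x (t)
        *)   return 1 ;;
    esac
}

# Walk every component of program $2 (a path inside the jail, e.g. /bin/bash)
# below the jail root $1 and print each one an unprivileged user cannot pass
# or execute.  Returns 0 if the whole path is usable, 1 otherwise.
chroot_traverse_check() {
    root=$1
    path=$2
    status=0
    cur=$root
    other_x "$cur" || { echo "$cur"; status=1; }
    # Split "/bin/bash" on "/" into "", "bin", "bash".
    oldifs=$IFS
    IFS=/
    set -- $path
    IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue      # empty element before the leading "/"
        cur=$cur/$comp
        if [ ! -e "$cur" ]; then
            echo "$cur: does not exist" >&2
            return 1
        fi
        other_x "$cur" || { echo "$cur"; status=1; }
    done
    return $status
}

# The fix from the accepted answer: o+rx on directories only (find -type d),
# so file modes such as a 640 copy of /etc/passwd stay untouched.  Adding
# o+rx keeps sshd's ChrootDirectory rule satisfied: the jail root and every
# component of its path must stay root-owned and not group- or world-writable.
chroot_open_dirs() {
    root=$1
    shift
    chmod o+rx "$root" || return 1
    for sub in "$@"; do
        if [ ! -d "$root/$sub" ]; then
            echo "$root/$sub is not a directory" >&2
            return 1
        fi
        find "$root/$sub" -type d -exec chmod o+rx {} + || return 1
    done
}

# Usage (as root, on the jail from the question):
#   chroot_traverse_check /chroot/fileservice /bin/bash
#   chroot_open_dirs /chroot/fileservice bin usr etc
#   chroot_traverse_check /chroot/fileservice /bin/bash
```

The check also looks at the final component, so a program that is itself 750 root:root (cat, echo, ls and rm in the bin listing above) is reported as well, since an unjailed user outside the root group cannot execute it either.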

Author Comment
by:Wilder_Admin
Only to clarify: 755 as permission for these folders?

Author Comment
by:Wilder_Admin
Nearly done now:

-bash: id: command not found
-bash: id: command not found
-bash: tty: command not found

Do I need to copy them into the chroot?

Author Closing Comment
by:Wilder_Admin
Great help and perfectly supported. Thank you so much.

Expert Comment
by:gheist
Yes, all commands need to be in chroot.
You can use read-only bind mounts to pass e.g. all of /bin and all of /lib (to me it seems easier to maintain, like patching).
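One way to do what this last answer asks, copying a program together with the shared libraries it loads into the jail, as an added example that is not code from the thread. It relies on ldd output of the two forms shown earlier in the thread (`libc.so.6 => /lib64/libc.so.6 (...)` and the bare loader line `/lib64/ld-linux-x86-64.so.2 (...)`), skips linux-vdso.so.1, which has no file on disk, and includes a check that compares the host's ldd list against the jail, because running `ldd /chroot/fileservice/bin/bash` from outside the jail, as done in the question, resolves against the host's /lib64 and says nothing about what is inside the jail. The function names (ldd_paths, chroot_copy_bin, chroot_missing_libs) are my own; /chroot/fileservice and the missing commands id and tty come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread.  Function names are assumptions;
# /chroot/fileservice and the ldd output format come from the question.

# Print every absolute path in ldd's output for $1: the target of each
# "name => /path (0x...)" line and the bare loader line "/lib64/ld-linux-x86-64.so.2".
# linux-vdso.so.1 has no "=> /path" and no file on disk, so it drops out.
# Static binaries ("not a dynamic executable") produce no output.
ldd_paths() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy program $2 and the libraries it loads into jail $1, keeping the same
# paths (/usr/bin/id stays /usr/bin/id, /lib64/libc.so.6 stays /lib64/libc.so.6).
# cp without -R follows symlinks, so libc.so.6 becomes a real file in the jail
# instead of a link that points outside it.
chroot_copy_bin() {
    root=$1
    src=$2
    if [ ! -f "$src" ] || [ ! -x "$src" ]; then
        echo "chroot_copy_bin: $src is not an executable file" >&2
        return 1
    fi
    mkdir -p "$root$(dirname "$src")" || return 1
    cp "$src" "$root$src" || return 1
    # The while loop runs in a subshell; exit 1 there makes the pipeline,
    # and so this function, return 1.
    ldd_paths "$src" | while read -r lib; do
        [ -e "$lib" ] || continue
        mkdir -p "$root$(dirname "$lib")" || exit 1
        [ -e "$root$lib" ] || cp "$lib" "$root$lib" || exit 1
    done
}

# Print the libraries the host's ldd says $2 needs that are missing under $1.
# "ldd /chroot/fileservice/bin/bash" run from outside the jail resolves
# against the host's /lib64 and proves nothing about the jail; this compares
# the two trees explicitly.
chroot_missing_libs() {
    root=$1
    src=$2
    ldd_paths "$src" | while read -r lib; do
        [ -e "$root$lib" ] || echo "$lib"
    done
}

# Usage (as root, for the commands the author found missing):
#   for p in /usr/bin/id /usr/bin/tty; do
#       chroot_copy_bin /chroot/fileservice "$p"
#       chroot_missing_libs /chroot/fileservice "$p"
#   done
```

Copies made this way go stale when the host is patched, which is the point of the read-only bind mount alternative in the answer; on Linux that is `mount --bind /bin /chroot/fileservice/bin` followed by `mount -o remount,bind,ro /chroot/fileservice/bin` (commands added here, not quoted from the thread), so the jail always sees the host's current binaries and libraries.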