Red Hat 6.5 chroot over ssh for shell users not sftp

I need to jail some users in an automounter directory and additionally allow them only a list of commands. So I decided the right approach is to chroot these users over ssh.

The OS in use is Red Hat 6.5 and I am not allowed to use third-party packages. So my approach is to use the pam_chroot module:

Here are my configs (for readability I removed everything that is commented out):
File: /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

Protocol 2
SyslogFacility AUTHPRIV

StrictModes yes
MaxAuthTries 4


IgnoreRhosts yes

PermitEmptyPasswords no
PasswordAuthentication yes

ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# Required for the session modules in /etc/pam.d/sshd (including the
# pam_chroot.so line there) to run at all.
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

AllowTcpForwarding no
# NOTE(review): X11 forwarding remains enabled for the jailed users even
# though TCP forwarding is off; confirm X11 is really needed inside the jail.
X11Forwarding yes
# NOTE(review): privilege separation is not needed for ChrootDirectory;
# leaving it at the default (yes) keeps the unprivileged pre-auth process.
UsePrivilegeSeparation no
# NOTE(review): no ClientAliveInterval is set, so no keepalive probes are
# sent and this count has no effect — confirm whether that is intended.
ClientAliveCountMax 0

# Example of overriding settings on a per-user basis
# Every member of group "users" is chrooted here by sshd itself, independently
# of pam_chroot. OpenSSH requires this directory and every path component above
# it to be root-owned and not group- or world-writable; the `ls -ld` output
# further down (drwxr-xr-x root root) satisfies that.
Match Group users
        ChrootDirectory /chroot/fileservice

File: /etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
-session   optional     pam_ck_connector.so

# NOTE(review): this file is the PAM stack for login(1) (console/getty logins),
# not for sshd, which uses /etc/pam.d/sshd. The "debug" argument here therefore
# only produces log output for console logins, not for the ssh sessions being
# debugged.
session required pam_chroot.so debug

File: /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
# Setting UMASK for all ssh based connections (ssh, sftp, scp)
session optional pam_umask.so umask=0027
# Jails the session according to /etc/security/chroot.conf. Kept last so every
# other session module runs against the real root.
# NOTE(review): this stacks with sshd's own ChrootDirectory for group "users"
# (sshd_config). With chroot.conf mapping testuser to "/" it adds no
# confinement by itself — confirm which of the two mechanisms is meant to be
# the authoritative jail.
session required pam_chroot.so

File: /etc/security/chroot.conf

# /etc/security/chroot.conf
# format:
# username_regex        chroot_dir
#matthew                /home
# NOTE(review): the first field is a regular expression (see format above), so
# an unanchored "testuser" may also match longer names such as "testuser2";
# use ^testuser$ to match exactly. The target "/" is the real filesystem root,
# so pam_chroot adds no confinement here; the only jail in effect is sshd's
# ChrootDirectory for group "users".
testuser /

Debug: ssh -v -v testuser@XXXXXX

OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXXXX [XXXXX] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 124/256
debug2: bits set: 512/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'iumg032' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:10
debug2: bits set: 529/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
testuser@XXX's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Thu Oct 23 08:47:48 2014 from XXXX

        _________________________________________________________________
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        _________________________________________________________________


/bin/bash: Permission denied
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
Connection to XXXXX closed.
Transferred: sent 1912, received 3120 bytes, in 0.0 seconds
Bytes per second: sent 186500.2, received 304330.9
debug1: Exit status 1

# chroot /chroot/fileservice/
bash-4.1# ls
bin  dev  etc  home  lib  lib64  net  proc  tmp  usr  var
bash-4.1#

# ls -lh
total 36K
drwxr-x---   2 root root 4.0K Oct 21 10:26 bin
drwxr-xr-x  17 root root 3.7K Oct 21 09:00 dev
drwxr-x---  82 root root 4.0K Oct 22 10:42 etc
drwxrwxr-x   3 root root 4.0K Oct 21 10:52 home
drwxr-xr-x   3 root root 4.0K Oct 22 08:25 lib
drwxr-xr-x   3 root root 4.0K Oct 22 08:25 lib64
drwxr-xr-x   2 root root 4.0K Oct 20 13:46 net
dr-xr-xr-x 108 root root    0 Oct 21 09:00 proc
drwxrwxrwt   2 root root 4.0K Oct 21 15:41 tmp
drwxr-x---   4 root root 4.0K Oct 22 08:43 usr
drwxr-x---   4 root root 4.0K Oct 21 16:35 var

bin # ls -lh
total 1.2M
-rwxr-xr-x 1 root root 918K Oct 21 10:26 bash
-rwxr-x--- 1 root root  48K Oct 21 10:26 cat
-rwxr-x--- 1 root root  28K Oct 21 10:26 echo
-rwxr-x--- 1 root root 115K Oct 21 10:26 ls
-rwxr-x--- 1 root root  57K Oct 21 10:26 rm

lib64]# ls -lh
total 2.6M
-rwxr-xr-x  1 root root 154K Oct 21 10:26 ld-linux-x86-64.so.2
drwxr-xr-x. 9 root root  12K May 15 09:32 lib64
-rwxr-xr-x  1 root root  34K Oct 21 10:26 libacl.so.1
-rwxr-xr-x  1 root root  21K Oct 21 10:26 libattr.so.1
-rwxr-xr-x  1 root root  19K Oct 21 10:26 libcap.so.2
-rwxr-xr-x  1 root root 1.9M Oct 21 10:26 libc.so.6
-rwxr-xr-x  1 root root  23K Oct 21 10:26 libdl.so.2
-rwxr-xr-x  1 root root 143K Oct 21 10:26 libpthread.so.0
-rwxr-xr-x  1 root root  46K Oct 21 10:26 librt.so.1
-rwxr-xr-x  1 root root 122K Oct 21 10:26 libselinux.so.1
-rwxr-xr-x  1 root root 136K Oct 21 10:26 libtinfo.so.5

lib64]# ldd /chroot/fileservice/bin/bash
        linux-vdso.so.1 =>  (0x00007fff043b2000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000036c5400000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00000036c3c00000)
        libc.so.6 => /lib64/libc.so.6 (0x00000036c4000000)
        /lib64/ld-linux-x86-64.so.2 (0x00000036c3800000)


So the chroot itself is working and ssh is working, but the "/bin/bash: Permission denied" error prevents the chroot environment from working. Is there someone out there who can help?
Wilder_AdminAsked:
 
gheist Commented:
You need to add read and execute permission for other users (o+rx, i.e. mode 755; the listing shows they are currently 750) to the ./bin, ./usr (and its bin) and ./etc directories (not the files), so that the jailed users can traverse them to reach the programs.
 
gheistCommented:
chroot /chroot/fileservice bash
ldd bash
 
Wilder_AdminAuthor Commented:
# chroot /chroot/fileservice/ bash
bash-4.1# ldd /bin/bash
        linux-vdso.so.1 =>  (0x00007fff9adff000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000036c5400000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00000036c3c00000)
        libc.so.6 => /lib64/libc.so.6 (0x00000036c4000000)
        /lib64/ld-linux-x86-64.so.2 (0x00000036c3800000)

 
gheistCommented:
ls -ld /chroot/fileservice

can the user traverse ./bin/ ?
 
Wilder_AdminAuthor Commented:
]# ls -ld /chroot/fileservice
drwxr-xr-x 13 root root 4096 Oct 21 16:22 /chroot/fileservice

# chroot /chroot/fileservice/ bash
bash-4.1# ls
bin  dev  etc  home  lib  lib64  net  proc  tmp  usr  var
bash-4.1# cd bin
bash-4.1# ls
bash  cat  echo  ls  rm

Is this the information about traversing bin? Or what exactly do you mean?
 
gheistCommented:
i meant...
ls -ld /chroot/fileservice/*
 
Wilder_AdminAuthor Commented:
]# ls -ld /chroot/fileservice/*
drwxr-x---   2 root root 4096 Oct 21 10:26 /chroot/fileservice/bin
drwxr-xr-x  17 root root 3780 Oct 21 09:00 /chroot/fileservice/dev
drwxr-x---  82 root root 4096 Oct 22 10:42 /chroot/fileservice/etc
drwxrwxr-x   3 root root 4096 Oct 21 10:52 /chroot/fileservice/home
drwxr-xr-x   3 root root 4096 Oct 22 08:25 /chroot/fileservice/lib
drwxr-xr-x   3 root root 4096 Oct 22 08:25 /chroot/fileservice/lib64
drwxr-xr-x   2 root root 4096 Oct 20 13:46 /chroot/fileservice/net
dr-xr-xr-x 107 root root    0 Oct 21 09:00 /chroot/fileservice/proc
drwxrwxrwt   2 root root 4096 Oct 21 15:41 /chroot/fileservice/tmp
drwxr-x---   4 root root 4096 Oct 22 08:43 /chroot/fileservice/usr
drwxr-x---   4 root root 4096 Oct 21 16:35 /chroot/fileservice/var
 
Wilder_AdminAuthor Commented:
Just to clarify: 755 as the permission on these folders?
 
Wilder_AdminAuthor Commented:
Nearly done now:

-bash: id: command not found
-bash: id: command not found
-bash: tty: command not found

Do I need to copy them into the chroot?
 
Wilder_AdminAuthor Commented:
Great help and perfect support. Thank you so much.
 
gheistCommented:
Yes, all commands need to be inside the chroot.
You can use read-only bind mounts to pass in e.g. all of /bin and all of /lib (to me that seems easier to maintain, e.g. for patching). Note that bind-mounting all of /bin gives the jailed users every command in it, which works against the goal of allowing only a list of commands.