
Jon.Kibler at aset
Feb 14, 2010, 12:09 AM
Re: openssh-5.3p1 chroot selinux error on CentOS-5.4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2/2/10 4:25 PM, James B. Byrne wrote:
> I built and installed openssh-5.3p1 on an x86_64 host running
> CentOs-5.4. These are the build options:
>

I have it working on CentOS 5.4. It was a PITA to get to work. Most likely you are getting bitten by SELinux. Here is some stuff that may be of help:

BUILD SCRIPT
============

[root [at] FO openssh-5.3p1]# more run-config
#!/bin/bash
PFX='/usr/local'
./configure \
    --prefix=${PFX} \
    --sysconfdir=${PFX}/etc/ssh \
    --with-pam \
    --with-lastlog \
    --with-tcp-wrappers \
    --with-md5-passwords \
    --with-selinux \
    --with-kerberos5
exit

CHANGES TO /etc/init.d/sshd
===========================

...
# pull in sysconfig settings
[ -f /usr/local/etc/sysconfig/sshd ] && . /usr/local/etc/sysconfig/sshd

RETVAL=0
prog="sshd"

# Some functions to make the below more readable
KEYGEN=/usr/local/bin/ssh-keygen
SSHD=/usr/local/sbin/sshd
RSA1_KEY=/usr/local/etc/ssh/ssh_host_key
RSA_KEY=/usr/local/etc/ssh/ssh_host_rsa_key
DSA_KEY=/usr/local/etc/ssh/ssh_host_dsa_key
...
SSHD PAM STACK
==============

[root [at] FO pam.d]# cat sshd
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_selinux.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

ADDITIONS TO /etc/fstab
=======================

/selinux      /PATH2CHROOT/chroot/selinux      none   bind,ro                                                  0 0
/etc/selinux  /PATH2CHROOT/chroot/etc/selinux  none   bind,ro                                                  0 0
proc          /PATH2CHROOT/chroot/proc         proc   defaults                                                 0 0
sysfs         /PATH2CHROOT/chroot/sys          sysfs  defaults                                                 0 0
tmpfs         /PATH2CHROOT/chroot/tmp          tmpfs  noatime,nodev,nosuid,noexec,nouser,mode=1777,size=512M  0 0

CHROOT DIRECTORY REQUIREMENTS
=============================

[root [at] FO chroot]# ll
drwxr-x--x   2 root root 4096 Jan 24 21:40 bin
drwxr-x--x   2 root root 4096 Jan 24 15:10 dev
drwxr-x--x   3 root root 4096 Jan 25 10:55 etc
drwxr-x--x   4 root root 4096 Jan 25 10:47 home
drwxr-x--x   2 root root 4096 Jan 24 21:16 lib
drwxr-x--x   2 root root 4096 Jan 24 21:16 lib64
dr-xr-xr-x 117 root root    0 Jan 24 01:12 proc
drwxr-xr-x   4 root root    0 Jan 24 01:12 selinux
drwxr-xr-x  11 root root    0 Jan 24 01:12 sys
drwxrwxrwt   2 root root   40 Jan 24 14:04 tmp
drwxr-x--x   5 root root 4096 Jan 24 15:35 usr
drwxr-x--x   3 root root 4096 Jan 24 16:14 var

[root [at] FO chroot]# ll bin
total 2128
-r-xr-xr-x 1 root root 801512 Jan 22  2009 bash
(and other stuff that you may want users to use)

[root [at] FO chroot]# ll dev
crw-rw-rw- 1 root root 1, 3 Jan 24 15:02 null
crw-rw-rw- 1 root root 1, 8 Jan 24 15:07 random
lrwxrwxrwx 1 root root   15 Jan 24 15:09 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root   15 Jan 24 15:10 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root   15 Jan 24 15:10 stdout -> /proc/self/fd/1
cr--r--r-- 1 root root 1, 9 Jan 24 15:08 urandom
crw-rw-rw- 1 root root 1, 5 Jan 24 15:02 zero

# except for motd, all of the following is needed
# motd is needed if you have SSH display motd message
[root [at] FO chroot]# ll etc
total 88
-r--r--r-- 1 root root 80   Jan 24 21:39 bashrc
-r--r--r-- 1 root root 266  Jan 25 10:50 group
-r--r--r-- 1 root root 1257 Jan 24 20:52 hosts
-r--r--r-- 1 root root 758  Sep 23  2004 inputrc
-r--r--r-- 1 root root 118  May  8  2009 localtime
-r--r--r-- 1 root root 2026 Jan 24 23:02 motd
-r--r--r-- 1 root root 1696 Sep 23  2004 nsswitch.conf
-r--r--r-- 1 root root 558  Jan 25 10:55 passwd
-r--r--r-- 1 root root 739  Jan 24 22:16 profile
-r--r--r-- 1 root root 149  Jan 24 20:55 resolv.conf
drwxr-x--x 3 root root 4096 Jan 22 11:00 selinux

# most lib + lib64 + /usr/lib + /usr/lib64
# exists so that name services works
# including making the bash command prompt work
[root [at] FO chroot]# ll lib
-rwxr-xr-x 1 root root 36348   Jan 20 22:11 libnss_compat-2.5.so
lrwxrwxrwx 1 root root 20      Jan 24 21:16 libnss_compat.so.2 -> libnss_compat-2.5.so
-rwxr-xr-x 1 root root 824548  May 24  2008 libnss_db-2.2.so
lrwxrwxrwx 1 root root 16      Jan 24 21:16 libnss_db.so.2 -> libnss_db-2.2.so
-rwxr-xr-x 1 root root 21876   Jan 20 22:11 libnss_dns-2.5.so
lrwxrwxrwx 1 root root 17      Jan 24 21:16 libnss_dns.so.2 -> libnss_dns-2.5.so
-rwxr-xr-x 1 root root 46680   Jan 20 22:11 libnss_files-2.5.so
lrwxrwxrwx 1 root root 19      Jan 24 21:16 libnss_files.so.2 -> libnss_files-2.5.so
-rwxr-xr-x 1 root root 22692   Jan 20 22:11 libnss_hesiod-2.5.so
lrwxrwxrwx 1 root root 20      Jan 24 21:16 libnss_hesiod.so.2 -> libnss_hesiod-2.5.so
-rwxr-xr-x 1 root root 3200212 Oct 27 14:01 libnss_ldap-2.5.so
lrwxrwxrwx 1 root root 18      Jan 24 21:16 libnss_ldap.so.2 -> libnss_ldap-2.5.so
-rwxr-xr-x 1 root root 42372   Jan 20 22:11 libnss_nis-2.5.so
-rwxr-xr-x 1 root root 51636   Jan 20 22:11 libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root 21      Jan 24 21:16 libnss_nisplus.so.2 -> libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root 17      Jan 24 21:16 libnss_nis.so.2 -> libnss_nis-2.5.so

[root [at] FO chroot]# ll lib64
-rwxr-xr-x 1 root root 139416  Jan 20 18:43 ld-2.5.so
lrwxrwxrwx 1 root root 9       Jan 24 15:59 ld-linux-x86-64.so.2 -> ld-2.5.so
lrwxrwxrwx 1 root root 15      Jan 24 15:59 libacl.so.1 -> libacl.so.1.1.0
-rwxr-xr-x 1 root root 28008   May 24  2008 libacl.so.1.1.0
lrwxrwxrwx 1 root root 16      Jan 24 15:59 libattr.so.1 -> libattr.so.1.1.0
-rwxr-xr-x 1 root root 17888   Jan  6  2007 libattr.so.1.1.0
-rwxr-xr-x 1 root root 1717800 Jan 20 18:43 libc-2.5.so
lrwxrwxrwx 1 root root 17      Jan 24 15:59 libcom_err.so.2 -> libcom_err.so.2.1
-rwxr-xr-x 1 root root 10000   Sep  3 19:53 libcom_err.so.2.1
-rwxr-xr-x 1 root root 48600   Jan 20 18:43 libcrypt-2.5.so
-rwxr-xr-x 1 root root 1366208 Jan 20 15:56 libcrypto.so.0.9.8e
lrwxrwxrwx 1 root root 19      Jan 24 15:59 libcrypto.so.6 -> libcrypto.so.0.9.8e
lrwxrwxrwx 1 root root 15      Jan 24 15:59 libcrypt.so.1 -> libcrypt-2.5.so
lrwxrwxrwx 1 root root 11      Jan 24 15:59 libc.so.6 -> libc-2.5.so
-rwxr-xr-x 1 root root 23360   Jan 20 18:43 libdl-2.5.so
lrwxrwxrwx 1 root root 12      Jan 24 15:59 libdl.so.2 -> libdl-2.5.so
-rwxr-xr-x 1 root root 9472    Jan  6  2007 libkeyutils-1.2.so
lrwxrwxrwx 1 root root 18      Jan 24 15:59 libkeyutils.so.1 -> libkeyutils-1.2.so
-rwxr-xr-x 1 root root 615136  Jan 20 18:43 libm-2.5.so
lrwxrwxrwx 1 root root 11      Jan 24 15:59 libm.so.6 -> libm-2.5.so
-rwxr-xr-x 1 root root 43040   Jan 20 18:43 libnss_compat-2.5.so
lrwxrwxrwx 1 root root 20      Jan 24 21:16 libnss_compat.so.2 -> libnss_compat-2.5.so
-rwxr-xr-x 1 root root 791456  May 24  2008 libnss_db-2.2.so
lrwxrwxrwx 1 root root 16      Jan 24 21:16 libnss_db.so.2 -> libnss_db-2.2.so
-rwxr-xr-x 1 root root 23736   Jan 20 18:43 libnss_dns-2.5.so
lrwxrwxrwx 1 root root 17      Jan 24 21:16 libnss_dns.so.2 -> libnss_dns-2.5.so
-rwxr-xr-x 1 root root 53880   Jan 20 18:43 libnss_files-2.5.so
lrwxrwxrwx 1 root root 19      Jan 24 21:16 libnss_files.so.2 -> libnss_files-2.5.so
-rwxr-xr-x 1 root root 24736   Jan 20 18:43 libnss_hesiod-2.5.so
lrwxrwxrwx 1 root root 20      Jan 24 21:16 libnss_hesiod.so.2 -> libnss_hesiod-2.5.so
-rwxr-xr-x 1 root root 3165384 Oct 27 13:56 libnss_ldap-2.5.so
lrwxrwxrwx 1 root root 18      Jan 24 21:16 libnss_ldap.so.2 -> libnss_ldap-2.5.so
-rwxr-xr-x 1 root root 53432   Jan 20 18:43 libnss_nis-2.5.so
-rwxr-xr-x 1 root root 62944   Jan 20 18:43 libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root 21      Jan 24 21:16 libnss_nisplus.so.2 -> libnss_nisplus-2.5.so
lrwxrwxrwx 1 root root 17      Jan 24 21:16 libnss_nis.so.2 -> libnss_nis-2.5.so
-rwxr-xr-x 1 root root 145824  Jan 20 18:43 libpthread-2.5.so
lrwxrwxrwx 1 root root 17      Jan 24 15:59 libpthread.so.0 -> libpthread-2.5.so
-rwxr-xr-x 1 root root 92736   Jan 20 18:43 libresolv-2.5.so
lrwxrwxrwx 1 root root 16      Jan 24 15:59 libresolv.so.2 -> libresolv-2.5.so
-rwxr-xr-x 1 root root 53448   Jan 20 18:43 librt-2.5.so
lrwxrwxrwx 1 root root 12      Jan 24 15:59 librt.so.1 -> librt-2.5.so
-rwxr-xr-x 1 root root 95464   Sep  3 23:00 libselinux.so.1
-rwxr-xr-x 1 root root 247496  Sep  3 20:35 libsepol.so.1
-rwxr-xr-x 1 root root 306568  Jan 20 15:56 libssl.so.0.9.8e
lrwxrwxrwx 1 root root 16      Jan 24 15:59 libssl.so.6 -> libssl.so.0.9.8e
lrwxrwxrwx 1 root root 19      Jan 24 15:59 libtermcap.so.2 -> libtermcap.so.2.0.8
-rwxr-xr-x 1 root root 15584   Jan  6  2007 libtermcap.so.2.0.8

[root [at] FO chroot]# ll usr
drwxr-x--x 2 root root 4096 Jan 24 16:40 bin
drwxr-x--x 2 root root 4096 Jan 24 21:16 lib
drwxr-x--x 2 root root 4096 Jan 24 21:16 lib64

[root [at] FO chroot]# ll usr/lib
-rwxr-xr-x 1 root root 1187124 Jul 27  2009 libnss3.so
-rwxr-xr-x 1 root root 373992  Jul 27  2009 libnssckbi.so
lrwxrwxrwx 1 root root 28      Jan 24 21:16 libnss_compat.so -> ../../lib/libnss_compat.so.2
lrwxrwxrwx 1 root root 24      Jan 24 21:16 libnss_db.so -> ../../lib/libnss_db.so.2
lrwxrwxrwx 1 root root 25      Jan 24 21:16 libnss_dns.so -> ../../lib/libnss_dns.so.2
lrwxrwxrwx 1 root root 27      Jan 24 21:16 libnss_files.so -> ../../lib/libnss_files.so.2
lrwxrwxrwx 1 root root 28      Jan 24 21:16 libnss_hesiod.so -> ../../lib/libnss_hesiod.so.2
lrwxrwxrwx 1 root root 26      Jan 24 21:16 libnss_ldap.so -> ../../lib/libnss_ldap.so.2
lrwxrwxrwx 1 root root 29      Jan 24 21:16 libnss_nisplus.so -> ../../lib/libnss_nisplus.so.2
lrwxrwxrwx 1 root root 25      Jan 24 21:16 libnss_nis.so -> ../../lib/libnss_nis.so.2
-rwxr-xr-x 1 root root 96924   Jul 27  2009 libnssutil3.so

[root [at] FO chroot]# ll usr/lib64
lrwxrwxrwx 1 root root 21      Jan 24 15:59 libgssapi_krb5.so.2 -> libgssapi_krb5.so.2.2
-rwxr-xr-x 1 root root 190976  Jan 13 00:17 libgssapi_krb5.so.2.2
lrwxrwxrwx 1 root root 18      Jan 24 15:59 libk5crypto.so.3 -> libk5crypto.so.3.1
-rwxr-xr-x 1 root root 153624  Jan 13 00:17 libk5crypto.so.3.1
lrwxrwxrwx 1 root root 14      Jan 24 15:59 libkrb5.so.3 -> libkrb5.so.3.3
-rwxr-xr-x 1 root root 613896  Jan 13 00:17 libkrb5.so.3.3
lrwxrwxrwx 1 root root 21      Jan 24 15:59 libkrb5support.so.0 -> libkrb5support.so.0.1
-rwxr-xr-x 1 root root 35728   Jan 13 00:17 libkrb5support.so.0.1
lrwxrwxrwx 1 root root 21      Jan 24 15:59 liblber-2.3.so.0 -> liblber-2.3.so.0.2.31
-rwxr-xr-x 1 root root 59040   Jan 21  2009 liblber-2.3.so.0.2.31
lrwxrwxrwx 1 root root 21      Jan 24 15:59 libldap-2.3.so.0 -> libldap-2.3.so.0.2.31
-rwxr-xr-x 1 root root 241360  Jan 21  2009 libldap-2.3.so.0.2.31
lrwxrwxrwx 1 root root 17      Jan 24 15:59 libncurses.so.5 -> libncurses.so.5.5
-rwxr-xr-x 1 root root 380336  Jan  6  2007 libncurses.so.5.5
lrwxrwxrwx 1 root root 18      Jan 24 15:59 libncursesw.so.5 -> libncursesw.so.5.5
-rwxr-xr-x 1 root root 413488  Jan  6  2007 libncursesw.so.5.5
-rwxr-xr-x 1 root root 1221496 Jul 27  2009 libnss3.so
-rwxr-xr-x 1 root root 492960  Jul 27  2009 libnssckbi.so
lrwxrwxrwx 1 root root 30      Jan 24 21:16 libnss_compat.so -> ../../lib64/libnss_compat.so.2
lrwxrwxrwx 1 root root 26      Jan 24 21:16 libnss_db.so -> ../../lib64/libnss_db.so.2
lrwxrwxrwx 1 root root 27      Jan 24 21:16 libnss_dns.so -> ../../lib64/libnss_dns.so.2
lrwxrwxrwx 1 root root 29      Jan 24 21:16 libnss_files.so -> ../../lib64/libnss_files.so.2
lrwxrwxrwx 1 root root 30      Jan 24 21:16 libnss_hesiod.so -> ../../lib64/libnss_hesiod.so.2
lrwxrwxrwx 1 root root 28      Jan 24 21:16 libnss_ldap.so -> ../../lib64/libnss_ldap.so.2
lrwxrwxrwx 1 root root 31      Jan 24 21:16 libnss_nisplus.so -> ../../lib64/libnss_nisplus.so.2
lrwxrwxrwx 1 root root 27      Jan 24 21:16 libnss_nis.so -> ../../lib64/libnss_nis.so.2
-rwxr-xr-x 1 root root 119696  Jul 27  2009 libnssutil3.so
lrwxrwxrwx 1 root root 18      Jan 24 15:59 libsasl2.so.2 -> libsasl2.so.2.0.22
-rwxr-xr-x 1 root root 105464  Sep  4 00:05 libsasl2.so.2.0.22
-rwxr-xr-x 1 root root 805656  Sep 20 02:26 libtcl8.4.so
lrwxrwxrwx 1 root root 13      Jan 24 15:59 libz.so.1 -> libz.so.1.2.3
-rwxr-xr-x 1 root root 85608   Jan  9  2007 libz.so.1.2.3

PASSWD MUNGE
============

entry in /etc/passwd
footest:x:505:505:Chroot Test Account:/PATH2CHROOT/chroot/home/footest:/bin/bash

entry in /PATH2CHROOT/chroot/etc/passwd
footest:x:505:505:Chroot Test Account:/home/footest:/bin/bash

Also, in the chroot-ed passwd and group files, strip out all non-chroot-ed users and groups, except for root.

PROFILE MUNGE
=============

copy /etc/profile to /PATH2CHROOT/chroot/etc/profile and add the following code to the top of the file:

# CHROOT environment for login setup
# Special setup for chroot
HOME=$(echo ${HOME} | sed 's^/PATH2CHROOT/chroot^^')
export HOME
PWD=${HOME}
export PWD
cd ${HOME}
umask 002
# end chroot setup

FINAL NOTES
===========

1) I have not tried to make syslog work. It should be rather straightforward, but I just have not had time to set it up.

2) I am attaching a template that can be used to build the chroot environment. It has been tested exactly once. YMMV. (Assuming it makes it past the mailing list filter!)

I hope this fixes your problem.

Jon Kibler

-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o/c/s: 843-849-8214 / 843-813-2924 / 843-564-4224
e: Jon.Kibler [at] aset or Jon.R.Kibler [at] gmail
s: JonRKibler
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636  A392 515C 5045 CF39 4253

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkt3r9MACgkQUVxQRc85QlPmZACgmYQ9z3Ji9TrUY9Qq372SpwTq
9OEAnikPvbaPr9f1EPPt3u7q9Qe57872
=YOSg
-----END PGP SIGNATURE-----
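Editor's added example (not part of Jon's post, his attached template, or the OpenSSH project): a bash helper that automates the manual steps described in the post, namely copying a binary plus the libraries ldd resolves for it into the jail at their original lib/lib64 paths, creating the device nodes from the "ll dev" listing, and the "passwd munge" (keep root plus chroot users, rewrite their home to drop the chroot prefix, then filter the group file down to groups that still matter). The function names, the BUILD_CHROOT switch and the sample passwd/group lines are this example's own; /PATH2CHROOT/chroot is the placeholder path the post uses. Run as-is it only defines the functions; run with BUILD_CHROOT=1 as root it populates the jail.

```shell
#!/bin/bash
# Added example, not from the original post: helpers for the chroot build
# steps above. Function names, BUILD_CHROOT and the sample data are assumed.
set -eu

# Keep root plus every account whose home lives under the chroot, and strip
# the chroot prefix from that home so the entry is valid inside the jail
# (the rewrite the post shows by hand for "footest").
# Usage: munge_passwd /PATH2CHROOT/chroot < /etc/passwd > "$CHROOT/etc/passwd"
munge_passwd() {
    awk -F: -v OFS=: -v c="$1" '
        $1 == "root"          { print; next }
        index($6, c "/") == 1 { $6 = substr($6, length(c) + 1); print }
    '
}

# Keep root, the primary group of every user left in the munged passwd, and
# any group that still has a chroot member once its member list is filtered
# down to chroot users. Everything else is dropped, as the post advises.
# Usage: munge_group "$CHROOT/etc/passwd" < /etc/group > "$CHROOT/etc/group"
munge_group() {
    awk -F: -v OFS=: '
        NR == FNR { user[$1] = 1; gid[$4] = 1; next }
        {
            n = split($4, m, ","); kept = ""
            for (i = 1; i <= n; i++)
                if (m[i] in user) kept = (kept == "" ? m[i] : kept "," m[i])
            if ($1 == "root" || ($3 in gid) || kept != "") { $4 = kept; print }
        }
    ' "$1" -
}

# Copy a binary and every shared object ldd resolves for it to the same path
# under the chroot, so lib vs lib64 vs usr/lib64 placement is preserved.
copy_with_deps() {
    local chroot="$1" bin="$2" lib
    install -D -m 0755 "$bin" "$chroot$bin"
    for lib in $(ldd "$bin" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                                   $1 ~ /^\//              { print $1 }'); do
        [ -e "$chroot$lib" ] || install -D -m 0755 "$lib" "$chroot$lib"
    done
}

# The device nodes from the post's "ll dev" listing (same modes). Needs root.
make_devs() {
    local d="$1/dev"
    mkdir -p "$d"
    [ -e "$d/null" ]    || mknod -m 666 "$d/null"    c 1 3
    [ -e "$d/zero" ]    || mknod -m 666 "$d/zero"    c 1 5
    [ -e "$d/random" ]  || mknod -m 666 "$d/random"  c 1 8
    [ -e "$d/urandom" ] || mknod -m 444 "$d/urandom" c 1 9
    ln -sf /proc/self/fd/0 "$d/stdin"
    ln -sf /proc/self/fd/1 "$d/stdout"
    ln -sf /proc/self/fd/2 "$d/stderr"
}

# Only build a real jail when explicitly asked (BUILD_CHROOT=1, as root).
if [ "${BUILD_CHROOT:-0}" = 1 ]; then
    CHROOT=${CHROOT:-/PATH2CHROOT/chroot}   # placeholder path from the post
    mkdir -p "$CHROOT/etc" "$CHROOT/home" "$CHROOT/tmp"
    chmod 1777 "$CHROOT/tmp"
    copy_with_deps "$CHROOT" /bin/bash
    # NSS modules are dlopen'ed by libc, so ldd of bash does not list them;
    # without them name lookups (and the bash prompt) fail inside the jail.
    for nss in /lib64/libnss_files.so.2 /lib64/libnss_dns.so.2; do
        if [ -e "$nss" ]; then copy_with_deps "$CHROOT" "$nss"; fi
    done
    make_devs "$CHROOT"
    munge_passwd "$CHROOT" < /etc/passwd > "$CHROOT/etc/passwd"
    munge_group "$CHROOT/etc/passwd" < /etc/group > "$CHROOT/etc/group"
    cp /etc/nsswitch.conf /etc/hosts /etc/resolv.conf "$CHROOT/etc/"
fi
```

The passwd filter keys on the home directory rather than on a UID range, because that is exactly the convention the post uses (the host entry points at /PATH2CHROOT/chroot/home/footest); the group filter then trims supplementary member lists so no host-only account names leak into the jail. Note that copy_with_deps only follows what ldd reports, so anything loaded at run time with dlopen (NSS modules, PAM modules) has to be named explicitly, as the guarded section does.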