Mailing List Archive: OpenSSH: Users

openssh 5.x, sftp & chroot



andrej.groups at gmail

Jun 22, 2010, 5:22 PM

Post #1 of 2 (2203 views)
openssh 5.x, sftp & chroot

Hi Gents,

For about a week now I've been trying to get the sftp chroot jail feature on
RHEL/CentOS (5.4 / 5) going.

The behaviour differs a bit between 5.2 and 5.5.

While compiling openssh (and the newer openssl) was no problem,
and following a variety of tutorials (walk-throughs) seemed easy enough,
I can't for the life of me figure out why my chrooted user(s) have no permission
to do anything at all in their jail directory, not even an 'ls'.

Details:
openssh version 5.2p1 & 5.5p1 respectively
./configure --exec-prefix=/usr --datarootdir=/usr/share
--sysconfdir=/etc/ssh --libexecdir=/usr/libexec/openssh
--datadir=/usr/share/openssh --with-tcp-wrappers
--with-default-path=/usr/local/bin:/bin:/usr/bin
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
--with-privsep-path=/var/empty/sshd --disable-strip
--without-zlib-version-check --with-ssl-engine -with-pka --with-nss
--with-pam --with-selinux --with-linux-audit --with-kerberos5

/etc/passwd:
000000000:x:1002:1002:SFTP chroot user:/sftransfers/000000000:/bin/true
000000001:x:1002:1002:SFTP chroot user:/sftransfers/000000001:/bin/bash
sshd_config:
# egrep -v "^ *#|^ *$" /etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
Subsystem sftp internal-sftp
Match Group sftransfers
ChrootDirectory %h
ForceCommand internal-sftp


perms:
# ls -l
total 146
drwxr-xr-x 2 root root 4096 Jun 18 04:09 bin
drwxr-xr-x 4 root root 1024 Jun 18 02:18 boot
drwxr-xr-x 12 root root 3820 Jun 22 00:23 dev
drwxr-xr-x 83 root root 4096 Jun 22 03:20 etc
drwxr-xr-x 5 root root 4096 Jan 27 10:43 home
drwxr-xr-x 13 root root 12288 Jun 19 04:10 lib
drwx------ 2 root root 16384 May 27 22:38 lost+found
drwxr-xr-x 2 root root 4096 Jan 27 10:43 media
drwxr-xr-x 2 root root 0 Jun 22 00:23 misc
drwxr-xr-x 2 root root 4096 Jan 27 10:43 mnt
drwxr-xr-x 2 root root 0 Jun 22 00:23 net
drwxr-xr-x 2 root root 4096 Jan 27 10:43 opt
dr-xr-xr-x 93 root root 0 Jun 22 00:22 proc
drwxr-x--- 10 root root 4096 Jun 22 21:05 root
drwxr-xr-x 2 root root 12288 Jun 18 04:09 sbin
drwxr-xr-x 4 root root 0 Jun 22 00:22 selinux
drwx------ 3 root root 4096 Jun 19 02:54 sftransfers
drwxr-xr-x 2 root root 4096 Jan 27 10:43 srv
drwxr-xr-x 11 root root 0 Jun 22 00:22 sys
drwxrwxrwt 3 root root 4096 Jun 23 04:02 tmp
drwxr-xr-x 13 root root 4096 Jun 18 02:16 usr
drwxr-xr-x 19 root root 4096 Jun 18 02:16 var

# ls -l /sftransfers
total 8
drwx------ 14 root root 4096 Jun 19 02:39 000000000
drwx------ 14 root root 4096 Jun 19 02:39 000000001

With 5.2 I see
on the client:

sftp 000000000 [at] cento
Connecting to centos...
000000000 [at] cento's password:
Read from remote host centos: Connection reset by peer
Couldn't read packet: Connection reset by peer


On the server:
==> secure <==
Jun 24 00:01:43 centos1 sshd[19662]: Accepted password for 000000000
from 10.68.66.17 port 50147 ssh2
Jun 24 00:01:44 centos1 sshd[19662]: pam_unix(sshd:session): session
opened for user 000000000 by (uid=0)
Jun 24 00:01:44 centos1 sshd[19664]: fatal: ssh_selinux_getctxbyname:
ssh_selinux_getctxbyname: security_getenforce() failed
Jun 24 00:01:44 centos1 sshd[19662]: pam_unix(sshd:session): session
closed for user 000000000

==> audit/audit.log <==
type=USER_ACCT msg=audit(1277290861.636:412): user pid=19533 uid=0
auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1277290861.636:413): user pid=19533 uid=0
auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1277290861.641:414): login pid=19533 uid=0 old
auid=4294967295 new auid=0 old ses=4294967295 new ses=62
type=USER_START msg=audit(1277290861.646:415): user pid=19533 uid=0
auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session
open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
type=CRED_DISP msg=audit(1277290861.675:416): user pid=19533 uid=0
auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred
acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
res=success)'
type=USER_END msg=audit(1277290861.676:417): user pid=19533 uid=0
auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session
close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
type=USER_ACCT msg=audit(1277294461.804:418): user pid=19657 uid=0
auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1277294461.805:419): user pid=19657 uid=0
auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1277294461.808:420): login pid=19657 uid=0 old
auid=4294967295 new auid=0 old ses=4294967295 new ses=63
type=USER_START msg=audit(1277294461.814:421): user pid=19657 uid=0
auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session
open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
type=CRED_DISP msg=audit(1277294461.843:422): user pid=19657 uid=0
auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred
acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
res=success)'
type=USER_END msg=audit(1277294461.845:423): user pid=19657 uid=0
auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session
close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
type=USER_AUTH msg=audit(1277294503.940:424): user pid=19662 uid=0
auid=679492 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM:
authentication acct="000000000" : exe="/usr/sbin/sshd"
(hostname=client, addr=10.68.66.17, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1277294503.981:425): user pid=19662 uid=0
auid=679492 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM:
accounting acct="000000000" : exe="/usr/sbin/sshd" (hostname=client,
addr=10.68.66.17, terminal=ssh res=success)'
type=CRED_ACQ msg=audit(1277294504.031:426): user pid=19662 uid=0
auid=679492 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM:
setcred acct="000000000" : exe="/usr/sbin/sshd" (hostname=client,
addr=10.68.66.17, terminal=ssh res=success)'
type=LOGIN msg=audit(1277294504.040:427): login pid=19662 uid=0 old
auid=679492 new auid=1002 old ses=1 new ses=64
type=USER_START msg=audit(1277294504.086:428): user pid=19662 uid=0
auid=1002 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM:
session open acct="000000000" : exe="/usr/sbin/sshd" (hostname=client,
addr=10.68.66.17, terminal=ssh res=success)'
type=CRED_ACQ msg=audit(1277294504.137:429): user pid=19664 uid=0
auid=1002 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM:
setcred acct="000000000" : exe="/usr/sbin/sshd" (hostname=client,
addr=10.68.66.17, terminal=ssh res=success)'
type=CRED_DISP msg=audit(1277294504.187:430): user pid=19662 uid=0
auid=1002 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM:
setcred acct="000000000" : exe="/usr/sbin/sshd" (hostname=client,
addr=10.68.66.17, terminal=ssh res=success)'
type=USER_END msg=audit(1277294504.234:431): user pid=19662 uid=0
auid=1002 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM:
session close acct="000000000" : exe="/usr/sbin/sshd"
(hostname=client, addr=10.68.66.17, terminal=ssh res=success)'
With 5.5 I see
on the client:
$ sftp 000000000 [at] cento
Connecting to centos...
000000000 [at] cento's password:
sftp> ls
Couldn't get handle: Permission denied
sftp>

$ sftp 000000001 [at] cento
Connecting to centos...
000000001 [at] cento's password:
sftp> ls
Couldn't get handle: Permission denied
sftp>

On the server:
==> secure <==
Jun 24 00:10:32 centos1 sshd[13709]: Received signal 15; terminating.
Jun 24 00:10:39 centos1 sshd[19820]: Server listening on :: port 22.
Jun 24 00:10:39 centos1 sshd[19820]: Server listening on 0.0.0.0 port 22.
Jun 24 00:10:54 centos1 sshd[19823]: Accepted password for 000000000
from 10.68.66.17 port 44427 ssh2
Jun 24 00:10:54 centos1 sshd[19823]: pam_unix(sshd:session): session
opened for user 000000000 by (uid=0)
Jun 24 00:10:55 centos1 sshd[19825]: subsystem request for sftp


==> audit/audit.log <==
type=USER_AUTH msg=audit(1277295054.778:432): user pid=19823 uid=0
auid=679492 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM:
authentication acct="000000000" : exe="/usr/sbin/sshd"
(hostname=client, addr=10.68.66.17, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1277295054.830:433): user pid=19823 uid=0
auid=679492 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM:
accounting acct="000000000" : exe="/usr/sbin/sshd" (hostname=client,
addr=10.68.66.17, terminal=ssh res=success)'
type=CRED_ACQ msg=audit(1277295054.900:434): user pid=19823 uid=0
auid=679492 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM:
setcred acct="000000000" : exe="/usr/sbin/sshd" (hostname=client,
addr=10.68.66.17, terminal=ssh res=success)'
type=LOGIN msg=audit(1277295054.912:435): login pid=19823 uid=0 old
auid=679492 new auid=1002 old ses=40 new ses=65
type=USER_START msg=audit(1277295054.956:436): user pid=19823 uid=0
auid=1002 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM:
session open acct="000000000" : exe="/usr/sbin/sshd" (hostname=client,
addr=10.68.66.17, terminal=ssh res=success)'
type=CRED_ACQ msg=audit(1277295055.009:437): user pid=19825 uid=0
auid=1002 subj=user_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM:
setcred acct="000000000" : exe="/usr/sbin/sshd" (hostname=client,
addr=10.68.66.17, terminal=ssh res=success)'
Any pointers as to what I'm doing wrong, or how I can go about
finding out why this is failing would be greatly appreciated.


Cheers,
Andrej
--
Please don't top post, and don't use HTML e-Mail :} Make your quotes concise.

http://www.georgedillon.com/web/html_email_is_evil.shtml


andrej.groups at gmail

Jun 23, 2010, 4:53 PM

Post #2 of 2 (2120 views)
Re: openssh 5.x, sftp & chroot [In reply to]

On 23 June 2010 12:22, Andrej <andrej.groups [at] gmail> wrote:
> perms:
> # ls -l
> total 146
> drwx------  3 root root  4096 Jun 19 02:54 sftransfers

Following up on my own request:

I found yet another walk-through; this one, unlike all the others I
came across googling, suggests 0755 for the base directory of
the chroot jail, and (funnily enough?) that works. Question is:
which is canonically correct, and are there any security implications
with the new perms?
Cheers,
Andrej
--
Please don't top post, and don't use HTML e-Mail :} Make your quotes concise.

http://www.georgedillon.com/web/html_email_is_evil.shtml
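The follow-up's question has a documented answer: sshd_config(5) requires that every component of the ChrootDirectory path be a root-owned directory that is not writable by any other user or group. A root-owned 0700 directory passes that check, but the jailed account has no search permission on it, so the session lands in a directory it cannot open and the client reports "Couldn't get handle: Permission denied" (the 5.5 symptom above). 0755 satisfies the ownership rule and lets the user traverse the jail; the consequence is that the user cannot write at the jail root, so uploads need a user-owned subdirectory below it. The 5.2 failure is a different matter: the `security_getenforce()` error in the log is an SELinux context lookup failing, which a permission check will not explain. The script below is an added example, not code from the thread or from the OpenSSH project: it walks a candidate jail path and classifies each component against the rule above, and it expands the `%h`/`%u`/`%%` tokens that sshd_config(5) allows in ChrootDirectory so the `%h` from the posted config can be checked. It assumes GNU coreutils `stat -c`; the "not-world-traversable" verdict deliberately ignores group membership, so a 0750 directory shared with the user's group is flagged conservatively.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: check whether a directory
# can serve as an sshd ChrootDirectory. sshd_config(5) requires every component
# of the path to be a root-owned directory that is not writable by any other
# user or group. On top of that, the jailed account needs search (x) permission
# on each component, or the session starts in a directory it cannot open, which
# is the "Couldn't get handle: Permission denied" seen in the thread with 0700.

# classify_component UID MODE
# Pure policy check on one path component. MODE is the octal mode string as
# printed by GNU `stat -c %a` (e.g. 755 or 1777). Prints exactly one word:
#   ok, not-root-owned, writable-by-others or not-world-traversable.
# Group membership is deliberately ignored, so a 0750 directory whose group
# contains the user is reported as not-world-traversable (a conservative call).
classify_component() {
    uid=$1 mode=$2
    if [ "$uid" != 0 ]; then
        echo not-root-owned
    elif [ $(( 0$mode & 022 )) -ne 0 ]; then      # group or other write bit set
        echo writable-by-others
    elif [ $(( 0$mode & 01 )) -eq 0 ]; then       # no search bit for "other"
        echo not-world-traversable
    else
        echo ok
    fi
}

# check_one PATH: classify a single directory and print one report line.
check_one() {
    p=$1
    if [ ! -d "$p" ]; then
        printf '%-40s missing-or-not-a-directory\n' "$p"
        return 1
    fi
    set -- $(stat -c '%u %a' "$p")                # GNU coreutils: owner uid, octal mode
    verdict=$(classify_component "$1" "$2")
    printf '%-40s uid=%-5s mode=%-5s %s\n' "$p" "$1" "$2" "$verdict"
    [ "$verdict" = ok ]
}

# check_chroot_dir PATH
# Walks from / down to PATH, reporting every component. Returns 0 only if all
# components are acceptable, so it can serve as a pre-flight test before
# pointing ChrootDirectory at PATH.
check_chroot_dir() {
    target=$1 rc=0
    path=/
    check_one "$path" || rc=1
    rest=${target#/}                              # "/" itself was checked above
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -z "$comp" ] && continue                # doubled or trailing slashes
        path="${path%/}/$comp"
        check_one "$path" || rc=1
    done
    return $rc
}

# expand_chroot_tokens DIRECTIVE USER HOME
# Expands the tokens sshd_config(5) allows in ChrootDirectory: %h (home
# directory), %u (user name) and %% (a literal %). The thread's config uses
# "ChrootDirectory %h", so the jail is the account's home directory.
expand_chroot_tokens() {
    directive=$1 user=$2 home=$3 out=""
    while [ -n "$directive" ]; do
        case $directive in
            %%*) out="$out%";     directive=${directive#%%} ;;
            %h*) out="$out$home"; directive=${directive#%h} ;;
            %u*) out="$out$user"; directive=${directive#%u} ;;
            *)   out="$out${directive%"${directive#?}"}"; directive=${directive#?} ;;
        esac
    done
    printf '%s\n' "$out"
}

# Usage: sh chroot-check.sh DIRECTIVE USER HOME
# e.g.   sh chroot-check.sh '%h' 000000000 /sftransfers/000000000
if [ $# -eq 3 ]; then
    check_chroot_dir "$(expand_chroot_tokens "$1" "$2" "$3")"
fi
```

Run against the thread's layout, the script reports `/sftransfers` and `/sftransfers/000000000` as not-world-traversable while they are 0700, and every component as ok once they are root-owned 0755; a jail placed under a world-writable parent such as `/tmp` is flagged as writable-by-others, which is exactly the case sshd refuses.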
