Date: Tue, 6 Nov 2001 11:56:31 +0200
From: Peter Pentchev <roam@ringlet.net>
To: "Alexander S. Volchenkov" <volax@uh.ru>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Chrooted SSH2 problem
Message-ID: <20011106115631.C10023@straylight.oblivion.bg>
In-Reply-To: <200111060717.fA67HZu81881@ns.uh.ru>; from volax@uh.ru on Tue, Nov 06, 2001 at 10:21:40AM +0300
References: <200111051546.fA5FkLu62095@ns.uh.ru> <20011105174639.C77919@straylight.oblivion.bg> <200111060717.fA67HZu81881@ns.uh.ru>

On Tue, Nov 06, 2001 at 10:21:40AM +0300, Alexander S. Volchenkov wrote:
> Hello, Peter!
>
> > >
> > > I've just installed ssh2 and trying to implement its chroot feature.
> > > I have a problem with user login.
> > >
> > > User "dummy" is in the "chrooted" group. His home directory :
> > > /home/chrooted/dummy contains bin subdirectory with a mirror of /bin.
> > > User's shell is /bin/sh. Command: chroot /home/chrooted/dummy works fine.
> > >
> > > From /etc/sshd2_conf:
> > > -------------------------------------------
> > > AllowGroups chrooted
> > > ChRootGroups chrooted
> > > -------------------------------------------
>
> -------------- SKIP -----------------
>
> > On the server, stop any sshd's running, then run an 'sshd -d' and
> > watch its output.
>
> The output of sshd2 -d1:
>
> gate# ssh2 -l dummy gate
> dummy@gate's password: <password>
> Authentication successful.
> sshd2[1296]: /etc/spwd.db: No such file or directory
> debug: ssh_user_become: getpwnam: Bad file descriptor
> debug: Switching to user 'dummy' failed!
> Connection to gate closed.
>
> Does it mean I must provide /etc/spwd.db file in the user home directory?
> In this case, how can I create this file for single user usage?

Yes, this is exactly what it means.  To create this file, take your
/etc/passwd and /etc/master.passwd, copy them to the user's $HOME/etc/,
then run 'vipw -d /path/to/usershome/etc' and delete all the lines
you do not want.

Alternatively, you could do something like:

    # fgrep username /etc/passwd > /userhome/etc/passwd
    # fgrep username /etc/master.passwd > /userhome/etc/master.passwd
    # pwd_mkdb -d /userhome/etc /userhome/etc/master.passwd

..which might be preferable if you intend to set up more than one
of these jails.

G'luck,
Peter

-- 
If this sentence didn't exist, somebody would have invented it.
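
The per-user copy described in the reply above, as an added example that is not part of the original thread: it selects the account by exact login name, so a substring match cannot pull other users' password hashes into the jail, and it keeps master.passwd private. The function name make_jail_pwdb and its arguments are hypothetical; the optional third argument (source directory, default /etc) is an assumption so it can be tried against copies.

```shell
#!/bin/sh
# Added example, not from the thread. make_jail_pwdb and its arguments are
# hypothetical names; the third argument (source dir) is an assumption so
# the function can be tried against copies instead of the live /etc.
make_jail_pwdb() (
    user=$1; jail=$2; src=${3:-/etc}
    [ -n "$user" ] && [ -d "$jail" ] || return 2

    umask 077                      # nothing is ever created world-readable
    mkdir -p "$jail/etc" || return 1

    for f in passwd master.passwd; do
        # Compare the login field exactly. 'fgrep dummy' would also copy
        # dummy2, or any line that merely contains the string, into the jail.
        awk -F: -v u="$user" '$1 == u' "$src/$f" > "$jail/etc/$f" || return 1
        n=$(awk 'END { print NR }' "$jail/etc/$f")
        if [ "$n" -ne 1 ]; then
            echo "$f: expected 1 entry for $user, found $n" >&2
            return 1
        fi
    done

    chmod 755 "$jail/etc"
    chmod 644 "$jail/etc/passwd"
    chmod 600 "$jail/etc/master.passwd"

    # FreeBSD's pwd_mkdb writes pwd.db and spwd.db into the -d directory.
    # Skipped on systems that do not have the tool.
    if command -v pwd_mkdb >/dev/null 2>&1; then
        pwd_mkdb -d "$jail/etc" "$jail/etc/master.passwd" || return 1
    fi
)
```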