From owner-freebsd-security Mon Nov 5 8:48:30 2001
From: "Magdalinin Kirill"
To: volax@uh.ru
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Chrooted SSH2 problem
Date: Mon, 05 Nov 2001 19:48:22 +0300
Sender: owner-freebsd-security@FreeBSD.ORG

>gate# ssh2 -l dummy localhost
>dummy@localhost's password:
>Authentication successful.
>Connection to localhost closed.
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

At this point sshd has already chrooted the user and tries to run /bin/sh, which does not exist, because there is no sh in /home/chrooted/dummy/bin/ (after the chroot, /home/chrooted/dummy/bin/ is not a link to the system /bin; it is just an empty /bin).

If you want to allow a couple of users on your box, then placing sh (statically linked) in /home/chrooted/dummy/bin/ should do the trick. If there must be many users, then consider making bin, usr and even var directories under /home/chrooted, and chrooting all users to /home/chrooted. All binaries in bin and usr must be statically linked, or you will have to place all the necessary libraries over there, which is a security risk(?).
I don't remember exactly why, but instead of chrooting users by sshd I use the following would-be-shell to chroot users; that shell is set as the user's default shell and is called by sshd at login time:

#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Login-shell wrapper. chroot(2) needs root, so if this binary is installed
 * setuid root it must drop back to the real user before running bash. */
int main(int argc, char *argv[])
{
	char *dir;
	/* Look the user up by real uid before the chroot, while /etc/passwd is
	 * still reachable, instead of trusting LOGNAME from the environment. */
	struct passwd *pw = getpwuid(getuid());

	if (pw == NULL)
		return 1;
	/* Fail closed: never fall through to a shell outside the jail. */
	if (chroot("/home") == -1) {
		perror("chroot");
		return 1;
	}
	/* From here on paths are resolved relative to the new root (/home). */
	if (asprintf(&dir, "/home/home/%s", pw->pw_name) == -1 || chdir(dir) == -1) {
		perror("chdir");
		return 1;
	}
	free(dir);
	/* Drop privileges; a no-op when the wrapper is not setuid. */
	if (setgid(getgid()) == -1 || setuid(getuid()) == -1)
		return 1;
	/* Pass sshd's arguments (e.g. "-c command") straight through to bash
	 * rather than joining them into one string for system(), which would
	 * have /bin/sh parse the command a second time. */
	argv[0] = "bash";
	execv("/usr/local/bin/bash", argv);
	perror("execv");
	return 1;
}

Hope this helps,

Kirill Magdalinin
bsdforumen@hotmail.com

>From: "Alexander S. Volchenkov"
>Reply-To: volax@uh.ru
>To: freebsd-security@FreeBSD.ORG
>Subject: Chrooted SSH2 problem
>Date: Mon, 5 Nov 2001 18:51:52 +0300
>
>Hi All!
>
>I've just installed ssh2 and am trying to implement its chroot feature.
>I have a problem with user login.
>
>User "dummy" is in the "chrooted" group. His home directory,
>/home/chrooted/dummy, contains a bin subdirectory with a mirror of /bin.
>The user's shell is /bin/sh. The command "chroot /home/chrooted/dummy" works fine.
>
>From /etc/sshd2_conf:
>-------------------------------------------
>AllowGroups chrooted
>ChRootGroups chrooted
>-------------------------------------------
>
>Client session:
>-------------------------------------------
>gate# ssh2 -l dummy localhost
>dummy@localhost's password:
>Authentication successful.
>Connection to localhost closed.
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>-------------------------------------------
>
>tail /var/log/messages:
>-------------------------------------------
>sshd[16513]: User dummy's local password accepted.
>sshd[16513]: Password authentication for user dummy accepted.
>sshd[16513]: User dummy, coming from localhost.sbm, authenticated.
>-------------------------------------------
>
>What do I need to do to fix it?
>
>Thanks,
>Alexander S.
>Volchenkov (mailto:volax@uh.ru)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
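The failure in this thread is sshd chrooting the user and then failing to exec a login shell that is not in the jail (or whose shared libraries are not). The script below is an added example, not code from either message; it takes a jail root and the shell path from /etc/passwd, checks that the shell exists and is executable inside the jail, and for a dynamically linked ELF binary checks that every library path reported by the host's ldd also exists under the jail. The jail path /home/chrooted/dummy in the usage line is taken from the thread; the function name and the use of ldd and od are this example's own choices.

```sh
#!/bin/sh
# Added example: verify that a chroot jail can actually exec a user's login shell.
# Usage: jail_shell_ok /home/chrooted/dummy /bin/sh
# Returns 0 when the shell exists inside the jail, is executable and every
# shared library (and dynamic loader) it needs is also inside the jail; 1 otherwise.
jail_shell_ok() {
    jail=$1
    shell=$2
    target="$jail$shell"

    if [ ! -f "$target" ]; then
        echo "missing: $target (sshd execs $shell after chroot and the session closes)" >&2
        return 1
    fi
    if [ ! -x "$target" ]; then
        echo "not executable: $target" >&2
        return 1
    fi

    # Only ELF binaries carry dynamic dependencies; a script or other file is done here.
    magic=$(head -c 4 "$target" | od -A n -c | tr -d ' ')
    if [ "$magic" != "177ELF" ]; then
        return 0
    fi

    # ldd prints "libc.so.7 => /lib/libc.so.7 (0x...)" lines plus the loader path
    # (e.g. /libexec/ld-elf.so.1 on FreeBSD). A statically linked sh prints no such
    # lines and therefore needs nothing else in the jail. Every absolute path the
    # host resolves must exist at the same path under the jail root.
    missing=0
    for lib in $(ldd "$target" 2>/dev/null |
                 awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\// && $i !~ /:$/) print $i }'); do
        if [ ! -f "$jail$lib" ]; then
            echo "library needed by $shell is not in the jail: $jail$lib" >&2
            missing=1
        fi
    done
    return $missing
}

# Run as a command when given the two arguments; harmless when sourced.
if [ $# -eq 2 ]; then
    jail_shell_ok "$1" "$2"
    exit $?
fi
```

Run it against the jail before touching sshd2_config: an empty bin/ (the situation above) fails on the first check, a copied dynamic /bin/sh fails on the library check and lists exactly what to copy, and a statically linked sh passes with nothing else in the jail.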