chrooting SSH on Fedora Core 3

[xDamox]

First off install ssh (must be the PAM enabled version)and you also need the libpam_chroot module.

if you have install ssh by default on fedora this module is installed :)

 

Ok so they should be installed.

 

Then edit "/etc/pam.d/sshd".

 

Code:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_chroot.so

 

if you do have pam_limits.so in the sshd config file comment it out with a # or remove the line

Hopefully a pam 'head' can explain why the limit file gives difficulties... probably something simple.

 

Ok so now when ssh uses pam it should use the pam_chroot. Thats what we just setup. Now we need to tell ssh to actaully use it [img]<___base_url___>/uploads/emoticons/default_laugh.png[/img]

 

Edit "/etc/ssh/sshd_config". I'm not going to put in the WHOLE sshd_config file here just the two lines that require to be set the ... represent the rest of the file.

 

Code:

#normally this is yes.. so switch to no
UsePrivilegeSeparation no

#normally this is yes...but check
UsePAM yes

 

Ok it should be stressed that you should NEVER run ssh with UsePriv.. set to no unless you plan on chroot'in. This basically gives ssh the ability to be root, this can lead to real dangers. We need it to run as root because we cannot chroot the user into the new chroot enviroment unless we are root.

 

Right.. so sshd is ready... Now to finish off the PAM setup.

 

Edit "/etc/security/chroot.conf"

 

Code:

znx /home/chroot

 

NOW we're ready.... Restart your ssh daemon to get the new config:

 

Code:

/etc/init.d/sshd restart

 

Once you have got this far you will want to chown /home/znx to root:root

 

Code:

chown root.root /home/znx

 

The finally change the permission to 755

 

Code:

chmod 755 /home/znx

 

you will need to add the binarys and library files to the chroot as shown below:

 

Code:

# cd /home/
# mkdir chroot
# cd chroot/
# mkdir bin lib
# cp /bin/bash bin/
# ldd /bin/bash
libncurses.so.5 => /lib/libncurses.so.5 (0x40025000)
      libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x40062000)
      libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x40065000)
      /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
# cp /lib/libncurses.so.5 lib/
# mkdir lib/tls/i686/cmov -p
# cp /lib/ld-linux.so.2 lib/
# cp /lib/tls/i686/cmov/{libdl.so.2,libc.so.6} lib/
# cd
# chroot /home/chroot/ /bin/bash
bash-2.05b# ls
bash: ls: command not found
bash-2.05b# exit

 

Well thats it. The ssh daemon will now force a user into the chroot 'jail' using PAM. Lets test...

 

Code:

# ssh -l znx localhost
Password: *******
Last login: Fri Mar 25 19:28:08 2005 from localhost.localdomain
-bash-2.05b$ ls
-bash: ls: command not found
-bash-2.05b$ logout
Connection to ubuntu closed.

 

Jy provided a link to the following site with a script that will move the binarys and librarys to the chrooted dir:

 

[/url][url=http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/]http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/

 

This guide was produced by znx and edited by xDamox ;) many thanks to znx

[square]

Nice xdamox/znx cool tutorial

 

 

keep them coming

 

 

 

square

[FluKex]

Note!!!!! VERY important note.

 

I just tried this walkthrough on RH9, Fedora Core 2, and Redhat Enterprise 4.

 

It doesnt work, and infact kills sshd. the "UsePam" feature doesnt exist in any of the versions i tried and therefor fails on restarting sshd.

 

What distro was this figured out for?

[xDamox]

This works fine on Fedora core 3

[znx]

Note!!!!!

[FluKex]

Already verified that the version has support for pam.

[znx]

Already verified that the version has support for pam.

<{POST_SNAPBACK}>

 

 

and pam_limits.so ?