Yang Xiao writes:
Hi all, I'm trying to build a CVS server with SSH chroot following this link on a FC2 box: http://www.grack.com/news/FedoraCore3RunningCVSinac.html.
I can't even seem to get SSH chroot to work. The document says all I need to do is to add the pam_chroot.so to /etc/pam.d/sshd and add the user names to /etc/security/chroot.conf, but this doesn't seem to work. Any hints and help are appreciated.
Everything a chrooted program needs must, obviously, be in your chroot jail environment.
For example, sshd loads all of the following libraries:
# ldd /usr/sbin/sshd
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00a77000)
        libpam.so.0 => /lib/libpam.so.0 (0x00a6d000)
        libdl.so.2 => /lib/libdl.so.2 (0x00a67000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00afa000)
        libutil.so.1 => /lib/libutil.so.1 (0x00a97000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00aa4000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00b0f000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x00cd4000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00b26000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00c64000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x00a92000)
        libc.so.6 => /lib/tls/libc.so.6 (0x00949000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00930000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00b90000)
All of these libraries must, obviously, exist in your chrooted environment, otherwise sshd can't possibly start.
And that's just the beginning. Everything sshd could possibly touch must also be in your chroot jail. sshd's man page lists a lot of files that sshd might need, but I'm sure there's plenty more stuff that's not documented.
It's probably easier to configure sshd to allow cert authentication only, then patch it so that it always executes cvs, ignoring whatever command the ssh client wants sshd to run, then patch cvs to chroot itself into a jail.
It's very easy to patch cvs to come up in a chrooted jail.
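The reply above suggests patching cvs so that it confines itself to a jail rather than chrooting sshd. The following is an added example, not code from this thread or from the cvs or OpenSSH projects, of the sequence such a patch has to get right: check that the jail root is sane, chroot(), chdir("/") so the working directory is inside the new root, then give up root for good and verify that the drop stuck. A process that stays root inside a chroot, or that skips chdir("/"), is not actually confined. The jail path and the unprivileged uid/gid in main() are hypothetical placeholders; the jail directory itself would still have to be populated with the libraries ldd lists for the binary, as the reply explains.

```c
/* Added example: the self-jailing sequence a program such as cvs
 * would run at startup. Not code from the thread or from cvs. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>

/* Refuse a jail root that is not a directory, not owned by root, or
 * writable by group/others. A user-writable jail root lets the confined
 * process create files and links that weaken the chroot. Returns 0 if
 * the directory is acceptable, -1 (with errno set) otherwise. */
int check_jail_dir(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return -1;                       /* errno from stat() */
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Enter the jail and drop privileges. Order matters:
 *  1. chroot() while still root,
 *  2. chdir("/") so the cwd is inside the jail (chroot() alone does
 *     not move the working directory),
 *  3. clear supplementary groups and set gid before uid, because
 *     after setuid() we can no longer change them,
 *  4. confirm the drop is permanent by trying to become root again.
 * Returns 0 on success, -1 on any failure. */
int enter_jail(const char *path, uid_t uid, gid_t gid)
{
    if (check_jail_dir(path) != 0)
        return -1;
    if (chroot(path) != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {                /* drop did not stick: abort */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Hypothetical placeholders: a real patch would take these from
     * the program's configuration. */
    const char *jail = "/var/jail/cvs-placeholder";
    uid_t jail_uid = 65534;
    gid_t jail_gid = 65534;

    if (enter_jail(jail, jail_uid, jail_gid) != 0) {
        fprintf(stderr, "enter_jail(%s): %s\n", jail, strerror(errno));
        return 1;
    }
    printf("now confined to %s as uid %u\n", jail, (unsigned)getuid());
    return 0;
}
```

Only a root process can call chroot(), so the check in enter_jail() is deliberately fatal: if the program cannot prove it has dropped root, it refuses to continue rather than run with full privileges inside a directory it can trivially leave.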