Re: SSH/CVS Chroot

On 5/20/05, Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote:
> Yang Xiao writes:
> 
> > Hi all,
> > I'm trying to build a CVS server with SSH chroot following this link
> > on a FC2 box
> > http://www.grack.com/news/FedoraCore3RunningCVSinac.html.
> >
> > I can't even seem to get SSH chroot to work, the document says all I
> > need to do is to add the pam_chroot.so to /etc/pam.d/sshd and add the
> > user names to /etc/security/chroot.conf, but this doesn't seem to
> > work.
> > any hints and help are appreciated.
> 
> Everything a chrooted program needs must, obviously, be in your chroot jail
> environment.
> 
> For example, sshd loads all of the following libraries:
> 
> # ldd /usr/sbin/sshd
>         libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00a77000)
>         libpam.so.0 => /lib/libpam.so.0 (0x00a6d000)
>         libdl.so.2 => /lib/libdl.so.2 (0x00a67000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x00afa000)
>         libutil.so.1 => /lib/libutil.so.1 (0x00a97000)
>         libz.so.1 => /usr/lib/libz.so.1 (0x00aa4000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x00b0f000)
>         libcrypto.so.4 => /lib/libcrypto.so.4 (0x00cd4000)
>         libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00b26000)
>         libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00c64000)
>         libcom_err.so.2 => /lib/libcom_err.so.2 (0x00a92000)
>         libc.so.6 => /lib/tls/libc.so.6 (0x00949000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00930000)
>         libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00b90000)
> 
> All of these libraries must, obviously, exist in your chrooted environment,
> otherwise sshd can't possibly start.
> 
> And that's just the beginning.  Everything sshd could possibly touch must
> also be in your chroot jail.  sshd's man page lists a lot of files that sshd
> might need, but I'm sure there's plenty more stuff that's not documented.
> 
> It's probably easier to configure sshd to allow cert authentication only,
> then patch it so that it always executes cvs, ignoring whatever command the
> ssh client wants sshd to run, then patch cvs to chroot itself into a jail.
> 
> It's very easy to patch cvs to come up in a chrooted jail.
> 
> 
> 
Hi,
Thanks for replying. I found what the problem was: I didn't follow the
document to the letter, and set the wrong home dir and login shell for
the test user account. So it works now, many thanks.

Yang
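
Added example, not part of the original thread: a shell check for the point made in the quoted reply, that every library ldd reports must also exist inside the chroot jail. The function names (sample_ldd, ldd_paths, missing_in_jail) and the jail path /var/chroot are assumptions for illustration; the sample lines are a constructed subset of the ldd output quoted above.

```shell
#!/bin/sh
# Constructed sample: a subset of the ldd output quoted in the thread.
sample_ldd() {
cat <<'EOF'
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00a77000)
        libpam.so.0 => /lib/libpam.so.0 (0x00a6d000)
        libc.so.6 => /lib/tls/libc.so.6 (0x00949000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00930000)
EOF
}

# Read ldd output on stdin and print one absolute library path per line.
# Handles "name => /path (addr)" and bare "/path (addr)" lines; entries
# with no file on disk (linux-gate, vdso) and "not found" are skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\// && $2 ~ /^\(/ { print $1 }
    ' | LC_ALL=C sort -u
}

# Read ldd output on stdin and print every library path that does not
# exist under the jail directory given as $1.
missing_in_jail() {
    jail=$1
    ldd_paths | while IFS= read -r lib; do
        [ -e "$jail$lib" ] || printf '%s\n' "$lib"
    done
}

# Demo on the constructed sample; the jail path is an assumption.
# On a real host: ldd /usr/sbin/sshd | missing_in_jail /var/chroot
sample_ldd | missing_in_jail "${JAIL:-/var/chroot}"
```

An empty result only means the shared libraries are present; as the quoted reply says, configuration files, devices and anything else the program opens at run time still have to be in the jail as well.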

