Re: SSH/CVS Chroot

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 5/20/05, Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote:
> Yang Xiao writes:
> 
> > Hi all,
> > I'm trying to build a CVS server with SSH chroot following this link
> > on a FC2 box
> > ht
> > tp://www.grack.com/news/FedoraCore3RunningCVSinac.html.
> >
> > I can't even seem to get SSH chroot to work, the document says all I
> > need to do is to add the pam_chroot.so to /etc/pam.d/sshd and add the
> > user names to /etc/security/chroot.conf, but this doesn't seem to
> > work.
> > any hints and help are appreciated.
> 
> Everything a chrooted program needs must, obviously, be in your chroot jail
> environment.
> 
> For example, sshd loads all of the following libraries:
> 
> # ldd /usr/sbin/sshd
>         libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00a77000)
>         libpam.so.0 => /lib/libpam.so.0 (0x00a6d000)
>         libdl.so.2 => /lib/libdl.so.2 (0x00a67000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x00afa000)
>         libutil.so.1 => /lib/libutil.so.1 (0x00a97000)
>         libz.so.1 => /usr/lib/libz.so.1 (0x00aa4000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x00b0f000)
>         libcrypto.so.4 => /lib/libcrypto.so.4 (0x00cd4000)
>         libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00b26000)
>         libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00c64000)
>         libcom_err.so.2 => /lib/libcom_err.so.2 (0x00a92000)
>         libc.so.6 => /lib/tls/libc.so.6 (0x00949000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00930000)
>         libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00b90000)
> 
> All of these libraries must, obviously, exist in your chrooted environment,
> otherwise sshd can't possibly start.
> 
> And that's just the beginning.  Everything sshd could possibly touch must
> also be in your chroot jail.  sshd's man page lists a lot of files that sshd
> might need, but I'm sure there's plenty more stuff that's not documented.
> 
> It's probably easier to configure sshd to allow cert authentication only,
> then patch it so that it always executes cvs, ignoring whatever command the
> ssh client wants sshd to run, then patch cvs to chroot itself into a jail.
> 
> It's very easy to patch cvs to come up in a chrooted jail.
> 
> 
> 
Hi,
Thanks for replying, I found what the problem was, I didn't follow the
document by the letter, and set the wrong home dir and login shell for
the test user account. So it works now, many thanks.

Yang
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux