SSH/CVS Chroot

Yang Xiao yxiao2004 at gmail.com
Fri May 20 20:21:51 UTC 2005


On 5/20/05, Sam Varshavchik <mrsam at courier-mta.com> wrote:
> Yang Xiao writes:
> 
> > Hi all,
> > I'm trying to build a CVS server with SSH chroot following this link
> > on a FC2 box
> > http://www.grack.com/news/FedoraCore3RunningCVSinac.html.
> >
> > I can't even seem to get SSH chroot to work, the document says all I
> > need to do is to add the pam_chroot.so to /etc/pam.d/sshd and add the
> > user names to /etc/security/chroot.conf, but this doesn't seem to
> > work.
> > any hints and help are appreciated.
> 
> Everything a chrooted program needs must, obviously, be in your chroot jail
> environment.
> 
> For example, sshd loads all of the following libraries:
> 
> # ldd /usr/sbin/sshd
>         libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00a77000)
>         libpam.so.0 => /lib/libpam.so.0 (0x00a6d000)
>         libdl.so.2 => /lib/libdl.so.2 (0x00a67000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x00afa000)
>         libutil.so.1 => /lib/libutil.so.1 (0x00a97000)
>         libz.so.1 => /usr/lib/libz.so.1 (0x00aa4000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x00b0f000)
>         libcrypto.so.4 => /lib/libcrypto.so.4 (0x00cd4000)
>         libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00b26000)
>         libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00c64000)
>         libcom_err.so.2 => /lib/libcom_err.so.2 (0x00a92000)
>         libc.so.6 => /lib/tls/libc.so.6 (0x00949000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00930000)
>         libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00b90000)
> 
> All of these libraries must, obviously, exist in your chrooted environment,
> otherwise sshd can't possibly start.
> 
> And that's just the beginning.  Everything sshd could possibly touch must
> also be in your chroot jail.  sshd's man page lists a lot of files that sshd
> might need, but I'm sure there's plenty more stuff that's not documented.
> 
> It's probably easier to configure sshd to allow cert authentication only,
> then patch it so that it always executes cvs, ignoring whatever command the
> ssh client wants sshd to run, then patch cvs to chroot itself into a jail.
> 
> It's very easy to patch cvs to come up in a chrooted jail.
> 
> 
> 
Hi,
Thanks for replying, I found what the problem was, I didn't follow the
document by the letter, and set the wrong home dir and login shell for
the test user account. So it works now, many thanks.

Yang
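The quoted reply's point, that every library `ldd` lists for a binary must also exist under the jail, can be checked mechanically before anything is started chrooted. The script below is an added example, not code from this thread or from the linked article: it parses `ldd` output, reports which of those libraries are absent from a jail directory, and can copy them in with their paths preserved. The jail path `/var/jail` is an assumption; note that `ldd` only sees link-time dependencies, so modules loaded later with `dlopen` (PAM, NSS) are the "plenty more stuff" the reply warns about and still have to be added by hand.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate the shared libraries a
# binary needs, as ldd reports them, and check or fill a chroot jail.

# Read ldd output on stdin, print one absolute library path per line.
# Handles "lib => /path (addr)" lines, the bare loader line "/path (addr)",
# and skips "linux-vdso.so.1 (addr)" and "lib => not found" entries.
ldd_paths() {
    awk '
        /not found/ { next }
        /=>/        { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//  { print $1 }
    '
}

# Read library paths on stdin; print each one that is absent under JAIL.
check_jail() {
    jail=$1
    while read -r lib; do
        [ -e "$jail$lib" ] || echo "MISSING $lib"
    done
}

# Read file paths on stdin; copy each into JAIL at the same path.
# -L follows symlinks so the real object (not a dangling link) lands in the jail.
populate_jail() {
    jail=$1
    while read -r f; do
        mkdir -p "$jail$(dirname "$f")"
        cp -L "$f" "$jail$f"
    done
}

# Usage: sh jailcheck.sh /var/jail /usr/sbin/sshd
# Reports what sshd would still need inside the (assumed) jail /var/jail.
# Pipe into "populate_jail /var/jail" instead of check_jail to copy them.
if [ $# -ge 2 ]; then
    ldd "$2" | ldd_paths | check_jail "$1"
fi
```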




More information about the fedora-list mailing list