Pam_chroot
Ed Schmollinger
schmolli at frozencrow.org
Fri Mar 24 19:17:26 UTC 2006
On Thu, Mar 23, 2006 at 07:25:27AM -0500, Kevin Alford wrote:
> I am trying to configure pam_chroot on Redhat ES4. My log files are
> really not giving me any information regarding chroot.
> What am I doing wrong? Does anyone have any documentation on how to
> setup chroot for SSH on RedHat?
> I haven't been able to find any good documentation regarding
> pam_chroot. Any help is greatly appreciated.
>
>
> My etc/pam.d/sshd configuration is below:
> #%PAM-1.0
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required /lib/security/pam_chroot.so debug
> session required pam_stack.so service=system-auth
> session required pam_loginuid.so
you should be seeing at least some debug messages in syslog. iirc, the
pam_chroot redhat uses doesn't say much, but there should be something.
maybe check your syslog.conf settings to make sure you're capturing
DEBUG level messages.
also, you *probably* want pam_chroot to be the last session module you
run, unless you have duplicated all the support for the rest of the
modules inside the chroot jail.
> My /etc/security/chroot.conf looks like this
> more chroot.conf
> # /etc/security/chroot.conf
> # format:
> # username_regex chroot_dir
> jdoe /home/jdoe
>
> /home/jdoe looks like this:
>
> -rw------- 1 root root 92 Mar 19 23:13 .bash_history
> -rw-r--r-- 1 root root 41 Mar 16 15:55 .bash_login
> -rw-r--r-- 1 root root 20 Mar 16 13:58 .bash_logout
> -rw-r--r-- 1 root root 131 Mar 16 16:21 .bash_profile
> -rw-r--r-- 1 root root 124 Mar 16 13:51 .bashrc
> drwxr-xr-x 2 root root 4096 Mar 22 11:53 bin
> drwxr-xr-x 2 root root 4096 Mar 22 11:56 home
> drwxr-xr-x 2 root root 4096 Mar 22 11:58 lib
> -rw-r--r-- 1 root root 27 Mar 16 16:16 .profile
> drwx------ 2 jdoe jdoe 4096 Mar 16 13:56 .ssh
> -rw------- 1 jdoe jdoe 426 Mar 22 12:36 .Xauthority
what's in /home/jdoe/{bin,lib}/ ? is this set up as a full chroot?
another thing you can do to debug is to start up a debugging instance of
sshd and strace it:
# strace -fv /usr/sbin/sshd -p 8022 -d -d -d -D
and then from a separate window, try sshing in on port 8022.
% ssh -p 8022 jdoe@localhost
cheers,
--
Ed Schmollinger - schmolli at frozencrow.org - http://frozencrow.org/
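The two checks below are an added example, not code from either poster: a small POSIX shell script that verifies the two points made in the reply above, namely that pam_chroot.so is the last "session" module in /etc/pam.d/sshd, and that the jail's bin/ directory is accompanied by every library the binaries in it load (the "is this set up as a full chroot?" question). The function names, the temporary directory layout, the sample ldd(1) output and the partial jail are all constructed for illustration; the PAM lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the list thread): sanity checks for a pam_chroot
# jail. Function names, demo paths and sample data are assumptions.

# Return 0 if the last non-comment "session" line in a PAM config file
# references pam_chroot.so, 1 otherwise.
pam_chroot_is_last_session() {
    last=$(awk '$1 == "session" { line = $0 } END { print line }' "$1")
    case "$last" in
        *pam_chroot.so*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Given a jail root and a file holding ldd(1) output for one binary, print
# each resolved library path that does not exist at the same path inside
# the jail. Prints nothing when the jail already has everything.
jail_missing_libs() {
    jail="$1"
    awk '
        /=>/ { if ($3 ~ /^\//) print $3; next }   # libc.so.6 => /lib/libc.so.6 (0x...)
        $1 ~ /^\// { print $1 }                    # /lib/ld-linux.so.2 (0x...)
    ' "$2" | while IFS= read -r lib; do
        [ -e "$jail$lib" ] || printf '%s\n' "$lib"
    done
}

# Wrapper for a live system: run ldd on a binary already copied into the
# jail and report which of its libraries the jail still lacks.
check_jail_binary() {
    jail="$1"; bin="$2"
    tmp=$(mktemp)
    ldd "$jail/bin/$bin" > "$tmp" 2>/dev/null
    jail_missing_libs "$jail" "$tmp"
    rm -f "$tmp"
}

# --- constructed demo data, mirroring the thread's configuration ---------
DEMO=$(mktemp -d)

# /etc/pam.d/sshd exactly as posted: pam_chroot runs before the other
# session modules, which then execute inside the jail.
cat > "$DEMO/sshd.as_posted" <<'EOF'
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required /lib/security/pam_chroot.so debug
session required pam_stack.so service=system-auth
session required pam_loginuid.so
EOF

# Same file with pam_chroot moved to the end, as the reply recommends.
cat > "$DEMO/sshd.reordered" <<'EOF'
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session required /lib/security/pam_chroot.so debug
EOF

# Constructed ldd output for a hypothetical /home/jdoe/bin/bash.
cat > "$DEMO/ldd.txt" <<'EOF'
    linux-gate.so.1 =>  (0xffffe000)
    libc.so.6 => /lib/libc.so.6 (0x00a3c000)
    libdl.so.2 => /lib/libdl.so.2 (0x00b7e000)
    /lib/ld-linux.so.2 (0x00a1f000)
EOF

# A partial jail: only libc has been copied into lib/.
mkdir -p "$DEMO/jail/lib" "$DEMO/jail/bin"
: > "$DEMO/jail/lib/libc.so.6"

if pam_chroot_is_last_session "$DEMO/sshd.as_posted"; then
    echo "as posted: pam_chroot is the last session module"
else
    echo "as posted: pam_chroot runs before other session modules"
fi
pam_chroot_is_last_session "$DEMO/sshd.reordered" && echo "reordered: ok"
echo "libraries missing from the demo jail:"
jail_missing_libs "$DEMO/jail" "$DEMO/ldd.txt"
```

On a real host, `check_jail_binary /home/jdoe bash` runs ldd against the copied binary and lists the library paths that must also be copied under /home/jdoe (including the dynamic loader, which ldd prints without a "=>"); an empty result for every binary in bin/ is what "a full chroot" means for the purposes of the reply.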