Jail ssh - chroot with home mounted ?

Hello,

If I not wrong in the last version of interworx-cp-install you set by default the installation of the jailed ssh. You don’t perform this task when home is a partition which is mounted.

So is it possible to set the jail ssh if home is a partition ?

Pascal

Hi Pascal,

Here is the process:

  1. service iworx stop
  2. service httpd stop
  3. you may need to stop other services, do an ‘lsof /home’ to determinen what’s using /home
  4. cd /
  5. umount /home
  6. confirm /home is umounted and empty. If it is, go ahead rmdir /home
  7. edit /etc/fstab to change the mount point of the partition to /chroot instead of /home (you may want to change the label of the partition using e2label to stay consistent with the other partitions)
  8. mkdir /chroot
  9. mount /chroot
  10. mkdir /chroot/home
  11. ln -fs /chroot/home /home
  12. cd /chroot
  13. mv * home
  14. mv home/aquota.* /chroot
  15. chmod 755 /chroot
  16. chmod 711 /chroot/home

That should do it. Hope that helps!
Socheat

Hi Socheat,

it’s exactly what I was looking for :slight_smile:

Thanks

Pascal

Hello

When I connect whit a siteworx account to my box with the jail ssh setup I have this

Last login: Sat May 6 05:40:11 2006 from xxe-01-111-08-19.w81-3.abo.1.fr
id: cannot find name for group ID 574
id: cannot find name for user ID 574
[I have no name!@obiwan ~]$

Why is there this id: cannot find name ? and have “I have no name!”

is it normal ?

Also is it absolutly necesseray to have /chroot set with a chmod to 755 ? 711 wouldn’t be fine ?

And finally, on my other box (with home not mounted) I have done this

  • mkdir /chroot
  • mv /home /chroot/
  • ln -sf /chroot/home /home
  • chmod 755 /chroot
  • chmod 711 /chroot/home

Then I have changed one siteworx to allow it to connect with /usr/sbin/jk_chrootsh

But when I connect with this user I’m disconnect immediatly after the password

here is the log in /var/log/message, nothing special

May 6 06:14:26 padawan sshd(pam_unix)[6032]: session opened for user carathos by (uid=0)
May 6 06:14:27 padawan jk_chrootsh[6033]: now entering jail /chroot for user carathos (500)
May 6 06:14:27 padawan sshd(pam_unix)[6032]: session closed for user carathos

Do you know why ? what I have to check ?

Pascal

711 is should be fine Pascal, IIRC I did the same on a box a while back but the drawback is that your users will NOT be able to go that far down the directory tree which is pribably what you want anyway :wink:

As for the [I have no name!@obiwan ~]$

I suspect if you type #hostname you will get I have no name

The hostname can be changed via

if you don’t already know how (though I suspect you do)

Take a look at /etc/passwd and /etc/group to see if the user obiwan is really user and group 574

The rest of it “looks” right to me but I’ll leave that to Socheat :wink:

711 is should be fine Pascal, IIRC I did the same on a box a while back but the drawback is that your users will NOT be able to go that far down the directory tree which is pribably what you want anyway :wink:

exactly, it is what I want :slight_smile:

As for the [I have no name!@obiwan ~]$

I suspect if you type #hostname you will get I have no name

The hostname can be changed via

if you don’t already know how (though I suspect you do)

Tim, it is not the hostname but the name of the user. Hostname is well shown, it is obiwan
For exemple
[root@obiwan html]# the user is root and the hostname is obiwan and the current dir is html. What is not shown well a user log in using jail ssh is their user name :slight_smile:

Take a look at /etc/passwd and /etc/group to see if the user obiwan is really user and group 574

Obiwan is not a user but the hostname :slight_smile: and yes the user carathos have the id 574

The rest of it “looks” right to me but I’ll leave that to Socheat :wink:

Cool

Pascal

Hello,

And finally, on my other box (with home not mounted) I have done this

  • mkdir /chroot
  • mv /home /chroot/
  • ln -sf /chroot/home /home
  • chmod 755 /chroot
  • chmod 711 /chroot/home

Then I have changed one siteworx to allow it to connect with /usr/sbin/jk_chrootsh

But when I connect with this user I’m disconnect immediatly after the password

I find why but not sure why it occurs

[root@padawan root]# su carathos
/bin/bash: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory

I first login as root then su carathos (the user with jk_chrootsh)

The libc.so.6 is here

/lib/i686/libc.so.6
/lib/libc.so.6
/lib/tls.disabled/libc.so.6
/lib/tls.disabled-2005-07-28-02-07-1122508852/libc.so.6
/lib/tls.disabled-2005-11-09-09-11-1131526544/libc.so.6

Don’t ask me why /lib/tls is /lib/tls.disabled/ I don’t know :-p

Pascal

Hi Pascal,

Actually, the passwd file you should be checking for is /chroot/etc/passwd. Make sure the /chroot/etc/passwd entry for that user is identical to the entry in /etc/passwd, including uid and gids.

Socheat

Hi*

What I do not understand is in the strace it founds the libc.so file. There is a lot of bad descriptor when it searche for the rlimit, but not sure it is related.

Here is the strace output of the su carathos command.

Hope it might help

Pascal

su.txt (36.1 KB)

Hi Pascal,

Please open a ticket, we’ll check it out.

Socheat

slaps forehead

I should have known that :wink:

Whoops! You’re right. I don’t know what I was thinking :wink:

Lol no pbm Tim

I have opened a ticket :slight_smile:

Pascal