I have successfully upgraded to version 2.2.5 and just tested the chroot function. I logged in using a non-admin user and was able to access higher levels above the user's jailed directory. I could get all the way up to root. Is this not a security issue? What do I need to do?
Hmm, I installed openssh-4.2p1-chroot and followed the remaining commands in step 2 from the tutorial http://www.howtoforge.com/chrooted_ssh_howto_debian , restarted sshd and ISPConfig, but I can still break out of the jailed dir. Any initial ideas? Btw, this is Fedora Core 4, rather than Debian, but that shouldn't matter I don't think.
I'm having the same problem with an updated server! When I install ISPconfig on a clean Debian system (I love VMware) it's working fine! *** Edit *** I'm wrong.. It's also working on the old system... So I'm not having any problems.. All I needed was a SSH restart
Yes, but I get the following: Code: [root@server2 ~]# /etc/init.d/sshd restart Stopping sshd: [ OK ] Starting sshd: /etc/ssh/sshd_config line 74: Unsupported option GSSAPIAuthentication /etc/ssh/sshd_config line 76: Unsupported option GSSAPICleanupCredentials [ OK ]
No sir, I did not change anything manually. But I am wondering if this has anything to do with running your chrooted how-to in the past and if the updated ISPConfig chroot function is conflicting with it. Here are the contents: Code: # $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #Protocol 2,1 Protocol 2 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging #obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication yes # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depending on your PAM configuration, this may bypass the setting of # PasswordAuthentication, PermitEmptyPasswords, and # "PermitRootLogin without-password". If you just want the PAM account and # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no UsePAM yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression yes #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #ShowPatchLevel no # no default banner path #Banner /some/path # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server
Which distribution do you use? I wrote the tutorial for Debian so if you use another distribution that might be the problem. Anyway, comment out this line: Code: GSSAPIAuthentication yes and restart the SSH daemon.
The distro is Fedora Core 4. I did what you recommended and still no luck. When I try using PuTTy, I login and is simply closes the interface without error. This usually happens when I do not specify the BASH shell in the /etc/passwd file, but this is not the case. Each user has BASH specified. I noticed that only a couple web users are in the replicated webx/etc/passwd file. Wouldn't this be a problem? I created a new user and looked to see if they were copied to the webx/etc/passwd file and they were not.
FYI, I found this extra bit of info for other Fedora users: http://www.redhat.com/archives/fedora-list/2006-June/msg04104.html
Has the error message changed? I think the problem is this: Code: tar xvfz openssh-4.2p1-chroot.tar.gz cd openssh-4.2p1-chroot ./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam make make install I guess you need to change the ./configure statement so that it suits to Fedora. You can find out about available configuration paramters by running Code: ./configure --help
So before I run the ./configure command for Fedora, can you think of anything that I need to do with the current sshd config?
I had the same problem as you. (but with CentOS) It seems the /root/ispconfig/scripts/shell/create_chroot_env.sh is not good enough for FC/CentOS. It doens't copy all the needed files to run /bin/bash Just add the last 5 lines to your create_chroot_env.sh It should work. But I was unable to test it, because I get segmentation faults now. Code: #!/bin/bash # # Usage: ./create_chroot_env username # # Here specify the apps you want into the enviroment APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/zip /bin/tar /usr/bin/dircolors" # Sanity check if [ "$1" = "" ] ; then echo " Usage: ./create_chroot_env username" exit fi # Obtain username and HomeDir CHROOT_USERNAME=$1 HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME" | cut -d':' -f 6` cd $HOMEDIR # Create Directories no one will do it for you mkdir etc mkdir bin mkdir usr mkdir usr/bin # Create short version to /usr/bin/groups # On some system it requires /bin/sh, which is generally unnessesary in a chroot cage echo "#!/bin/bash" > usr/bin/groups echo "id -Gn" >> usr/bin/groups # Add some users to ./etc/paswd grep /etc/passwd -e "^root" -e "^$CHROOT_USERNAME" > etc/passwd grep /etc/group -e "^root" -e "^$CHROOT_USERNAME" > etc/group # Copy the apps and the related libs for prog in $APPS; do cp $prog ./$prog # obtain a list of related libraryes ldd $prog > /dev/null if [ "$?" = 0 ] ; then LIBS=`ldd $prog | awk '{ print $3 }'` for l in $LIBS; do mkdir ./`dirname $l` > /dev/null 2>&1 cp $l ./$l done fi done # From some strange reason these 3 libraries are not in the ldd output, but without them # some stuff will not work, like usr/bin/groups cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/ #ADDED by AlecWeb for CentOS 4.3 support. #Special thanks to http://ymettier.free.fr/articles_lmag/lmag54_chroot/lmag54_chroot.html cp /lib/libc.so* ./lib/ cp /lib/libc-* ./lib/ cp /lib/ld* ./lib/
Well, it looks to me like the ./configure statement takes the same options as Debian.. I used (wget http://chrootssh.sourceforge.net/download/openssh-4.2p1-chroot.tar.gz) for this install. Should i be getting it from RedHat instead? Code: [root@server2 openssh-4.2p1-chroot]# ./configure --help `configure' configures OpenSSH Portable to adapt to many kinds of systems. Usage: ./configure [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. Configuration: -h, --help display this help and exit --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit -q, --quiet, --silent do not print `checking...' messages --cache-file=FILE cache test results in FILE [disabled] -C, --config-cache alias for `--cache-file=config.cache' -n, --no-create do not create output files --srcdir=DIR find the sources in DIR [configure dir or `..'] Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [/usr/local] [B] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX][/B] By default, `make install' will install all the files in `/usr/local/bin', `/usr/local/lib' etc. You can specify an installation prefix other than `/usr/local' using `--prefix', for instance `--prefix=$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] --datadir=DIR read-only architecture-independent data [PREFIX/share] [B] --sysconfdir=DIR read-only single-machine data [PREFIX/etc][/B] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] --infodir=DIR info documentation [PREFIX/info] --mandir=DIR man documentation [PREFIX/man] System types: --build=BUILD configure for building on BUILD [guessed] --host=HOST cross-compile to build programs to run on HOST [BUILD] Optional Features: --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --disable-largefile omit support for large files --disable-strip Disable calling strip(1) on install --disable-etc-default-login Disable using PATH from /etc/default/login no --disable-lastlog disable use of lastlog even if detected no --disable-utmp disable use of utmp even if detected no --disable-utmpx disable use of utmpx even if detected no --disable-wtmp disable use of wtmp even if detected no --disable-wtmpx disable use of wtmpx even if detected no --disable-libutil disable use of libutil (login() etc.) no --disable-pututline disable use of pututline() etc. (uwtmp) no --disable-pututxline disable use of pututxline() etc. (uwtmpx) no Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) --without-rpath Disable auto-added -R linker paths --with-osfsia Enable Digital Unix SIA --with-cflags Specify additional flags to pass to compiler --with-cppflags Specify additional flags to pass to preprocessor --with-ldflags Specify additional flags to pass to linker --with-libs Specify additional libraries to link with --with-Werror Build main code with -Werror --with-zlib=PATH Use zlib in PATH --without-zlib-version-check Disable zlib version check --with-skey[=PATH] Enable S/Key support (optionally in PATH) --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH) --with-libedit[=PATH] Enable libedit support for sftp --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm) [B] --with-pam Enable PAM support[/B] --with-ssl-dir=PATH Specify path to OpenSSL installation --with-rand-helper Use subprocess to gather strong randomness --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var /run/egd-pool) --with-entropy-timeout Specify entropy gathering command timeout (msec) --with-privsep-user=user Specify non-privileged user for privilege separation --with-sectok Enable smartcard support using libsectok --with-opensc[=PFX] Enable smartcard support using OpenSC (optionally in P ATH) --with-kerberos5=PATH Enable Kerberos 5 support --with-privsep-path=xxx Path for privilege separation chroot (default=/var/emp ty) --with-xauth=PATH Specify path to xauth program --with-mantype=man|cat|doc Set man page type --with-md5-passwords Enable use of MD5 passwords --without-shadow Disable shadow password support --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY --with-default-path= Specify default \$PATH environment for server --with-superuser-path= Specify different path for super-user --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses --with-bsd-auth Enable BSD auth support --with-pid-dir=PATH Specify location of ssh.pid file --with-lastlog=FILE|DIR specify lastlog location common locations Some influential environment variables: CC C compiler command CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a nonstandard directory <lib dir> CPPFLAGS C/C++ preprocessor flags, e.g. -I<include dir> if you have headers in a nonstandard directory <include dir> CPP C preprocessor Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. Report bugs to <[email protected]>.
If you find an RPM, you can try that one. Otherwise you must compile the sources, Well, there are a lot of parameters to play with...
