Hi, has anybody an idea how to chroot SSH in Debian Etch 4.0? I know this howto here: http://howtoforge.com/chrooted_ssh_howto_debian but it's sadly only for Debian Sarge ... and the scripts won't work for Etch ;-/ Thanks, Leander
Hi, were you able to install all necessary packages with apt-get (newer ssl is openssl-0.9.8 I believe)? And if so, did you get any error output when running the script? Except for Falko's "incredimail" script, all the rest are basic Linux/shell commands. Kind regards, Thanis
????? What are you talking about ??? Do you mean if I got openssl-0.9.8 ready for a jailed user? I am not even able to jail anybody, because the script of Falko is only for Sarge users. But, I found something .... http://howtoforge.com/forums/attachment.php?attachmentid=402&d=1175003548 BUT I don't really understand how to use it .... I don't know if I still have to install software as Falko's howto describes ... like "1 Install The Newest Zlib Version", or "2 Install The Chrooted SSH" and so on ... It would be helpful if somebody could give me some ideas how to go on. Thank you very much! Leander
The tutorial is fine actually, it only needs a VERY small bit of tweaking for it to work on Debian Etch:
1. Don't do the zlib install!
2. Code:
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.8 libssl-dev ssh zlib1g zlib1g-dev zlibc build-essential
3. Then just follow the tutorial (the script is not actually important).
But what Falko forgot to mention is that you need to copy the "script" contents to a file (e.g.: /home/chroot/chroot.sh) and then run that script:
Code:
chmod +x /home/chroot/chroot.sh
/home/chroot/chroot.sh
Then follow the rest of the tutorial. Like I said, it's just a question of updating your apt packages to Etch level! GRtz, Thanis
Hi, thank you for your helpful response - but I seem too stupid for it ;-) Just step by step: 1. Don't install the zlib. 2. Install The Chrooted SSH? What about that? Should I do this step? 3. Create The Chroot Environment? What about that? Should I do this step exactly how it's described in the howto? What about the part with the script? Should I skip executing his script? What about the steps written under the script part ... like Should I go on from there until step 4? And _what_ script are you talking about ... the script I linked up in this thread or the one from Falko's howto? Sorry for those stupid questions .. - I just want to make sure before I kill my installation again ;-) Regards, Leander
Well ... all answers are positive to your questions. Yes, install the chrooted SSH (download from sourceforge). Yes, execute the script (use the one you mentioned, it's better than in the tutorial). Yes, copy the files. Yes, keep following the tutorial until the end. No, never use root as your chrooted user. Grtz, Thanis
hmm thanks .... but the script which I mentioned didn't work ;-( nearly every command ended in a mess .. ... and those mysql paths aren't there ... and I'm still not sure if I should do the step
Code:
mkdir /home/chroot/
mkdir /home/chroot/home/
cd /home/chroot
mkdir etc
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5
before I execute either of those two scripts or not?! Thank you very much ;-) Leander
Hi, has nobody an idea, or any good howto? How far is Falko with his new howto for Etch? ;-) Leander
I don't want to push you Falko ;-) but when do you guess you're able to publish a howto? I'm kind of lost without that ;-/ Thank you very much Leander
I got it to work
Hello, I have just followed the guide on a Debian Etch AMD64, and the only problem I had was an error that /bin/bash could not be found. A quick search on Google gave me the result that a lib file was missing. `ldd /bin/bash` shows what files the program needs. And the guide didn't say anything about /lib64/ld-linux-x86-64.so.2. After adding this to the chroot, it works without problems.
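Added example (not part of the original thread or the tutorial): one way to turn `ldd` output into the list of files a jail needs, including the loader line that has no "=>" and is therefore easy to miss. The function names and the sample output are constructed for illustration; /home/chroot is the jail directory used in the thread.

```shell
#!/bin/sh
# Added example: turn `ldd` output into the list of files a chroot needs.

# Constructed sample of `ldd /bin/bash` output on amd64 (addresses are made up).
sample_ldd_output() {
cat <<'EOF'
    linux-vdso.so.1 =>  (0x00007fff5bdfe000)
    libncurses.so.5 => /lib/libncurses.so.5 (0x00002b5a1c0d4000)
    libdl.so.2 => /lib/libdl.so.2 (0x00002b5a1c231000)
    libc.so.6 => /lib/libc.so.6 (0x00002b5a1c335000)
    /lib64/ld-linux-x86-64.so.2 (0x00002b5a1bfb7000)
EOF
}

# ldd_paths: read ldd output on stdin, print each absolute path once.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # name => /path (addr)
        $1 ~ /^\//               { print $1 }        # /path (addr): the loader
    ' | LC_ALL=C sort -u
}

# missing_in_chroot JAIL: of the paths on stdin, print those absent from JAIL.
missing_in_chroot() {
    jail=$1
    while IFS= read -r p; do
        [ -e "$jail$p" ] || printf '%s\n' "$p"
    done
}

# copy_into_chroot JAIL: copy each path on stdin to the same location in JAIL.
copy_into_chroot() {
    jail=$1
    while IFS= read -r p; do
        mkdir -p "$jail$(dirname "$p")" && cp -pL "$p" "$jail$p"
    done
}

# Typical use, with the jail directory from the tutorial:
#   ldd /bin/bash | ldd_paths | missing_in_chroot /home/chroot
#   ldd /bin/bash | ldd_paths | copy_into_chroot /home/chroot
```

Run the same pipeline for every binary copied into the jail, since each one can pull in its own libraries.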
Hi, Thanks for your response. Can you tell me where you found this tutorial, or do you have a link? Leander
I use the same tutorial as you. I only have some problems with sftp, where the connection is closed after the password is supplied. But ssh to the chroot works fine.
Ok - I did it ...
Hi again ... ok ... , I did it .. and it seems to work ... the users are jailed ... BUT .. if I type as root
Code:
ssh -l user 10.1.10.1
the following error appears:
Code:
/etc/ssh/ssh_config line 45: Unsupported option "GSSAPIAuthentication"
/etc/ssh/ssh_config line 46: Unsupported option "GSSAPIDelegateCredentials"
but the connection goes on ... it seems as if I could ignore it ... but why does that show up?? Should I have compiled those options with the ssh chroot patch before?? Or should I simply just comment those lines out ;-) ? Leander
sftp
Thanks for all of the tips on this folks - I have also just managed to get to the stage that LeoLinux is at. I can't figure out how to get sFTP working tho - I know it's not a "real" protocol. I have tried copying over a few things but am getting the message..
sftp [email protected]
Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer.
Can anyone tell me what I need to do? Thanks in advance..
Logs
Thanks for the reply Falko, I don't seem to have a log file for SSH - I don't have a file \var\log\secure - should this have been set up automatically or is it something that I should have done? I'm a noob at this stuff, please excuse my ignorance. I can log in fine with a user that is not jailed, so at a guess I need to add something else to the chroot environment, just not too sure.
Got it
Thanks Falko again for the response. The auth log wasn't showing me anything, it was showing all the authentications as accepted. I actually managed to find this out today. If anyone is interested, this is what I had to do. Replace this line in the sshd_config file:
Subsystem sftp /usr/lib/openssh/sftp-server
With this line:
Subsystem sftp /usr/lib/sftp-server
That got rid of the subsystem error, and I got connected okay. Thanks to one and all! 8c2
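Added example (not part of the original thread): a check that the server named on the "Subsystem sftp" line of an sshd_config actually exists, which is the mismatch behind the "Request for subsystem 'sftp' failed" message above. The function names are made up for illustration, and the optional ROOT argument assumes you know which directory tree sshd starts the subsystem from (the jail or the real root).

```shell
#!/bin/sh
# Added example: verify that the sftp subsystem path in sshd_config exists.

# sftp_subsystem_path CONFIG
# Print the server path from the first "Subsystem sftp" line. Comments are
# ignored and the keyword is matched case-insensitively.
sftp_subsystem_path() {
    awk '
        { sub(/#.*/, "") }                                    # drop comments
        tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }
    ' "$1"
}

# check_sftp_subsystem CONFIG [ROOT]
# Return 0 if the configured server is a regular file under ROOT (default:
# the real root), 1 if it is missing, 2 if no sftp subsystem is configured.
check_sftp_subsystem() {
    cfg=$1
    root=${2:-}
    path=$(sftp_subsystem_path "$cfg")
    if [ -z "$path" ]; then
        echo "no sftp subsystem configured in $cfg"
        return 2
    fi
    if [ -f "$root$path" ]; then
        echo "ok: $root$path"
        return 0
    fi
    echo "missing: $root$path (expect: Request for subsystem 'sftp' failed)"
    return 1
}

# Typical use:
#   check_sftp_subsystem /etc/ssh/sshd_config               # real root
#   check_sftp_subsystem /etc/ssh/sshd_config /home/chroot  # inside the jail
```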