How to create multiple chroot (jailed) users accounts in batch

Discussion in 'Suggest HOWTO' started by gregor_gede, Aug 28, 2006.

  1. gregor_gede

    gregor_gede New Member

  2. falko

    falko Super Moderator ISPConfig Developer

  3. gregor_gede

    gregor_gede New Member

    OK, I'll give it a try. Thanks a lot Falko, you're the angel of my day... :) BTW, I use Fedora Core; hopefully it will work. I'll let you know when I'm done.
     
  4. gregor_gede

    gregor_gede New Member

    hi Falko,

    With some adjustments (copying some missing libraries), I finally got it done. testuser is successfully chrooted. There's a minor problem every time sshd is restarted, saying "Unsupported option GSSAPIAuthentication" and "Unsupported option GSSAPICleanupCredentials", but it can be eliminated by commenting out those options in sshd_config.

    But there's one big problem left that I hope you can help me figure out: testuser could not change password :(. I've already added /usr/bin/passwd to the APPS line of your script, but every time testuser issues the passwd command, the system responds:

    Changing password for user testuser.
    passwd: unable to start pam


    I've also run ldd passwd to see which libraries might be missing, tried to copy them to the proper lib directories and restarted sshd, but the user still could not change password.

    Any suggestions?

    regards,
    gregor
     
  5. falko

    falko Super Moderator ISPConfig Developer

    I think you need to copy pam to your chroot jail.
     
  6. gregor_gede

    gregor_gede New Member

    Could you be more specific about which pam files should be copied? I've already got the following:

    /home/chroot/lib/libpam.so.0
    /home/chroot/lib/libpam_misc.so.0
    /home/chroot/usr/lib/libpam.so.0
    /home/chroot/usr/lib/libpam_misc.so.0

    in my chroot jail, but it doesn't work.
    If you mean I should add pam's binary to the APPS line, which one is it?
    I tried to locate pam's binary (locate bin/pam) and here's what showed up:

    /sbin/pam_timestamp_check
    /sbin/pam_tally
    /sbin/pam_console_apply
    /usr/bin/pam-panel-icon

    regards,
    gregor
     
  7. falko

    falko Super Moderator ISPConfig Developer

    Put them all into the chroot environment, also /etc/pam and /etc/pam.d, if they exist. What's the output of
    Code:
    locate pam
    ?
     
  8. gregor_gede

    gregor_gede New Member

    locate pam returned:

    /lib/libpam_misc.so.0.79
    /lib/libpam.so.0
    /lib/security/pam_rootok.so
    /lib/security/pam_mkhomedir.so
    /lib/security/pam_stress.so
    /lib/security/pam_pwdb.so
    /lib/security/pam_unix_auth.so
    /lib/security/pam_time.so
    /lib/security/pam_passwdqc.so
    /lib/security/pam_chroot.so
    /lib/security/pam_shells.so
    /lib/security/pam_ccreds.so
    /lib/security/pam_motd.so
    /lib/security/pam_tally.so
    /lib/security/pam_wheel.so
    /lib/security/pam_permit.so
    /lib/security/pam_console.so
    /lib/security/pam_xauth.so
    /lib/security/pam_filter.so
    /lib/security/pam_group.so
    /lib/security/pam_winbind.so
    /lib/security/pam_krb5afs.so
    /lib/security/pam_limits.so
    /lib/security/pam_unix_passwd.so
    /lib/security/pam_nologin.so
    /lib/security/pam_postgresok.so
    /lib/security/pam_unix_acct.so
    /lib/security/pam_access.so
    /lib/security/pam_loginuid.so
    /lib/security/pam_listfile.so
    /lib/security/pam_cracklib.so
    /lib/security/pam_deny.so
    /lib/security/pam_rhosts_auth.so
    /lib/security/pam_smb_auth.so
    /lib/security/pam_lastlog.so
    /lib/security/pam_timestamp.so
    /lib/security/pam_localuser.so
    /lib/security/pam_filter
    /lib/security/pam_filter/upperLOWER
    /lib/security/pam_ldap.so
    /lib/security/pam_mail.so
    /lib/security/pam_ftp.so
    /lib/security/pam_securetty.so
    /lib/security/pam_debug.so
    /lib/security/pam_succeed_if.so
    /lib/security/pam_issue.so
    /lib/security/pam_smbpass.so
    /lib/security/pam_userdb.so
    /lib/security/pam_unix_session.so
    /lib/security/pam_krb5.so
    /lib/security/pam_unix.so
    /lib/security/pam_selinux.so
    /lib/security/pam_rps.so
    /lib/security/pam_krb5
    /lib/security/pam_krb5/pam_krb5_storetmp
    /lib/security/pam_stack.so
    /lib/security/pam_warn.so
    /lib/security/pam_env.so
    /lib/libpam_misc.so.0
    /lib/libpamc.so.0.79
    /lib/libpam.so.0.79
    /lib/libpamc.so.0
    /sbin/pam_timestamp_check
    /sbin/pam_tally
    /sbin/pam_console_apply
    /usr/lib/libpam_misc.so
    /usr/lib/libpam.so
    /usr/lib/libpamc.so
    /usr/lib/squid/pam_auth
    /usr/lib/libpam_misc.a
    /usr/lib/libpamc.a
    /usr/lib/libpam.a
    /usr/include/pam.h
    /usr/include/security/pam_modules.h
    /usr/include/security/pam_misc.h
    /usr/include/security/pam_client.h
    /usr/include/security/_pam_compat.h
    /usr/include/security/pam_filter.h
    /usr/include/security/pam_appl.h
    /usr/include/security/_pam_macros.h
    /usr/include/security/_pam_types.h
    /usr/include/pammap.h
    /usr/include/linux/isdn/tpam.h
    /etc/security/pam_env.conf
    /etc/dev.d/default/05-pam_console.dev
    /etc/udev/scripts/pam_console.dev
    /etc/pam.d
    /etc/pam.d/sshd
    /etc/pam.d/halt
    /etc/pam.d/system-config-users
    /etc/pam.d/ppp
    /etc/pam.d/system-config-printer-gui
    /etc/pam.d/printtool
    /etc/pam.d/system-auth
    /etc/pam.d/poweroff
    /etc/pam.d/up2date-config
    /etc/pam.d/atd
    /etc/pam.d/neat
    /etc/pam.d/newrole
    /etc/pam.d/system-cdinstall-helper
    /etc/pam.d/reboot
    /etc/pam.d/system-config-httpd
    /etc/pam.d/system-config-network-druid
    /etc/pam.d/up2date
    /etc/pam.d/other
    /etc/pam.d/system-install-packages
    /etc/pam.d/su
    /etc/pam.d/su
    /etc/pam.d/system-config-mouse
    /etc/pam.d/system-config-printer
    /etc/pam.d/system-config-printer-tui
    /etc/pam.d/cups
    /etc/pam.d/system-config-language
    /etc/pam.d/dateconfig
    /etc/pam.d/system-config-keyboard
    /etc/pam.d/system-config-packages
    /etc/pam.d/system-config-securitylevel
    /etc/pam.d/chfn
    /etc/pam.d/chsh
    /etc/pam.d/squid
    /etc/pam.d/system-config-soundcard
    /etc/pam.d/printconf-gui
    /etc/pam.d/internet-druid
    /etc/pam.d/login
    /etc/pam.d/system-config-nfs
    /etc/pam.d/setup
    /etc/pam.d/samba
    /etc/pam.d/kbdrate
    /etc/pam.d/system-config-network
    /etc/pam.d/authconfig-gtk
    /etc/pam.d/rhn_register
    /etc/pam.d/up2date-nox
    /etc/pam.d/printconf-tui
    /etc/pam.d/imap
    /etc/pam.d/crond
    /etc/pam.d/remote
    /etc/pam.d/sudo
    /etc/pam.d/pop3
    /etc/pam.d/serviceconf
    /etc/pam.d/system-config-services
    /etc/pam.d/screen
    /etc/pam.d/passwd
    /etc/pam.d/system-config-rootpassword
    /etc/pam.d/vsftpd
    /etc/pam.d/printconf
    /etc/pam.d/system-config-network-cmd
    /etc/pam.d/system-config-authentication
    /etc/pam.d/system-config-lvm
    /etc/pam.d/run_init
    /etc/pam.d/system-config-samba
    /etc/pam.d/authconfig
    /etc/pam.d/system-config-date
    /etc/pam.d/system-config-time

    I've copied them all to my chroot dir. Now the error message has turned into:

    -bash-3.00$ passwd
    Changing password for user testuser.
    passwd: Module is unknown

    What else do you think I should do?

    regards,
    gregor
     
  9. falko

    falko Super Moderator ISPConfig Developer

    Did you put the passwd program into the APPS line of the script that copies the desired programs to the chroot jail?
     
  10. yogibear

    yogibear New Member

    Hi Falko, Gregor,

    I had exactly the same problem (passwd: Module is unknown)
    after I copied all the relevant libs and programs specified in
    this thread.

    If I do ldd passwd, all the dependent libs are there.

    Anything else is needed?

    Thanks,

    Yogi
     
  11. gregor_gede

    gregor_gede New Member

    hi guys:)

    Yes, I put passwd in the APPS line; I mentioned it in my post on 30th August 2006 06:10. I believe Yogi has also done the same thing. What distro do you use, Yogi? I use Fedora Core 4.
    I've tried googling but nothing good has come up so far. Maybe nobody has ever tried this before :(

    regards,
    gregor
     
  13. yogibear

    yogibear New Member

    Hi,

    I use RedHat Enterprise Linux 4.2.6.9. I tried to put "UsePAM yes" in sshd_config and got "Unsupported option" when restarting sshd.

    Regards,
    yogi
     
  14. yogibear

    yogibear New Member

    Hi gregor,

    Finally got passwd to work here.

    1. Module is unknown: due to missing cracklib.so.2

    cp /usr/lib/libcrack.so* /usr/lib
    (or /lib/; it works for me in /lib. Try /usr/lib first)

    2. passwd: Critical error - immediate abort

    - make sure the dictionary is in /usr/lib/:
    cracklib_dict.hwm
    cracklib_dict.pwd
    cracklib_dict.pwi

    3. passwd: Authentication token manipulation error
    - make sure /etc/shadow has the user in it.

    tgif,

    yogi
     
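The three errors listed in the post above each come from something missing inside the jail: a PAM module named in /etc/pam.d/passwd (through system-auth) that cannot be loaded, the cracklib dictionary, and a user database. The shell script below is an added example, not the thread's or the HOWTO script's own code: it reads the PAM service stack to find which modules passwd actually needs, copies them together with the shared objects ldd reports for each, and copies the PAM configuration, the NSS module glibc loads for user lookups and the dictionary into the jail. The paths (/etc/pam.d, /lib/security, /usr/lib/cracklib_dict.*, /lib/libnss_files.so.2) are assumed from the Fedora Core 4 layout shown in the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the HOWTO script it refers
# to. Collects what a chrooted passwd needs: the binary, the PAM modules its
# service stack names, every shared object they load, the PAM config, the NSS
# module glibc dlopen()s for user lookups, and the cracklib dictionary.
# Assumed layout is the Fedora Core 4 one seen in the thread: /etc/pam.d,
# /lib/security, /usr/lib/cracklib_dict.*; adjust for lib64 or multiarch.
set -u

# pam_modules SERVICE PAMDIR
# Print the module names referenced by PAMDIR/SERVICE, following "include",
# "substack" and "@include" into other service files. Any name printed here
# that is absent from the jail's module directory gives "Module is unknown".
pam_modules() {
    awk -v dir="$2" -v svc="$1" '
    function parse(name,   path, line, n, f, i, ctl, mod) {
        if (name in seen) return            # guard against include loops
        seen[name] = 1
        path = dir "/" name
        while ((getline line < path) > 0) {
            sub(/#.*/, "", line)
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == "") continue
            n = split(line, f, /[ \t]+/)
            if (f[1] == "@include") { parse(f[2]); continue }
            if (n < 3) continue
            i = 2                            # control field, possibly [several words]
            if (f[2] ~ /^\[/) { while (i <= n && f[i] !~ /\]$/) i++ }
            ctl = f[2]; mod = f[i + 1]
            if (mod == "") continue
            if (ctl == "include" || ctl == "substack") parse(mod)
            else print mod
        }
        close(path)
    }
    BEGIN { parse(svc) }' | LC_ALL=C sort -u
}

# module_paths MODDIR  (module names on stdin)
# Print MODDIR/name for each module that exists; report the rest on stderr.
module_paths() {
    while read -r m; do
        if [ -f "$1/$m" ]; then printf '%s\n' "$1/$m"
        else printf 'missing module: %s/%s\n' "$1" "$m" >&2; fi
    done
}

# ldd_deps FILE : absolute paths of the shared objects FILE links against.
# ldd does not see modules loaded at run time with dlopen (PAM and NSS
# modules), which is why those are enumerated separately above.
ldd_deps() {
    ldd "$1" 2>/dev/null | awk '$1 ~ /^\// { print $1 } $3 ~ /^\// { print $3 }'
}

# jail_copy JAIL PATH : copy PATH to JAIL/PATH, keeping mode and owner.
jail_copy() {
    mkdir -p "$1$(dirname "$2")" && cp -p "$2" "$1$2"
}

# populate_passwd_jail JAIL : must run as root. Re-run after package updates;
# the copies inside the jail are not maintained by the package manager.
populate_passwd_jail() {
    jail=$1 pamdir=/etc/pam.d moddir=/lib/security
    {
        printf '%s\n' /usr/bin/passwd /lib/libnss_files.so.2
        pam_modules passwd "$pamdir" | module_paths "$moddir"
    } | while read -r f; do
        [ -f "$f" ] || continue
        jail_copy "$jail" "$f"
        ldd_deps "$f" | while read -r lib; do jail_copy "$jail" "$lib"; done
    done
    # config files and the dictionary (missing dict: "Critical error - immediate abort")
    for cfg in "$pamdir"/passwd "$pamdir"/system-auth /etc/security/*.conf \
               /etc/nsswitch.conf /usr/lib/cracklib_dict.*; do
        if [ -f "$cfg" ]; then jail_copy "$jail" "$cfg"; fi
    done
}

if [ "${1:-}" ]; then populate_passwd_jail "$1"; fi
```

Run it as root, for example populate_passwd_jail /home/chroot, and re-run it whenever passwd, PAM, cracklib or glibc is updated: a setuid binary and the libraries copied into a jail stay at whatever version was copied, so the jail is only as patched as its last refresh. The /etc/passwd, /etc/group and /etc/shadow copies discussed later in the thread should contain only the jailed accounts' lines, since nothing inside the jail needs root's hash.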
  15. gregor_gede

    gregor_gede New Member

    Thx Yogi, I've got it to work too. But when I log out and try to log in again using the new password, it won't work; I have to log in using the old password. Didn't you face the same thing?
    BTW, shouldn't the system automatically add every newly created user in /etc/shadow- ?

    regards,
    gregor
     
  16. gregor_gede

    gregor_gede New Member

    Hi guys, I've found a way to make use of the new password: copy /etc/shadow, /etc/passwd and /etc/group to /home/chroot/./etc/.
    Make sure the password field in the passwd file is x, which indicates that the real password is stored in the shadow file.

    When the chrooted testuser issues the passwd command and creates a new password, it changes the password value stored in the /home/chroot/./etc/shadow file. When he logs in again using the new password, the system won't recognize it because it compares the password with the one stored in /etc/shadow.

    So my idea is to create a patch file using the diff command from /home/chroot/./etc/shadow and then apply it to /etc/shadow.

    Code:
    chmod 400 /etc/shadow
    chmod 400 /home/chroot/./etc/shadow
    cd /home/chroot/etc

    diff -u /etc/shadow /home/chroot/etc/shadow > shadow.patch
    patch -b /etc/shadow /home/chroot/etc/shadow.patch

    Put the last two commands in a cron job... :)

    It works perfectly for me now... thanks to you guys...

    regards,
    gregor
     
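The diff/patch step in the post above carries every hunk between the two files to the host, whichever side produced it: a password changed or an account added on the host after the jail copy was made is reverted on the next run, and any line that differs in the jail's shadow, root's included, is written into /etc/shadow. The shell function below is an added example, not from the thread: it copies only the hash and last-change fields of explicitly named jailed users from the jail copy into the host file, leaves all other lines as they are and replaces the host file atomically. The file paths follow the thread; the user list and the lock-directory name are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Push password changes made by jailed
# users back to the host: copy only the hash and last-change fields of the
# named accounts from the jail shadow file into the host shadow file,
# leaving every other line untouched. Paths follow the thread
# (/home/chroot/etc/shadow, /etc/shadow); the user list and the
# lock-directory name are assumptions of this example.
set -u

# sync_shadow JAIL_SHADOW HOST_SHADOW USER...
# Replaces HOST_SHADOW atomically; the new file inherits its mode and owner
# because the temporary file is first made as a cp -p copy of it.
sync_shadow() {
    jail=$1 host=$2; shift 2
    lock=$host.sync.lock
    # mkdir is atomic, so two overlapping cron runs cannot both get past here
    mkdir "$lock" 2>/dev/null || { echo "sync_shadow: $lock exists" >&2; return 1; }
    new=$(mktemp "$host.XXXXXX") || { rmdir "$lock"; return 1; }
    cp -p "$host" "$new" || { rm -f "$new"; rmdir "$lock"; return 1; }
    awk -F: -v OFS=: -v jailf="$jail" -v users="$*" '
    BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
    FILENAME == jailf {                 # pass 1: remember hashes of the jailed users
        if ($1 in want) { hash[$1] = $2; chg[$1] = $3 }
        next
    }
    ($1 in hash) && $2 != hash[$1] {   # pass 2: rewrite only those two fields
        $2 = hash[$1]; $3 = chg[$1]
    }
    { print }' "$jail" "$host" > "$new" && mv -f "$new" "$host"
    rc=$?
    rm -f "$new"; rmdir "$lock"
    return $rc
}

if [ "${1:-}" ]; then sync_shadow /home/chroot/etc/shadow /etc/shadow "$@"; fi
```

Run it from root's cron, for example sync_shadow /home/chroot/etc/shadow /etc/shadow testuser. Because only the listed users' fields are copied, a jailed user who managed to alter root's line in the jail's shadow (the jailed passwd is setuid root and runs against libraries the package manager no longer updates) gets nothing from it on the host. The mkdir lock serialises only this script; passwd on the host takes its own /etc/.pwd.lock, so a run that coincides with an administrator changing a host password could still lose that change, and a lock directory left behind by a killed run must be removed by hand.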
