jailkit-users

Re: [Jailkit-users] pam_unix(sshd:session): session closed for user


From: Olivier Sessink
Subject: Re: [Jailkit-users] pam_unix(sshd:session): session closed for user
Date: Sun, 28 Jun 2009 10:28:05 +0200
User-agent: Thunderbird 2.0.0.21 (X11/20090409)

Igor Galić wrote:
Hi folks,

Today I've been evaluating a couple of methods of chrooting scp/sftp users,
and it seems that jk_chrootsh is so far the sanest.

I didn't like the fact that jk_chrootsh was chrooted, so I gave it CAP_SYS_CHROOT:
% sudo setcap CAP_SYS_CHROOT=ep /opt/bw/sbin/jk_chrootsh
% sudo chmod -s /opt/bw/sbin/jk_chrootsh

Of course that wouldn't work:
jk_chrootsh[25029]: abort, effective user ID is not 0, possibly jk_chrootsh is not setuid root

Hmm, that is a bug indeed. I don't have a system with SELinux around. Do you know how to check for a capability?

As a long time user, or rather admin of vsftpd, I'm used to the chrooting to
be a straight forward process, as vsftpd implements all calls by itself.

Thus my logical next step was to compile jk_lsh with -static, a feeble attempt to reduce the number of libraries and binaries needed.

I've never tried it, but I'm not sure what happens on a system with a dynamic nsswitch config. All the libnss_*.so libraries are plugins for libnss, which is required to look up users. Can you compile these statically as well?

I added the needed binaries, and libraries:
address@hidden /srv/web/esotericsystems.at/www # tree bin etc lib* usr
bin
`-- jk_lsh
etc
|-- group
|-- jailkit
|   `-- jk_lsh.ini
`-- passwd
lib
|-- libacl.so.1
|-- libattr.so.1
|-- libc.so.6
|-- libcom_err.so.2
|-- libcrypt.so.1
|-- libdl.so.2
|-- libkeyutils.so.1
|-- libnsl.so.1
|-- libpopt.so.0
|-- libpthread.so.0
|-- libresolv.so.2
`-- libutil.so.1
lib64
`-- ld-linux-x86-64.so.2
usr
|-- bin
|   |-- rsync
|   `-- scp
`-- lib
    |-- libcrypto.so.0.9.8
    |-- libgssapi_krb5.so.2
    |-- libk5crypto.so.3
    |-- libkrb5.so.3
    |-- libkrb5support.so.0
    |-- libz.so.1
    `-- sftp-server

I don't see a /dev/log here, so you will not get any logging from jailed utilities such as jk_lsh or the sftp-server.

And added the necessary configs:

address@hidden /srv/web/esotericsystems.at/www # grep -r "" etc/*
etc/group:ftp:x:21:esatwww
etc/group:esatwww:x:21001:
etc/jailkit/jk_lsh.ini:[DEFAULT]
etc/jailkit/jk_lsh.ini:executables = /usr/bin/scp, /usr/lib/sftp-server, /usr/bin/rsync
etc/jailkit/jk_lsh.ini:paths = /usr/bin/, /usr/lib
etc/jailkit/jk_lsh.ini:allow_word_expansion = 1
etc/passwd:esatwww:x:21001:21001::/htdocs:/bin/jk_lsh



Still, when trying to login, I'm getting:

address@hidden ~ % sftp -oPort=115 address@hidden
Connecting to esotericsystems.at...
address@hidden's password:
Couldn't read packet: Connection reset by peer
255 address@hidden ~ % sftp -oPort=115 address@hidden
Connecting to esotericsystems.at...
address@hidden's password:
Couldn't read packet: Connection reset by peer
255 address@hidden ~ % scp -oPort=115 address@hidden:HOKOHOKO.rar ./
address@hidden's password:
1


And in the auth.log:

Jun 16 01:12:07 localhost sshd[27546]: Accepted password for esatwww from 78.47.99.118 port 45276 ssh2
Jun 16 01:12:07 localhost sshd[27546]: pam_unix(sshd:session): session opened for user esatwww by (uid=0)
Jun 16 01:12:07 localhost sshd[27549]: subsystem request for sftp
Jun 16 01:12:07 localhost jk_chrootsh[27550]: path /srv/web/esotericsystems.at/www/./htdocs is not owned by group 21001
Jun 16 01:12:07 localhost jk_chrootsh[27550]: now entering jail /srv/web/esotericsystems.at/www for user esatwww (21001)
Jun 16 01:12:07 localhost sshd[27546]: pam_unix(sshd:session): session closed for user esatwww
Jun 16 01:12:19 localhost sshd[27553]: Accepted password for esatwww from 78.47.99.118 port 45278 ssh2
Jun 16 01:12:19 localhost sshd[27553]: pam_unix(sshd:session): session opened for user esatwww by (uid=0)
Jun 16 01:12:19 localhost sshd[27555]: subsystem request for sftp
Jun 16 01:12:19 localhost jk_chrootsh[27556]: path /srv/web/esotericsystems.at/www/./htdocs is not owned by group 21001
Jun 16 01:12:19 localhost jk_chrootsh[27556]: now entering jail /srv/web/esotericsystems.at/www for user esatwww (21001)
Jun 16 01:12:19 localhost sshd[27553]: pam_unix(sshd:session): session closed for user esatwww
Jun 16 01:12:27 localhost sshd[27557]: Accepted password for esatwww from 78.47.99.118 port 45279 ssh2
Jun 16 01:12:27 localhost sshd[27557]: pam_unix(sshd:session): session opened for user esatwww by (uid=0)
Jun 16 01:12:27 localhost sshd[27559]: subsystem request for sftp
Jun 16 01:12:27 localhost jk_chrootsh[27560]: path /srv/web/esotericsystems.at/www/./htdocs is not owned by group 21001
Jun 16 01:12:27 localhost jk_chrootsh[27560]: now entering jail /srv/web/esotericsystems.at/www for user esatwww (21001)
Jun 16 01:12:27 localhost sshd[27557]: pam_unix(sshd:session): session closed for user esatwww
Jun 16 01:12:45 localhost sshd[27561]: Accepted password for esatwww from 78.47.99.118 port 45280 ssh2
Jun 16 01:12:45 localhost sshd[27561]: pam_unix(sshd:session): session opened for user esatwww by (uid=0)
Jun 16 01:12:45 localhost jk_chrootsh[27564]: path /srv/web/esotericsystems.at/www/./htdocs is not owned by group 21001
Jun 16 01:12:45 localhost jk_chrootsh[27564]: now entering jail /srv/web/esotericsystems.at/www for user esatwww (21001)
Jun 16 01:12:45 localhost sshd[27561]: pam_unix(sshd:session): session closed for user esatwww
Jun 16 01:13:43 localhost sshd[27565]: Accepted password for esatwww from 78.47.99.118 port 45281 ssh2
Jun 16 01:13:43 localhost sshd[27565]: pam_unix(sshd:session): session opened for user esatwww by (uid=0)
Jun 16 01:13:43 localhost jk_chrootsh[27568]: path /srv/web/esotericsystems.at/www/./htdocs is not owned by group 21001
Jun 16 01:13:43 localhost jk_chrootsh[27568]: now entering jail /srv/web/esotericsystems.at/www for user esatwww (21001)
Jun 16 01:13:43 localhost sshd[27565]: pam_unix(sshd:session): session closed for user esatwww



Am I overlooking anything very obvious here?


Configure your syslog server to get logging in the jail. The error messages are usually pretty self-explanatory.

regards,
  Olivier




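The three things the thread turns on (how a process can tell whether it holds CAP_SYS_CHROOT rather than testing geteuid()==0, the missing /dev/log that leaves the jailed tools silent, and the "not owned by group" warning from jk_chrootsh) can be checked with a small shell script. The script below is an added example, not jailkit's code and not from either poster; it assumes a Linux host with /proc, the capability bit number 18 for CAP_SYS_CHROOT (from <linux/capability.h>), and a jail laid out like Igor's (etc/passwd and etc/jailkit/jk_lsh.ini inside the jail root). The function names and the sample jail built in the usage note are the example's own.

```shell
#!/bin/sh
# Added example (not jailkit code). Assumes Linux (/proc/<pid>/status) and the
# capability numbering from <linux/capability.h>: CAP_SYS_CHROOT is bit 18.

CAP_SYS_CHROOT=18

# cap_bit_set MASK BIT
# MASK is a hex capability set exactly as /proc/<pid>/status prints it
# (CapEff, CapPrm, CapInh, CapBnd). Prints "yes" if BIT is set, else "no".
cap_bit_set() {
    mask=$1; bit=$2
    if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# proc_has_cap BIT
# Does the calling process hold BIT in its *effective* set? This is the test a
# setcap'd (non-setuid) jk_chrootsh would need instead of geteuid()==0.
proc_has_cap() {
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    cap_bit_set "$capeff" "$1"
}

# jail_check JAIL GID
# Reports the problems seen in the thread and returns their count (0 = clean):
#   - executables listed in etc/jailkit/jk_lsh.ini that are not in the jail
#   - no dev/log socket (jailed jk_lsh/sftp-server cannot reach syslog)
#   - a home directory (from etc/passwd, for users with primary group GID)
#     that is not group-owned by GID, which is what jk_chrootsh warned about
jail_check() {
    jail=$1; gid=$2; problems=0
    ini="$jail/etc/jailkit/jk_lsh.ini"
    for exe in $(sed -n 's/^executables[[:space:]]*=[[:space:]]*//p' "$ini" | tr ',' ' '); do
        if [ ! -x "$jail$exe" ]; then
            echo "missing executable: $jail$exe"
            problems=$((problems + 1))
        fi
    done
    if [ ! -S "$jail/dev/log" ]; then
        echo "no syslog socket: $jail/dev/log (jailed tools will log nothing)"
        problems=$((problems + 1))
    fi
    # ls -ldn is POSIX: field 4 is the numeric gid of the directory.
    for home in $(awk -F: -v g="$gid" '$4 == g {print $6}' "$jail/etc/passwd"); do
        owner=$(ls -ldn "$jail$home" 2>/dev/null | awk '{print $4}')
        if [ "$owner" != "$gid" ]; then
            echo "home $jail$home is not group-owned by $gid (got ${owner:-none})"
            problems=$((problems + 1))
        fi
    done
    return $problems
}
```

Usage: `proc_has_cap $CAP_SYS_CHROOT` answers Olivier's question from inside the process; for the file itself, libcap's `getcap /opt/bw/sbin/jk_chrootsh` shows whether the `cap_sys_chroot=ep` set by Igor's setcap call is still attached (a later chmod or copy can silently drop it). `jail_check /srv/web/esotericsystems.at/www 21001` run against Igor's tree would flag the missing dev/log and the htdocs group ownership that the auth.log entries complain about. Note that the script only verifies that listed binaries exist; it does not chase their shared-library dependencies, so pair it with `ldd` on each binary inside the jail.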