SSH/CVS Chroot

Sam Varshavchik mrsam at courier-mta.com
Fri May 20 20:18:23 UTC 2005


Yang Xiao writes:

> Hi all,
> I'm trying to build a CVS server with SSH chroot following this link
> on a FC2 box
> http://www.grack.com/news/FedoraCore3RunningCVSinac.html.
> 
> I can't even seem to get SSH chroot to work, the document says all I
> need to do is to add the pam_chroot.so to /etc/pam.d/sshd and add the
> user names to /etc/security/chroot.conf, but this doesn't seem to
> work.
> Any hints and help are appreciated.

Everything a chrooted program needs must, obviously, be in your chroot jail 
environment.

For example, sshd loads all of the following libraries:

# ldd /usr/sbin/sshd
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00a77000)
        libpam.so.0 => /lib/libpam.so.0 (0x00a6d000)
        libdl.so.2 => /lib/libdl.so.2 (0x00a67000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00afa000)
        libutil.so.1 => /lib/libutil.so.1 (0x00a97000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00aa4000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00b0f000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x00cd4000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00b26000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00c64000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x00a92000)
        libc.so.6 => /lib/tls/libc.so.6 (0x00949000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00930000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00b90000)

All of these libraries must, obviously, exist in your chrooted environment, 
otherwise sshd can't possibly start.

And that's just the beginning.  Everything sshd could possibly touch must 
also be in your chroot jail.  sshd's man page lists a lot of files that sshd 
might need, but I'm sure there's plenty more stuff that's not documented.

It's probably easier to configure sshd to allow cert authentication only, 
then patch it so that it always executes cvs, ignoring whatever command the 
ssh client wants sshd to run, then patch cvs to chroot itself into a jail.

It's very easy to patch cvs to come up in a chrooted jail.


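As an added example (not from Sam's message or the linked document), here is a POSIX shell script that turns an ldd listing like the one above into a populated jail: it extracts the library paths from ldd output and copies them into the jail directory with the host's layout. The function names are my own; the sample ldd lines are copied from the message, and the linux-gate line is a constructed addition to show a pseudo-library being skipped.

```shell
#!/bin/sh
# Added example: copy the shared libraries a binary loads into a chroot jail.
# Assumes GNU ldd output of the form "name => /path (0xaddr)", as quoted above.
# Note that ldd only covers libraries; config files, devices and the other
# files listed in sshd's man page still have to be added by hand.

# Read ldd output on stdin and print one absolute library path per line.
# Pseudo-libraries such as linux-gate.so.1 have no file and are skipped.
ldd_paths() {
    awk '
        /=>/ { if ($3 ~ /^\//) print $3; next }   # "lib => /path (0x...)"
        $1 ~ /^\// { print $1 }                   # "/path (0x...)" form
    '
}

# Copy each path read from stdin into the jail given as $1, recreating the
# directory layout so /lib/libpam.so.0 lands at $1/lib/libpam.so.0.
# Prints the number of files actually copied.
copy_into_jail() {
    jail=$1
    n=0
    while IFS= read -r f; do
        [ -f "$f" ] || { echo "missing on host: $f" >&2; continue; }
        mkdir -p "$jail$(dirname "$f")"
        cp -p "$f" "$jail$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Build the jail for one binary: its libraries plus the binary itself.
# Usage: populate_jail /srv/jail /usr/sbin/sshd
populate_jail() {
    jail=$1
    bin=$2
    { ldd "$bin" | ldd_paths; echo "$bin"; } | copy_into_jail "$jail"
}

# Constructed sample: the first lines of the ldd output quoted in the thread,
# plus a linux-gate entry that has no backing file.
SAMPLE_LDD='        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00a77000)
        libpam.so.0 => /lib/libpam.so.0 (0x00a6d000)
        linux-gate.so.1 =>  (0x00110000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00930000)'

# Show which host files the sample listing would pull into the jail.
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
```

Run `populate_jail /srv/jail /usr/sbin/sshd` as root to copy sshd and its libraries; anything reported as missing on the host is a line ldd printed without a resolvable file.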