SSH/CVS Chroot
Sam Varshavchik
mrsam at courier-mta.com
Fri May 20 20:18:23 UTC 2005
Yang Xiao writes:
> Hi all,
> I'm trying to build a CVS server with SSH chroot following this link
> on a FC2 box
> http://www.grack.com/news/FedoraCore3RunningCVSinac.html.
>
> I can't even seem to get SSH chroot to work, the document says all I
> need to do is to add the pam_chroot.so to /etc/pam.d/sshd and add the
> user names to /etc/security/chroot.conf, but this doesn't seem to
> work.
> any hints and help are appreciated.
Everything a chrooted program needs must, obviously, be in your chroot jail
environment.
For example, sshd loads all of the following libraries:
# ldd /usr/sbin/sshd
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00a77000)
libpam.so.0 => /lib/libpam.so.0 (0x00a6d000)
libdl.so.2 => /lib/libdl.so.2 (0x00a67000)
libresolv.so.2 => /lib/libresolv.so.2 (0x00afa000)
libutil.so.1 => /lib/libutil.so.1 (0x00a97000)
libz.so.1 => /usr/lib/libz.so.1 (0x00aa4000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00b0f000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x00cd4000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00b26000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00c64000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00a92000)
libc.so.6 => /lib/tls/libc.so.6 (0x00949000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00930000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00b90000)
All of these libraries must, obviously, exist in your chrooted environment,
otherwise sshd can't possibly start.
And that's just the beginning. Everything sshd could possibly touch must
also be in your chroot jail. sshd's man page lists a lot of files that sshd
might need, but I'm sure there's plenty more stuff that's not documented.
It's probably easier to configure sshd to allow cert authentication only,
then patch it so that it always executes cvs, ignoring whatever command the
ssh client wants sshd to run, then patch cvs to chroot itself into a jail.
It's very easy to patch cvs to come up in a chrooted jail.
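Sam's first point, that every library in the ldd listing (and anything else the program opens) has to exist at the same path inside the jail, is mechanical enough to script. The POSIX shell script below is an added example and not code from this thread or from the sshd or cvs projects: it parses ldd output for a binary, copies the binary and each resolved shared object to the same path under the jail, and reports anything still missing, which is the usual reason a jailed program dies with "No such file or directory". The jail path /var/jail/cvs and the file name build-jail.sh are assumptions for illustration. The script only populates the directory; entering it (chroot(2) from a patched cvs as Sam suggests, or chroot(8) as root) is a separate step, and whatever enters it should chdir to the new root and drop root privileges afterwards, since a process that stays root inside a chroot can leave it. For the "always run cvs regardless of the requested command" part, the command="..." option in authorized_keys(5) pins a key to one command without patching sshd.

```shell
#!/bin/sh
# Added example, not from the original post: build a chroot jail holding a
# binary plus every shared library ldd resolves for it. Jail path and
# binary are arguments; the defaults in the lead-in are assumptions.
set -eu

# Print the absolute path of each shared object ldd resolves for $1.
# Pseudo-entries such as linux-vdso.so.1 have no path and are skipped;
# a statically linked binary yields nothing.
jail_deps() {
    ldd "$1" 2>/dev/null | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\//) { print $i; break }
    }'
}

# Copy one file into the jail at the same path, creating its parent
# directory. ldd reports the name the loader opens (e.g. libc.so.6, often
# a symlink); cp follows the link, so the jail gets a regular file under
# exactly that name.
jail_copy() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp "$src" "$jail$src"
}

# Populate jail $1 with binary $2 and all of its libraries, then verify.
# Returns non-zero if any dependency is still missing from the jail.
populate_jail() {
    jail=$1; bin=$2
    jail_copy "$jail" "$bin"
    for lib in $(jail_deps "$bin"); do
        jail_copy "$jail" "$lib"
    done
    missing=0
    for lib in $(jail_deps "$bin"); do
        [ -e "$jail$lib" ] || { echo "missing: $lib" >&2; missing=1; }
    done
    return $missing
}

# Usage: sh build-jail.sh /var/jail/cvs /usr/bin/cvs   (paths assumed)
# Entering the jail needs root; chroot(8) here only demonstrates that the
# copied binary actually starts inside it.
if [ "$#" -ge 2 ]; then
    populate_jail "$1" "$2"
    if [ "$(id -u)" -eq 0 ]; then
        chroot "$1" "$2" --version
    else
        echo "jail populated at $1; run chroot(8) as root to test it" >&2
    fi
fi
```

Libraries are only the first layer: anything the program opens at run time (name-service files, /dev/null, Kerberos and PAM configuration in sshd's case) has to be copied in the same way, which is exactly why Sam prefers jailing cvs rather than sshd.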