September 23, 2008
SSH + pam_chroot
I've been trying to get pam_chroot to work with ssh. There are a few little things to do to get it to work.
- Install pam_chroot and set your chroot. See http://singe.za.net/blog/archives/378-Linux-SSH-Jail-with-pam_chroot.html
- Set UsePrivilegeSeparation to "no" in sshd_config and restart sshd.
- Add the pam_chroot line to /etc/pam.d/ssh as well as /etc/pam.d/login.
- Make sure there's a /tmp dir in your chroot. If not, create it: mkdir -m 1777 $CHROOTDIR/tmp
- Make sure you have the libs to execute your shell inside the chroot. A bit of a barbarian way to do that (adapt to your shell) is:
cp $(ldd /bin/bash | sed -e "s/.* => \([^\)]*\) .*/\1/") $CHROOTDIR/lib/
If you need to debug:
- Turn on debug in the pam_chroot line of /etc/pam.d/ssh. This will display the debug messages in /var/log/auth.log on Debian.
- Turn on debug in sshd ('SSHD_OPTS="-d"' in /etc/default/ssh) and restart sshd.
- Use verbose on your ssh client.
- Check the logs inside the chroot too, if you have syslogging on.
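The library and /tmp steps above, as an added example that is not from the original post or from pam_chroot: a POSIX sh script that parses ldd output properly (the post's one-liner passes lines without "=>" through unchanged, so cp receives tokens such as linux-vdso.so.1 and "(0x...)", and it drops the dynamic loader's bare-path line), copies each library to the same directory inside the jail so the loader finds it where it expects, and creates /tmp with mode 1777. The chroot directory and shell path are assumed arguments; the sample ldd lines in the comments are constructed. One caveat for anyone following the post today: UsePrivilegeSeparation was removed from OpenSSH in 7.5, and current releases offer ChrootDirectory in sshd_config, so the sshd change in the post applies only to the OpenSSH of its time.

```shell
#!/bin/sh
# Added example (not from the original post): populate a chroot with a shell,
# the libraries it links against, and a sticky /tmp.

# Read ldd output on stdin and print only the library paths that exist on disk.
# ldd prints three line shapes (constructed samples):
#   linux-vdso.so.1 (0x00007ffd...)                        -> no file, skipped
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)   -> path after "=>"
#   /lib64/ld-linux-x86-64.so.2 (0x...)                    -> bare absolute path
# A "libfoo.so => not found" line yields nothing, since "not" is not a path.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }   # "name => /path (addr)"
        $1 ~ /^\//              { print $1 }          # "/path (addr)"
    '
}

# Copy each path read on stdin into the chroot, recreating its directory
# (e.g. /lib/x86_64-linux-gnu) so the dynamic loader resolves the same path.
install_libs() {
    chroot_dir=$1
    while IFS= read -r lib; do
        dest="$chroot_dir$(dirname "$lib")"
        mkdir -p "$dest"
        cp -L "$lib" "$dest/"    # -L: copy the real file, not a dangling symlink
    done
}

# The /tmp the post says the chroot needs, world-writable with the sticky bit.
ensure_tmp() {
    mkdir -p "$1/tmp" && chmod 1777 "$1/tmp"
}

# Put the shell and everything it links against into the chroot.
# Usage: install_shell_chroot /srv/jail /bin/bash   (both are assumed paths)
install_shell_chroot() {
    chroot_dir=$1
    shell=${2:-/bin/bash}
    mkdir -p "$chroot_dir$(dirname "$shell")"
    cp -L "$shell" "$chroot_dir$shell"
    ldd "$shell" | ldd_paths | install_libs "$chroot_dir"
    ensure_tmp "$chroot_dir"
}
```

Run it as root with the jail directory and the shell you configured in pam_chroot; a quick check afterwards is `chroot "$CHROOTDIR" /bin/bash -c 'echo ok'`, which fails with "No such file or directory" if the loader or a library is still missing.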
2 comments:
Much simpler than your crazy sed regex:
ldd /bin/bash | awk '{if ($3 ~ "\.so\.") print $3}'
Also faster in microbenchmarks because it doesn't do as much work.
That's quite nice. Thanks Jeff.
Being faster is not very important in this case since this is just a one-shot configuration command, but it's surely a bit cleaner, although my version of awk complains that "\.so\." will be treated as ".so.".
Thanks for your comment.