# Chrooting SSH

## Ph0eniX

Hi,

I followed this guide:

http://gentoo.linuxhowtos.org/openssh/chrootedssh.htm

...but for some reason when I try to log in as a chroot'ed user, I get disconnected immediately.  The logs indicate that I'm authenticating OK.  Any ideas?

Thank you!

----------

## Hu

Does the chroot contain all libraries required to run the shell?  Use dev-util/strace to monitor the new process to find out what happens after authentication.

----------

## Ph0eniX

I emerged strace but I'm not sure how to use it.

Thanks!

----------

## Ph0eniX

*Ph0eniX wrote:*

> I emerged strace but I'm not sure how to use it.
>
> Thanks!

It looks like I was missing some libraries because I was unable to chroot to the jail environment from the main environment.

Now if I do:

```
chroot /home/chroot /bin/bash
```

...I'm actually getting a bash prompt.  SSH still disconnects me though.  

I tried adding:

```
Match user username
        ChrootDirectory /home/chroot/home/username
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
```

...to sshd_config (because one of the guides I saw had said to do that) but I'm getting:

```
/etc/ssh/sshd_config line 127: Directive 'ChrootDirectory' is not allowed within a Match block
```

...when I restart SSH.  What am I doing wrong?

Thank you!

----------

## Ph0eniX

I found out that OpenSSH 4.9 and higher include chroot without the need for special hacks so I updated to 5.1 and Voila!  I just made the following changes to the sshd_config:

```
Subsystem       sftp    internal-sftp

Match Group sftponly
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no
```

...created a user whose primary group is sftponly and it's actually working!!!

----------

## myha

Hi,

I am struggling with this but for some reason it is not working...?

Here is the relevant part of sshd_config:

```
# override default of no subsystems
# Subsystem   sftp   internal-sftp
Subsystem       sftp    /usr/lib/misc/sftp-server

Match User test
#   ForceCommand internal-sftp
    ChrootDirectory /home/%u
```

```
server ~ # ls -l /home/
drwxr-xr-x  3 root  root  192 Nov  3 10:49 test
```

If root is the owner of /home/test/ I get the following response:

```
/bin/bash: No such file or directory
```

If test is the owner of /home/test I get:

```
sshd[4969]: fatal: bad ownership or modes for chroot directory "/home/test"
```

I tried all combinations but cannot get it working... If I uncomment the ForceCommand it hangs when I enter the password.

Any ideas?

EDIT: And the OpenSSH version & flags:

```
[ebuild   R   ] net-misc/openssh-5.1_p1-r1  USE="pam tcpd -X -X509 -hpn -kerberos -ldap -libedit (-selinux) -skey -smartcard -static" 0 kB
```

----------

## myha

And here is the debug output of the hung session (which I believe is the closest one):

```
sshd   sshd[5686]: debug1: session_new: session 0
sshd   sshd[5686]: User child is on pid 5690
sshd   sshd[5690]: debug1: PAM: establishing credentials
sshd   sshd[5686]: pam_unix(sshd:session): session opened for user test by (uid=0)
sshd   sshd[5686]: debug1: PAM: establishing credentials
sshd   sshd[5686]: debug1: monitor_child_preauth: test has been authenticated by privileged process
sshd   sshd[5686]: Accepted keyboard-interactive/pam for test from 10.12.136.158 port 55992 ssh2
sshd   sshd[5686]: debug1: do_pam_account: called
sshd   sshd[5686]: debug1: PAM: num PAM env strings 0
sshd   sshd[5689]: debug1: do_pam_account: called
sshd   sshd[5686]: Failed publickey for test from 10.12.136.158 port 55992 ssh2
sshd   sshd[5686]: debug1: restore_uid: 0/0
sshd   sshd[5686]: debug1: trying public key file /home/test/.ssh/authorized_keys2
sshd   sshd[5686]: debug1: temporarily_use_uid: 1005/1008 (e=0/0)
sshd   sshd[5686]: debug1: restore_uid: 0/0
sshd   sshd[5686]: debug1: trying public key file /home/test/.ssh/authorized_keys
sshd   sshd[5686]: debug1: temporarily_use_uid: 1005/1008 (e=0/0)
sshd   sshd[5686]: debug1: PAM: setting PAM_TTY to "ssh"
sshd   sshd[5686]: debug1: PAM: setting PAM_RHOST to "10.12.136.158"
sshd   sshd[5686]: debug1: PAM: initializing for "test"
sshd   sshd[5686]: debug1: user test matched 'User test' at line 118
sshd   sshd[5686]: debug1: Local version string SSH-2.0-OpenSSH_5.1
sshd   sshd[5686]: debug1: Enabling compatibility mode for protocol 2.0
sshd   sshd[5686]: debug1: match: OpenSSH_5.1 pat OpenSSH*
sshd   sshd[5686]: debug1: Client protocol version 2.0; client software version OpenSSH_5.1
sshd   sshd[5686]: Connection from 10.12.136.158 port 55992
sshd   sshd[5686]: debug1: inetd sockets after dupping: 3, 3
sshd   sshd[5674]: debug1: Forked child 5686.
sshd   sshd[5686]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
```

----------

