# [Worked around] sshd chroot jail (gentoo hardened)

## Rob101

All,

I'm having some trouble running sshd in a chroot jail for sftp protection.

I'm using gentoo hardened, with selinux in permissive mode, sshd version OpenSSH_5.2p1.

I think I'm running into the problem described here: http://archive.netbsd.se/?ml=openssh-unix-dev&a=2008-05&t=7467381, that has presumably been fixed in sshd for some time.

The error message I get in /var/log/auth.log is:

```
Dec 16 17:50:50 www sshd[2208]: Accepted keyboard-interactive/pam for hjsimpson from 10.0.0.2 port 4937 ssh2
Dec 16 17:50:50 www sshd[2208]: pam_unix(sshd:session): session opened for user hjsimpson by (uid=0)
Dec 16 17:50:50 www sshd[2208]: pam_selinux(sshd:session): pam: default-context=user_u:user_r:user_crontab_t selected-context=user_u:user_r:user_crontab_t success 1
Dec 16 17:50:50 www sshd[2215]: fatal: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed
Dec 16 17:50:50 www sshd[2208]: pam_unix(sshd:session): session closed for user hjsimpson
```

(specifically, the 'fatal' is where the problem is.)

The sshd config:

```
Protocol 2
AllowGroups remotelogin
PermitRootLogin no
MaxAuthTries 1
PasswordAuthentication no
UsePAM yes
X11Forwarding yes
TCPKeepAlive yes
Subsystem       sftp    internal-sftp

Match User hjsimpson
    ChrootDirectory /home
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
```

Advice on bugs.gentoo says use pam_chroot - isn't that what the ChrootDirectory config parameter does?

https://bugs.gentoo.org/show_bug.cgi?id=26615#c26

Mounting an additional /selinux at /home/selinux is permitted by the kernel; however, it does not alleviate the problem.

Does anyone have any suggestions?

Further, is Pure-ftpd regarded well as a secure, stable file x-fer server?

Happy to include emerge --info if requested.

Cheers, Rob

Last edited by Rob101 on Mon Dec 28, 2009 12:23 am; edited 1 time in total

----------

## richard.scott

I think you may need to change this:

```
ChrootDirectory /home
```

to the user's chrooted directory:

```
ChrootDirectory /home/hjsimpson
```

For some reason this is different on my system to the user's home directory listed in /etc/passwd... not sure why but I seem to remember there was a reason... I guess you could create a sub directory and point it to that:

```
ChrootDirectory /home/hjsimpson/chroot
```

EDIT: I think I created a 2nd directory so the remote user couldn't change anything in the .ssh directory.

Rich.

----------

## Rob101

Richard,

Thank you for your considered response. I think there is some great wisdom in having a $home/chroot dir.

I'm not sure though, are you running USE=selinux and not seeing the fault described?

If you are, then I've got a bigger problem than I thought?!

Rob

----------

## richard.scott

Hi Rob,

Nope, sorry I don't run any selinux systems yet.... thought it may be a misconfigured server causing problems with the selinux rules.

Rich

----------

## Rob101

Does anyone else have any ideas?

Can I compile a non-selinux aware sshd on this box and use that?

(not forgetting that I'm running selinux in permissive mode.)

----------

## richard.scott

Why not try rebooting with "selinux=0" on the command line (if you've configured your kernel for that to work).

Perhaps that way, you could test it without selinux??

----------

## Rob101

I'm sorry for the late response, thank you, I will try tomorrow.

At this time I can't down the server.

----------

## Rob101

Richard,

Disabling selinux at boot time by passing the parameter 'selinux=0' to the kernel permits sshd to correctly chroot into the /home directory.

By design, sshd will not permit chrooting into /home/hjsimpson - which is fine by me.

This might imply that it is indeed the selinux detection code in opensshd that is not operating correctly, as the referenced post comments.

I'll try to write up a bug report soon.

Rob

----------
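The "by design" refusal Rob mentions in his last post, and the reason Richard's answer points ChrootDirectory at a separate subdirectory rather than at the home directory itself, both come from the same sshd rule: every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others (sshd_config(5) documents this). The audit helper below is an added example, not code from this thread or from OpenSSH; it re-implements that path walk so an administrator can check a candidate chroot such as /home/hjsimpson/chroot before editing the Match block. It assumes GNU coreutils stat (-c). The optional second and third arguments (stop directory, expected owner uid) exist only so the function can be exercised on a scratch tree; for a real audit leave them at their defaults of / and 0.

```shell
#!/bin/sh
# check_chroot_path PATH [STOP] [OWNER_UID]
#   Walks from PATH up to STOP (default "/") and reports every component that
#   would make sshd reject PATH as a ChrootDirectory: not a directory, not owned
#   by OWNER_UID (default 0 = root), or writable by group or others.
#   Returns 0 if every component passes, 1 otherwise.
# Added example (hypothetical helper), not sshd's own code.
check_chroot_path() {
    path=$1
    stop=${2:-/}
    owner=${3:-0}
    status=0
    d=$path
    while :; do
        if [ ! -d "$d" ]; then
            echo "BAD  $d: not a directory"
            status=1
        else
            uid=$(stat -c '%u' "$d")
            mode=$(stat -c '%A' "$d")           # e.g. drwxr-xr-x
            gw=$(printf '%s' "$mode" | cut -c6) # group write bit
            ow=$(printf '%s' "$mode" | cut -c9) # other write bit
            if [ "$uid" != "$owner" ]; then
                echo "BAD  $d: owned by uid $uid, expected $owner"
                status=1
            elif [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
                echo "BAD  $d: mode $mode is group/world writable"
                status=1
            else
                echo "ok   $d"
            fi
        fi
        [ "$d" = "$stop" ] && break
        parent=$(dirname "$d")
        [ "$parent" = "$d" ] && break   # reached "/" without meeting $stop
        d=$parent
    done
    return $status
}

# Stand-alone use: audit the directory from Richard's suggestion.
# A user-owned /home/hjsimpson fails the owner test, which is exactly why
# sshd refuses it and why a root-owned subdirectory is the usual fix.
if [ "${1:-}" != "" ]; then
    check_chroot_path "$1"
fi
```

A path that passes this check still needs the user's writable upload area (for example an `uploads/` directory owned by hjsimpson) created inside the root-owned chroot, since the chroot itself must stay unwritable to the user.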

