# sftp+rssh+chroot not working, /dev/null problem [solved]

## pavel.stratil

Hi, I followed the guide at http://gentoo-wiki.com/HOWTO_SFTP_Server_%28chrooted%2C_without_shell%29 to set up a chrooted sftp without a shell.. unfortunately, I keep getting the "connection closed" problem mentioned in the wiki..

```
pavel@localhost ~ $ sftp -oPort=21 myuser@server.com
Connecting to server.com...
Password: 
Connection closed
```

What I did was this:

```
emerge rssh
echo /usr/bin/rssh >> /etc/shells
# edit /etc/rssh.conf
#
# logfacility = LOG_USER
# allowscp
# allowsftp 
# umask = 022 
# create default chroot user in /var/www/localhost/defchroot
DEFCHROOTNAME="myuser"
mkdir -p /var/www/localhost/defchroot
cd /var/www/localhost/defchroot
mkdir -p {usr,usr/bin,usr/libexec,usr/lib,usr/lib/misc,lib,dev}
mknod -m 666 dev/null c 1 3
cp /usr/bin/{scp,rssh} usr/bin 
cp /usr/lib/misc/{sftp-server,rssh_chroot_helper} usr/lib/misc
cp /lib/{libcrypt.so.1,ld-linux.so.2,libnss_compat.so.2} lib
ln -s lib lib64
cd usr; ln -s lib lib64; cd ..
chmod u+s usr/lib/misc/rssh_chroot_helper
ls -alh usr/lib/misc/rssh_chroot_helper
for f in `ldd /usr/bin/rssh /usr/lib/misc/rssh_chroot_helper /usr/lib/misc/sftp-server /usr/bin/scp | sed -ne's/.*=> \([^ ]*\).*/\1/p' | sort -u | grep -v "^$"`; do echo "Copying $f to /var/www/localhost/defchroot${f}"; cp $f /var/www/localhost/defchroot${f}; done
useradd -d /var/www/localhost/defchroot -s /usr/bin/rssh -G users ${DEFCHROOTNAME}
passwd ${DEFCHROOTNAME}
echo "user=${DEFCHROOTNAME}:077:00010:/var/www/localhost/defchroot" >> /etc/rssh.conf
mkdir /var/www/localhost/defchroot/htdocs
chown ${DEFCHROOTNAME}:users /var/www/localhost/defchroot/htdocs
mkdir etc; cp /etc/{passwd,group} etc
```

which is basically everything the wiki suggests to get this running...

but I still get the connection closed error.. auth.log isn't very helpful here:

```
Dec 12 08:58:47 pool2 sshd[6053]: Accepted keyboard-interactive/pam for myuser from xxx.xxx.xxx.xxx port 2014 ssh2
Dec 12 08:58:47 pool2 sshd[6056]: pam_unix(sshd:session): session opened for user myuser by (uid=0)
Dec 12 08:58:47 pool2 sshd[6056]: subsystem request for sftp
Dec 12 08:58:47 pool2 sshd[6056]: pam_unix(sshd:session): session closed for user myuser
```

Using pam_tally ...

```
pool2 ~ # cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
# after 4 unsuccessful login attempts lock out user for 5 minutes
auth       required   pam_tally.so onerr=fail deny=4 unlock_time=300
account    required   pam_tally.so onerr=fail
```

The problem seems to be here:

```
pool2 ~ # tail -n 19 /var/log/syslog
Dec 12 08:58:47 pool2 sshd[6053]: Accepted keyboard-interactive/pam for myuser from xxx.xxx.xxx.xxx port 2014 ssh2
Dec 12 08:58:47 pool2 sshd[6056]: subsystem request for sftp
Dec 12 08:58:47 pool2 rssh[6057]: setting log facility to LOG_USER
Dec 12 08:58:47 pool2 rssh[6057]: allowing scp to all users
Dec 12 08:58:47 pool2 rssh[6057]: allowing sftp to all users
Dec 12 08:58:47 pool2 rssh[6057]: setting umask to 022
Dec 12 08:58:47 pool2 rssh[6057]: line 54: configuring user myuser
Dec 12 08:58:47 pool2 rssh[6057]: setting myuser's umask to 077
Dec 12 08:58:47 pool2 rssh[6057]: allowing sftp to user myuser
Dec 12 08:58:47 pool2 rssh[6057]: chrooting myuser to /var/www/localhost/defchroot
Dec 12 08:58:47 pool2 rssh[6057]: chroot cmd line: /usr/lib64/misc/rssh_chroot_helper 2 "/usr/lib64/misc/sftp-server"
Dec 12 07:58:47 pool2 rssh_chroot_helper[6057]: new session for myuser, UID=1004
Dec 12 07:58:47 pool2 rssh_chroot_helper[6057]: user's home dir is /var/www/localhost/defchroot
Dec 12 07:58:47 pool2 rssh_chroot_helper[6057]: couldn't find /var/www/localhost/defchroot in chroot jail
Dec 12 07:58:47 pool2 rssh_chroot_helper[6057]: chrooted to /var/www/localhost/defchroot
Dec 12 07:58:47 pool2 rssh_chroot_helper[6057]: changing working directory to / (inside jail)
Dec 12 07:58:47 pool2 rssh_chroot_helper[6057]: execv() failed, /usr/lib64/misc/sftp-server: No such file or directory
```

which is kinda weird because

```
pool2 ~ # ls -ahl /var/www/localhost/defchroot/usr/lib64/misc
total 100K
drwxr-xr-x 2 root root 4.0K Dec 11 20:34 .
drwxr-xr-x 3 root root 4.0K Dec 11 20:34 ..
-rwsr-xr-x 1 root root  26K Dec 11 20:34 rssh_chroot_helper
-rwxr-xr-x 1 root root  59K Dec 11 20:34 sftp-server
```

What am I missing?

TIA, Pavel

----------

## pumpichank

I can't help a whole lot because I don't have a 64bit box, but be sure you have an etc/group and etc/passwd in your chroot. IIRC that's one problem described at the bottom of that wiki page that could cause your problems.

Oh, and I built rssh statically with the 'static' USE flag. Maybe that will help you too.

Good luck!

----------

## pavel.stratil

Thanks! I've already tried

> mkdir etc; cp /etc/{passwd,group} etc

but unfortunately it didn't help.. I'll try to build rssh statically ... maybe that'll do it! Thanks for taking the time to reply

----------

## pavel.stratil

Well, what I tried now was to add bash to the chroot and see what happens myself...

```
pool2 defchroot # chroot /var/www/localhost/defchroot /bin/bash
bash-3.2# /usr/lib64/misc/sftp-server
Couldn't open /dev/null: Permission deniedbash-3.2# exit
exit
pool2 defchroot # ls -ahl /dev/null
crw-rw-rw- 1 root root 1, 3 Dec 12 09:30 /dev/null
pool2 defchroot # ls -ahl dev/null
crw-rw-rw- 1 root root 1, 3 Dec 12 20:53 dev/null
```

.. I created the null device as suggested with

```
mkdir /your/chroot/dir/dev
mknod -m 666 /your/chroot/dir/dev/null c 1 3
```

Any hints?

----------

## pumpichank

I wish I could give more guidance.

Here's what I have in my chroot's dev:

```
total 0
srw-rw-rw- 1 root root    0 Dec 10 03:10 log=
crw-rw-rw- 1 root root 1, 3 Jan  3  2007 null
```

----------

## pavel.stratil

I straced the sftp-server binary with the following result...

```
pool2 defchroot # cat strace.log | grep open
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/usr/lib/libssl.so.0.9.8", O_RDONLY) = 3
open("/usr/lib/libcrypto.so.0.9.8", O_RDONLY) = 3
open("/lib/libdl.so.2", O_RDONLY)       = 3
open("/lib/libutil.so.1", O_RDONLY)     = 3
open("/lib/libz.so.1", O_RDONLY)        = 3
open("/lib/libnsl.so.1", O_RDONLY)      = 3
open("/lib/libcrypt.so.1", O_RDONLY)    = 3
open("/lib/libresolv.so.2", O_RDONLY)   = 3
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/dev/urandom", O_RDONLY)          = 3
open("/dev/null", O_RDWR)               = 3
open("/etc/nsswitch.conf", O_RDONLY)    = 3
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libnss_compat.so.2", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libnss_nis.so.2", O_RDONLY)  = 3
open("/lib/libnss_files.so.2", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY)           = 3
open("/etc/localtime", O_RDONLY)        = 5
```

... so I added what could have been missing...

```
rsync -a /dev/urandom dev
cp /etc/ld.so.cache etc
cp /etc/nsswitch.conf etc
cp /lib/libnss_nis.so.2 lib
cp /lib/libnss_files.so.2 lib
cp /etc/localtime etc
```

Didn't help.

----------

## pavel.stratil

I copied all libs needed for the following to work...

```
pool2 defchroot # ls -ahl /var/www/localhost/defchroot/bin
total 2.1M
drwxr-xr-x 2 root      root  4.0K Dec 12 23:25 .
drwxrwxrwx 9 myuser users 4.0K Dec 12 22:42 ..
-rwxr-xr-x 1 root      root  962K Dec 12 22:41 bash
-rwxr-xr-x 1 root      root   22K Dec 12 23:25 echo
-rwxr-xr-x 1 root      root  107K Dec 12 23:22 ls
-rwxr-xr-x 1 root      root  962K Dec 12 22:41 sh
```

```
pool2 defchroot # chroot /var/www/localhost/defchroot /bin/bash
bash-3.2# ls -ahl /dev/null
crw-rw-rw- 1 root root 1, 3 Dec 12 22:22 /dev/null
bash-3.2# echo bla > /dev/null
bash: /dev/null: Permission denied
bash-3.2# exit
exit
```

Now what the heck is this supposed to mean?

----------

## pavel.stratil

I forgot that I mount /var/www with the nodev option...

So changing /etc/fstab

```
/dev/vg/varwww         /var/www           ext3  noatime,nosuid,nodev              1 2
```

to

```
/dev/vg/varwww         /var/www           ext3  noatime,nosuid              1 2
```

and remounting manually helped...
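An added pre-flight check script, not from this thread or from rssh, that would have caught the cause found here before the first login: it reads /proc/mounts to see whether the jail sits on a nodev mount, tests that the jail's dev/null is a writable character device, and lists the shared libraries the jailed binaries need but the jail lacks. The jail and binary paths are the ones from this thread; the optional second argument to mount_opts_for (an alternative mounts file) is an assumption added for testing.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for an rssh chroot jail.
# The thread's failure ("Couldn't open /dev/null: Permission denied") was the jail
# sitting on a filesystem mounted "nodev", which makes every device node inside unusable.
# opts_have_nodev OPTS: succeed when a comma-separated mount option list has "nodev".
opts_have_nodev() {
    case ",$1," in
        *,nodev,*) return 0 ;;
        *)         return 1 ;;
    esac
}
# mount_opts_for PATH [MOUNTS_FILE]: print the option field of the /proc/mounts entry
# whose mountpoint is the longest prefix of PATH, i.e. the filesystem that holds it.
# On a tie the later entry wins (rootfs and the real root both appear as "/").
mount_opts_for() {
    awk -v p="$1" '
        $2 == "/" || $2 == p || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); o = $4 }
        }
        END { print o }' "${2:-/proc/mounts}"
}
# devnull_ok JAIL: succeed when JAIL/dev/null is a character device we can write to,
# which is exactly what "echo bla > /dev/null" inside the chroot tested above.
devnull_ok() {
    [ -c "$1/dev/null" ] && : > "$1/dev/null" 2>/dev/null
}
# missing_libs JAIL BIN...: print host library paths BIN needs that JAIL lacks.
# Unlike the wiki's ldd|sed loop this also catches the dynamic loader line
# ("/lib/ld-linux.so.2 (0x...)"), which has no "=>" and so that sed skipped it.
missing_libs() {
    jail=$1; shift
    for bin in "$@"; do
        ldd "$bin" 2>/dev/null | sed -n -e 's/.*=> \(\/[^ ]*\).*/\1/p' \
                                       -e 's/^[[:space:]]*\(\/[^ ]*\) (0x.*/\1/p'
    done | sort -u | while read -r lib; do [ -e "$jail$lib" ] || echo "$lib"; done
}
# jail_report JAIL: run all checks; non-zero status if anything would break sftp-server.
jail_report() {
    rc=0; opts=$(mount_opts_for "$1")
    opts_have_nodev "$opts" && { echo "FAIL: $1 is on a nodev mount ($opts)"; rc=1; }
    devnull_ok "$1" || { echo "FAIL: $1/dev/null missing or not writable"; rc=1; }
    for lib in $(missing_libs "$1" /usr/bin/rssh /usr/bin/scp \
                 /usr/lib/misc/sftp-server /usr/lib/misc/rssh_chroot_helper); do
        echo "FAIL: $lib needed but absent under $1"; rc=1
    done
    return $rc
}
# Usage: sh jailcheck.sh /var/www/localhost/defchroot
[ $# -eq 0 ] || jail_report "$1"
```

Run it as root on the host (not inside the chroot) after populating the jail; a nodev verdict means the fix is the fstab change above, not another copied library.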

----------

