Comments on: Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only

By: Rick

Rick — Fri, 04 Nov 2011 02:10:34 +0000

Feel the exact same why *sigh* but client gets what client wants.

By: Loshen

Loshen — Mon, 12 Sep 2011 08:40:27 +0000

In version 5, jailing is now natively supported.
The problem is that SSH with centos 5.5 lower came with ssh 4.8 < .
So if you upgrade you will automatically get Jailing.
I followed these instructions. http://adamsworld.name/chrootjailv5.php

By: Gustavo

Gustavo — Sat, 10 Sep 2011 03:36:42 +0000

Very good tutorial, I wonder if there is no way to change the message out to access “This account is restricted by rssh.
Allowed commands: scp

If you believe this is in error, please contact your system administrator.
”
For another message.

Thank you for your help. Greetings from Colombia

By: tgutierrez

tgutierrez — Fri, 09 Sep 2011 22:56:16 +0000

Working!!
This work perfectly,at first I’d connection problems but these problems were fixed just adding /chroot/lib64/libnss_files.so.2.
I have RHEL 6

Thanks

By: Solaria

Solaria — Fri, 22 Jul 2011 20:29:52 +0000

Got this working on Solaris, works well. Here are some of the errors encountered, and the solutions:

Error: unknown user xxx

Occurs during SCP. Missing “nss* lib in chroot, copy /lib/nss_files.so.1 to chroot. (Solaris 10)

Error: connection closed

Occurs during SFTP. Missing *ksh* in chroot, copy /bin/ksh and/or /usr/bin/ksh to chroot

Error: connection closed

Occurs during SCP on Solaris 9. Missing *nss* lib in chroot, different library path than in Solaris 10. Copy /usr/lib/nss_files.so.1 to chroot.

Error: rssh_chroot_helper failed, Not owner

/usr/local/libexec/rssh_chroot_helper must be SUID root

Error: user attempted to execute forbidden commands; /usr/lib/ssh/sftp-server

Occurs during SFTP, logged in /var/adm/messages. Target system had both OpenSSH and SolarisSSH, error caused by conflict between rssh config and sshd_config. run ‘/usr/local/bin/rssh -v’ to get sftp server binary path, compare to ‘Subsystem sftp’ path in sshd_config (both config files, OpenSSH and SolarisSSH). Edit sshd_config to match rssh config.

Found a pretty good script file for setting up the chroot on Solaris…

By: Amit

Amit — Fri, 08 Jul 2011 05:22:48 +0000

Try to upgrade openSSH version and enjoy the new inbuilt jailroot system. Much easier.

CyberCiti : please post an article for the same.

By: X

Fri, 08 Jul 2011 02:14:48 +0000

Everyone stuck at:

“… ssh_chroot_helper[4470]: changing working directory to / (inside jail)”

but then getting a refused connection on your sftp client. *Trust other posters* in that it is a library issue… I thought it was bullshit myself and almost gave up hope (no aparent error on my /var/log/syslog). My last resort was to copy all the files in the /lib folder to the /chroot/lib folder. Use the -p and –preserve=link switches so you preserve permissions and links (otherwise linked libraries will be copied as a file…).

cp -v -p -d –preserve=link /lib/* /chroot/lib/

It *will* work… Now it’s a matter of deleting one by one (if you want) and figuring it out the minimum subset required. In my case (Ubuntu 11.04 server):
ld-2.12.1.so
ld-linux-x86-64.so.2
libc-2.12.1.so
libc.so.6
libnsl-2.12.1.so
libnsl.so.1
libnss_compat-2.12.1.so
libnss_compat.so.2

I also followed all previous suggestions in the earlier comments on this site (e.g., adding user to /chroot/etc/passwd… etcetera). Good hunting!

By: Amit

Amit — Tue, 05 Jul 2011 08:10:02 +0000

I am getting this error.. please help

Status: Connected to x.x.x.x
Error: Connection closed by server with exitcode 1
Error: Could not connect to server

By: Greg

Greg — Fri, 20 May 2011 22:24:24 +0000

I also found MySecureShell to be a superior tool to rssh.
It solved the issue that Ivan and Stefan warned about.
Their comments are dated August 22, 2008 & September 2, 2008.

By: Greg

Greg — Thu, 19 May 2011 21:41:42 +0000

When in doubt, verify that the /chroot/dev/null exists. Worked for me.

By: ALEX

ALEX — Tue, 12 Apr 2011 12:09:08 +0000

JP – /libexec is inside /usr. You can remove libexec from your /chroot dir. That probably won’t fix your problem but it could be messing with something. Other than that, I noticed your permissions in /etc are only operational for root. Try giving read permissions on the files in /etc. If that doesn’t work, change it back.

By: Zoltan

Zoltan — Fri, 08 Apr 2011 14:48:20 +0000

ps.: also make sure that your chroot user exists in the chroot/etc/passw file.

By: Zoltan

Zoltan — Fri, 08 Apr 2011 14:47:39 +0000

What you get as a root is not an error, it just tells that the root user’s home directory is not in the chrooted folder. This is expected
It seems your rssh is working with root user, so now you just need to figure out why it’s not working with your chroot user.

Probably one of the necessary lib files, passwd file, sftp-server, rssh_chroot_helper etc file is not readable or executable by that user.
Unfortunately I couldn’t figure out how to get logging activated to see what is missing, so from this point on you just need to check all these files for proper access rights.

By: jp

jp — Fri, 08 Apr 2011 14:01:16 +0000

Hi Zoltan,
I have changed the user permissions on the original rssh_chroot_helper to root:testing and then performed a chmod to reassert the SetUID.
I still get the same error and an extrea one when I do this.
Apr 8 14:55:46 testing-ftp rssh_chroot_helper[5621]: chroot() failed, 2: Operation not permitted
I have run throught the example 3 times and I know I have added more libs than are nessary at this point.
I have already copied /libnss_files.so.2 into the rewlative location as shown in my ls –lR above.
I can’t run the command /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server” as the testing user as the user is not allowed a shell. While trying to run the command as root. I get the following error
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: new session for root, UID=0
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: user’s home dir is /root
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: couldn’t find /root in chroot jail
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: chrooted to /users
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: changing working directory to / (inside jail)
Thanks for your help.

By: Zoltan

Zoltan — Fri, 08 Apr 2011 13:32:56 +0000

Hi JP,
Actually I found another possibe reason.
The rssh_chroot_helper is exeuted from the original folder and not the chrooted one, so you need to make sure that your chroot user has execute access to it.

By: Zoltan

Zoltan — Fri, 08 Apr 2011 11:23:49 +0000

Hi JP,
In my case the solution for the same problem was to add /[chrootedlibrary]/lib64/libnss_files.so.2

But in your case it might be some other lib files missing.

I would try to run /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server”
from shell to see whether I get any error message. You might want to try with different users.

Also if the user (At least the user number )is not in the /chrootlibrary/etc/passwd file, then you will get the same error as above, but when you run it from shell it will tell you that couldn’t find the user id.

I hope it helps

By: jp

jp — Fri, 08 Apr 2011 09:13:06 +0000

1> To get the rssh system to appear in my log. I followed – Paul Mitchell comment and added the following line to the sshd.conf. “Subsystem sftp /usr/libexec/openssh/sftp-server”

After which the following shows up in my /var/log/messages

{code}
Apr 8 09:15:34 test-ftp rssh[11728]: setting log facility to LOG_USER
Apr 8 09:15:34 test-ftp rssh[11728]: allowing scp to all users
Apr 8 09:15:34 test-ftp rssh[11728]: allowing sftp to all users
Apr 8 09:15:34 test-ftp rssh[11728]: setting umask to 022
Apr 8 09:15:34 test-ftp rssh[11728]: chrooting all users to /users
Apr 8 09:15:34 test-ftp rssh[11728]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server”
Apr 8 09:15:34 test-ftp kernel: type=1104 audit(1302250534.943:2545183): user pid=11723 uid=0 auid=526 msg=’PAM: setcred acct=”testing” : exe=”/usr/sbin/sshd” (hostname=XX.XX.XX.XX, addr=XX.XX.XX.XX, terminal=ssh res=success)’
{code}

2> followed – Danilo Mota advise and made my passwd paths in the file relative to the enviroment.

I am still getting the errors above.

3> I copied the nesary files sugested in several comments down. content of my /users folder shown below.

{code}
drwx—— 2 root root 4096 Apr 7 16:56 bin
drwxr-x— 2 root root 4096 Apr 8 09:36 dev
drwx—— 3 root root 4096 Apr 7 16:43 etc
lrwxrwxrwx 1 root root 5 Apr 7 16:40 lib -> lib64
drwxr-xr-x 2 root root 4096 Apr 7 17:02 lib64
drwxr-xr-x 3 root root 4096 Apr 7 13:35 libexec
drwxr-xr-x 2 testing testing 4096 Apr 7 20:57 testing
drwxr-xr-x 5 root root 4096 Apr 7 14:05 usr

./bin:
total 1576
-rwx—— 1 root root 801512 Apr 7 16:56 bash
-rwx—— 1 root root 801512 Apr 7 16:56 sh

./dev:
total 0
srwxr-x— 1 root root 0 Apr 8 09:36 log
crwxr-x— 1 root root 1, 3 Apr 7 13:35 null

./etc:
total 76
-rwx—— 1 root root 36 Apr 8 09:49 group
-rwx—— 1 root root 100 Apr 7 13:37 hosts
-rwx—— 1 root root 47495 Apr 7 15:40 ld.so.cache
-rwx—— 1 root root 280 Apr 7 15:39 ld.so.conf
drwx—— 2 root root 4096 Apr 7 16:43 ld.so.conf.d
-rwx—— 1 root root 1696 Apr 7 15:40 nsswitch.conf
-rwx—— 1 root root 74 Apr 8 09:56 passwd
-rwx—— 1 root root 74 Apr 7 13:37 resolv.conf

./etc/ld.so.conf.d:
total 4
-rwx—— 1 root root 17 Oct 23 03:23 mysql-x86_64.conf

./lib64:
total 6852
-rwxr-xr-x 1 root root 139416 Apr 7 14:04 ld-linux-x86-64.so.2
-rwxr-xr-x 1 root root 10000 Apr 7 16:18 libcom_err.so.2
-rwxr-xr-x 1 root root 1366272 Apr 7 20:55 libcrypto.so.6
-rwxr-xr-x 1 root root 48600 Apr 7 20:55 libcrypt.so.1
-rwxr-xr-x 1 root root 1718120 Apr 7 20:55 libc.so.6
-rwxr-xr-x 1 root root 23360 Apr 7 20:55 libdl.so.2
-rwxr-xr-x 1 root root 190976 Apr 7 16:57 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root 153720 Apr 7 17:01 libk5crypto.so.3
-rwxr-xr-x 1 root root 9728 Apr 7 16:18 libkeyutils.so.1
-rwxr-xr-x 1 root root 613896 Apr 7 16:58 libkrb5.so.3
-rwxr-xr-x 1 root root 35728 Apr 7 17:01 libkrb5support.so.0
-rwxr-xr-x 1 root root 114352 Apr 7 20:55 libnsl.so.1
-rwxr-xr-x 1 root root 233112 Apr 7 16:59 libnspr4.so
-rwxr-xr-x 1 root root 1231352 Apr 7 17:01 libnss3.so
-rwxr-xr-x 1 root root 53880 Apr 7 16:24 libnss_files-2.5.so
-rwxr-xr-x 1 root root 53880 Apr 7 16:53 libnss_files.so
-rwxr-xr-x 1 root root 53880 Apr 8 09:59 libnss_files.so.2
-rwxr-xr-x 1 root root 123152 Apr 7 17:02 libnssutil3.so
-rwxr-xr-x 1 root root 17992 Apr 7 16:54 libplc4.so
-rwxr-xr-x 1 root root 13960 Apr 7 17:00 libplds4.so
-rwxr-xr-x 1 root root 145824 Apr 7 16:18 libpthread.so.0
-rwxr-xr-x 1 root root 92736 Apr 7 20:55 libresolv.so.2
-rwxr-xr-x 1 root root 95464 Apr 7 16:18 libselinux.so.1
-rwxr-xr-x 1 root root 247496 Apr 7 16:18 libsepol.so.1
-rwxr-xr-x 1 root root 18152 Apr 7 20:55 libutil.so.1
-rwxr-xr-x 1 root root 85928 Apr 7 17:00 libz.so.1

./libexec:
total 4
drwxr-xr-x 2 root root 4096 Apr 7 13:35 openssh

./libexec/openssh:
total 0

./testing:
total 0

./usr:
total 12
drwxr-xr-x 2 root root 4096 Apr 7 17:03 bin
drwxr-xr-x 2 root root 4096 Apr 7 14:05 lib64
drwxr-xr-x 3 root root 4096 Apr 7 16:55 libexec

./usr/bin:
total 252
-rwxr-xr-x 1 root root 29712 Apr 7 15:05 rssh
-rwxr-xr-x 1 root root 57504 Apr 7 15:05 scp
-rwxr-xr-x 1 root root 96280 Apr 7 15:05 sftp
-rwxr-xr-x 1 root root 53072 Apr 7 17:03 sftp-server

./usr/lib64:
total 2680
-rwxr-xr-x 1 root root 190976 Apr 7 16:18 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root 153720 Apr 7 16:18 libk5crypto.so.3
-rwxr-xr-x 1 root root 613896 Apr 7 16:18 libkrb5.so.3
-rwxr-xr-x 1 root root 35728 Apr 7 16:18 libkrb5support.so.0
-rwxr-xr-x 1 root root 233112 Apr 7 16:18 libnspr4.so
-rwxr-xr-x 1 root root 1231352 Apr 7 16:18 libnss3.so
-rwxr-xr-x 1 root root 123152 Apr 7 16:18 libnssutil3.so
-rwxr-xr-x 1 root root 17992 Apr 7 16:18 libplc4.so
-rwxr-xr-x 1 root root 13960 Apr 7 16:18 libplds4.so
-rwxr-xr-x 1 root root 85928 Apr 7 20:55 libz.so.1

./usr/libexec:
total 76
drwxr-xr-x 2 root root 4096 Apr 7 13:45 openssh
-rwsr-xr-x 1 root root 67691 Apr 7 16:55 rssh_chroot_helper

./usr/libexec/openssh:
total 56
-rwxr-xr-x 1 root root 53072 Apr 7 15:05 sftp-server
{code}

I am not sure what else to do – can anyone else provide any guidance?

By: Zoltan

Zoltan — Thu, 07 Apr 2011 23:40:10 +0000

I figured it out, it works now. Actually I didn’t figure out what I did wrong but redid everything from zero and then it worked.
Altough I believe there are a few typos in the original instructions and also I needed to copy:
“cp /lib64/libnss_files.so.2 /var/www/lib64/”

Phuh, it took me 10 hours to figure out all issues,

By: Zoltan

Zoltan — Thu, 07 Apr 2011 23:00:48 +0000

I have RHEL5 64, did everything needed and still stuck at
chroot cmd line: /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server”

I have the user in the passwd file with relative home directory as Danilo proposed.

I can run chroot cmd line: /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server” as root, no error message (after copied chroot/lib64/libnss_files.so.2).

Anybody has any other idea?
Naturally if I remove chrooting from rssh then sftp works fine with this user.

By: Jp

Jp — Thu, 07 Apr 2011 16:45:32 +0000

I have tried everything in RHEL5 64, bit to get this working. I have copied all the binnaries and libs to the same folder structure as vukasin. I have even used the default location in the guide. I dont see any message to do with rssh in my /var/log/messages log.

Can someone point me to some helpful troubleshooting tips? Or how to work out why users are able to go up levels and see all the folder structures I have created?