Pam_chroot

Ed Schmollinger schmolli at frozencrow.org
Fri Mar 24 19:17:26 UTC 2006


On Thu, Mar 23, 2006 at 07:25:27AM -0500, Kevin Alford wrote:
> I am trying to configure pam_chroot on Redhat ES4.  My log files are
> really not giving me any information regarding chroot.
> What am I doing wrong?  Does anyone have any documentation on how to
> set up chroot for SSH on RedHat?
> I haven't been able to find any good documentation regarding
> pam_chroot.  Any help is greatly appreciated.
> 
> 
> My etc/pam.d/sshd configuration is below:
> #%PAM-1.0
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    required     /lib/security/pam_chroot.so debug
> session    required     pam_stack.so service=system-auth
> session    required     pam_loginuid.so

you should be seeing at least some debug messages in syslog.  iirc, the
pam_chroot redhat uses doesn't say much, but there should be something.
maybe check your syslog.conf settings to make sure you're capturing
DEBUG level messages.

also, you *probably* want pam_chroot to be the last session module you
run, unless you have duplicated all the support for the rest of the
modules inside the chroot jail.

> My /etc/security/chroot.conf looks like this
> more chroot.conf
> # /etc/security/chroot.conf
> # format:
> # username_regex        chroot_dir
> jdoe            /home/jdoe
> 
> /home/jdoe looks like this:
> 
> -rw-------   1 root root   92 Mar 19 23:13 .bash_history
> -rw-r--r--   1 root root   41 Mar 16 15:55 .bash_login
> -rw-r--r--   1 root root   20 Mar 16 13:58 .bash_logout
> -rw-r--r--   1 root root  131 Mar 16 16:21 .bash_profile
> -rw-r--r--   1 root root  124 Mar 16 13:51 .bashrc
> drwxr-xr-x   2 root root 4096 Mar 22 11:53 bin
> drwxr-xr-x   2 root root 4096 Mar 22 11:56 home
> drwxr-xr-x   2 root root 4096 Mar 22 11:58 lib
> -rw-r--r--   1 root root   27 Mar 16 16:16 .profile
> drwx------   2 jdoe jdoe 4096 Mar 16 13:56 .ssh
> -rw-------   1 jdoe jdoe  426 Mar 22 12:36 .Xauthority

what's in /home/jdoe/{bin,lib}/ ?  is this set up as a full chroot?

another thing you can do to debug is to start up a debugging instance of
sshd and strace it:

# strace -fv /usr/sbin/sshd -p 8022 -d -d -d -D

and then from a separate window, try sshing in on port 8022.

% ssh -p 8022 jdoe at localhost


cheers,
-- 
Ed Schmollinger - schmolli at frozencrow.org - http://frozencrow.org/
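A script that does the checks Ed's questions point at (which jail does chroot.conf assign to the user, what is in bin/ and lib/, and is the jail a "full chroot" with the libraries its binaries need), added here as an example and not part of the original thread or of the pam_chroot module. It assumes the two-column "username_regex chroot_dir" format quoted above, assumes the regex is applied as a search rather than an anchored match (so unanchored entries can match more users than intended), and uses ldd output to decide which shared libraries must exist under the jail; the script name and the root-ownership check are the editor's additions.

```python
#!/usr/bin/env python3
"""check_pam_chroot_jail.py - find a user's pam_chroot jail from
/etc/security/chroot.conf and verify that the jail can actually run
the binaries placed in <jail>/bin (their shared libraries must live
inside the jail too). Example code, not the pam_chroot module's own."""
import os
import re
import stat
import subprocess
import sys


def parse_chroot_conf(text):
    """Parse the 'username_regex  chroot_dir' format; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"malformed chroot.conf line: {line!r}")
        entries.append((re.compile(fields[0]), fields[1]))
    return entries


def jail_for_user(entries, username):
    """First matching line wins. Assumption: the module applies the regex
    regexec-style (a search), so an unanchored 'jdoe' also matches 'jdoe2';
    anchor entries with ^...$ in the file when an exact match is intended."""
    for pattern, jail in entries:
        if pattern.search(username):
            return jail
    return None


def missing_libs(ldd_output, jail, exists=os.path.exists):
    """Parse ldd output and list the libraries not present under the jail.
    `exists` is injectable so the parser can be exercised without a real jail."""
    missing = []
    for line in ldd_output.splitlines():
        if "not found" in line:                 # missing on the host as well
            missing.append(line.split()[0])
            continue
        m = re.search(r"=>\s*(/\S+)", line)     # "libc.so.6 => /lib/libc.so.6 (0x...)"
        if not m:
            m = re.match(r"\s*(/\S+)", line)    # "/lib/ld-linux.so.2 (0x...)"
        if not m:
            continue                            # vdso line, "statically linked", etc.
        lib = m.group(1)
        if not exists(os.path.join(jail, lib.lstrip("/"))):
            missing.append(lib)
    return missing


def check_jail(jail):
    """Return a list of human-readable problems with the jail layout."""
    problems = []
    st = os.stat(jail)
    # The listing in the thread shows a root-owned jail; a jail root the
    # confined user can write to undermines the confinement.
    if st.st_uid != 0:
        problems.append(f"{jail} is not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{jail} is group- or world-writable")
    bindir = os.path.join(jail, "bin")
    if not os.path.isdir(bindir):
        problems.append(f"{bindir} is missing: nothing to exec after chroot()")
        return problems
    for name in sorted(os.listdir(bindir)):
        path = os.path.join(bindir, name)
        # ldd invokes the dynamic loader on the file: run it only on binaries
        # you copied into the jail yourself.
        out = subprocess.run(["ldd", path], capture_output=True, text=True).stdout
        for lib in missing_libs(out, jail):
            problems.append(f"{path} needs {lib}, which is not under {jail}")
    return problems


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "jdoe"
    with open("/etc/security/chroot.conf") as fh:
        jail = jail_for_user(parse_chroot_conf(fh.read()), user)
    if jail is None:
        sys.exit(f"no chroot.conf entry matches {user!r}; pam_chroot will not confine them")
    for problem in check_jail(jail) or [f"{jail} looks usable for {user}"]:
        print(problem)
```

Run it as root on the server (`./check_pam_chroot_jail.py jdoe`) after populating `/home/jdoe/bin` and `/home/jdoe/lib`; an empty problem list means the shell in the jail can at least be loaded, which is the precondition for the session module doing anything visible in the logs.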