Hello, I have a feature request for the OpenSSH package - could you include the OpenSSH-chroot patch into the openssh package? regards, Mikhail.
This seems like it might be a good candidate for the chroot USE flag previously discussed on the mailing list. Comments?
Yes, that would be great to use together with the chroot flag (although I did not know/think of the chroot flag until now). Do you plan to add it to the openssh ebuild in the near future? Which list did you mean? gentoo-dev? regards, Mikhail.
As we don't really have guidelines for the chroot use flag yet, I'll say what comes to mind. Unfortunately this might break on all grsec enabled boxes if we trigger on the chroot use flag when priv separation is used due to double chrooting (this is a good thing). As I'm not familiar with that patch myself I'd request that it be tested with grsec's chroot permissions enabled before using the USE="chroot" as a trigger. Hopefully no problems will be encountered.
I have 2 servers running with GRSecurity (ACLs enabled) and openssh patched with this chroot patch - I have no problems with using both. I suggest that you look here - http://chrootssh.sourceforge.net/ , the first paragraph on the main page pretty much sums up what the patch is about: "...What this patch does is looks for a '.' in the users home directory, then calls chroot(2) to whatever directory was before the . and continues with the normal ssh functionality. E.G. If your home directory was /chroot/./home/bob, you'd be chrooted to /chroot and /chroot/home/bob would actually appear as /home/bob to you. Check the documentation for further explanations." So basically if you want a user to be chroot'ed, you simply modify /etc/passwd, and of course make sure sshd is allowed to use chroot if running with GRSecurity (+CAP_SYS_CHROOT as I remember now). Mikhail.
Please attach an ebuild patch if you would like to see this feature added to openssh.
Created attachment 20889 [details] Adds chroot patch to OpenSSH if 'chroot' is in USE This seems to work fine with grsec chroot restrictions in place. Looks like this is a good place to start with the chroot USE flag that was discussed a while back. OpenSSH maintainers please take a look.
Created attachment 20890 [details, diff] OpenSSH Chroot Patch This is the patch as available from http://chrootssh.sourceforge.net/ It should be placed in ${FILESDIR}.
Tried and tested, works fine here.
Ok. Looks like it's about time to add this. Upstream maintainers of the patch are doing a good job of rolling new patches for new versions. Some testing is now being done at hardened for this and if all goes well you should see this in before New Year's.
Useful link for those wondering about setting it up and taking advantage: http://mail.incredimail.com/howto/openssh/
Still waiting on some testing... We need a supporting developer.
The indentation of this patch looks incorrect, or it's lacking a close or an open brace: { + if(chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory % s", user_dir); + pw->pw_dir = new_root; + break; + } Also, from the C source perspective, every chroot should always call a chdir("/") right after a chroot(). The patch is so simple I suppose we don't really need a supporting maintainer. However, please correct these minor changes, test, and attach an update, and I'll add this sucker.
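The "/./" home-directory convention quoted from chrootssh above (the part before the marker becomes the jail root, the part after it the home path seen inside the jail), together with the chdir("/") point raised in the previous comment, as an added illustration that is not part of this bug thread or of either attached patch. split_chroot_home(), enter_chroot() and the "/home/bob.smith" sample are assumptions made here, and the real patch scans with strchr() rather than strstr(); the split is separated from the privileged step so it can be exercised without root.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Split a passwd home entry written in the chrootssh convention, e.g.
 * "/chroot/./home/bob", into the jail root ("/chroot") and the home path the
 * user sees inside the jail ("/home/bob").  Returns 1 when a "/./" marker is
 * present, 0 when there is none (an ordinary home directory, no chroot), and
 * -1 when the root would be empty or a buffer is too small. */
int split_chroot_home(const char *pw_dir, char *root, size_t rootlen,
                      char *home, size_t homelen)
{
    /* The marker must be a '.' framed by slashes, so names such as
     * "/home/bob.smith" or components like "/../" do not match. */
    const char *marker = strstr(pw_dir, "/./");
    size_t n;

    if (marker == NULL)
        return 0;
    n = (size_t)(marker - pw_dir);
    if (n == 0 || n >= rootlen || strlen(marker + 2) >= homelen)
        return -1;
    memcpy(root, pw_dir, n);
    root[n] = '\0';
    strcpy(home, marker + 2);      /* skip "/.", keep the leading '/' */
    return 1;
}

/* Enter the jail.  chroot(2) does not move the working directory, so a
 * chdir("/") must follow it, otherwise the process keeps a handle to a
 * directory outside the new root.  Needs CAP_SYS_CHROOT; not run by tests. */
int enter_chroot(const char *root)
{
    if (chroot(root) != 0 || chdir("/") != 0)
        return -1;
    return 0;
}

int main(void)
{
    char root[256], home[256];
    const char *dir = "/chroot/./home/bob";   /* constructed sample entry */

    if (split_chroot_home(dir, root, sizeof root, home, sizeof home) == 1)
        printf("%s -> chroot %s, home %s\n", dir, root, home);
    return 0;
}
```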
Created attachment 23366 [details, diff] Another chroot patch for openssh 3.7.1p2 This is another chroot patch for openssh. It adds the following sshd_config options: #ChrootAll yes #ChrootDir %h/chome/ #ChrootUsers a,b,c #NoChrootUsers root
Please note: The patch "Another chroot patch for openssh 3.7.1p2" only applies correctly after having patched the source with the X509 patch included in the current ebuild. It seems as if they overlap... this needs some further investigation.
Ok, the second patch fails pretty badly for me, so for now we will run with the first patch proposed. Amir, if you can clean up the offsets or think of a creative way where we can get the best of both worlds, that would be great (the "another" patch is much cleaner overall imo).
The chroot patch is in portage.
Seems like nobody is really using this patch :) exci@nemo exci $ scp log monnik@server: Password: Read from remote host server: Connection reset by peer lost connection I could give a strace and scp -vvvvv, but I already found the fix. I'll attach a new patch from the chrootssh mailing list; credit for making the patch goes to "lee fellows" :)
Created attachment 28499 [details, diff] new openssh patch that works for me
The above patch 'new openssh patch that works for me' is the user/./path patch. It's an ugly solution to the problem! Changing the home path to user/./path is no good solution in my eyes. The patch "Another chroot patch for openssh 3.7.1p2" is the best one as far as I can see. Someone will need to clean it up and make it apply, since it overlaps with the x509 patch.
Amir, Unless that "someone" is "you" I don't think it's going to get done.
Why isn't the new patch in yet? The old one just doesn't work, like I commented in comment #17; the fix in comment #18 works. Link with the patch from comment #18: https://sourceforge.net/mailarchive/forum.php?thread_id=4000662&forum_id=9491
Lesley van Zijl: These chroot patches don't seem to spark the interest of us. As I've stated a few times, somebody will have to accept the responsibility of maintaining this, which clearly nobody seems interested in doing. If you wish to see this functionality in OpenSSH, push it upstream to the OpenSSH maintainers.
Check the openssh ebuild on https://gentoo.datacore.ch in the section 'DataCore's Ebuilds'. You will always find an ebuild containing one of the chroot patches. Since I need them in production, I provide an ebuild there.
Hey! I do use this chroot patch! I am posting a new updated patch for you (I hope you don't remove this feature anymore!): --- session.c.orig 2008-06-16 10:29:18.000000000 -0300 +++ session.c 2009-02-20 14:15:13.000000000 -0300 @@ -91,6 +91,8 @@ #include "monitor_wrap.h" #include "sftp.h" +#define CHROOT + #if defined(KRB5) && defined(USE_AFS) #include <kafs.h> #endif @@ -1452,6 +1454,10 @@ do_setusercontext(struct passwd *pw) { char *chroot_path, *tmp; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ #ifdef WITH_SELINUX /* Cache selinux status for later use */ @@ -1471,6 +1477,27 @@ # ifdef __bsdi__ setpgid(0, 0); # endif + +#ifdef CHROOT + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + + while ((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if (strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + if(chroot(user_dir) != 0) + fatal("Couldn't chroot to user's directory %s", user_dir); + pw->pw_dir = new_root; + break; + } + + new_root += 2; + } +#endif /* CHROOT */ + # ifdef USE_PAM if (options.use_pam) { do_pam_setcred(use_privsep);
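Review bot: the first hunk's "+#define CHROOT" hard-codes the feature on in session.c, so the "#ifdef CHROOT" guards added in the later hunks can never be false and the patch cannot be switched off without editing the source; make CHROOT a build-time option (set from configure or CFLAGS, as the ebuild's USE flag would want) and drop the unconditional define here.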
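Review bot: in the last hunk, "if(chroot(user_dir) != 0)" is still not followed by chdir("/"), the point already raised on the earlier patch in this bug; without it the working directory keeps referring to a directory outside the new root. Suggest "if (chroot(user_dir) != 0 || chdir("/") != 0)" before the fatal(). A debug() or logit() line recording user_dir would also help when a login dies in that fatal(), since nothing else in the hunk reports which jail root was attempted.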
Ooops, the working patch is the following (now tested!): --- session.c.orig 2008-06-16 10:29:18.000000000 -0300 +++ session.c 2009-02-20 14:38:50.000000000 -0300 @@ -91,6 +91,8 @@ #include "monitor_wrap.h" #include "sftp.h" +#define CHROOT + #if defined(KRB5) && defined(USE_AFS) #include <kafs.h> #endif @@ -1452,12 +1454,36 @@ do_setusercontext(struct passwd *pw) { char *chroot_path, *tmp; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ #ifdef WITH_SELINUX /* Cache selinux status for later use */ (void)ssh_selinux_enabled(); #endif +#ifdef CHROOT + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + + while ((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if (strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + if(chroot(user_dir) != 0) + fatal("Couldn't chroot to user's directory %s", user_dir); + pw->pw_dir = new_root; + break; + } + + new_root += 2; + } +#endif /* CHROOT */ + #ifndef HAVE_CYGWIN if (getuid() == 0 || geteuid() == 0) #endif /* HAVE_CYGWIN */ @@ -1471,6 +1497,7 @@ # ifdef __bsdi__ setpgid(0, 0); # endif + # ifdef USE_PAM if (options.use_pam) { do_pam_setcred(use_privsep);
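Review bot: the second hunk moves the chroot block ahead of the "#ifndef HAVE_CYGWIN if (getuid() == 0 || geteuid() == 0)" guard, so chroot() is now attempted regardless of whether sshd still holds root at this point; a failure goes to fatal(), which ends the session instead of logging the user in outside the jail (the safe outcome), but the message should distinguish "no privilege to chroot" from a bad "/./" entry. The existing "char *chroot_path, *tmp;" in this function appears to belong to sshd's own ChrootDirectory handling, so this patch layers a second chroot mechanism next to it; document which one applies when a ChrootDirectory directive and a "/./" home directory are both configured, since otherwise chroot() may be called twice for one session. The missing chdir("/") after chroot() noted on the previous patch is unchanged here.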
Currently this patch (and idea) are hardly deprecated. The USE flag, at some time added to the openssh ebuild, was removed. Use sys-auth/pam_chroot instead of this patch.