Home / server / Questions / 576609
Accepted
CSchulz
Asked: 2014-02-19 14:39:23 +0800 CST

Chroot with SSH connections doesn't work

  • 772

I have found How can I chroot ssh connections? and a lot of different blog articles and similar (http://undeadly.org/cgi?action=article&sid=20080220110039, https://unix.stackexchange.com/q/14398/57364, etc). I am using the internal sftp subsystem like described in the articles.

Subsystem     sftp   internal-sftp

Match Group www-data
  ChrootDirectory %h
  AllowTcpForwarding no

I can connect and authenticate with the server, but the SSH session is instantly closed.

Here is a part of the auth.log:

Feb 18 23:36:21 w sshd[358]: Accepted publickey for network from xxx port 50280 ssh2
Feb 18 23:36:21 w sshd[358]: debug1: monitor_read_log: child log fd closed
Feb 18 23:36:21 w sshd[358]: debug1: monitor_child_preauth: network has been authenticated by privileged process
Feb 18 23:36:21 w sshd[358]: debug1: PAM: establishing credentials
Feb 18 23:36:21 w sshd[358]: pam_unix(sshd:session): session opened for user network by (uid=0)
Feb 18 23:36:21 w sshd[358]: User child is on pid 363
Feb 18 23:36:21 w sshd[363]: debug1: SELinux support disabled
Feb 18 23:36:21 w sshd[363]: debug1: PAM: establishing credentials
Feb 18 23:36:21 w sshd[358]: debug1: session_new: session 0
Feb 18 23:36:21 w sshd[358]: debug1: SELinux support disabled
Feb 18 23:36:21 w sshd[358]: debug1: session_by_tty: session 0 tty /dev/pts/1
Feb 18 23:36:21 w sshd[358]: debug1: session_pty_cleanup: session 0 release /dev/pts/1
Feb 18 23:36:21 w sshd[358]: debug1: PAM: cleanup
Feb 18 23:36:21 w sshd[358]: debug1: PAM: closing session
Feb 18 23:36:21 w sshd[358]: pam_unix(sshd:session): session closed for user network
Feb 18 23:36:21 w sshd[358]: debug1: PAM: deleting credentials

What is wrong?

EDIT:
I got following message on the client side:

/bin/bash: No such file or directory

I don't understand why it is a problem.
I thought with the "new" version of OpenSSH the copy part is past?

ssh

1 Answers

  1. Best Answer

    It feels like you're trying to get an interactive shell into a chroot jail. The SFTP subsystem has nothing to do with that because you're not SFTP'ing.

    You do need to populate the jail with the necessary files to allow the user to execute a shell. That means creating a /bin directory relative to the jail root and populating it with a copy of /bin/bash (among other things).

    The Jailkit utility is capable of building up chroot jails automatically and is being actively maintained. You may want to have a look there.

    If you're into doing things manually have a look at the following (particularly the first, since you're using Debian):

    • 4