Re: openssh v5.0p1 chroot/sftp mac os x 10.4 errors

On Jul 11, 2008, at 10:46 PM, Dirk H. Schulz wrote:

> Hi Luke,
>
> --On 10. Juli 2008 17:52:12 -0700 Luke Brannon  
> <brannon@gseis.ucla.edu> wrote:
>
> > I've been attempting to set up a chroot jail for a group of sftp  
> > users on
> > a Mac OS X 10.4.11 server.
>
> First of all, how did you get OS X' ssh to chroot? Did you apply the  
> chroot patch to the darwin source OpenSSH?

I failed to mention that I compiled openssh v5.0p1 (which I understand  
to have native chroot support) in /opt/openssh.  It's running in  
daemon mode at the moment as I have not integrated it with launchd  
yet.  (/System/Library/LaunchDaemons/ssh.plist has been unloaded with  
launchctl)


> > Unfortunately when any of the users login,
> > they get kicked out with the following error in my /var/log/ 
> > secure.log:
> >
> > "fatal: bad ownership or modes for chroot directory component "/""
> >
> > Here are my configuration settings:
> >
> > /etc/sshd_config
> > # override default of no subsystems
> > Subsystem       sftp    internal-sftp
> >
> > Match Group webgroup
> >         ChrootDirectory %h
> >         ForceCommand internal-sftp
> >         AllowTcpForwarding no
> >
> > (note: I've also tried: ChrootDirectory /webhome/web)
> >
> > Users are from an OpenDirectory Master.  Shells are currently set to
> > /bin/bash (no /bin/false as some write-ups suggest to use) and  
> > their home
> > directories are set to /webhome/web.
> >
> > Permissions and ownership on the chroot home (/webhome/web/) are:
> >
> > $ ls -alG /webhome/
> > total 0
> > drwxr-xr-x +  3 root  wheel   102 Jul 10 11:10 .
> > drwxrwxr-t + 33 root  admin  1224 Jul 10 11:10 ..
> > drwxr-xr-x    6 root  wheel   204 Jul  7 11:32 web
> >
> > Within web, users have access to write to different directories:
> >
> > $ ls -alG /webhome/web/
> > total 8
> > drwxr-xr-x + 6 root      wheel     204 Jul  7 11:32 .
> > drwxr-xr-x + 3 root      wheel     102 Jul 10 11:10 ..
> > -rw-r--r--   1 root      admin       7 Jul  2 15:48 index.html
> > drwxrwxr-x   3 user1  web1grp  102 Jul  7 12:07 site1
> > drwxrwxr-x   3 user2  web2grp  102 Jul  7 12:18 site2
> > drwxrwxr-x   2 user3  web3grp   68 Jul  7 11:32 site3
> >
> > (note: web1grp, web2grp, web3grp are nested into webgroup)
> > (note: acls are used on the site directories to deny read access to
> > specific groups)
> >
> > Users not in the webgroup are able to login to the server with no
> > problems.
>
> Are those users chrooted as well?

No.

> I do not see any binaries in your chroot environment. Do you supply  
> any?

No.  Ultimately users will have only sftp access.  I was under the  
impression I'd only need to include binaries if shell access was  
granted.  The error message is generated when I attempt either ssh or  
sftp logins.

> Dirk
>
> --------------------------------------------------------------
> Dirk H. Schulz
> IT Systems Service
> Wiesenweg 12, 85567 Grafing
> Tel. 0 80 92/86 25 68
> Fax. 0 80 92/86 25 72
> --------------------------------------------------------------
> Technik vom Feinsten - und das nötige Tuning

Regards,

Luke