openssh v5.0p1 chroot/sftp mac os x 10.4 errors - openssh


Thread: openssh v5.0p1 chroot/sftp mac os x 10.4 errors

  1. openssh v5.0p1 chroot/sftp mac os x 10.4 errors

    I've been attempting to set up a chroot jail for a group of sftp users
    on a Mac OS X 10.4.11 server. Unfortunately when any of the users
    login, they get kicked out with the following error in my
    /var/log/secure.log:

    "fatal: bad ownership or modes for chroot directory component "/""

    Here are my configuration settings:

    /etc/sshd_config
    # override default of no subsystems
    Subsystem sftp internal-sftp

    Match Group webgroup
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

    (note: I've also tried: ChrootDirectory /webhome/web)

    Users are from an OpenDirectory Master. Shells are currently set to
    /bin/bash (no /bin/false as some write-ups suggest to use) and their
    home directories are set to /webhome/web.

    Permissions and ownership on the chroot home (/webhome/web/) are:

    $ ls -alG /webhome/
    total 0
    drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 .
    drwxrwxr-t + 33 root admin 1224 Jul 10 11:10 ..
    drwxr-xr-x 6 root wheel 204 Jul 7 11:32 web

    Within web, users have access to write to different directories:

    $ ls -alG /webhome/web/
    total 8
    drwxr-xr-x + 6 root wheel 204 Jul 7 11:32 .
    drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 ..
    -rw-r--r-- 1 root admin 7 Jul 2 15:48 index.html
    drwxrwxr-x 3 user1 web1grp 102 Jul 7 12:07 site1
    drwxrwxr-x 3 user2 web2grp 102 Jul 7 12:18 site2
    drwxrwxr-x 2 user3 web3grp 68 Jul 7 11:32 site3

    (note: web1grp, web2grp, web3grp are nested into webgroup)
    (note: acls are used on the site directories to deny read access to
    specific groups)

    Users not in the webgroup are able to login to the server with no
    problems.

    From the documentation I've read, the permissions on /webhome and
    /webhome/web should be okay. I don't suspect the ACLs as they are
    only set on the subdirectories within web and not web itself. Also
    the documentation I've read states to chown the chroot home to
    root:root which is root:wheel (0:0) in Mac OS X.

    Many thanks in advance...

    Regards,

    Luke


  2. Re: openssh v5.0p1 chroot/sftp mac os x 10.4 errors

    Hi Luke,

    --On 10 July 2008 17:52:12 -0700 Luke Brannon wrote:

    > I've been attempting to set up a chroot jail for a group of sftp users on
    > a Mac OS X 10.4.11 server.


    First of all, how did you get OS X' ssh to chroot? Did you apply the chroot
    patch to the darwin source OpenSSH?

    > Unfortunately when any of the users login,
    > they get kicked out with the following error in my /var/log/secure.log:
    >
    > "fatal: bad ownership or modes for chroot directory component "/""
    >
    > Here are my configuration settings:
    >
    > /etc/sshd_config
    ># override default of no subsystems
    > Subsystem sftp internal-sftp
    >
    > Match Group webgroup
    > ChrootDirectory %h
    > ForceCommand internal-sftp
    > AllowTcpForwarding no
    >
    > (note: I've also tried: ChrootDirectory /webhome/web)
    >
    > Users are from an OpenDirectory Master. Shells are currently set to
    > /bin/bash (no /bin/false as some write-ups suggest to use) and their home
    > directories are set to /webhome/web.
    >
    > Permissions and ownership on the chroot home (/webhome/web/) are:
    >
    > $ ls -alG /webhome/
    > total 0
    > drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 .
    > drwxrwxr-t + 33 root admin 1224 Jul 10 11:10 ..
    > drwxr-xr-x 6 root wheel 204 Jul 7 11:32 web
    >
    > Within web, users have access to write to different directories:
    >
    > $ ls -alG /webhome/web/
    > total 8
    > drwxr-xr-x + 6 root wheel 204 Jul 7 11:32 .
    > drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 ..
    > -rw-r--r-- 1 root admin 7 Jul 2 15:48 index.html
    > drwxrwxr-x 3 user1 web1grp 102 Jul 7 12:07 site1
    > drwxrwxr-x 3 user2 web2grp 102 Jul 7 12:18 site2
    > drwxrwxr-x 2 user3 web3grp 68 Jul 7 11:32 site3
    >
    > (note: web1grp, web2grp, web3grp are nested into webgroup)
    > (note: acls are used on the site directories to deny read access to
    > specific groups)
    >
    > Users not in the webgroup are able to login to the server with no
    > problems.


    Are those users chrooted as well?

    I do not see any binaries in your chroot environment. Do you supply any?

    Dirk

    --------------------------------------------------------------
    Dirk H. Schulz
    IT Systems Service
    Wiesenweg 12, 85567 Grafing
    Tel. 0 80 92/86 25 68
    Fax. 0 80 92/86 25 72
    --------------------------------------------------------------
    Technology at its finest - and the necessary tuning


  3. Re: openssh v5.0p1 chroot/sftp mac os x 10.4 errors


    On Jul 11, 2008, at 10:46 PM, Dirk H. Schulz wrote:

    > Hi Luke,
    >
    > --On 10 July 2008 17:52:12 -0700 Luke Brannon wrote:
    >
    >> I've been attempting to set up a chroot jail for a group of sftp
    >> users on a Mac OS X 10.4.11 server.

    >
    > First of all, how did you get OS X' ssh to chroot? Did you apply the
    > chroot patch to the darwin source OpenSSH?


    I failed to mention that I compiled openssh v5.0p1 (which I understand
    to have native chroot support) in /opt/openssh. It's running in
    daemon mode at the moment as I have not integrated it with launchd
    yet. (/System/Library/LaunchDaemons/ssh.plist has been unloaded with
    launchctl)


    >> Unfortunately when any of the users login,
    >> they get kicked out with the following error in my
    >> /var/log/secure.log:
    >>
    >> "fatal: bad ownership or modes for chroot directory component "/""
    >>
    >> Here are my configuration settings:
    >>
    >> /etc/sshd_config
    >> # override default of no subsystems
    >> Subsystem sftp internal-sftp
    >>
    >> Match Group webgroup
    >> ChrootDirectory %h
    >> ForceCommand internal-sftp
    >> AllowTcpForwarding no
    >>
    >> (note: I've also tried: ChrootDirectory /webhome/web)
    >>
    >> Users are from an OpenDirectory Master. Shells are currently set to
    >> /bin/bash (no /bin/false as some write-ups suggest to use) and their
    >> home directories are set to /webhome/web.
    >>
    >> Permissions and ownership on the chroot home (/webhome/web/) are:
    >>
    >> $ ls -alG /webhome/
    >> total 0
    >> drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 .
    >> drwxrwxr-t + 33 root admin 1224 Jul 10 11:10 ..
    >> drwxr-xr-x 6 root wheel 204 Jul 7 11:32 web
    >>
    >> Within web, users have access to write to different directories:
    >>
    >> $ ls -alG /webhome/web/
    >> total 8
    >> drwxr-xr-x + 6 root wheel 204 Jul 7 11:32 .
    >> drwxr-xr-x + 3 root wheel 102 Jul 10 11:10 ..
    >> -rw-r--r-- 1 root admin 7 Jul 2 15:48 index.html
    >> drwxrwxr-x 3 user1 web1grp 102 Jul 7 12:07 site1
    >> drwxrwxr-x 3 user2 web2grp 102 Jul 7 12:18 site2
    >> drwxrwxr-x 2 user3 web3grp 68 Jul 7 11:32 site3
    >>
    >> (note: web1grp, web2grp, web3grp are nested into webgroup)
    >> (note: acls are used on the site directories to deny read access to
    >> specific groups)
    >>
    >> Users not in the webgroup are able to login to the server with no
    >> problems.

    >
    > Are those users chrooted as well?


    No.

    > I do not see any binaries in your chroot environment. Do you supply
    > any?


    No. Ultimately users will have only sftp access. I was under the
    impression I'd only need to include binaries if shell access was
    granted. The error message is generated when I attempt either ssh or
    sftp logins.

    > Dirk
    >
    > --------------------------------------------------------------
    > Dirk H. Schulz
    > IT Systems Service
    > Wiesenweg 12, 85567 Grafing
    > Tel. 0 80 92/86 25 68
    > Fax. 0 80 92/86 25 72
    > --------------------------------------------------------------
    > Technology at its finest - and the necessary tuning


    Regards,

    Luke


  4. Re: openssh v5.0p1 chroot/sftp mac os x 10.4 errors

    Hi Luke,

    --On 12 July 2008 09:46:14 -0700 Luke Brannon wrote:

    - snip -

    >> I do not see any binaries in your chroot environment. Do you supply
    >> any?

    >
    > No. Ultimately users will have only sftp access. I was under the
    > impression I'd only need to include binaries if shell access was granted.


    No, there are lots of shared libs and binaries you need for sftp as well. I
    configured chrooting via pam on linux a few weeks ago (which in this
    aspect makes no difference) and needed quite some time for collecting all
    the necessary things.

    Dirk

