OpenSSH built in chroot facility


 
# 1  
Old 06-13-2011
OpenSSH built in chroot facility

Hi all,
I'm trying to set up a chroot sftp using OpenSSH.
But I'm still having problems.
I'm using AIX 5.3
My system and OpenSSH versions are as follows:
Code:
host1:/>oslevel
5.3.0.0
host1:/>oslevel -r
5300-10
host1:/>ssh -V
OpenSSH_5.0p1, OpenSSL 0.9.8h 28 May 2008
host1:/>lslpp -l | grep open
openssh.base.client     5.0.0.5301  COMMITTED  Open Secure Shell Commands
  openssh.base.server     5.0.0.5301  COMMITTED  Open Secure Shell Server
  openssh.man.en_US       5.0.0.5301  COMMITTED  Open Secure Shell
  openssl.base             0.9.8.801  COMMITTED  Open Secure Socket Layer
  openssl.man.en_US        0.9.8.801  COMMITTED  Open Secure Socket Layer
  openssh.base.client     5.0.0.5301  COMMITTED  Open Secure Shell Commands
  openssh.base.server     5.0.0.5301  COMMITTED  Open Secure Shell Server
  openssl.base             0.9.8.801  COMMITTED  Open Secure Socket Layer

OpenSSH server configuration is as follows:
Code:
host1:/>grep Match /etc/ssh/sshd_config
Match User sftpusr
host1:/>grep sftp /etc/ssh/sshd_config
Subsystem  sftp    internal-sftp
Match User sftpusr
ForceCommand internal-sftp
host1:/>grep Chroot /etc/ssh/sshd_config
ChrootDirectory /home/chroot

Main characteristics of sftpusr:
Code:
User NAME: sftpusr
Primary GROUP [staff]
Group SET       [staff]
HOME directory                                     [/home/chroot]
Initial PROGRAM                                    [/usr/bin/ksh]


Here are the debug messages when I tried to ssh from another server:
Code:
user@host2 ~ $ ssh -v sftpusr@host1
OpenSSH_5.0p1, OpenSSL 0.9.8h 28 May 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so):   0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
        0509-026 System error: A file or directory in the path name does not exist.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug1: Connecting to host1 [10.1.13.17] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type -1
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0
debug1: match: OpenSSH_5.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'host1' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/identity
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
sftpusr@host1's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
Connection to host1 closed by remote host.
Connection to host1 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 77 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 10743.5
debug1: Exit status -1


Extra verbose debug messages, if required, are below:
Code:
user@host2 ~ $ ssh -vvv sftpusr@host1
OpenSSH_5.0p1, OpenSSL 0.9.8h 28 May 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so):   0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
        0509-026 System error: A file or directory in the path name does not exist.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug2: ssh_connect: needpriv 0
debug1: Connecting to host1 [10.1.13.17] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type -1
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0
debug1: match: OpenSSH_5.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.0
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 509/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /home/user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'host1' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug2: bits set: 508/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/user/.ssh/identity (0)
debug2: key: /home/user/.ssh/id_rsa (0)
debug2: key: /home/user/.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/identity
debug3: no such identity: /home/user/.ssh/identity
debug1: Trying private key: /home/user/.ssh/id_rsa
debug3: no such identity: /home/user/.ssh/id_rsa
debug1: Trying private key: /home/user/.ssh/id_dsa
debug3: no such identity: /home/user/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
sftpusr@host1's password:
debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t3 r-1 i0/0 o0/0 fd 5/6 cfd -1)

debug3: channel 0: close_fds r 5 w 6 e 7 c -1
Connection to host1 closed by remote host.
Connection to host1 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 77 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 10135.3
debug1: Exit status -1
user@host2 ~ $
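
The sshd_config output above shows ChrootDirectory /home/chroot but says nothing about who owns that directory or what its mode is. sshd will only chroot a session when every component of the ChrootDirectory path, from the directory itself up to /, is a directory owned by root and not writable by group or others; if that rule is broken it logs "bad ownership or modes for chroot directory" on the server side and closes the session right after authentication. The POSIX sh checker below is an added example written for this thread, not code posted by anyone in it; the function name check_chroot_path and its optional WANT_UID and TOP arguments are my own choices, and it uses only ls -ldnL so it runs unchanged on AIX, Linux and BSD.

```shell
#!/bin/sh
# Added example (not from the thread): verify the ownership/mode rules that
# sshd enforces on ChrootDirectory before it will chroot a session.
# Every component of the path, from the chroot directory up to /, must be a
# directory owned by root and not writable by group or others; otherwise sshd
# logs "bad ownership or modes for chroot directory" and drops the session.
#
# Usage: check_chroot_path DIR [WANT_UID] [TOP]
#   WANT_UID  expected owner uid of every component (default 0 = root)
#   TOP       where the upward walk stops (default /); only useful when
#             exercising the checker under a non-root account
# Returns 0 when every component passes, 1 on a policy violation,
# 2 when a component cannot be inspected.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    top=${3:-/}
    rc=0
    while :; do
        # ls -ldnL prints the mode string as field 1 and the numeric owner
        # uid as field 3 on AIX, Linux and BSD alike; -L follows symlinks the
        # way sshd's stat() does.
        out=$(ls -ldnL "$dir" 2>/dev/null) || {
            echo "ERROR: cannot inspect $dir" >&2
            return 2
        }
        set -- $out
        mode=$1
        uid=$3
        case $mode in
            d*) ;;
            *) echo "BAD type:  $dir is not a directory ($mode)" >&2; rc=1 ;;
        esac
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD owner: $dir is owned by uid $uid, expected $want_uid" >&2
            rc=1
        fi
        # Mode string positions: 1 type, 2-4 user, 5-7 group, 8-10 other.
        # A 'w' in position 6 or 9 means group- or world-writable.
        case $mode in
            ?????w*|????????w*)
                echo "BAD mode:  $dir is group- or world-writable ($mode)" >&2
                rc=1 ;;
        esac
        [ "$dir" = "$top" ] && break
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Run directly as:  sh check_chroot.sh /home/chroot
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "OK: $1 satisfies sshd's ChrootDirectory rules"
fi
```

On host1 this is run as root with just the directory argument (`sh check_chroot.sh /home/chroot`); the two extra arguments exist only so the checker can be exercised on a scratch tree by an unprivileged user. Because the Match block uses ForceCommand internal-sftp, nothing needs to exist inside the chroot for the login to succeed: no shell, no binaries, no /dev entries. A writable upload area belongs in a root-owned chroot as a separate subdirectory owned by sftpusr, never as write permission on the chroot directory itself.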

# 2  
Old 06-14-2011
Quote:
Originally Posted by h@foorsa.biz
Code:
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so):   0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
        0509-026 System error: A file or directory in the path name does not exist.

Seems like Kerberos authentication is configured but doesn't work - either disable Kerberos if you don't want to use it or make sure it works correctly if you indeed want to use it.

Correct and see where you get from there.

I hope this helps.

bakunin
# 3  
Old 06-14-2011
@bakunin
Thanks for your hint, but where or how can I disable Kerberos authentication?
If you are referring to the /etc/ssh/sshd_config entry
Code:
KerberosAuthentication

nothing was found.

---------- Post updated 06-15-11 at 03:00 AM ---------- Previous update was 06-14-11 at 09:30 PM ----------

I double-checked.
I ran
Code:
user@host1 ~ $ lsauthent
Standard Aix

And I checked /etc/ssh/sshd_config
I ran

Code:
user@host1 ~ $ grep -i kerb /etc/ssh/sshd_config
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
user@host1 ~ $ grep -i GSS /etc/ssh/sshd_config
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
user@host1 ~ $

It seems that Kerberos is not enabled.
