Has anyone got the pam_chroot module to successfully work in FreeBSD? I have FreeBSD 5.2-RELEASE installed. I copied the appropriate binaries and libraries into my chroot, I can

    chroot -u test -g test /home/test /usr/local/bin/bash

and it works perfectly. So now I am trying to get the pam module to work. I added

    session required pam_chroot.so debug

into the /etc/pam.d/sshd file. I changed my passwd file so my home dir is

    /home/test/./

When I try to login as that user, it just kicks me right now. There are no errors in the log :(

    Connection to wp1 closed by remote host.
    Connection to wp1 closed.

Maybe someone in here can help.

Nick

------------------------------------------------------------------------------------
Nick Twaddell
Web Space Solutions
Ph: (805) 704-4038
Fx: (805) 434-2477

On Tue, Jan 13, 2004 at 12:38:28AM -0800, Nick Twaddell wrote:
> Has anyone got the pam_chroot module to successfully work in FreeBSD? I
> have FreeBSD 5.2-RELEASE installed. I copied the appropriate binaries and
> libraries into my chroot, I can chroot -u test -g test /home/test
> /usr/local/bin/bash and it works perfectly. So now I am trying to get the
> pam module to work. I added
> session required pam_chroot.so debug
> into the /etc/pam.d/sshd file. I changed my passwd file so my home dir is
> /home/test/./
>
> when I try to login as that user, it just kicks me right now. There are no
> errors in the log :(
>
> Connection to wp1 closed by remote host.
> Connection to wp1 closed.
>
> Maybe someone in here can help.

What do you mean 'try to login as that user' - try to login as 'test', or something else?

Do you have passwd, master.passwd, group, pwd.db and spwd.db files in the /home/test/etc/ directory? If not, copy the passwd, master.passwd and group files from your /etc/ directory, remove the entries you do not really need, then run

    pwd_mkdb /home/test/etc/master.passwd

to build the pwd.db and spwd.db files.

If that doesn't work, can you post the output of 'find /home/test -ls'

G'luck,
Peter

-- 
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
The rest of this sentence is written in Thailand, on

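The checks discussed in the message above, collected into a preflight script. This is an added example, not part of the original thread; the function names are illustrative, and it assumes pam_chroot's convention that the part of the passwd home field left of "/./" is the chroot directory.

```sh
#!/bin/sh
# Added example: preflight check for a pam_chroot-style account.
# Function and variable names are illustrative, not from the thread.

# chroot_root HOME_FIELD
# Print the part of a passwd home field left of "/./"; fail if the marker is absent.
chroot_root() {
    case "$1" in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *)     return 1 ;;
    esac
}

# check_chroot_home HOME_FIELD SHELL_PATH
# Print one line per problem; return 0 only if nothing is missing.
check_chroot_home() {
    home_field=$1 shell_path=$2 problems=0
    if ! root=$(chroot_root "$home_field"); then
        echo "home field has no /./ marker: $home_field"
        return 1
    fi
    if [ ! -d "$root" ]; then
        echo "chroot directory does not exist: $root"
        return 1
    fi
    # Account databases listed in the reply; pwd.db and spwd.db come from pwd_mkdb.
    for f in passwd master.passwd group pwd.db spwd.db; do
        if [ ! -f "$root/etc/$f" ]; then
            echo "missing: $root/etc/$f"
            problems=$((problems + 1))
        fi
    done
    # After chroot, the login shell path is resolved relative to the new root.
    if [ ! -x "$root$shell_path" ]; then
        echo "shell not executable inside chroot: $root$shell_path"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Example call with the values from the thread (run on the host):
#   check_chroot_home /home/test/./ /usr/local/bin/bash
```

On FreeBSD, pwd_mkdb(8) installs its output into /etc unless given -d, so building the databases inside the chroot takes `pwd_mkdb -d /home/test/etc /home/test/etc/master.passwd`.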
"Nick Twaddell" <nick@webspacesolutions.com> writes:> Has anyone got the pam_chroot module to successfully work in FreeBSD?Yes. However, there seems to be a bug in OpenSSH 3.7.1 which prevents it from calling pam_open_session(). DES -- Dag-Erling Sm?rgrav - des@des.no
I do have PrivilegeSeparation off :(

What's the next idea? :)

-----Original Message-----
From: Peter Pentchev [mailto:roam@ringlet.net]
Sent: Tuesday, January 13, 2004 8:50 AM
To: Nick Twaddell
Subject: Re: pam_chroot

On Tue, Jan 13, 2004 at 01:24:18AM -0800, Nick Twaddell wrote:
> Hey Peter,
> Yes I have all those files in my /home/user/etc/ dir
>
> -su-2.05b# pwd
> /home/nick/etc
> -su-2.05b# ls
> group master.passwd passwd pwd.db spwd.db
>
> attached is the list of files you requested.

All of this looks fine... Could you try turning off the 'privilege separation' feature of OpenSSH, as per Dag-Erling's suggestion in another message? Edit your /etc/sshd_config file, find the line that says 'PrivilegeSeparation', uncomment it if needed, and make sure it says 'off'. After that, restart your master sshd server, e.g. using the following command:

    kill -HUP `cat /var/run/sshd.pid`

G'luck,
Peter

-- 
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I had to translate this sentence into English because I could not read the original Sanskrit.