File: README.Debian

package info (click to toggle)
libpam-chroot 0.9-5
  • links: PTS
  • area: main
  • in suites: bullseye
  • size: 136 kB
  • sloc: ansic: 738; sh: 104; makefile: 56
file content (182 lines) | stat: -rw-r--r-- 6,939 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
 
libpam-chroot for Debian
------------------------

This package has not been thoroughly tested by Debian (security wise),
however, it is provided in the hope that it will be useful for some
environments.

RedHat distributes a pam_chroot.so module along with its PAM modules
(last I looked version 0.74) however the source code is not the same
(but might be derived from the same base).

To use this module you need to:

a) modify a PAM-aware application by editing it's file in /etc/pam.d/
For local access this application could be login, xdm, kdm, su or
sudo.  For remote access this application could be ssh, ftp..  Try
adding (as the last line):

# Test Chroot features
session    required   pam_chroot.so debug
 
(the debug option will printout progress of the module to syslog. Debug
messages go to authpriv.notice)

b) Set the proper chroot environment for each user.
(this is quite tricky if you ask me :) For an example of how
to setup an environment for 'login' take a look at the files under 
/usr/share/doc/libpam-chroot/examples/.

Other applications might be more difficult to setup (the more complex
the application the worst).

If you find it difficult to setup a complex chroot you might want to
setup a minimal version of a Debian installation (using 'debootstrap')
and then removing those applications unneded for your environment
(specifically, remove _all_ setuid applications). You might even want
to use some automatic systems to setup chroots like 'makejail'.

c) Configure /etc/security/chroot.conf

Detailed info:
--------------
(based on the RedHat's README for Linux-PAM 0.74)

Operation:
When the calling application attempts to open a session, pam_chroot
opens /etc/security/chroot.conf and searches for a line of the form:

user directory

where the "user" listed can be either a real username or a 
regular expression (if you are using the 'use_regex' option).  If the
PAM_USER for whom the session is being opened matches, 
the module will attempt to chroot() to the given directory.

Optional arguments:
"debug"		Log debug messages to syslog.
"onerr="	Values can be "succeed" or "fail".  The action to take if
		the configuration file cannot be opened, the chroot()
		fails, or the user does not match any of the expressions
		listed in the configuration file.  Default is "succeed".

(for more options see /usr/share/doc/libpam-chroot/options)

Other Notes: The calling application must be executing with root
privileges in order to be able to chroot() at all (see the chroot(2)
manpage).

Warning: If configured incorrectly, this module may potentially render
the service unusable and, under some circumstances, pose a security
risk.

Setting up OpenSSH with libpam-chroot
-------------------------------------

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
NOTE: OpenSSH supports, since the 4.9 release, the definition of
chrooted enviroments. For more information see the 'ChrootDirectory'
directive in sshd_config (5). 

Setting up OpenSSH libpam-chroot is *not* recommended and most likely will not
work. The following information is provided for those users that want to tinker
with pam-chroot and SSH.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Many systems want to setup a restricted remote access to a system in
which users are confined to their user directories, but are unable to
"see" the whole system. If you want to develop this using OpenSSH 
and libpam-chroot you will need to:

0) Setup a chroot environment for your users. Make sure that
environment includes the standard tools they will need (like their
shell) and that it also includes a /dev directory with the /dev/ptmx
and /dev/pty* devices and the /dev/pts/ subdirectory (runnig MAKEDEV
in the /dev directory of the chrooted environment should be
sufficient).

Note: This environment is similar to the 'login' environment detailed
under /usr/share/doc/libpam-chroot/examples

1) Add this line to /etc/pam.d/ssh (should be the last line)
 session     required     pam_chroot.so debug 

2) Configure /etc/security/chroot.conf so that the users you determine
  are chrooted to the directory you setup previously. You might want to have
  independent directories for different users so that they will not be
  able to see neither the whole system nor each other's.

3) Depending on your OpenSSH version it might work or not. Since 3.6.1p2
   the do_pam_session() function is called after sshd has dropped privs,
   since chroot() needs root priviledges it will not work with
   Privilege separation on. In newer OpenSSH versions, however, the
   PAM code has been modified and do_pam_session is called before
   dropping priviledges so it will work even with Privilege separation.

If you don't need to disable Privilege Separation you will need an /etc/passwd
with the user's UID inside the chroot for Privilege Separation to work
properly.

If you have Privilege Separation set to on and your OpenSSH version
does not behave properly you will need to disable it. If you don't,
users that try to connect to your server and would be chrooted by 
this module will see this:

 $ ssh -l user server
 user@server's password:
 Connection to server closed by remote host.
 Connection to server closed. 

 This is because the ssh daemon, which is running as 'sshd', is not
 be able to make the chroot() system call. To disable Privilege separation
 you have to modify the /etc/ssh/sshd_config configuration file.
 Change the (default) line:

 UsePrivilegeSeparation yes

 to

 UsePrivilegeSeparation no

Notice that this will lower the security of your system since the
OpenSSH server will run as 'root' user. This means that if a remote
attack is found against OpenSSH an attacker will get 'root'
priviledges instead of 'sshd', thus compromising the whole system.

If you are using a kernel that implements Mandatory Access Control
(RSBAC/SElinux) you can avoid changing this configuration just by
granting the 'sshd' user priviledges to make the chroot() system call.

Of course, you could just chroot() the daemon in the init.d script to
the chroot environment you have setup, but then you wouldn't need
pam-chroot at all.

4) In order for chroots to work with newer OpenSSH versions the chroot
directory of a user needs to include both the /proc filesystem and
the /dev/pts

    - If /proc is not mounted in the chroot, SSH access will be interrupted
      with the message:

      Connection reset by peer
      Connection to <server-ip> closed.

      To mount /proc do the following:
      mount -t proc /proc <chroot_directory>/proc

    - If /dev/pts is not mounted, the SSH login will freeze after
      authentication with the message:

     PTY allocation request failed on channel 0

      To mount /dev do the following:
      mount --rbind /dev <chroot_directory>/dev


 --
 Javier Fernandez-Sanguino <jfs@debian.org>
 Thu, 03 Jun 2021 13:26:58 +0200