
SSHd chroot and PAM

Gentoo

SSH with the chroot patch has been working fine for a number of years. Since PAM v0.99, though, things have broken if users are chrooted with the "/home/username/./" syntax as their home directory.

SSH sessions will just terminate immediately after successful logon. Doh.

Two solutions exist:

  1. Put UsePAM no into /etc/ssh/sshd_config and keep using the chroot patch with /./ in the users' home directories.
  2. Keep UsePAM yes. Emerge sys-auth/pam_chroot and add session required pam_chroot.so to /etc/pam.d/sshd; then either set up /etc/security/chroot.conf or add chroot_dir=/home/username/ to the pam_chroot.so line.
    This will currently not work for amd64 though, as the Gentoo bug regarding pam_chroot has not caught any attention from the arch testers. Since July...
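The two solutions above only differ in where the chroot is performed, and the failure mode is the same whenever the pieces are mixed. As an added example that is not part of the original post, the following POSIX shell check reads an sshd_config, a passwd file and the PAM stack for sshd and flags the combination that produces the "session terminates right after login" symptom: users with a "/./" marker in their home directory, UsePAM yes, and no pam_chroot.so session module. The file paths are parameters so the check runs against constructed sample files; on a real host they would be /etc/ssh/sshd_config, /etc/passwd and /etc/pam.d/sshd. It assumes stock OpenSSH behaviour, where UsePAM defaults to no when the directive is absent and the first uncommented occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example, not from the original post: consistency check for the two
# sshd chroot setups (chroot patch with UsePAM no, or UsePAM yes with
# pam_chroot.so). Flags the mix that makes sessions die right after login.

# usage: check_chroot_pam SSHD_CONFIG PASSWD PAM_SSHD
# Returns 0 when the setup is consistent, 1 when it is the broken combination.
check_chroot_pam() {
    sshd_config=$1
    passwd=$2
    pam_sshd=$3

    # First uncommented UsePAM directive wins (OpenSSH semantics); the built-in
    # default is "no" when the directive is absent (assumption: stock OpenSSH).
    use_pam=$(awk 'tolower($1) == "usepam" && v == "" { v = tolower($2) }
                   END { print (v == "" ? "no" : v) }' "$sshd_config")

    # Users whose home directory carries the chroot patch's "/./" marker.
    chroot_users=$(awk -F: '$6 ~ /\/\.\// { print $1 }' "$passwd" | tr '\n' ' ')

    # Is pam_chroot.so configured as a session module (commented lines ignored)?
    if grep -Eq '^[[:space:]]*session[[:space:]]+[a-z]+[[:space:]]+pam_chroot\.so' "$pam_sshd"; then
        pam_chroot=yes
    else
        pam_chroot=no
    fi

    if [ -z "$chroot_users" ]; then
        echo "ok: no /./ chroot home directories in $passwd"
        return 0
    fi
    case "$use_pam:$pam_chroot" in
        no:*)    echo "ok: UsePAM no, chroot patch handles: $chroot_users"; return 0 ;;
        yes:yes) echo "ok: UsePAM yes with pam_chroot.so session module for: $chroot_users"; return 0 ;;
        yes:no)  echo "BROKEN: UsePAM yes and /./ homedirs ($chroot_users) but no pam_chroot.so session line in $pam_sshd"; return 1 ;;
        *)       echo "unexpected UsePAM value '$use_pam' in $sshd_config"; return 1 ;;
    esac
}

# Constructed sample files (not copied from any real host) covering both
# working solutions and the broken mix. usage: write_samples DIR
write_samples() {
    dir=$1
    printf '%s\n' 'UsePAM yes' 'Subsystem sftp /usr/lib/misc/sftp-server' > "$dir/sshd_config.pam"
    printf '%s\n' '#UsePAM yes' 'UsePAM no' > "$dir/sshd_config.nopam"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1001:1001::/home/alice/./:/bin/bash' \
                  'bob:x:1002:1002::/home/bob:/bin/bash' > "$dir/passwd"
    printf '%s\n' 'auth     required pam_unix.so' \
                  'session  required pam_unix.so' \
                  '# session required pam_chroot.so' > "$dir/pam_sshd.plain"
    printf '%s\n' 'auth     required pam_unix.so' \
                  'session  required pam_unix.so' \
                  'session  required pam_chroot.so chroot_dir=/home/alice/' > "$dir/pam_sshd.chroot"
}

# Stand-alone demo: report on the broken combination.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_chroot_pam "$demo_dir/sshd_config.pam" "$demo_dir/passwd" "$demo_dir/pam_sshd.plain" || true
rm -rf "$demo_dir"
```

One thing worth keeping in mind when picking solution 1: UsePAM no does not only skip PAM authentication, it also skips PAM account and session processing for sshd, so anything enforced there (nologin, account expiry, limits) no longer applies to SSH logins.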

Bugging the arch testers in #Gentoo-amd64 didn't help either:

17:16 - You are now in #gentoo-amd64
17:16 - Topic: The Gentoo/AMD64 Channel || FAQ: http://tinyurl.com/8zb58 || Looking for Arch Testers: http://amd64.gentoo.org/at/ || Command of the week: herdstat
17:16 - Topic was set by angelos on 07.11.2007 at 22:11:59
17:17 <DLange>Hi. Is there any reason pam_chroot is not ~amd64 per http://bugs.gentoo.org/show_bug.cgi?id=185205 ?
17:18 <krushia_>because Ken69267 is a slacker
17:19 <Ken69267>I don't touch pam things
17:20 <Ken69267>if I did we'd all be compromised
17:20 <Ken69267>:P
17:21 <krushia_>angelos: your powers are needed
17:21 - krushia_ is now known as krushia
17:22 <angelos>I don't touch pam things
17:22 <krushia>i'm just gonna go down the whole list then
17:22 <Ken69267>ask the mighty taco!
17:22 <krushia>dang: your turn

[...]

19:14 <DLange>Try #2: Is there any reason pam_chroot is not ~amd64 per http://bugs.gentoo.org/show_bug.cgi?id=185205 ?
19:17 <Ken69267>DLange: I said to ask taco!

19:18 <krushia>huhwaht
19:18 <DLange>^KingTaco: You you look at bug #185205 and mark ~amd64 please? See ^.
19:18 <jeeves>DLange: https://bugs.gentoo.org/185205 nor, P2, All, flameeyes@gentoo.org->hawking@gentoo.org, NEW, pending, sys-auth/pam_chroot testing request
19:19 <krushia>didn't i ask dang that
19:19 <Ken69267>krushia: indeed
19:20 <DLange>Ken69267, krushia: No update so far. See bugzilla.
19:21 <krushia>angelos dang drac KingTaco malc Philantrop Tester_ welp: poke
19:21 <krushia>DLange did it
19:21 - krushia hides
19:21 <Philantrop>krushia: Hm?
19:22 <krushia>pam thingy needs to be ~amd64
19:22 <krushia>everyone is too wussy to do it
19:23 <krushia>https://bugs.gentoo.org/185205
19:25 <rushfan>Anyone here have an ATSC PCI Tv tuner?
19:25 <krushia>i will if you buy me one
19:28 <rushfan>krushia: I cant even figure out which ones are linux compatible
19:28 <angelos>become AT and test it or stop bugging us
19:28 <rushfan>angelos: I was only wondering if anyone happened to own one
19:28 <tomboy64>rushfan: have a look at the drivers
19:29 <rushfan>tomboy64: yeah Ive been digging. ITs also hard to find the ones that work on salke
19:29 <tomboy64>rushfan: asking in here is kinda ... impolite
19:29 <angelos>uhm, I was talking to krushia : P
19:29 <tomboy64>lol
19:29 <rushfan>tomboy64: impolite?
19:29 <rushfan>angelos: oh lol
19:29 - tomboy64 was trying to translate angelos to some more polite words :- P
19:30 <rushfan>God damn
19:30 <rushfan>Im confused lol
19:30 <rushfan>I clearly read comments not directed at me and thought they were
19:30 - rushfan goes back under rock
19:31 <krushia>i'm just the messenger who enjoys the thrill of poking devs while risking banishment
19:31 <tomboy64>krushia: might happen to take some bashing to ^^

O.k. Thanks krushia for trying. As always: you get what you pay for. Copying ebuild sys-auth/pam_chroot/pam_chroot-0.9.2.ebuild to portage/local/ ... :-)

Update

18.11.07: Krushia doesn't give up. I blog :-)
21:00 <krushia>hparker: poke
21:01 <hparker>ouch!
21:01 <krushia>https://bugs.gentoo.org/185205
21:01 - krushia left (kicked by angelos with reason: it's enough now)
21:01 - krushia joined
21:01 <krushia>hehe
[...]
22:48 <DLange>angelos, krushia: pam_chroot emerges fine with ~amd64, works as advertised. BTW bug #185205 has been waiting for amd64 for over four months now.
22:48 <jeeves>DLange: {https://bugs.gentoo.org/185205} nor, P2, All, flameeyes@gentoo.org->hawking@gentoo.org, NEW, pending, sys-auth/pam_chroot testing request
22:49 <angelos><@angelos> become AT and test it or stop bugging us
22:49 <angelos>applies to you too : P
22:49 <Ken69267>oh I have the first part!
22:49 <angelos>yay!
22:49 <angelos>and you never bugged us about pam_chroot
22:49 <angelos>good boy
22:49 - angelos feeds Ken69267 with cookies
22:49 - Ken69267 eats
22:52 <DLange>angelos: I tested it, 'cause I needed it. I'm always happy to give feedback. I do not need another job.
22:52 <angelos>part one and three are still valid
[...]
22:56: angelos: Part one: I said, I don't need another job. Part three: Nah, I'll just blog about it.
22:57 <angelos>haha, have fun
22:58 - angelos puts DLange in one corner with fefe
22:58 <angelos>wonder what's up with those emo kids, "uh you didn't do what I want, so I'll blog about it!"
23:00 <angelos>btw instead of that hacky ebuild copy method you might wanna read man portage, that part about package.keywords


Oh, Christoph, thanks for that. That would never have crossed my mind, never, ever... :-(


Comments


krushia on :

Congrats, this page was at the top of a random google search by our beloved yet mentally challenged snackb0t, although the search query had no mention of my name.

Thanks for the snippet of old IRC fun. This bug still isn't resolved :-P
