SSHd chroot and PAM
SSH with the chroot patch has been working fine for a number of years. Since PAM v0.99, however, things have broken for users who are chrooted with the "/home/username/./" syntax in their homedir.
SSH sessions just terminate immediately after a successful logon. Doh.
Two solutions exist:
- Put "UsePAM no" into /etc/ssh/sshd_config and keep using the chroot patch and /./ in users' homedirs.
- Keep "UsePAM yes". Emerge sys-auth/pam_chroot and add "session required pam_chroot.so" to /etc/pam.d/sshd. Then either set up /etc/security/chroot.conf or add chroot_dir=/home/username/ to the pam_chroot.so line.
This currently does not work on amd64 though, as the Gentoo bug regarding pam_chroot has not caught any attention from the arch testers. Since July...
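To find hosts that are in the broken state described above, the following check looks for accounts with a "/./" homedir while sshd uses PAM and the sshd PAM service has no pam_chroot session line. It is an added example, not part of the original post; the function names are hypothetical, the sample files are constructed, and it assumes simple whitespace-separated config lines.

```shell
#!/bin/sh
# Added example: flag the combination described above (UsePAM yes, "/./"
# homedirs, no pam_chroot session line). Paths are arguments so it can run on copies.

# Print login names whose passwd home field carries the "/./" chroot marker.
chroot_marker_users() {
    awk -F: 'index($6, "/./") { print $1 }' "$1"
}

# Succeed if the first active UsePAM line says yes (whitespace-separated form only).
use_pam_enabled() {
    awk 'tolower($1) == "usepam" { v = tolower($2); exit }
         END { exit (v == "yes" ? 0 : 1) }' "$1"
}

# Succeed if the PAM service file has an uncommented session line for pam_chroot.so.
pam_chroot_configured() {
    awk '$1 == "session" && /pam_chroot\.so/ { found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# args: passwd sshd_config pam_service_file
# Prints the affected users and returns 1 when the broken combination is present.
audit_sshd_chroot() {
    users=$(chroot_marker_users "$1")
    [ -z "$users" ] && return 0
    if use_pam_enabled "$2" && ! pam_chroot_configured "$3"; then
        echo "$users"
        return 1
    fi
    return 0
}

# Constructed sample files, not taken from a real host.
d=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1001:100::/home/alice/./:/bin/bash' \
    'bob:x:1002:100::/home/bob:/bin/bash' > "$d/passwd"
printf '%s\n' '#UsePAM no' 'UsePAM yes' > "$d/sshd_config"
printf '%s\n' 'auth include system-auth' 'session include system-auth' > "$d/pam_broken"
printf '%s\n' 'session include system-auth' 'session required pam_chroot.so' > "$d/pam_fixed"

audit_sshd_chroot "$d/passwd" "$d/sshd_config" "$d/pam_broken" || echo "^ /./ users without pam_chroot"
audit_sshd_chroot "$d/passwd" "$d/sshd_config" "$d/pam_fixed" && echo "pam_chroot session line present"
```

On a real system the three arguments would be /etc/passwd, /etc/ssh/sshd_config and /etc/pam.d/sshd.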
Bugging the arch testers in #Gentoo-amd64 didn't help either:
17:16 - You are now in #gentoo-amd64
17:16 - Topic: The Gentoo/AMD64 Channel || FAQ: http://tinyurl.com/8zb58 || Looking for Arch Testers: http://amd64.gentoo.org/at/ || Command of the week: herdstat
17:16 - The topic was set by angelos on 07.11.2007 at 22:11:59
17:17 <DLange>Hi. Is there any reason pam_chroot is not ~amd64 per http://bugs.gentoo.org/show_bug.cgi?id=185205 ?
17:18 <krushia_>because Ken69267 is a slacker
17:19 <Ken69267>I don't touch pam things
17:20 <Ken69267>if I did we'd all be compromised
17:20 <Ken69267>:P
17:21 <krushia_>angelos: your powers are needed
17:21 - krushia_ is now known as krushia
17:22 <angelos>I don't touch pam things
17:22 <krushia>i'm just gonna go down the whole list then
17:22 <Ken69267>ask the mighty taco!
17:22 <krushia>dang: your turn
[...]
19:14 <DLange>Try #2: Is there any reason pam_chroot is not ~amd64 per http://bugs.gentoo.org/show_bug.cgi?id=185205 ?
19:17 <Ken69267>DLange: I said to ask taco!
19:18 <krushia>huhwaht
19:18 <DLange>^KingTaco: You you look at bug #185205 and mark ~amd64 please? See ^.
19:18 <jeeves>DLange: https://bugs.gentoo.org/185205 nor, P2, All, flameeyes@gentoo.org->hawking@gentoo.org, NEW, pending, sys-auth/pam_chroot testing request
19:19 <krushia>didn't i ask dang that
19:19 <Ken69267>krushia: indeed
19:20 <DLange>Ken69267, krushia: No update so far. See bugzilla.
19:21 <krushia>angelos dang drac KingTaco malc Philantrop Tester_ welp: poke
19:21 <krushia>DLange did it
19:21 - krushia hides
19:21 <Philantrop>krushia: Hm?
19:22 <krushia>pam thingy needs to be ~amd64
19:22 <krushia>everyone is too wussy to do it
19:23 <krushia>https://bugs.gentoo.org/185205
19:25 <rushfan>Anyone here have an ATSC PCI Tv tuner?
19:25 <krushia>i will if you buy me one
19:28 <rushfan>krushia: I cant even figure out which ones are linux compatible
19:28 <angelos>become AT and test it or stop bugging us
19:28 <rushfan>angelos: I was only wondering if anyone happened to own one
19:28 <tomboy64>rushfan: have a look at the drivers
19:29 <rushfan>tomboy64: yeah Ive been digging. ITs also hard to find the ones that work on salke
19:29 <tomboy64>rushfan: asking in here is kinda ... impolite
19:29 <angelos>uhm, I was talking to krushia : P
19:29 <tomboy64>lol
19:29 <rushfan>tomboy64: impolite?
19:29 <rushfan>angelos: oh lol
19:29 - tomboy64 was trying to translate angelos to some more polite words :- P
19:30 <rushfan>God damn
19:30 <rushfan>Im confused lol
19:30 <rushfan>I clearly read comments not directed at me and thought they were
19:30 - rushfan goes back under rock
19:31 <krushia>i'm just the messenger who enjoys the thrill of poking devs while risking banishment
19:31 <tomboy64>krushia: might happen to take some bashing to ^^
O.k. Thanks krushia for trying. As always: you get what you pay for. Copying ebuild sys-auth/pam_chroot/pam_chroot-0.9.2.ebuild to portage/local/ ...
Update
18.11.07: Krushia doesn't give up. I blog
21:00 <krushia>hparker: poke
21:01 <hparker>ouch!
21:01 <krushia>https://bugs.gentoo.org/185205
21:01 - krushia left (kicked by angelos with the following reason: it's enough now)
21:01 - krushia joined
21:01 <krushia>hehe
[...]
22:48 <DLange>angelos, krushia: pam_chroot emerges fine with ~amd64, works as advertised. BTW bug #185205 has been waiting for amd64 for over four months now.
22:48 <jeeves>DLange: {https://bugs.gentoo.org/185205} nor, P2, All, flameeyes@gentoo.org->hawking@gentoo.org, NEW, pending, sys-auth/pam_chroot testing request
22:49 <angelos><@angelos> become AT and test it or stop bugging us
22:49 <angelos>applies to you too : P
22:49 <Ken69267>oh I have the first part!
22:49 <angelos>yay!
22:49 <angelos>and you never bugged us about pam_chroot
22:49 <angelos>good boy
22:49 - angelos feeds Ken69267 with cookies
22:49 - Ken69267 eats
22:52 <DLange>angelos: I tested it, 'cause I needed it. I'm always happy to give feedback. I do not need another job.
22:52 <angelos>part one and three are still valid
[...]
22:56 <DLange>angelos: Part one: I said, I don't need another job. Part three: Nah, I'll just blog about it.
22:57 <angelos>haha, have fun
22:58 - angelos puts DLange in one corner with fefe
22:58 <angelos>wonder what's up with those emo kids, "uh you didn't do what I want, so I'll blog about it!"
23:00 <angelos>btw instead of that hacky ebuild copy method you might wanna read man portage, that part about package.keywords
Oh, Christoph, thanks for that. That would never have crossed my mind, never, ever...
Comments
krushia on :
Congrats, this page was at the top of a random google search by our beloved yet mentally challenged snackb0t, although the search query had no mention of my name.
Thanks for the snippet of old IRC fun. This bug still isn't resolved