DaemonForums > OpenBSD > OpenBSD General

#1 (sklv, 11th May 2019)
Issues with PuTTY + ForceCommand + ChrootDirectory

Hi,

I'm on OpenBSD 6.5 and I'm trying to configure SSHD with both ChrootDirectory and ForceCommand.

As an example I'm using vim.

Unfortunately I get this error, and I am looking for some help troubleshooting it:

First I create the directory /var/chroot/test which will be the home dir of our test user:
Code:
#adduser -home /var/chroot
Then, use a script to copy vim binary and deps:
Code:
Copying /var/chroot/test/usr/local/lib/libiconv.so.6.0
Copying /var/chroot/test/usr/lib/libc.so.92.5
Copying /var/chroot/test/usr/local/bin/vim
Copying /var/chroot/test/usr/libexec/ld.so
Copying /var/chroot/test/usr/local/lib/libintl.so.6.0
Copying /var/chroot/test/usr/lib/libcurses.so.14.0
Copying /var/chroot/test/usr/lib/libm.so.10.1
Create devices:
Code:
#cd /var/chroot/test
#mkdir dev
#cd dev
#/dev/MAKEDEV std pty
Set chroot perms:
Code:
#chmod o-rx /var/chroot/test
#chown root:test /var/chroot/test
Set sshd_config:
Code:
LogLevel DEBUG
PermitTTY yes
Match User test
	ChrootDirectory /var/chroot/test
	ForceCommand /usr/local/bin/vim
Try to log in using default PuTTY:
Code:
May 11 11:56:39 totesnotmyserver sshd[53405]: Connection from 10.0.0.130 port 61006 on 10.0.1.2 port 22 rdomain "0"
May 11 11:56:46 totesnotmyserver sshd[53405]: Accepted password for test from 10.0.0.130 port 61006 ssh2
May 11 11:56:46 totesnotmyserver sshd[53405]: User child is on pid 66611
May 11 11:56:46 totesnotmyserver sshd[66611]: Changed root directory to "/var/chroot/test/"
May 11 11:56:46 totesnotmyserver sshd[66611]: Starting session: forced-command (config) '/usr/local/bin/vim' on ttyp7 for test from 10.0.0.130 port 61006 id 0
May 11 11:56:46 totesnotmyserver sshd[66611]: Close session: user test from 10.0.0.130 port 61006 id 0
May 11 11:56:46 totesnotmyserver sshd[66611]: Connection closed by 10.0.0.130 port 61006
May 11 11:56:46 totesnotmyserver sshd[66611]: Transferred: sent 2200, received 1792 bytes
May 11 11:56:46 totesnotmyserver sshd[66611]: Closing connection to 10.0.0.130 port 61006
Removing ChrootDirectory results in the login working as expected and vim being displayed.

Any ideas what is going wrong?

#2 (jggimi, 11th May 2019)

Something is missing from your chroot() environment. The debug output isn't showing the root cause. To find it, try running vim in the chroot() directly.
#3 (sklv, 11th May 2019)

Thanks for the quick reply!

You're right, the issue is that ld.so can't load a library. I have tried with different binaries:

Code:
# chroot -u test /var/chroot/test/ /usr/local/bin/vim
ld.so: vim: can't load library 'libiconv.so.6.0'
Killed
# chroot -u test /var/chroot/test/ /usr/local/bin/weechat
ld.so: weechat: can't load library 'libcurl.so.25.21'
Killed
There are a few binaries that work, but most of the ones I want don't, failing to load a library in /usr/local.

I tried researching why this is the case, but as this is the OpenBSD linker I couldn't find much info.

How can I make ld.so give more verbose output, or otherwise fix the issue?
#4 (jggimi, 11th May 2019)

You'll need to also copy your /var/run/ld.so.hints file to your chroot structure after each boot. You could use an rc.local(8) file to do this.
#5 (sklv, 11th May 2019)

After copying ld.so.hints, vim starts in the chroot (with a warning about ANSI encoding). Unfortunately the ssh login fails with the same log messages as in the initial post:

Code:
May 11 16:51:00 totesnotmyserver sshd[86106]: Connection from 10.0.0.130 port 61563 on 10.0.1.2 port 22 rdomain "0"
May 11 16:51:03 totesnotmyserver sshd[86106]: Accepted password for test from 10.0.0.130 port 61563 ssh2
May 11 16:51:03 totesnotmyserver sshd[86106]: User child is on pid 26149
May 11 16:51:03 totesnotmyserver sshd[26149]: Changed root directory to "/var/chroot/test/"
May 11 16:51:03 totesnotmyserver sshd[26149]: Starting session: forced-command (config) '/usr/local/bin/vim' on ttyp6 for test from 10.0.0.130 port 61563 id 0
May 11 16:51:03 totesnotmyserver sshd[26149]: Close session: user test from 10.0.0.130 port 61563 id 0
May 11 16:51:03 totesnotmyserver sshd[26149]: Connection closed by 10.0.0.130 port 61563
May 11 16:51:03 totesnotmyserver sshd[26149]: Transferred: sent 2200, received 1792 bytes
May 11 16:51:03 totesnotmyserver sshd[26149]: Closing connection to 10.0.0.130 port 61563
#6 (sklv, 14th May 2019)

The issue was the absence of /bin/sh inside the chroot. Once I changed /etc/passwd to use /bin/sh and put /bin/sh inside the chroot everything worked.

jggimi thanks for your help.
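Putting together what jggimi (#4) and sklv (#6) found, here is an added script that builds and checks such a chroot: it copies the forced-command binary and the objects ld.so needs for it, copies /var/run/ld.so.hints (regenerated by ldconfig at every boot, so it is re-copied from rc.local(8)), and copies /bin/sh, because sshd starts the ForceCommand through the user's login shell. This is example code, not from the thread or from OpenBSD; it assumes OpenBSD's ldd(1) table output, a statically linked /bin/sh, and the 'test' group from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): populate and verify an sshd
# ChrootDirectory tree for a ForceCommand binary on OpenBSD.
set -eu

# Copy one file into the chroot, keeping its path and mode.
copy_into() {  # copy_into CHROOT /path/to/file
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# Copy a binary plus every object ld.so will load for it.
# Assumes OpenBSD ldd(1): a two-line header, then a table whose last
# column is the object path (the exe itself and ld.so included).
copy_binary_deps() {  # copy_binary_deps CHROOT BINARY
    ldd "$2" | awk 'NR > 2 && $NF ~ /^\// { print $NF }' | while read -r obj; do
        copy_into "$1" "$obj"
    done
}

# Build the tree: binary and deps, the login shell sshd uses to run the
# forced command (static on OpenBSD, so no libraries needed), the hints
# file ld.so reads to find /usr/local/lib, and the device nodes.
populate_chroot() {  # populate_chroot CHROOT BINARY
    copy_binary_deps "$1" "$2"
    copy_into "$1" /bin/sh
    copy_into "$1" /var/run/ld.so.hints   # re-run this line from rc.local(8)
    mkdir -p "$1/dev" && (cd "$1/dev" && /dev/MAKEDEV std pty)
    chown root:test "$1"                   # sshd insists on root ownership
    chmod 0750 "$1"                        # and no group/world write bits
}

# List the pieces this thread tripped over that are still missing.
# Prints one "missing:" line per absent path; returns 0 when complete.
check_chroot() {  # check_chroot CHROOT
    missing=0
    for f in /bin/sh /usr/libexec/ld.so /var/run/ld.so.hints /dev/null; do
        if [ ! -e "$1$f" ]; then
            echo "missing: $1$f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh build-chroot.sh /var/chroot/test /usr/local/bin/vim
if [ $# -eq 2 ]; then
    populate_chroot "$1" "$2"
    check_chroot "$1"
fi
```

Run check_chroot against the directory before restarting sshd; a "missing:" line for /bin/sh or ld.so.hints is exactly the condition that produced the silent "Close session" right after "Starting session" in the logs above.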
#7 (jggimi, 14th May 2019)

I'm glad you've got it resolved. My ssh ChrootDirectory experience is limited to using it with internal-sftp.