ssh with Active Directory and chroot

I am trying to set up an OpenSUSE 11.4 server with ssh running. I installed openssh, kerberos & samba as per the instructions and I have been successful getting ssh to authenticate against Active Directory and can limit login to certain AD groups, but when I try and turn on chroot in sshd_config I get some strange results. It appears to be authenticating the client OK and I don’t receive any error messages with LogLevel set to DEBUG3, but it just disconnects the client with the following message:
Connection to 192.168.1.5 closed by remote host.
Connection to 192.168.1.5 closed.

Here’s my sshd_config file:
LogLevel DEBUG3
PasswordAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
ChrootDirectory /home/chroot
AllowGroups "MyDomain\sshallowed"
Banner /etc/ssh/banner.txt
Subsystem sftp internal-sftp
ForceCommand internal-sftp
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes

Here are the results in /var/log/messages:
Nov 7 15:02:21 sshServer vmsvc[1797]: warning] [guestinfo] Failed to get vmstats.
Nov 7 15:02:24 sshServer sshd[20506]: debug3: fd 5 is not O_NONBLOCK
Nov 7 15:02:24 sshServer sshd[20506]: debug1: Forked child 20705.
Nov 7 15:02:24 sshServer sshd[20506]: debug3: send_rexec_state: entering fd = 8 config len 610
Nov 7 15:02:24 sshServer sshd[20506]: debug3: ssh_msg_send: type 0
Nov 7 15:02:24 sshServer sshd[20705]: debug3: oom_adjust_restore
Nov 7 15:02:24 sshServer sshd[20506]: debug3: send_rexec_state: done
Nov 7 15:02:24 sshServer sshd[20705]: Set /proc/self/oom_score_adj to 0
Nov 7 15:02:24 sshServer sshd[20705]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Nov 7 15:02:24 sshServer sshd[20705]: debug1: inetd sockets after dupping: 3, 3
Nov 7 15:02:24 sshServer sshd[20705]: Connection from 192.168.1.10 port 46730
Nov 7 15:02:24 sshServer sshd[20705]: debug1: Client protocol version 2.0; client software version OpenSSH_5.2
Nov 7 15:02:24 sshServer sshd[20705]: debug1: match: OpenSSH_5.2 pat OpenSSH*
Nov 7 15:02:24 sshServer sshd[20705]: debug1: Enabling compatibility mode for protocol 2.0
Nov 7 15:02:24 sshServer sshd[20705]: debug1: Local version string SSH-2.0-OpenSSH_5.8
Nov 7 15:02:24 sshServer sshd[20705]: debug2: fd 3 setting O_NONBLOCK
Nov 7 15:02:24 sshServer sshd[20705]: debug2: Network child is on pid 20707
Nov 7 15:02:24 sshServer sshd[20705]: debug3: preauth child monitor started
Nov 7 15:02:24 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:24 sshServer sshd[20705]: debug3: monitor_read: checking request 0
Nov 7 15:02:24 sshServer sshd[20705]: debug3: mm_answer_moduli: got parameters: 1024 1024 8192
Nov 7 15:02:24 sshServer sshd[20705]: debug3: mm_request_send entering: type 1
Nov 7 15:02:24 sshServer sshd[20705]: debug2: monitor_read: 0 used once, disabling now
Nov 7 15:02:24 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:24 sshServer sshd[20705]: debug3: monitor_read: checking request 4
Nov 7 15:02:24 sshServer sshd[20705]: debug3: mm_answer_sign
Nov 7 15:02:24 sshServer sshd[20705]: debug3: mm_answer_sign: signature 0x7f5b4c015810(143)
Nov 7 15:02:24 sshServer sshd[20705]: debug3: mm_request_send entering: type 5
Nov 7 15:02:24 sshServer sshd[20705]: debug2: monitor_read: 4 used once, disabling now
Nov 7 15:02:24 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:24 sshServer sshd[20705]: debug3: monitor_read: checking request 6
Nov 7 15:02:24 sshServer sshd[20705]: debug3: mm_answer_pwnamallow
Nov 7 15:02:24 sshServer sshd[20705]: debug3: Trying to reverse map address 192.168.1.10.
Nov 7 15:02:24 sshServer sshd[20705]: debug2: parse_server_config: config reprocess config len 610
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_request_send entering: type 7
Nov 7 15:02:25 sshServer sshd[20705]: debug2: monitor_read: 6 used once, disabling now
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:25 sshServer sshd[20705]: debug3: monitor_read: checking request 45
Nov 7 15:02:25 sshServer sshd[20705]: debug1: PAM: initializing for "testuser@mydomain.com"
Nov 7 15:02:25 sshServer sshd[20705]: debug1: PAM: setting PAM_RHOST to "192.168.1.10"
Nov 7 15:02:25 sshServer sshd[20705]: debug1: PAM: setting PAM_TTY to "ssh"
Nov 7 15:02:25 sshServer sshd[20705]: debug2: monitor_read: 45 used once, disabling now
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:25 sshServer sshd[20705]: debug3: monitor_read: checking request 3
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_answer_authserv: service=ssh-connection, style=
Nov 7 15:02:25 sshServer sshd[20705]: debug2: monitor_read: 3 used once, disabling now
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:25 sshServer sshd[20705]: debug3: monitor_read: checking request 8
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_request_send entering: type 9
Nov 7 15:02:25 sshServer sshd[20705]: debug2: monitor_read: 8 used once, disabling now
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:25 sshServer sshd[20705]: debug3: monitor_read: checking request 48
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_answer_pam_init_ctx
Nov 7 15:02:25 sshServer sshd[20705]: debug3: PAM: sshpam_init_ctx entering
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_request_send entering: type 49
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:25 sshServer sshd[20705]: debug3: monitor_read: checking request 50
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_answer_pam_query
Nov 7 15:02:25 sshServer sshd[20705]: debug3: PAM: sshpam_query entering
Nov 7 15:02:25 sshServer sshd[20705]: debug3: ssh_msg_recv entering
Nov 7 15:02:25 sshServer sshd[20712]: debug3: PAM: sshpam_thread_conv entering, 1 messages
Nov 7 15:02:25 sshServer sshd[20712]: debug3: ssh_msg_send: type 1
Nov 7 15:02:25 sshServer sshd[20712]: debug3: ssh_msg_recv entering
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_request_send entering: type 51
Nov 7 15:02:25 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:33 sshServer sshd[20705]: debug3: monitor_read: checking request 52
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_answer_pam_respond
Nov 7 15:02:33 sshServer sshd[20705]: debug2: PAM: sshpam_respond entering, 1 responses
Nov 7 15:02:33 sshServer sshd[20705]: debug3: ssh_msg_send: type 6
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_send entering: type 53
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:33 sshServer sshd[20705]: debug3: monitor_read: checking request 50
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_answer_pam_query
Nov 7 15:02:33 sshServer sshd[20705]: debug3: PAM: sshpam_query entering
Nov 7 15:02:33 sshServer sshd[20705]: debug3: ssh_msg_recv entering
Nov 7 15:02:33 sshServer sshd[20712]: pam_winbind(sshd:auth): getting password (0x00000190)
Nov 7 15:02:33 sshServer sshd[20712]: pam_winbind(sshd:auth): pam_get_item returned a password
Nov 7 15:02:33 sshServer sshd[20712]: pam_winbind(sshd:auth): user 'MyDomain.COM\testuser' granted access
Nov 7 15:02:33 sshServer sshd[20712]: debug1: do_pam_account: called
Nov 7 15:02:33 sshServer sshd[20712]: pam_winbind(sshd:account): user 'MyDomain\testuser' granted access
Nov 7 15:02:33 sshServer sshd[20712]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Nov 7 15:02:33 sshServer sshd[20712]: debug3: ssh_msg_send: type 0
Nov 7 15:02:33 sshServer sshd[20705]: debug3: PAM: import_environments entering
Nov 7 15:02:33 sshServer sshd[20705]: debug3: sshpam_password_change_required 0
Nov 7 15:02:33 sshServer sshd[20705]: debug3: PAM: num env strings 0
Nov 7 15:02:33 sshServer sshd[20705]: debug1: PAM: num PAM env strings 1
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_send entering: type 51
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:33 sshServer sshd[20705]: debug3: monitor_read: checking request 52
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_answer_pam_respond
Nov 7 15:02:33 sshServer sshd[20705]: debug2: PAM: sshpam_respond entering, 0 responses
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_send entering: type 53
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:33 sshServer sshd[20705]: debug3: monitor_read: checking request 54
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_answer_pam_free_ctx
Nov 7 15:02:33 sshServer sshd[20705]: debug3: PAM: sshpam_free_ctx entering
Nov 7 15:02:33 sshServer sshd[20705]: debug3: PAM: sshpam_thread_cleanup entering
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_send entering: type 55
Nov 7 15:02:33 sshServer sshd[20705]: debug2: monitor_read: 54 used once, disabling now
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_receive_expect entering: type 46
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:33 sshServer sshd[20705]: debug1: do_pam_account: called
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_send entering: type 47
Nov 7 15:02:33 sshServer sshd[20705]: Accepted keyboard-interactive/pam for testuser@mydomain.com from 192.168.1.10 port 46730 ssh2
Nov 7 15:02:33 sshServer sshd[20705]: debug1: monitor_child_preauth: testuser@mydomain.com has been authenticated by privileged process
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_get_keystate: Waiting for new keys
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_receive_expect entering: type 24
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_newkeys_from_blob: 0x7f5b4c043370(122)
Nov 7 15:02:33 sshServer sshd[20705]: debug2: mac_setup: found hmac-md5
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_get_keystate: Waiting for second key
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_newkeys_from_blob: 0x7f5b4c043370(122)
Nov 7 15:02:33 sshServer sshd[20705]: debug2: mac_setup: found hmac-md5
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_get_keystate: Getting compression state
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_get_keystate: Getting Network I/O buffers
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_share_sync: Share sync
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_share_sync: Share sync end
Nov 7 15:02:33 sshServer sshd[20705]: debug1: temporarily_use_uid: 10003/10000 (e=0/0)
Nov 7 15:02:33 sshServer sshd[20705]: debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
Nov 7 15:02:33 sshServer sshd[20705]: debug1: restore_uid: 0/0
Nov 7 15:02:33 sshServer sshd[20705]: debug1: PAM: establishing credentials
Nov 7 15:02:33 sshServer sshd[20705]: debug3: PAM: opening session
Nov 7 15:02:33 sshServer sshd[20705]: User child is on pid 20715
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:33 sshServer sshd[20715]: debug1: SELinux support disabled
Nov 7 15:02:33 sshServer sshd[20715]: debug1: PAM: establishing credentials
Nov 7 15:02:33 sshServer sshd[20715]: debug3: safely_chroot: checking '/'
Nov 7 15:02:33 sshServer sshd[20715]: debug3: safely_chroot: checking '/home/'
Nov 7 15:02:33 sshServer sshd[20715]: debug3: safely_chroot: checking '/home/chroot'
Nov 7 15:02:33 sshServer sshd[20705]: debug3: monitor_read: checking request 25
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_answer_pty entering
Nov 7 15:02:33 sshServer sshd[20705]: debug2: session_new: allocate (allocated 0 max 10)
Nov 7 15:02:33 sshServer sshd[20705]: debug3: session_unused: session id 0 unused
Nov 7 15:02:33 sshServer sshd[20705]: debug1: session_new: session 0
Nov 7 15:02:33 sshServer sshd[20705]: debug1: SELinux support disabled
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_send entering: type 26
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_answer_pty: tty /dev/pts/2 ptyfd 4
Nov 7 15:02:33 sshServer sshd[20705]: debug3: mm_request_receive entering
Nov 7 15:02:33 sshServer sshd[20705]: debug1: do_cleanup
Nov 7 15:02:33 sshServer sshd[20705]: debug1: PAM: cleanup
Nov 7 15:02:33 sshServer sshd[20705]: debug1: PAM: closing session
Nov 7 15:02:33 sshServer sshd[20705]: debug1: PAM: deleting credentials
Nov 7 15:02:33 sshServer sshd[20705]: debug3: PAM: sshpam_thread_cleanup entering
Nov 7 15:02:33 sshServer sshd[20705]: debug1: session_pty_cleanup: session 0 release /dev/pts/2

Any assistance would be helpful.

Thanks.

Are you sure you are getting in with kerberos? I don’t see where you are getting a ticket.
Here is my sshd_config:

PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Subsystem       sftp    /usr/lib64/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

Good luck,
Hiatt

If I comment out the ChrootDirectory and change the Subsystem to “Subsystem sftp /usr/lib64/ssh/sftp-server” it works, but I’d really like to have the login be chrooted because this will be a public facing server.

Does the directory “/home/chroot” exist on your system?
If it does, who owns it and what are its permissions?

It does exist. Owner is root, group is MyDomain/sshallowed, perms are 750.