3 replies. Latest post 2013-02-21T10:05:19Z by flodstrom

SystemAdmin

Setup Chroot in AIX to limit users to access home directory through SSH

2013-01-27T18:02:07Z
I followed the KB from the IBM website to set up a chroot environment to limit users to accessing their home directory.

http://www-01.ibm.com/support/docview.wss?uid=isg3T1012883

I created /home/chroot for the chroot environment.

The home directory path for the chroot user account "user1" is:
/home/chroot/home/user1

The entry for the chroot user account "user1" in /etc/passwd is as below:
user1:!:210:205:chroot user:/home/chroot/home/user1:/usr/bin/ksh

The entry for the chroot user account "user1" in /home/chroot/etc/passwd is as below:
user1:!:210:205:chroot user:/home/user1:/usr/bin/ksh

The content of /etc/ssh/sshd_config:
Match User user1
ChrootDirectory /home/chroot

When I tried to log in to AIX through SSH, the login failed even though the password is correct, and the connection closed immediately.

I turned on SSH debug. Some errors are as follows:

debug3: AIX/setauthdb set registry 'files'
debug3: aix_restoreauthdb: restoring old registry ''
debug3: AIX/setauthdb set registry 'files'
debug3: aix_restoreauthdb: restoring old registry ''
debug1: TMP*****************:/home/chroot
debug1: CHROOT_PATH*********:/home/chroot
debug1: pw->pw_name:acedlusr::pw->pw_dir:/home/chroot/./home/user1
debug3: safely_chroot: checking '/'
debug3: safely_chroot: checking '/home/'
debug3: safely_chroot: checking '/home/chroot'
chroot("/home/chroot"): Operation not permitted.
debug1: do_cleanup

Does anyone know what "chroot("/home/chroot"): Operation not permitted." means?

Also, I found some articles mention that the home directory for the chroot user account should be set up as follows:

For example, for creating the user account:
The entry for the chroot user account "user1" in /etc/passwd is as below:
user1:!:210:205:chroot user:/home/chroot/./home/user1:/usr/bin/ksh
Are both /home/chroot/home/user1 and /home/chroot/./home/user1 the same?

Also, another article mentions that the contents of /etc/passwd and /home/chroot/etc/passwd are the same:

user1:!:210:205:chroot user:/home/chroot/home/user1:/usr/bin/ksh

But according to the KB, the contents of /etc/passwd and /home/chroot/etc/passwd are different.
http://www-01.ibm.com/support/docview.wss?uid=isg3T1012883
The content of /etc/passwd:
user1:!:210:205:chroot user:/home/chroot/home/user1:/usr/bin/ksh
The content of /home/chroot/etc/passwd:
user1:!:210:205:chroot user:/home/user1:/usr/bin/ksh

Which setting is correct?
Also, are there any minimum requirements for chroot? OS version (AIX 5.3 and AIX 6.3)? SSH version?
  • flodstrom

    Re: Setup Chroot in AIX to limit users to access home directory through SSH

    2013-01-30T17:18:25Z in response to SystemAdmin
    Although I suspect what you are trying to do here, just to be sure:

    Are you trying to set-up a chroot'ed FTP account or are you trying to apply chroot to a "normal" system user?
    • SystemAdmin

      Re: Setup Chroot in AIX to limit users to access home directory through SSH

      2013-02-01T03:30:27Z in response to flodstrom
      Hi flodstrom,

      I am trying to apply chroot to a "normal" user account.
      • flodstrom

        Re: Setup Chroot in AIX to limit users to access home directory through SSH

        2013-02-21T10:05:19Z in response to SystemAdmin
        You do know what chroot is and what it does, right?

        What you are trying to do is not really what chroot is meant for. Also, if you read the instructions you followed a bit more carefully, you will see that they are for setting up a chroot'ed FTP account. FTP daemons do have support for chroot'ed environments and they can easily be made to work well in a restricted chroot environment, which is not the case for a user with an interactive shell environment.

        That said, I think the very latest versions of SSH do support a chroot'ed shell environment to some degree, but as mentioned I think you really need a recent version of SSH. Still, I would not recommend using this to accomplish what you want (too much work and most likely too many odd things happening all the time).

        In case you have AIX 6.1 or 7.1 I would recommend setting up a wpar for the users you want to control. If you have a limited number of those users you may even want to give them their own/private wpar?

        You might also want to look at a restricted shell (rksh, etc.), perhaps that may be suitable for your needs?