Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Users
Does ChrootDirectory disable port forwarding?
sean_boyle at mentor
May 12, 2009, 10:15 AM
Post #1 of 3 (3257 views)
Permalink
What I am trying to accomplish:
* Chroot environment for file transfer isolation
* Port forwarding on specific ports to allow vnc to be used under uids
which are not allowed ssh access



The environment:
Openssh 5.2p1
Redhat Enterprise Linux (rhel5u3)
Does ChrootDirectory disable port forwarding? [ In reply to ]
sean_boyle at mentor
May 12, 2009, 10:38 AM
Post #2 of 3 (3101 views)
Permalink
What I am trying to accomplish:
* Chroot environment for file transfer isolation
* Port forwarding on specific ports to allow vnc to be used under uids
which are not allowed ssh access
This provides an isolation between the interactive users and the file
transfer users

The problem:
If ChrootDirectory is set for a given end user, port forwarding no
longer works. The love letter from ssh is that it is "administratively
prohibited". I tried using match blocks and specifying the port
forwarding and ChrootDirectory in various combinations and still it does
not work.

The enduser experience:
$ ssh -L5901:localhost:5901 ssh_host
// In a separate window (just for clarity)
$ vncviewer localhost:1 (or localhost:5901)
// The ssh session returns the following:
channel 3: open failed: administratively prohibited: open failed

The system configuration:
* /opt/sshjail is created to act as the file transfer depot
* All ssh user accounts are in the same group, and that group has
write permissions in /opt/sshjail
* Accounts were created under which the vnc servers run. The are
*not* in the same group as the ssh users. This prevents them from
putting files in /opt/sshjail for later download.
* The shell for the ssh users is a binary which simply goes to
sleep for a period of time. A copy of this (static) is placed in
/opt/sshjail/bin. Links for bash, csh, &c. are created in
/opt/sshjail/bin to this binary.

The sshd configuration:
Port 22
Protocol 2
SyslogFacility AUTHPRIV
LogLevel DEBUG1
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
Compression delayed
PermitTunnel no
AllowUsers groucho chico harpo zeppo gummo
#PermitOpen localhost:5901 localhost:5902 localhost:5903 localhost:5904
localhost:5905 localhost:5906 localhost:5907 localhost:5908
localhost:5909 localhost:5910
Subsystem sftp internal-sftp
Match user groucho
# ChrootDirectory /opt/sshjail
AllowTcpForwarding yes
PermitOpen localhost:5901
Match user chico
ChrootDirectory /opt/sshjail
Match user harpo
ChrootDirectory /opt/sshjail
Match user zeppo
ChrootDirectory /opt/sshjail
Match user gummo
ChrootDirectory /opt/sshjail



The environment:
Openssh 5.2p1 (also tried 5.1p1)
Redhat Enterprise Linux (rhel5u3)
Not that it matters, but iptables and tcp wrappers are not used.
Re: Does ChrootDirectory disable port forwarding? [ In reply to ]
dtucker at zip
May 12, 2009, 2:43 PM
Post #3 of 3 (3101 views)
Permalink
Boyle, Sean wrote:
[...]
> The problem:
> If ChrootDirectory is set for a given end user, port forwarding no
> longer works. The love letter from ssh is that it is "administratively
> prohibited". I tried using match blocks and specifying the port
> forwarding and ChrootDirectory in various combinations and still it does
> not work.
[...]
> PermitOpen localhost:5901

I suspect the problem is that the process inside the chroot can't
resolve "localhost" to an IP address. If you change this to
"127.0.0.1:5901" does it make a difference?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal