
Does ChrootDirectory disable port forwarding?



What I am trying to accomplish:
* Chroot environment for file transfer isolation
* Port forwarding on specific ports to allow vnc to be used under uids
  which are not allowed ssh access.  This provides an isolation between
  the interactive users and the file transfer users

The problem:
If ChrootDirectory is set for a given end user, port forwarding no
longer works.  The love letter from ssh is that it is "administratively
prohibited".  I tried using match blocks and specifying the port
forwarding and ChrootDirectory in various combinations and still it does
not work.

The enduser experience:
$ ssh -L5901:localhost:5901 ssh_host
// In a separate window (just for clarity)
$ vncviewer localhost:1 (or localhost:5901)
// The ssh session returns the following:
channel 3: open failed: administratively prohibited: open failed

The system configuration:
* /opt/sshjail is created to act as the file transfer depot
* All ssh user accounts are in the same group, and that group has
  write permissions in /opt/sshjail
* Accounts were created under which the vnc servers run.  They are
  *not* in the same group as the ssh users.  This prevents them from
  putting files in /opt/sshjail for later download.
* The shell for the ssh users is a binary which simply goes to
  sleep for a period of time.  A copy of this (static) is placed in
  /opt/sshjail/bin.  Links for bash, csh, &c. are created in
  /opt/sshjail/bin to this binary.

The sshd configuration:
Port 22
Protocol 2
SyslogFacility AUTHPRIV
LogLevel DEBUG1
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
Compression delayed
PermitTunnel no
AllowUsers groucho chico harpo zeppo gummo
#PermitOpen localhost:5901 localhost:5902 localhost:5903 localhost:5904 localhost:5905 localhost:5906 localhost:5907 localhost:5908 localhost:5909 localhost:5910
Subsystem       sftp    internal-sftp
Match user groucho
#   ChrootDirectory /opt/sshjail
   AllowTcpForwarding yes
   PermitOpen localhost:5901
Match user chico
   ChrootDirectory /opt/sshjail
Match user harpo
   ChrootDirectory /opt/sshjail
Match user zeppo
   ChrootDirectory /opt/sshjail
Match user gummo
   ChrootDirectory /opt/sshjail



The environment:
Openssh 5.2p1 (also tried 5.1p1)
Redhat Enterprise Linux (rhel5u3)
   Not that it matters, but iptables and tcp wrappers are not used.
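The question turns on which settings sshd actually applies to each of these users once the global section and the per-user Match blocks are combined. The following script is an added example (not code from the post or from OpenSSH) that resolves the effective ChrootDirectory, AllowTcpForwarding and PermitOpen for a user according to the documented sshd_config rules: the global section is read first, a matching Match block overrides it, and where several blocks match, the first one to set a keyword wins. It then applies the PermitOpen check the way sshd does, as an exact string comparison of host and port. The sample configuration is the poster's, trimmed to the relevant keywords; only `Match user` criteria and whitespace-separated `Keyword value` lines are modelled, and PermitOpen wildcard or `none` forms are not handled.

```python
"""Resolve the per-user settings sshd applies from an sshd_config with Match
blocks, then evaluate whether a local (-L) forward would be permitted.
Added example, not OpenSSH code: models the documented override rules for
the global section and 'Match user' blocks only.
"""
import shlex

# Constructed sample input, taken from the configuration quoted in the post.
SAMPLE_CONFIG = """\
PermitTunnel no
AllowUsers groucho chico harpo zeppo gummo
#PermitOpen localhost:5901 localhost:5902 localhost:5903
Subsystem       sftp    internal-sftp
Match user groucho
#   ChrootDirectory /opt/sshjail
   AllowTcpForwarding yes
   PermitOpen localhost:5901
Match user chico
   ChrootDirectory /opt/sshjail
Match user harpo
   ChrootDirectory /opt/sshjail
Match user zeppo
   ChrootDirectory /opt/sshjail
Match user gummo
   ChrootDirectory /opt/sshjail
"""

# Compiled-in sshd defaults for the keywords resolved here.
DEFAULTS = {
    "chrootdirectory": "none",
    "allowtcpforwarding": "yes",
    "permitopen": "any",
}


def parse_sshd_config(text):
    """Split an sshd_config into (global_settings, match_blocks).

    global_settings maps lower-cased keyword -> value string.  match_blocks is
    a list of (criteria, settings) in file order; criteria maps a criterion
    such as "user" to the comma-separated names given after it.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment: a commented-out keyword sets nothing
        tokens = shlex.split(line)
        keyword = tokens[0].lower()
        if keyword == "match":
            args = tokens[1:]
            criteria = {c.lower(): p.split(",") for c, p in zip(args[0::2], args[1::2])}
            current = {}
            match_blocks.append((criteria, current))
            continue
        # Within one section the first obtained value for a keyword wins.
        current.setdefault(keyword, " ".join(tokens[1:]))
    return global_settings, match_blocks


def effective_settings(text, user, keywords=DEFAULTS):
    """Return the values of `keywords` that sshd applies to `user`."""
    global_settings, match_blocks = parse_sshd_config(text)
    resolved = {}
    for keyword, default in keywords.items():
        value = None
        # Match blocks override the global section; among matching blocks the
        # first that sets the keyword wins.
        for criteria, settings in match_blocks:
            if user in criteria.get("user", []) and keyword in settings:
                value = settings[keyword]
                break
        resolved[keyword] = global_settings.get(keyword, default) if value is None else value
    return resolved


def local_forward_permitted(settings, host, port):
    """Would sshd accept a -L forward to host:port under these settings?

    AllowTcpForwarding must allow local forwards, and PermitOpen (unless
    'any') must list this exact host string and port: sshd compares the host
    textually, so 'localhost' and '127.0.0.1' are different entries.
    """
    if settings["allowtcpforwarding"].lower() in ("no", "remote"):
        return False
    permit = settings["permitopen"]
    if permit.lower() == "any":
        return True
    for entry in permit.split():
        ehost, _, eport = entry.rpartition(":")
        if ehost.strip("[]") == host and eport == str(port):
            return True
    return False


def main():
    print(f"{'user':<8} {'chroot':<13} {'tcpfwd':<7} {'permitopen':<15} -L localhost:5901")
    for user in ["groucho", "chico", "harpo", "zeppo", "gummo"]:
        s = effective_settings(SAMPLE_CONFIG, user)
        verdict = "permitted" if local_forward_permitted(s, "localhost", 5901) else "refused"
        print(f"{user:<8} {s['chrootdirectory']:<13} {s['allowtcpforwarding']:<7} "
              f"{s['permitopen']:<15} {verdict}")


if __name__ == "__main__":
    main()
```

Run against the quoted configuration, the script shows that groucho (no chroot, PermitOpen localhost:5901) and the chrooted users (default AllowTcpForwarding yes, PermitOpen any) are all permitted a forward to localhost:5901 by the PermitOpen/AllowTcpForwarding checks alone, while a forward to 127.0.0.1:5901 is refused for groucho because PermitOpen matching is textual. Two points worth keeping in mind when reading the client's "administratively prohibited" message: it is the generic code sshd returns whenever it declines or fails to open a direct-tcpip channel, so by itself it does not distinguish a PermitOpen or AllowTcpForwarding refusal from a failure to connect to the target; and since the chroot applies to the sshd process servicing the user's channels, the host named in the forward (localhost here) also has to be resolvable from inside /opt/sshjail. The server-side log (LogLevel DEBUG1 is already set) records which of these refused the channel.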



