Chroot with OpenSSH: cannot connect

Hello,

I am trying to chroot an SSH/SFTP user into their home directory, but I get this message:

[code]$ ssh bb_festival@prod.uuneek.com
bb_festival@prod.uuneek.com's password:
Connection to prod.uuneek.com closed by remote host.
Connection to prod.uuneek.com closed.
$[/code]

Here is my /etc/ssh/sshd_config:

[code]# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

Match User bb_festival
    ChrootDirectory /var/www/festival.bb.com
    ForceCommand internal-sftp
[/code]

The permissions of /var/www/festival.bb.com:

The permissions of /var/www:

Any idea what the problem is? ssh -v tells me nothing more.

Thanks!
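As an added example (not part of this thread), here is a shell check for the rule sshd applies to ChrootDirectory: every component of the path, from / down to the chroot itself, must be owned by root and must not be group- or world-writable, otherwise sshd drops the session right after authentication and the client only sees "closed by remote host". It assumes GNU stat (the -c flag); the path passed in is just the one from the sshd_config above.

```shell
#!/bin/sh
# Added example: verify the ownership/mode rule sshd enforces on every
# component of a ChrootDirectory path. Not code from the thread.

# Pure rule on (numeric uid, octal mode string), so it can be tested
# without root. Returns 0 when the component is acceptable, 1 otherwise.
chroot_component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # 022 masks the group and other write bits; a leading 0 makes the
    # mode string octal in shell arithmetic (e.g. 2775 -> 02775)
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# Walk from the chroot directory up to / and report every component that
# breaks the rule. Assumes GNU stat; on BSD/macOS use: stat -f '%u %Lp'.
check_chroot_path() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
    dir=$(cd "$dir" && pwd -P)   # resolve symlinks: sshd checks the real path
    status=0
    while :; do
        set -- $(stat -c '%u %a' "$dir")   # $1 = uid, $2 = octal mode
        if chroot_component_ok "$1" "$2"; then
            echo "ok   $dir (uid=$1 mode=$2)"
        else
            echo "BAD  $dir (uid=$1 mode=$2): must be root-owned and not group/world writable"
            status=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $status
}

# Usage: sh check_chroot.sh /var/www/festival.bb.com
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Even once the path passes, a plain ssh login to this account is still expected to close, because ForceCommand internal-sftp only serves the SFTP protocol; test the account with sftp rather than ssh.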

Hi,

Start by uncommenting that line.

Restart the service, on both sides.

And what is its full output?

PS: from what I understand, this is a key with a passphrase.

For testing, also comment out these two lines:

[code]PermitRootLogin no
StrictModes yes[/code]
You can always uncomment them afterwards if it makes no difference.
Question:
key pair with a passphrase, or just a password?

By definition, a passphrase is the act of including a password in it.

[code]…
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
…[/code]

[quote="BelZéButh"]Hi,

Start by uncommenting that line.

Restart the service, on both sides.

And what is its full output?

[/quote]
Here it is:

[code]$ ssh -vvv bb_festival@prod.uuneek.com
OpenSSH_5.2p1, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to prod.uuneek.com [80.74.68.157] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 9963 ms remain after connect
debug1: identity file /Users/theredled/.ssh/identity type -1
debug3: Not a RSA1 key file /Users/theredled/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /Users/theredled/.ssh/id_rsa type 1
debug1: identity file /Users/theredled/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze2
debug1: match: OpenSSH_5.5p1 Debian-6+squeeze2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 138/256
debug2: bits set: 511/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /Users/theredled/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /Users/theredled/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'prod.uuneek.com' is known and matches the RSA host key.
debug1: Found key in /Users/theredled/.ssh/known_hosts:2
debug2: bits set: 514/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/theredled/.ssh/identity (0x0)
debug2: key: /Users/theredled/.ssh/id_rsa (0x100125690)
debug2: key: /Users/theredled/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/theredled/.ssh/identity
debug3: no such identity: /Users/theredled/.ssh/identity
debug1: Offering public key: /Users/theredled/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/theredled/.ssh/id_dsa
debug3: no such identity: /Users/theredled/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
bb_festival@prod.uuneek.com's password:
debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t3 r-1 i0/0 o0/0 fd 5/6 cfd -1)

debug3: channel 0: close_fds r 5 w 6 e 7 c -1
Connection to prod.uuneek.com closed by remote host.
Connection to prod.uuneek.com closed.
Transferred: sent 1648, received 1800 bytes, in 0.0 seconds
Bytes per second: sent 458156.9, received 500414.1
debug1: Exit status -1
$
[/code]

I don't think so (I don't know what that is); I just type in a simple password.

[quote="ricardo"]For testing, also comment out these two lines:

[code]PermitRootLogin no
StrictModes yes[/code]
You can always uncomment them afterwards if it makes no difference.[/quote]
No change…

[quote=“theredled”]debug1: Connection established.
debug3: timeout: 9963 ms remain after connect

debug1: ssh_rsa_verify: signature correct

debug1: Authentication succeeded (password).

[/quote]

Does the firewall over there allow this connection?

/etc/hosts.allow over there?
/etc/hosts.deny over there?

[quote="theredled"]I don't think so (I don't know what that is); I just type in a simple password.

[/quote]

[quote]By definition, a passphrase is the act of including a password in it.

[code]…
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
…[/code][/quote]

Clarification: when I remove these directives:

[code]Match User bb_festival
ChrootDirectory /var/www/festival.bar-bars.com
ForceCommand internal-sftp[/code]
everything works fine.
So there is no firewall blocking it.

[quote]By definition, a passphrase is the act of including a password in it.

[code]…
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
…[/code][/quote]
I have never seen that, so the answer is probably no.

In that case … seeks.hsbp.org/search?q=ssh+chr … fr&ui=stat