Server Upgrade to Hardy causes ssh to fail on connect

Asked by Andrew Gee

I've just upgraded my server to hardy. Booted up all fine.

Attempted to ssh in. It showed the whole signon message and then cuts out with:
"Connection to 192.168.0.100 closed."

This happens the instant it connects.

Using webmin, I have found this in auth.log:
May 20 18:51:53 fileserver1 sshd[6237]: Connection from 192.168.0.102 port 46872
May 20 18:51:53 fileserver1 sshd[6237]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
May 20 18:51:53 fileserver1 sshd[6237]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
May 20 18:51:53 fileserver1 sshd[6237]: PAM adding faulty module: /lib/security/pam_smbpass.so
May 20 18:51:53 fileserver1 sshd[6237]: PAM unable to dlopen(/lib/security/pam_chroot.so)
May 20 18:51:53 fileserver1 sshd[6237]: PAM [error: /lib/security/pam_chroot.so: undefined symbol: __stack_chk_fail_local]
May 20 18:51:53 fileserver1 sshd[6237]: PAM adding faulty module: /lib/security/pam_chroot.so
May 20 18:51:53 fileserver1 sshd[6237]: Found matching RSA key: 31:7f:21:b2:60:ce:b2:31:d2:1a:22:4a:12:44:eb:15
May 20 18:51:53 fileserver1 sshd[6237]: Found matching RSA key: 31:7f:21:b2:60:ce:b2:31:d2:1a:22:4a:12:44:eb:15
May 20 18:51:53 fileserver1 sshd[6237]: Accepted publickey for andrew from 192.168.0.102 port 46872 ssh2
May 20 18:51:53 fileserver1 sshd[6239]: pam_unix(sshd:session): session opened for user andrew by (uid=0)
May 20 18:51:53 fileserver1 sshd[6239]: error: PAM: pam_open_session(): Module is unknown
May 20 18:51:53 fileserver1 sshd[6239]: Connection closed by 192.168.0.102
May 20 18:51:53 fileserver1 sshd[6239]: Closing connection to 192.168.0.102

Does anyone have any ideas?

Question information

Language: English
Status: Solved
For: Ubuntu openssh
Assignee: No assignee
Solved by: peterh

Andrew Gee (andrewgee) said :
#1

I've managed to be able to login by changing the chroot PAM module to optional on webmin. I'm not sure if this is a security risk to remain unloaded, however.

Can someone help me in getting the chroot module working?
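
Added example (not part of the original thread): why switching pam_chroot to optional let the login through. It pairs the dlopen errors from the auth.log excerpt in the question with a PAM stack and reports the entries whose control keyword makes a load failure fatal; the PAM_CONFIG text and the function names are constructed for illustration.

```python
import re

# Lines from the question's auth.log excerpt (timestamp and host trimmed).
AUTH_LOG = """\
sshd[6237]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
sshd[6237]: PAM adding faulty module: /lib/security/pam_smbpass.so
sshd[6237]: PAM [error: /lib/security/pam_chroot.so: undefined symbol: __stack_chk_fail_local]
sshd[6237]: PAM adding faulty module: /lib/security/pam_chroot.so
sshd[6239]: error: PAM: pam_open_session(): Module is unknown
"""

# Constructed PAM stack: an assumption, not the poster's real /etc/pam.d/sshd.
PAM_CONFIG = """\
auth     optional  pam_smbpass.so migrate
session  required  /lib/security/pam_chroot.so debug
"""

ERR_RE = re.compile(r"PAM \[error: (\S+?): (.+)\]")
# With these keywords a module that cannot be loaded fails the whole stack;
# "optional" and "sufficient" ignore it. Bracketed controls are not handled.
FATAL_CONTROLS = {"required", "requisite"}

def basename(path):
    return path.rsplit("/", 1)[-1]

def faulty_modules(log_text):
    """Map module file name -> dlopen error text that PAM logged."""
    return {basename(m.group(1)): m.group(2) for m in ERR_RE.finditer(log_text)}

def classify(reason):
    if "No such file" in reason:
        return "missing file"
    if "undefined symbol" in reason:
        return "unresolved symbol"
    return "other"

def fatal_entries(pam_text, faulty):
    """Return (type, module, cause) for faulty modules PAM cannot skip."""
    hits = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[1] not in FATAL_CONTROLS:
            continue
        module = basename(fields[2])
        if module in faulty:
            hits.append((fields[0], module, classify(faulty[module])))
    return hits

print(fatal_entries(PAM_CONFIG, faulty_modules(AUTH_LOG)))
```

With the constructed stack only the session entry for pam_chroot.so is reported; the missing pam_smbpass.so is logged as faulty too but sits behind an optional keyword.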

Best peterh (peter-holik) said :
#2

Recompile libpam_chroot with the following patch:

--- Makefile.orig 2008-06-04 11:57:39.000000000 +0200
+++ Makefile 2008-06-04 11:57:42.000000000 +0200
@@ -1,7 +1,7 @@
 # $Id: Makefile,v 1.1.1.1 2004/05/05 00:07:47 schmolli Exp $

 CC=gcc
-CFLAGS=-fPIC -O2 -Wall -Werror -pedantic
+CFLAGS=-fPIC -O2 -Wall -Werror -pedantic -fno-stack-protector
 CPPFLAGS=-I.
 LDFLAGS=-x --shared -lpam
 DESTDIR=/
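
Review bot: the -fno-stack-protector added on the CFLAGS line turns off stack-smashing protection for the whole module, and this module is loaded into sshd's session handling, so I would prefer a fix that keeps the protector. The "undefined symbol: __stack_chk_fail_local" error from the question is an unresolved symbol at link time, and the unchanged "LDFLAGS=-x --shared -lpam" line uses linker-style options, which suggests the shared object is linked by calling ld directly rather than through gcc. If that is the case, linking through the compiler driver (for example $(CC) -shared with -lpam), or adding -lc, should resolve the symbol with the protector still enabled. If the flag stays, please add a comment above CFLAGS saying why hardening is disabled.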

Adam Bolte (boltronics) said :
#3

This patch appears to correct the problem for me (Ubuntu server 8.04.1, i686). Thanks!

Now on to the next problem.
sshd[4471]: fatal: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed

Bug 237557 it seems. This chroot business on Hardy is not easy...

Andrew Gee (andrewgee) said :
#4

Thanks peterh, that solved my question.

asphalt (asphalt123) said :
#5

Hello Experts,
I have the same problem, but I don't know how I can patch libpam_chroot in Ubuntu.
Can someone maybe help me?

thx

peterh (peter-holik) said :
#6

apt-get source libpam-chroot
sudo apt-get build-dep libpam-chroot

cd libpam_chroot...

change Makefile

dpkg-buildpackage -uc -us

cd ..

sudo dpkg -i libpam-chroot_0.9-3_i386.deb

asphalt (asphalt123) said :
#7

Thx for your workout, but I can't log in. The error messages are gone.

this is my log in auth.log

Nov 12 16:00:52 esel sshd[13180]: Accepted password for gast from xxx.xxx.xxx.xxx port 3504 ssh2
Nov 12 16:00:52 esel sshd[13182]: pam_unix(sshd:session): session opened for user gast by (uid=0)
Nov 12 16:00:52 esel pam_chroot[13182]: session: reading config file (/etc/security/chroot.conf)
Nov 12 16:00:52 esel pam_chroot[13182]: session: expanded path "/home/chroot" -> "/home/chroot"
Nov 12 16:00:52 esel pam_chroot[13182]: session: found chroot_dir "/home/chroot" for user "gast"
Nov 12 16:00:52 esel pam_chroot[13182]: session: preparing to chroot()

do you have an idea?

peterh (peter-holik) said :
#8

My logs are:

Nov 12 16:16:59 XXX pam_chroot[1103]: session: reading config file (/etc/security/chroot.conf)
Nov 12 16:16:59 XXX pam_chroot[1103]: session: expanded path "/var/chroot/sshd" -> "/var/chroot/sshd"
Nov 12 16:16:59 XXX pam_chroot[1103]: session: chroot(/var/chroot/sshd) ok
Nov 12 16:16:59 XXX pam_chroot[1103]: session: found chroot_dir "/var/chroot/sshd" for user "gast"
Nov 12 16:16:59 XXX pam_chroot[1103]: session: returning success
Nov 12 16:16:59 XXX pam_chroot[1103]: session: preparing to chroot()

cat /etc/security/chroot.conf
gast /var/chroot/sshd

Does /home/chroot exist?

Did you build a chroot with libpam-chroot-0.9/example/setup-chrootdir-shell.sh?

asphalt (asphalt123) said :
#9

cat /etc/security/chroot.conf
gast /home/chroot

/home/chroot does exist

Maybe there is a mistake here; these are entries from an earlier Ubuntu version.
In orig /etc/passwd:
gast:x:1007:1003:chroot:/home/gast:/bin/bash

and in /home/chroot/etc/passwd
gast:x:1007:1003:chroot:/home/gast:/bin/bash

peterh (peter-holik) said :
#10

No mistake, I also have the same user in both /etc/passwd's.

Do you have these directories:

/home/chroot/bin
/home/chroot/dev
/home/chroot/etc
/home/chroot/home
/home/chroot/lib
/home/chroot/proc
/home/chroot/usr

also with some files like

/home/chroot/bin/bash
/home/chroot/lib/libc-2.7.so

asphalt (asphalt123) said :
#12

Yes, I have all these files. I need the chroot for remote ssh access.
You too? Do you also have Ubuntu 8.04?

peterh (peter-holik) said :
#13

yes

I suggest running sshd -ddd on the server side to get clear messages (with ssh stopped before)

asphalt (asphalt123) said :
#14

What do you mean with ssh -ddd?

I checked my files in the chroot directory and I saw that the file libc-2.7.so is not here:
/tls │ 72│12. Nov 18.07
 libacl.so.1 │ 22544│12. Nov 18.18
 libattr.so.1 │ 13592│12. Nov 18.18
 libcom_err.so.2 │ 7444│12. Nov 18.18
 libkeyutils.so.1 │ 5644│12. Nov 18.18
 libncurses.so.5 │ 190584│12. Nov 18.18
 libselinux.so.1