Server Upgrade to Hardy causes ssh to fail on connect

Asked by Andrew Gee on 2008-05-20

I've just upgraded my server to hardy. Booted up all fine.

Attempted to ssh in. It showed the whole sign-on message and then cut out with:
"Connection to 192.168.0.100 closed."

This happens the instant it connects.

Using webmin, I have found this in auth.log:
May 20 18:51:53 fileserver1 sshd[6237]: Connection from 192.168.0.102 port 46872
May 20 18:51:53 fileserver1 sshd[6237]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
May 20 18:51:53 fileserver1 sshd[6237]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
May 20 18:51:53 fileserver1 sshd[6237]: PAM adding faulty module: /lib/security/pam_smbpass.so
May 20 18:51:53 fileserver1 sshd[6237]: PAM unable to dlopen(/lib/security/pam_chroot.so)
May 20 18:51:53 fileserver1 sshd[6237]: PAM [error: /lib/security/pam_chroot.so: undefined symbol: __stack_chk_fail_local]
May 20 18:51:53 fileserver1 sshd[6237]: PAM adding faulty module: /lib/security/pam_chroot.so
May 20 18:51:53 fileserver1 sshd[6237]: Found matching RSA key: 31:7f:21:b2:60:ce:b2:31:d2:1a:22:4a:12:44:eb:15
May 20 18:51:53 fileserver1 sshd[6237]: Found matching RSA key: 31:7f:21:b2:60:ce:b2:31:d2:1a:22:4a:12:44:eb:15
May 20 18:51:53 fileserver1 sshd[6237]: Accepted publickey for andrew from 192.168.0.102 port 46872 ssh2
May 20 18:51:53 fileserver1 sshd[6239]: pam_unix(sshd:session): session opened for user andrew by (uid=0)
May 20 18:51:53 fileserver1 sshd[6239]: error: PAM: pam_open_session(): Module is unknown
May 20 18:51:53 fileserver1 sshd[6239]: Connection closed by 192.168.0.102
May 20 18:51:53 fileserver1 sshd[6239]: Closing connection to 192.168.0.102

Does anyone have any ideas?
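A way to pull the relevant findings out of an excerpt like the one above, as an added example that is not part of the original question: it lists each PAM module that failed to load and flags logins that authenticated but then lost their session. The function names and output labels are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes classic syslog-format auth.log.
# sshd logs the module load errors and the session failure under different
# PIDs (6237 and 6239 above), so lines are correlated by order, not by PID;
# on a busy server with interleaved logins that pairing is only a heuristic.

pam_load_failures() {   # reads auth.log text on stdin, prints one finding per line
    awk '
    /sshd\[[0-9]+\]: PAM \[error: / {
        msg = $0
        sub(/^.*PAM \[error: /, "", msg)      # drop syslog prefix
        sub(/\]$/, "", msg)                   # drop closing bracket
        split(msg, parts, ": ")
        module = parts[1]
        reason = substr(msg, length(module) + 3)
        kind = "OTHER"
        if (reason ~ /undefined symbol/)   kind = "UNRESOLVED_SYMBOL"
        else if (reason ~ /No such file/)  kind = "MISSING"
        if (!((module, kind) in seen)) {
            seen[module, kind] = 1
            print "FAULTY " kind " " module " (" reason ")"
        }
    }
    / Accepted [a-z]+ for / {                 # authentication succeeded
        for (i = 1; i < NF - 2; i++)
            if ($i == "for") accepted = $(i + 1) "@" $(i + 3)
    }
    /pam_open_session\(\): Module is unknown/ {
        if (accepted != "")
            print "SESSION_FAILED " accepted " (a PAM session module did not load)"
        accepted = ""
    }'
}

sample_log() {   # four lines copied from the auth.log excerpt in the question
cat <<'EOF'
May 20 18:51:53 fileserver1 sshd[6237]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
May 20 18:51:53 fileserver1 sshd[6237]: PAM [error: /lib/security/pam_chroot.so: undefined symbol: __stack_chk_fail_local]
May 20 18:51:53 fileserver1 sshd[6237]: Accepted publickey for andrew from 192.168.0.102 port 46872 ssh2
May 20 18:51:53 fileserver1 sshd[6239]: error: PAM: pam_open_session(): Module is unknown
EOF
}

sample_log | pam_load_failures
```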

Question information

Language: English
Status: Solved
For: Ubuntu openssh
Assignee: No assignee
Solved by: peterh
Solved: 2008-11-02
Last query: 2008-11-02
Last reply: 2008-09-11

Andrew Gee (andrewgee) said : #1

I've managed to be able to login by changing the chroot PAM module to optional on webmin. I'm not sure if this is a security risk to remain unloaded, however.

Can someone help me in getting the chroot module working?

Best peterh (peter-holik) said : #2

Recompile libpam_chroot with the following patch:

--- Makefile.orig 2008-06-04 11:57:39.000000000 +0200
+++ Makefile 2008-06-04 11:57:42.000000000 +0200
@@ -1,7 +1,7 @@
 # $Id: Makefile,v 1.1.1.1 2004/05/05 00:07:47 schmolli Exp $

 CC=gcc
-CFLAGS=-fPIC -O2 -Wall -Werror -pedantic
+CFLAGS=-fPIC -O2 -Wall -Werror -pedantic -fno-stack-protector
 CPPFLAGS=-I.
 LDFLAGS=-x --shared -lpam
 DESTDIR=/
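
Review bot: adding -fno-stack-protector to CFLAGS turns off stack-smashing protection for the whole PAM module, which is loaded into sshd, so the load failure is fixed at the cost of hardening. The LDFLAGS context line (-x --shared -lpam) looks like options for ld rather than for gcc; if the link step calls ld directly, linking through $(CC) -shared instead would normally resolve __stack_chk_fail_local and let the protector stay on. If the flag is kept, a comment in the Makefile saying why it is there would help the next maintainer.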

Adam Bolte (boltronics) said : #3

This patch appears to correct the problem for me (Ubuntu server 8.04.1, i686). Thanks!

Now on to the next problem.
sshd[4471]: fatal: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed

Bug 237557 it seems. This chroot business on Hardy is not easy...

Andrew Gee (andrewgee) said : #4

Thanks peterh, that solved my question.

asphalt (asphalt123) said : #5

Hello Experts,
I have the same problem, but I don't know how I can patch libpam_chroot in Ubuntu.
Can you maybe help me?

thx

peterh (peter-holik) said : #6

apt-get source libpam-chroot
sudo apt-get build-dep libpam-chroot

cd libpam_chroot...

change Makefile

dpkg-buildpackage -uc -us

cd ..

sudo dpkg -i libpam-chroot_0.9-3_i386.deb

asphalt (asphalt123) said : #7

Thx for your workout, but I can't log in. The error messages are gone.

this is my log in auth.log

Nov 12 16:00:52 esel sshd[13180]: Accepted password for gast from xxx.xxx.xxx.xxx port 3504 ssh2
Nov 12 16:00:52 esel sshd[13182]: pam_unix(sshd:session): session opened for user gast by (uid=0)
Nov 12 16:00:52 esel pam_chroot[13182]: session: reading config file (/etc/security/chroot.conf)
Nov 12 16:00:52 esel pam_chroot[13182]: session: expanded path "/home/chroot" -> "/home/chroot"
Nov 12 16:00:52 esel pam_chroot[13182]: session: found chroot_dir "/home/chroot" for user "gast"
Nov 12 16:00:52 esel pam_chroot[13182]: session: preparing to chroot()

Do you have an idea?

peterh (peter-holik) said : #8

My logs are:

Nov 12 16:16:59 XXX pam_chroot[1103]: session: reading config file (/etc/security/chroot.conf)
Nov 12 16:16:59 XXX pam_chroot[1103]: session: expanded path "/var/chroot/sshd" -> "/var/chroot/sshd"
Nov 12 16:16:59 XXX pam_chroot[1103]: session: chroot(/var/chroot/sshd) ok
Nov 12 16:16:59 XXX pam_chroot[1103]: session: found chroot_dir "/var/chroot/sshd" for user "gast"
Nov 12 16:16:59 XXX pam_chroot[1103]: session: returning success
Nov 12 16:16:59 XXX pam_chroot[1103]: session: preparing to chroot()

cat /etc/security/chroot.conf
gast /var/chroot/sshd

Does /home/chroot exist?

Did you build a chroot with libpam-chroot-0.9/example/setup-chrootdir-shell.sh?

asphalt (asphalt123) said : #9

cat /etc/security/chroot.conf
gast /home/chroot

/home/chroot does exist

Maybe here is a mistake; these are entries from an earlier Ubuntu version
in orig /etc/passwd
gast:x:1007:1003:chroot:/home/gast:/bin/bash

and in /home/chroot/etc/passwd
gast:x:1007:1003:chroot:/home/gast:/bin/bash

peterh (peter-holik) said : #10

No mistake, I also have the same user in both /etc/passwd's.

Do you have these directories?

/home/chroot/bin
/home/chroot/dev
/home/chroot/etc
/home/chroot/home
/home/chroot/lib
/home/chroot/proc
/home/chroot/usr

also with some files like

/home/chroot/bin/bash
/home/chroot/lib/libc-2.7.so

peterh (peter-holik) said : #11

No mistake, I also have the same user in both /etc/passwd's.

Do you have these directories?

/home/chroot/bin
/home/chroot/dev
/home/chroot/etc
/home/chroot/home
/home/chroot/lib
/home/chroot/proc
/home/chroot/usr

also with some files like

/home/chroot/bin/bash
/home/chroot/lib/libc-2.7.so
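
The directory-and-file check asked about in posts #10 and #11 can be done mechanically. The following is an added example, not code from the thread or from libpam-chroot: it reads the user's shell from the passwd file inside the chroot and lists the shell and shared libraries that are absent from the tree. The function names are assumptions, and it assumes the chroot is meant to mirror the host's binaries.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Library paths come from ldd on the
# host, so the chroot is assumed to mirror the host's binaries. Run ldd only
# on binaries you trust, such as the system shells.

chroot_missing() {
    # usage: chroot_missing <chroot_dir> <absolute path of program>
    # Prints every path the program needs that does not exist under the chroot.
    local root=${1%/} prog=$2 path
    {
        printf '%s\n' "$prog"
        # ldd prints "name => /path (addr)" or "/path (addr)"; keep absolute paths.
        ldd "$prog" 2>/dev/null |
            awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
    } | sort -u | while IFS= read -r path; do
        [ -e "$root$path" ] || printf '%s\n' "$path"
    done
    return 0
}

login_shell_missing() {
    # usage: login_shell_missing <chroot_dir> <user>
    # Uses the passwd file inside the chroot, the second copy shown in post #9.
    local root=${1%/} user=$2 shell
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$root/etc/passwd" 2>/dev/null) || true
    if [ -z "$shell" ]; then
        printf 'no passwd entry for %s in %s/etc/passwd\n' "$user" "$root"
        return 1
    fi
    chroot_missing "$root" "$shell"
}

# Stand-alone use: script.sh /home/chroot gast
if [ "$#" -eq 2 ]; then
    login_shell_missing "$1" "$2"
fi
```

Empty output means the shell and every library ldd reports for it are present under the chroot directory.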

asphalt (asphalt123) said : #12

Yes, I have all these files. I need the chroot for remote ssh access.
You too? Do you also have Ubuntu 8.04?

peterh (peter-holik) said : #13

yes

I suggest running sshd -ddd on the server side to get clear messages (with ssh stopped before)

asphalt (asphalt123) said : #14

What do you mean by ssh -ddd?

I checked my files in the chroot directory and I saw that the file libc-2.7.so is not here:
/tls │ 72│12. Nov 18.07 ●
 libacl.so.1 │ 22544│12. Nov 18.18 ▒
 libattr.so.1 │ 13592│12. Nov 18.18 ▒
 libcom_err.so.2 │ 7444│12. Nov 18.18 ▒
 libkeyutils.so.1 │ 5644│12. Nov 18.18 ▒
 libncurses.so.5 │ 190584│12. Nov 18.18 ▒
 libselinux.so.1