chroot SSH with pam_chroot!

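This simple chroot approach comes from the Debian documentation. After testing it on RHEL3 and on RHEL4, the result is that it works without any problem on RHEL4, while on RHEL3 the problem is that the session does not persist; executing a command over ssh still works normally there.
This problem has never been answered.
Implementing ssh chroot login on Redhat EL4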



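I checked some material and documentation and found nothing that clearly explains this problem. Because the RHEL3 I used was TaoLinux, I cannot say for certain that this does not work, and besides, ssh commands can be executed on RHEL3.

Below is some supporting evidence and links.
The OpenSSH FAQ, on UsePAM support. The OpenSSH in RHEL4 clearly already supports UsePAM; the RHEL3 version clearly does not, but it already has PAMAuthenticationViaKbdInt turned on.

3.15 OpenSSH versions and PAM behaviour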


Portable OpenSSH has a configure-time option to enable sshd's use of the
PAM (Pluggable Authentication Modules) interface.

./configure --with-pam [options]

To use PAM at all, this option must be provided at build time.

This says the --with-pam option must be given at compile time; I believe the RHEL3 version has it too.

The run-time behaviour when PAM is built in varies with the version of
Portable OpenSSH, and on later versions it must also be enabled by setting
UsePAM to yes in sshd_config.
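The newest versions of OpenSSH use UsePAM to support PAM, while the old ones do not have this option. My guess is that the problem may lie here, but that is not logical.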

The behaviour of the relevant authentications options when PAM support is built
in is summarised by the following table.

| Version | UsePAM | PasswordAuthentication | ChallengeResponseAuthentication |
|---|---|---|---|
| <=3.6.1p2 | Not applicable | Uses PAM | Uses PAM if PAMAuthenticationViaKbdInt is enabled |
| 3.7p1 - 3.7.1p1 | Defaults to yes | Does not use PAM | Uses PAM if UsePAM is enabled |
| 3.7.1p2 - 3.8.1p1 | Defaults to no | Does not use PAM [1] | Uses PAM if UsePAM is enabled |
| 3.9p1 | Defaults to no | Uses PAM if UsePAM is enabled | Uses PAM if UsePAM is enabled |

[1] Some vendors, notably Redhat/Fedora, have
backported the PasswordAuthentication from 3.9p1 to their 3.8x based
packages. If you're using a vendor-supplied package then consult their
documentation.
Of particular note is Redhat's backport.

OpenSSH Portable's PAM interface still has problems with a few modules,
however we hope that this number will reduce in the future. As at the
3.9p1 release, the known problems are:

  • Modules relying on module-private data (eg pam_dhkeys, pam_krb5, AFS)
    may fail to correctly establish credentials (bug #688) when
    authenticating via ChallengeResponseAuthentication.
    PasswordAuthentication with 3.9p1 and above should work.


You can also check bugzilla for current PAM issues (bug list)
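
The FAQ table above, written as a check that takes a version string and sshd_config text and reports which authentication methods go through PAM. This is an added example, not code from the original post or from OpenSSH; the function names, the sample inputs, the assumed default of "no" for PAMAuthenticationViaKbdInt, and treating releases after 3.9p1 like the 3.9p1 row are assumptions.

```python
import re

def parse_version(banner):
    """'OpenSSH_3.7.1p2' -> (3, 7, 1, 2); a missing third field counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?p(\d+)", banner)
    if not m:
        raise ValueError(f"not a Portable OpenSSH version: {banner!r}")
    return tuple(int(g or 0) for g in m.groups())

def parse_sshd_config(text):
    """Keywords are case-insensitive and the first value seen for a keyword wins."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def pam_usage(banner, config_text):
    """Which authentication methods go through PAM, per the FAQ table.
    Vendor packages with backports (footnote [1]) may not follow it."""
    v, opts = parse_version(banner), parse_sshd_config(config_text)
    def enabled(key, default):
        return opts.get(key, default) == "yes"
    if v <= (3, 6, 1, 2):
        # No UsePAM keyword here. Assumption: PAMAuthenticationViaKbdInt
        # is off unless the config turns it on.
        return {"UsePAM": None, "PasswordAuthentication": True,
                "ChallengeResponseAuthentication":
                    enabled("pamauthenticationviakbdint", "no")}
    # UsePAM defaults to yes in 3.7p1 - 3.7.1p1 and to no afterwards.
    use_pam = enabled("usepam", "yes" if v <= (3, 7, 1, 1) else "no")
    # Assumption: releases after 3.9p1 behave like the 3.9p1 row.
    return {"UsePAM": use_pam,
            "PasswordAuthentication": use_pam and v >= (3, 9, 0, 1),
            "ChallengeResponseAuthentication": use_pam}

# Constructed sample inputs (not taken from any real host).
OLD_CONFIG = "# constructed sample\nPAMAuthenticationViaKbdInt yes\n"
NEW_CONFIG = "# constructed sample\n#UsePAM no\nUsePAM yes\n"

if __name__ == "__main__":
    for banner, cfg in [("OpenSSH_3.6.1p2", OLD_CONFIG),
                        ("OpenSSH_3.8.1p1", NEW_CONFIG),
                        ("OpenSSH_3.9p1", NEW_CONFIG)]:
        print(banner, pam_usage(banner, cfg))
```

The result only reflects the table's authentication columns; on a vendor package, compare it against the vendor's documentation as footnote [1] advises.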
