chroot SSH with pam_chroot!

这个做法很简单的chroot源自Debian的文档,在RHEL3和4上分别试验之后得到的结果是RHEL4上完全没有问题,RHEL3上问题出在Session不能持久,如果ssh执行命令则也算正常。
这个问题一直得不到解答。
Redhat EL4 下实现ssh chroot 登陆



查证了一些资料和文档,没见有显然说明此问题的地方,因为用的RHEL3为TaoLinux,所以未敢包票这个不行,况RHEL3上可以执行ssh命令的。

以下是一些佐证和连接。
OpenSSH上的FAQ,关于UsePAM的支持。RHEL4的Openssh显然已经支持UsePAM,RHEL3的版本显然不支持,但是已经打开了PAMAuthenticationViaKbdInt的。

3.15 OpenSSH不同版本与PAM行为


Portable OpenSSH has a configure-time option to enable sshd's use of the
PAM
(Pluggable Authentication Modules) interface.

./configure --with-pam [options]

To use PAM at all, this option must be provided at build time.

这里说编译时一定要加上--with-pam的选项,相信RHEL3的版本也也是有的。

The run-time behaviour when PAM is built in varies with the version of
Portable OpenSSH, and on later versions it must also be enabled by setting
UsePAM to yes in sshd_config.
最新版本的OpenSSH使用UsePAM来支持PAM,而老的就没有这个选项,猜想可能的问题在这里,但是不合乎逻辑。

The behaviour of the relevant authentications options when PAM support is built
in is summarised by the following table.































VersionUsePAMPasswordAuthenticationChallengeResponseAuthentication
<=3.6.1p2Not applicableUses PAMUses PAM if PAMAuthenticationViaKbdInt is enabled
3.7p1 - 3.7.1p1Defaults to yesDoes not use PAMUses PAM if UsePAM is enabled
3.7.1p2 - 3.8.1p1Defaults to noDoes not use PAM [1]Uses PAM if UsePAM is enabled
3.9p1Defaults to noUses PAM if UsePAM is enabledUses PAM if UsePAM is enabled

[1] Some vendors, notably Redhat/Fedora, have
backported the PasswordAuthentication from 3.9p1 to their 3.8x based
packages. If you're using a vendor-supplied package then consult their
documentation.
特别的是Redhat的反向移植。

OpenSSH Portable's PAM interface still has problems with a few modules,
however we hope that this number will reduce in the future. As at the
3.9p1 release, the known problems are:

  • Modules relying on module-private data (eg pam_dhkeys, pam_krb5, AFS)
    may fail to correctly establish credentials (bug #688) when
    authenticating via ChallengeResponseAuthentication.
    PasswordAuthentication with 3.9p1 and above should work.


You can also check bugzilla for current PAM issues 臭虫列表

Comments

Post a Comment

Popular posts from this blog

Freeware Software Top 300 from winAddons.Com!

来自winAddons.Com的推荐,最好的300款免费软件,其中当然不乏Open Source的品牌产品,如OpenOffice,Firefox等,也包含了Windows平台下常用的不花钱的玩意儿,如Adobe Acrobat Reader等。 全文摘录如下, 对我个人经常使用和熟悉的一些产品进行了评价!! Office 办公软件 OpenOffice - 最著名的免费的办公套件 PC Suite 602 - office suite AbiWord - text editor Atlantis Nova - text editor Microsoft PowerPoint Viewer - power point files viewer Adobe Reader - pdf reader Foxit PDF Reader - pdf reader PDFCreator - 优秀的PDF制作引擎,用于直接打印到PDF文件 Doc Convertor - document convertor Convert - unit convertor Converber - unit convertor Sunbird - calendar/organizer EssentialPIM Free - calendar/organizer PhraseExpress - speed up your writing ATnotes - create notes on the desktop Archive managers 压缩文件管理器 7-Zip - 最流行的免费压缩工具 IZArc - compression program TugZIP - compression program CabPack - compression program Universal Extractor - extract files from any type of archive Internet 因特网 Firefox - 火狐,火狐 Internet Explorer - web browser Maxthon - web browser Opera - web browser Avant Browser - web browser Thu...
Read more

What is DevOPS?

Image
What is DevOPS? As be a DevOPS engineer more than five years in the past, I was always asked what is DevOPS or what is a DevOPS role or what should a DevOPS Engineer do? Or even question like how to be a good DevOPS? What? How? should be the most two frequently questions from almost all organizations. As I am working with  Amazon Web Service  for a long time with my DevOPS career, I tried to get answers from AWS guys frist as they have a special section about AWS DevOPS, also they have AWS DevOPS certificate cources, even though I never try such cources. This is the first page said about DevOPS on AWS DevOPS to answer "What is DevOPS?", DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enable...
Read more

RPM Build Tips!

Now, I am trying to build a Linux system based on the Fedora Core Release! Working with the RPM system in deep.The unpackaged file terminate the build process under RPM 4.x! Unpackaged files message in RPM-4.1 and following RPM version 4.1 and following demonstrate a new behaviour in the rpmbuild process. Previously, a build process might place any number of files, say in the %install stanza, when running the make install part of a Makefile , in the customary /var/tmp/%{name}-root/ BuildRoot (the RPM_BUILD_ROOT ). Once through that part of the Makefile , it can then completely ignore these files in the %files binary packaging stanza. This often happens when an upstream maintainer adds, or deletes items from new directory spurs in the make install , and the change might be missed during an unattended or automated rebuild. This option permits careful packagers to cross check the quality of their packaging. So as a cross check, /usr/lib/rpm/check-files is now enabled during ...
Read more