chroot SSH with pam_chroot!
This simple chroot approach comes from the Debian documentation. After trying it on RHEL3 and RHEL4 separately, the result is that it works on RHEL4 without any problem, while on RHEL3 the problem is that the session does not persist; running a single command over ssh, however, works normally.
This question has never been answered.
Implementing ssh chroot login on Red Hat EL4
I checked a number of sources and documents and found nothing that clearly explains this problem. Since the RHEL3 I used was TaoLinux, I cannot guarantee that it does not work at all, and in any case running commands over ssh on RHEL3 does work.
Below are some supporting evidence and links.
From the OpenSSH FAQ, on UsePAM support. The OpenSSH in RHEL4 clearly already supports UsePAM; the RHEL3 version clearly does not, although PAMAuthenticationViaKbdInt is already turned on there.
3.15 PAM behaviour in different OpenSSH versions
Portable OpenSSH has a configure-time option to enable sshd's use of the PAM (Pluggable Authentication Modules) interface.
./configure --with-pam [options]
To use PAM at all, this option must be provided at build time.
This says that the --with-pam option must be given at build time; I believe the RHEL3 build has it as well.
The run-time behaviour when PAM is built in varies with the version of
Portable OpenSSH, and on later versions it must also be enabled by setting
UsePAM to yes in sshd_config.
The newest OpenSSH versions use UsePAM to enable PAM support, while the older version has no such option. I suspect the problem may lie here, but that does not quite add up.
The behaviour of the relevant authentication options when PAM support is built in is summarised by the following table.
Version | UsePAM | PasswordAuthentication | ChallengeResponseAuthentication |
---|---|---|---|
<=3.6.1p2 | Not applicable | Uses PAM | Uses PAM if PAMAuthenticationViaKbdInt is enabled |
3.7p1 - 3.7.1p1 | Defaults to yes | Does not use PAM | Uses PAM if UsePAM is enabled |
3.7.1p2 - 3.8.1p1 | Defaults to no | Does not use PAM [1] | Uses PAM if UsePAM is enabled |
3.9p1 | Defaults to no | Uses PAM if UsePAM is enabled | Uses PAM if UsePAM is enabled |
[1] Some vendors, notably Redhat/Fedora, have backported the PasswordAuthentication from 3.9p1 to their 3.8x based packages. If you're using a vendor-supplied package then consult their documentation.
Of particular note is the Red Hat backport.
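As an added example (not from the original post, and not the Debian pam_chroot documentation it refers to), the following POSIX shell script checks the three pieces a pam_chroot login depends on once UsePAM exists: `UsePAM yes` in sshd_config, `pam_chroot.so` in the session stack of the sshd PAM service, and a chroot.conf entry for the user. It assumes the Debian libpam-chroot file format (one `user_regex chroot_dir` line per user in /etc/security/chroot.conf); the function names, the user `alice` and the config files it builds in a temp directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the three pieces a
# pam_chroot login depends on. Assumes the Debian libpam-chroot config
# format ("user_regex chroot_dir" per line in chroot.conf).

# check_chroot_setup SSHD_CONFIG PAM_SSHD CHROOT_CONF USER
# Returns 0 only if UsePAM is yes, pam_chroot.so sits in the session stack,
# and USER matches a chroot.conf entry whose directory exists.
check_chroot_setup() {
    sshd_config=$1 pam_sshd=$2 chroot_conf=$3 user=$4
    # sshd keeps the first value of a keyword, so take the first UsePAM line.
    usepam=$(awk 'tolower($1)=="usepam" && !seen {v=tolower($2); seen=1}
                  END {print v}' "$sshd_config")
    [ "$usepam" = "yes" ] || { echo "UsePAM is '${usepam:-unset}', not yes"; return 1; }
    # pam_chroot does its work in the session phase; a required/requisite
    # session line is what we expect to see.
    grep -Eq '^[[:space:]]*session[[:space:]]+(required|requisite)[[:space:]]+pam_chroot\.so' \
        "$pam_sshd" || { echo "pam_chroot.so missing from session stack"; return 1; }
    # First non-comment line whose regex field matches the whole user name.
    dir=$(awk -v u="$user" 'NF>=2 && $1 !~ /^#/ && u ~ ("^" $1 "$") {print $2; exit}' \
        "$chroot_conf")
    [ -n "$dir" ] || { echo "no chroot.conf entry for $user"; return 1; }
    [ -d "$dir" ] || { echo "chroot directory $dir does not exist"; return 1; }
    echo "ok: $user will be chrooted into $dir"
}

# demo USEPAM_VALUE: build constructed config files in a temp dir and check
# them for the constructed user "alice". Real files live under /etc.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/jail/home/alice"
    # sshd_config fragment (constructed)
    printf 'UsePAM %s\nPasswordAuthentication yes\n' "$1" >"$tmp/sshd_config"
    # /etc/pam.d/sshd fragment (constructed): chroot before the shell starts
    printf 'auth     required pam_unix.so\naccount  required pam_unix.so\n' >"$tmp/pam_sshd"
    printf 'session  required pam_chroot.so\nsession  required pam_unix.so\n' >>"$tmp/pam_sshd"
    # /etc/security/chroot.conf fragment (constructed)
    printf '# user_regex  chroot_dir\nalice  %s/jail\n' "$tmp" >"$tmp/chroot.conf"
    check_chroot_setup "$tmp/sshd_config" "$tmp/pam_sshd" "$tmp/chroot.conf" alice
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: the working configuration, then the same files with UsePAM turned off.
demo yes
demo no || echo "as expected, the UsePAM no variant fails the check"
```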
OpenSSH Portable's PAM interface still has problems with a few modules, however we hope that this number will reduce in the future. As at the 3.9p1 release, the known problems are:
- Modules relying on module-private data (eg pam_dhkeys, pam_krb5, AFS) may fail to correctly establish credentials (bug #688) when authenticating via ChallengeResponseAuthentication. PasswordAuthentication with 3.9p1 and above should work.
You can also check bugzilla for current PAM issues (bug list).