Bug 681202

Summary: openssh closes connection if ChrootDirectory specified
Product: Red Hat Enterprise Linux 6
Component: openssh
Version: 6.1
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Milestone: rc
Keywords: Regression
Hardware: All
OS: Linux
Reporter: Miroslav Vadkerti <mvadkert>
Assignee: Jan F. Chadima <jchadima>
QA Contact: Miroslav Vadkerti <mvadkert>
CC: sgrubb
Fixed In Version: openssh-5.3p1-47.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 13:30:58 UTC

Description Miroslav Vadkerti 2011-03-01 12:44:50 UTC

Comment 2 Miroslav Vadkerti 2011-03-01 12:53:17 UTC
Description of problem:
When correctly using the ChrootDirectory directive, openssh closes the connection

# ll -d /chroot
drwxr-xr-x. 2 root root 4096 Mar  1 07:48 /chroot/

# cat /etc/sshd_config | grep ChrootDirectory
ChrootDirectory /chroot/

# sftp root@localhost
Connecting to localhost...
Connection closed

Version-Release number of selected component (if applicable):
openssh-5.3p1-40.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Add ChrootDirectory /chroot/ to sshd_config
2. mkdir /chroot
3. ssh root@localhost

Actual results:
Connection closed

Expected results:
Connection successful

Additional info:
This is a regression as this passes with openssh-5.3p1-20.el6.x86_64

Comment 4 Miroslav Vadkerti 2011-03-01 14:22:54 UTC
The repro steps from comment 2 are wrong! Correct repro steps are:

================
Repro steps
================

1. Add ChrootDirectory to sshd_config
# echo "ChrootDirectory /chroot/" >> /etc/ssh/sshd_config

2. Change sftp subsystem to internal-sftp
# sed -i 's/^Subsystem.*sftp.*/Subsystem sftp internal-sftp/g' /etc/ssh/sshd_config

3. Add test user
# useradd tester
# echo "redhat" | passwd --stdin tester

4. Restart ssh server
# service sshd restart

5. Create /chroot dir and turn off selinux
# mkdir /chroot
# setenforce 0

6. Try to sftp as test user (password is redhat)
# sftp tester@localhost

Actual results:
Connection closed
Connecting to localhost...
tester@localhost's password: 
subsystem request failed on channel 0
Couldn't read packet: Connection reset by peer

Expected results:
Connection successful
sftp>

=================
Important note:
=================
Connecting as root works as expected!

Comment 5 Miroslav Vadkerti 2011-03-01 14:37:46 UTC
This can still be reproduced with the latest openssh-5.3p1-41.el6.x86_64

Comment 6 Miroslav Vadkerti 2011-03-03 09:56:43 UTC
I can see a difference in /var/log/secure between the buggy -41.el6 revision and the working -20.el6 revision:

openssh-5.3p1-41.el6.x86_64
===========================
Mar  3 04:50:25 dell-pesc440-01 sshd[2671]: Accepted password for tester from ::1 port 41595 ssh2
Mar  3 04:50:25 dell-pesc440-01 sshd[2672]: fatal: mm_request_receive: read: Connection reset by peer
Mar  3 04:50:25 dell-pesc440-01 sshd[2671]: pam_unix(sshd:session): session opened for user tester by (uid=0)
Mar  3 04:50:25 dell-pesc440-01 sshd[2675]: subsystem request for sftp
Mar  3 04:50:25 dell-pesc440-01 sshd[2675]: error: do_exec_no_pty: open(/dev/null): No such file or directory
Mar  3 04:50:25 dell-pesc440-01 sshd[2675]: subsystem request for sftp failed, subsystem not found
Mar  3 04:50:25 dell-pesc440-01 sshd[2671]: pam_unix(sshd:session): session closed for user tester

openssh-5.3p1-20.el6.x86_64
===========================
Mar  3 04:52:32 dell-pesc440-01 sshd[2733]: Accepted password for tester from ::1 port 39063 ssh2
Mar  3 04:52:32 dell-pesc440-01 sshd[2733]: pam_unix(sshd:session): session opened for user tester by (uid=0)
Mar  3 04:52:32 dell-pesc440-01 sshd[2737]: subsystem request for sftp
Mar  3 04:52:33 dell-pesc440-01 sshd[2737]: Received disconnect from ::1: 11: disconnected by user
Mar  3 04:52:33 dell-pesc440-01 sshd[2733]: pam_unix(sshd:session): session closed for user tester
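
The log difference in comment 6 can be turned into a triage check for /var/log/secure. The following is an added example, not part of the bug report or of OpenSSH: it groups sshd messages by PID and flags sftp subsystem requests that fail together with a do_exec_no_pty open() error. The function name triage and the result fields are assumptions of this example; the sample lines are the ones quoted in comment 6.

```python
import re
from collections import defaultdict

# Log lines copied from comment 6: the -41.el6 session first, then -20.el6.
SAMPLE = """\
Mar  3 04:50:25 dell-pesc440-01 sshd[2671]: Accepted password for tester from ::1 port 41595 ssh2
Mar  3 04:50:25 dell-pesc440-01 sshd[2672]: fatal: mm_request_receive: read: Connection reset by peer
Mar  3 04:50:25 dell-pesc440-01 sshd[2671]: pam_unix(sshd:session): session opened for user tester by (uid=0)
Mar  3 04:50:25 dell-pesc440-01 sshd[2675]: subsystem request for sftp
Mar  3 04:50:25 dell-pesc440-01 sshd[2675]: error: do_exec_no_pty: open(/dev/null): No such file or directory
Mar  3 04:50:25 dell-pesc440-01 sshd[2675]: subsystem request for sftp failed, subsystem not found
Mar  3 04:50:25 dell-pesc440-01 sshd[2671]: pam_unix(sshd:session): session closed for user tester
Mar  3 04:52:32 dell-pesc440-01 sshd[2733]: Accepted password for tester from ::1 port 39063 ssh2
Mar  3 04:52:32 dell-pesc440-01 sshd[2733]: pam_unix(sshd:session): session opened for user tester by (uid=0)
Mar  3 04:52:32 dell-pesc440-01 sshd[2737]: subsystem request for sftp
Mar  3 04:52:33 dell-pesc440-01 sshd[2737]: Received disconnect from ::1: 11: disconnected by user
Mar  3 04:52:33 dell-pesc440-01 sshd[2733]: pam_unix(sshd:session): session closed for user tester
"""

# "<month> <day> <time> <host> sshd[<pid>]: <message>"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(\d+)\]: (.*)$")
# The error line that only appears in the failing revision's log.
OPEN_FAIL = re.compile(r"error: do_exec_no_pty: open\(([^)]+)\): (.+)")


def triage(text):
    """Classify every sftp subsystem request found in sshd log text."""
    by_pid = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            by_pid[int(m.group(1))].append(m.group(2))

    findings = []
    for pid, msgs in by_pid.items():
        if "subsystem request for sftp" not in msgs:
            continue  # this PID handled authentication or PAM only
        failed = any(s.startswith("subsystem request for sftp failed") for s in msgs)
        # Paths sshd could not open; with ChrootDirectory set, "not found"
        # for a path that exists on the host points at the chroot tree.
        missing = [m.group(1) for s in msgs
                   if (m := OPEN_FAIL.match(s)) and "No such file" in m.group(2)]
        findings.append({"pid": pid, "failed": failed, "missing_paths": missing})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
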

Comment 9 errata-xmlrpc 2011-05-19 13:30:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0598.html