Description of problem:
When correctly using ChrootDirectory directive openssh closes connection

    # ll -d /chroot
    drwxr-xr-x. 2 root root 4096 Mar 1 07:48 /chroot/
    # cat /etc/sshd_config | grep ChrootDirectory
    ChrootDirectory /chroot/
    # sftp root@localhost
    Connecting to localhost...
    Connection closed

Version-Release number of selected component (if applicable):
openssh-5.3p1-40.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Add ChrootDirectory /chroot/ to sshd_config
2. mkdir /chroot
3. ssh root@localhost

Actual results:
Connection closed

Expected results:
Connection successful

Additional info:
This is a regression as this passes with openssh-5.3p1-20.el6.x86_64
The repro steps from comment 2 are wrong! Correct repro steps are:

================
Repro steps
================
1. add ChrootDirectory to sshd_config
    # echo "ChrootDirectory /chroot/" >> /etc/ssh/sshd_config
2. Change sftp subsystem to internal-sftp
    # sed -i 's/^Subsystem.*sftp.*/Subsystem sftp internal-sftp/g' /etc/ssh/sshd_config
3. Add test user
    # useradd tester
    # echo "redhat" | passwd --stdin tester
4. Restart ssh server
    # service sshd restart
5. Create /chroot dir and turn off selinux
    # mkdir /chroot
    # setenforce 0
6. Try to sftp as test user (password is redhat)
    # sftp tester@localhost

Actual results:
Connection closed

    Connecting to localhost...
    tester@localhost's password:
    subsystem request failed on channel 0
    Couldn't read packet: Connection reset by peer

Expected results:
Connection successful

    sftp>

=================
Important note:
=================
Connecting as root works as expected!
This can be still reproduced with latest openssh-5.3p1-41.el6.x86_64
I can see a difference in /var/log/secure for buggy -41.el6 revision and working -20.el6 revision:

openssh-5.3p1-41.el6.x86_64
===========================
    Mar 3 04:50:25 dell-pesc440-01 sshd[2671]: Accepted password for tester from ::1 port 41595 ssh2
    Mar 3 04:50:25 dell-pesc440-01 sshd[2672]: fatal: mm_request_receive: read: Connection reset by peer
    Mar 3 04:50:25 dell-pesc440-01 sshd[2671]: pam_unix(sshd:session): session opened for user tester by (uid=0)
    Mar 3 04:50:25 dell-pesc440-01 sshd[2675]: subsystem request for sftp
    Mar 3 04:50:25 dell-pesc440-01 sshd[2675]: error: do_exec_no_pty: open(/dev/null): No such file or directory
    Mar 3 04:50:25 dell-pesc440-01 sshd[2675]: subsystem request for sftp failed, subsystem not found
    Mar 3 04:50:25 dell-pesc440-01 sshd[2671]: pam_unix(sshd:session): session closed for user tester

openssh-5.3p1-20.el6.x86_64
===========================
    Mar 3 04:52:32 dell-pesc440-01 sshd[2733]: Accepted password for tester from ::1 port 39063 ssh2
    Mar 3 04:52:32 dell-pesc440-01 sshd[2733]: pam_unix(sshd:session): session opened for user tester by (uid=0)
    Mar 3 04:52:32 dell-pesc440-01 sshd[2737]: subsystem request for sftp
    Mar 3 04:52:33 dell-pesc440-01 sshd[2737]: Received disconnect from ::1: 11: disconnected by user
    Mar 3 04:52:33 dell-pesc440-01 sshd[2733]: pam_unix(sshd:session): session closed for user tester
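Added example, not part of the original bug report or of OpenSSH: a small Python triage helper that scans /var/log/secure lines like the two excerpts above and, for every failed subsystem request, reports the error lines the same sshd process logged between the request and the failure. The function and variable names are hypothetical; the sample lines are copied from the comment above.

```python
import re

# Log excerpt for openssh-5.3p1-41.el6, copied from the comment above.
BUGGY = """\
Mar 3 04:50:25 dell-pesc440-01 sshd[2671]: Accepted password for tester from ::1 port 41595 ssh2
Mar 3 04:50:25 dell-pesc440-01 sshd[2672]: fatal: mm_request_receive: read: Connection reset by peer
Mar 3 04:50:25 dell-pesc440-01 sshd[2671]: pam_unix(sshd:session): session opened for user tester by (uid=0)
Mar 3 04:50:25 dell-pesc440-01 sshd[2675]: subsystem request for sftp
Mar 3 04:50:25 dell-pesc440-01 sshd[2675]: error: do_exec_no_pty: open(/dev/null): No such file or directory
Mar 3 04:50:25 dell-pesc440-01 sshd[2675]: subsystem request for sftp failed, subsystem not found
Mar 3 04:50:25 dell-pesc440-01 sshd[2671]: pam_unix(sshd:session): session closed for user tester
"""
# Log excerpt for openssh-5.3p1-20.el6, copied from the comment above.
WORKING = """\
Mar 3 04:52:32 dell-pesc440-01 sshd[2733]: Accepted password for tester from ::1 port 39063 ssh2
Mar 3 04:52:32 dell-pesc440-01 sshd[2733]: pam_unix(sshd:session): session opened for user tester by (uid=0)
Mar 3 04:52:32 dell-pesc440-01 sshd[2737]: subsystem request for sftp
Mar 3 04:52:33 dell-pesc440-01 sshd[2737]: Received disconnect from ::1: 11: disconnected by user
Mar 3 04:52:33 dell-pesc440-01 sshd[2733]: pam_unix(sshd:session): session closed for user tester
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REQUEST = re.compile(r"subsystem request for (?P<name>\S+)$")
FAILED = re.compile(r"subsystem request for (?P<name>\S+) failed, (?P<reason>.*)$")

def find_subsystem_failures(lines):
    """Return one record per failed subsystem request, with same-PID errors."""
    pending = {}    # pid -> error/fatal messages seen since the request
    failures = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an sshd line
        pid, msg = int(m["pid"]), m["msg"]
        failed = FAILED.match(msg)
        if failed:
            failures.append({"pid": pid, "subsystem": failed["name"],
                             "reason": failed["reason"],
                             "errors": pending.pop(pid, [])})
        elif REQUEST.match(msg):
            pending[pid] = []
        elif pid in pending and msg.startswith(("error:", "fatal:")):
            pending[pid].append(msg)
    return failures

if __name__ == "__main__":
    for record in find_subsystem_failures(BUGGY.splitlines()):
        print(record)
```

The `reason` field alone ("subsystem not found") does not mention the failed open; the `errors` list from the same PID does.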
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0598.html