SSH ChrootDirectory on Mac OS X Lion (not Server edition)

Tags: mac-osx, ssh

I'm trying to set up a remote-only user account on my MacBook Pro that is chrooted to /chroot/tmux. I've followed the steps outlined here (http://thefragens.com/blog/2011/12/chrootd-sftp-on-mac-os-x-server/), but when I try to log in with (on my local network):

ssh tmux@10.0.1.140

… I get an immediate connection closed:

❯ ssh tmux@10.0.1.140
Password:
Connection to 10.0.1.140 closed by remote host.
Connection to 10.0.1.140 closed.

Removing this line in /etc/sshd_config allows me to log in fine, but my tmux user is no longer chrooted:

Match User tmux
  # ...
  ChrootDirectory /chroot/tmux # removing this allows me to log in

What do I have to do to get this to work?


This is what I get after the password prompt when I try to log in from the client with ssh -vv tmux@10.0.1.140:

debug2: input_userauth_info_req 
debug2: input_userauth_info_req: num_prompts 0 
debug1: Authentication succeeded (keyboard-interactive). 
Authenticated to 10.0.1.140 ([10.0.1.140]:22). 
debug1: channel 0: new [client-session] 
debug2: channel 0: send open 
debug1: Requesting no-more-sessions@openssh.com 
debug1: Entering interactive session. 
debug1: channel 0: free: client-session, nchannels 1 
Connection to 10.0.1.140 closed by remote host.
Connection to 10.0.1.140 closed.
Transferred: sent 1872, received 1880 bytes, in 0.0 seconds
Bytes per second: sent 100689.1, received 101119.4
debug1: Exit status -1

Encouragingly, Mac's Console reports this:

6/15/12 9:57:42.679 AM sshd: fatal: bad ownership or modes for chroot directory "/chroot/tmux"

My current directory permissions:

~ ❯ ls -al /chroot/tmux
total 8
drwxr-xr-x  7 tmux  wheel  238 Jun 14 11:18 .
drwxr-xr-x  3 root  wheel  102 Jun 14 10:34 ..

Best Answer

The problem here is the ownership and permissions on the directory /chroot/tmux.

The SSHD manpage states:

ChrootDirectory

         Specifies the pathname of a directory to chroot(2) to after
         authentication.  All components of the pathname must be root-
         owned directories that are not writable by any other user or
         group.  After the chroot, sshd(8) changes the working directory
         to the user's home directory.

I believe the specific path given to ChrootDirectory (in your case /home/tmux) must be root:root and at most 755 permissions; it looks like your directory is owned by 'tmux'.

Also note, however, that the ChrootDirectory command works best with SFTP, which doesn't require a specific shell. If you're trying to run interactive SSH command-line sessions (and a shell) from this directory, you'll need to add some files to the chroot first, as described in the sshd_config manpage:

The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file transfer sessions using "sftp", no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see sftp-server(8) for details).