- 02-05-2012 #1
SSH into chroot jail (restricted SSH session)
I can successfully run a listening Bazaar server in a chroot installation and SSH tunnel the appropriate port (using the process described below), but cannot use bzr+ssh to access the chrooted repository. Does anyone know if it's possible to use bzr+ssh in a chroot environment?
Hi,
I've just spent several hours doing something that I thought would be much more simple than it was. I wanted to allow others to access my Bazaar repositories over SSH (bzr+ssh). These users may be people I don't trust much, so I didn't want them to even see what is in the other directories (setting the user's shell to rbash allows them to ls other directories). I've outlined my solution below; it may not be the simplest solution, but it seems to work and may be of use to someone. Perhaps more experienced members could suggest some improvements.
For the record, I'm using Ubuntu 10.04 LTS, GNU bash version 4.1.5 and OpenSSH_5.3p1 Debian-3ubuntu7.
I followed the instructions in https://help.ubuntu.com/community/BasicChroot to create a chrootable Ubuntu installation. I chose to put this in /srv/chroot/lucid/bzr. Here is the relevant extract from my /etc/schroot/schroot.conf:
Code:
[lucid]
description=Ubuntu Lucid for Bazaar
directory=/srv/chroot/lucid/bzr/
users=bzr
groups=bzr
priority=3
root-groups=root
Of course, I didn't worry about the X server stuff that's discussed in the above link. I realise that a whole new install is complete overkill for what I'm trying to achieve, but, oh well.
Then I used
Code:
sudo schroot --chroot=lucid
to jump into the new installation and used
Code:
adduser bzr
to make a regular user with a regular home directory (that is /home/bzr from the perspective of the new installation, or /srv/chroot/lucid/bzr/home/bzr from the perspective of the parent installation).
Back in the main (parent) installation, I made a user called bzr and a group called chroot. I made bzr a member of the chroot group (I set bzr's uid to less than 1000 so it wouldn't appear in the login screen).
Note that this bzr user of the parent installation is distinct from the bzr user of the new installation; I just wanted to give it the same user name.
Code:
root:~# adduser --no-create-home --uid 999 bzr
Adding user `bzr' ...
Adding new group `bzr' (999) ...
Adding new user `bzr' (999) with group `bzr' ...
Not creating home directory `/home/bzr'.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for bzr
Enter the new value, or press ENTER for the default
	Full Name []: Bazaar User
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n]
root:~# mkdir /home/bzr
root:~# sudo usermod -d /home/bzr/ bzr
root:~# addgroup chroot
Adding group `chroot' (GID 1006) ...
Done.
root:~# usermod -aG chroot bzr
root:~# groups bzr
bzr : bzr chroot
Next I created some configuration files in bzr's home directory:
Code:
root:~# cd ~bzr
root:/home/bzr# echo 'schroot --chroot=lucid --directory=/home/bzr --user=bzr
> exit' > .bashrc
root:/home/bzr# for i in .bash_profile .bash_login; do echo '. .bashrc' > $i; done
root:/home/bzr# echo '' > .bash_logout
root:/home/bzr# chown root:chroot .
root:/home/bzr# chmod g+w .
root:/home/bzr# ls -lsa
total 28
4 drwxrwxr-x 2 root chroot 4096 2012-02-05 10:47 .
4 drwxr-xr-x 9 root root   4096 2012-02-05 17:19 ..
4 -rw-r--r-- 1 root root     10 2012-02-05 17:28 .bash_login
4 -rw-r--r-- 1 root root      1 2012-02-05 17:29 .bash_logout
4 -rw-r--r-- 1 root root     10 2012-02-05 17:28 .bash_profile
4 -rw-r--r-- 1 root root     61 2012-02-05 17:28 .bashrc
root:/home/bzr# head .bash*
==> .bash_login <==
. .bashrc

==> .bash_logout <==


==> .bash_profile <==
. .bashrc

==> .bashrc <==
schroot --chroot=lucid --directory=/home/bzr --user=bzr
exit
So, whenever the (parent installation's) bzr user tries to log in (either with su or ssh) they will be jailed in /srv/chroot/lucid/bzr as the bzr user of the new installation. When they exit out of the schroot shell, the exit command will be executed, so they can't hang around in a non-chrooted state. Note that the config files are owned by root. I had to allow bzr to write to its home directory (ssh likes to write a .Xauthority file there), so I did this through its chroot group membership.
But before this would work, I needed to give bzr permission to run schroot, which is normally only executable as root. This required an edit to /etc/sudoers:
Code:
root:~# echo '
> # Members of chroot group can run schroot
> %chroot chroot=(root) /usr/bin/schroot' >> /etc/sudoers
Now allow bzr to ssh in:
Code:
root:~# echo '
> AllowUsers bzr' >> /etc/ssh/sshd_config
Finally, I made the new installation's bzr user own its own home directory and installed the bzr programme:
Code:
$ sudo schroot --chroot=lucid --directory=/home/bzr --user=root
/home/bzr# chown -R bzr: .
/home/bzr# apt-get install bzr
But, I have this problem:
Code:
client$ bzr branch bzr+ssh://bzr@server/my_project/trunk test_branch
bzr@server's password:
-bash: line 1: syntax error near unexpected token `('
-bash: line 1: `bzr message 3 (bzr 1.6)'
bzr: ERROR: Connection closed: Unexpected end of message. Please check connectivity and permissions, and report a bug if problems persist.
As a work-around I can successfully run a listening Bazaar server in the chroot installation and forward the appropriate port. To do this, I start a Bazaar server in the chrooted environment
Code:
server$ bzr server --directory=my_project
listening on port: 4155
and set up an SSH tunnel to the client computer
Code:
client$ ssh -L4155:localhost:4155 bzr@server
Now I can issue bzr commands from the client:
Code:
client$ bzr branch bzr://server:4155/trunk test_branch
It works, but not as nice as using bzr+ssh.
Does anyone know if it's possible to use bzr+ssh in a chroot environment?
Last edited by waz; 02-05-2012 at 09:22 PM. Reason: Added work-around solution.
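The error in the first post is bash inside the chroot trying to execute the client's protocol header (`bzr message 3 (bzr 1.6)`) as a command, because the `.bashrc` starts an interactive schroot shell instead of passing the `bzr serve` request through. As an added example (not from the thread or the linked blog post), a least-privilege alternative: an sshd `ForceCommand` wrapper that refuses everything except a `bzr serve --inet` request and runs a fixed command inside the same `lucid` chroot, so the user never gets a shell at all; the wrapper path, the `Match User` block and serving the chroot's /home/bzr are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a ForceCommand wrapper for the bzr user.
# sshd runs this instead of the client's command and exposes that command in
# SSH_ORIGINAL_COMMAND; only a "bzr serve --inet" request is honoured, and it
# is run as a fixed command inside the "lucid" schroot, so no shell is reached.
# Assumed sshd_config (wrapper path is an assumption):
#   Match User bzr
#       ForceCommand /usr/local/bin/bzr-chroot-shell
set -f                      # no globbing while we split the client's string
CHROOT_NAME=lucid
CHROOT_USER=bzr
REPO_DIR=/home/bzr          # served directory, as seen inside the chroot

# Returns 0 only if $1 is "bzr serve --inet" followed by nothing but
# --directory=/ and/or --allow-writes (what the bzr+ssh client sends).
# Other programs, extra flags or shell metacharacters all fail the match.
is_bzr_serve_request() {
    set -- $1               # word-split; nothing is evaluated
    [ "$#" -ge 3 ] || return 1
    [ "$1" = bzr ] && [ "$2" = serve ] && [ "$3" = --inet ] || return 1
    shift 3
    for arg in "$@"; do
        case "$arg" in
            --directory=/|--allow-writes) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Prints the server-side command line. The client's string is never executed;
# only its read/write intent is carried over.
chroot_command() {
    writes=""
    case " $1 " in *" --allow-writes "*) writes=" --allow-writes" ;; esac
    echo "schroot --chroot=$CHROOT_NAME --user=$CHROOT_USER --directory=$REPO_DIR" \
         "-- bzr serve --inet --directory=$REPO_DIR$writes"
}

main() {
    if ! is_bzr_serve_request "${SSH_ORIGINAL_COMMAND:-}"; then
        echo "bzr-chroot-shell: only 'bzr serve --inet' is permitted" >&2
        exit 1
    fi
    exec $(chroot_command "$SSH_ORIGINAL_COMMAND")
}
# Only act when sshd actually supplied a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    main
fi
```

This replaces the `.bashrc` trick rather than sitting beside it, since bash still sources `~/.bashrc` before running a forced command; client URLs then resolve relative to the served directory, so bzr+ssh://bzr@server/my_project/trunk maps to /home/bzr/my_project/trunk inside the chroot.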
- 02-05-2012 #2
I think I've finally found a blog post explaining how to do what I wanted (in a less cumbersome way than described above): Configuring a shared repository in Bazaar for users with no shell access | Blog dot Melimato dot Com
Last edited by jayd512; 02-05-2012 at 10:57 PM. Reason: fixed link
- 02-05-2012 #3
Maybe some kind mod could fix my links for me?
- 02-05-2012 #4
Hi, waz.
As a temporary work-around to posting links, check out Question #2 in this page.
Jay
New users, read this first.
New Member FAQ
Registered Linux User #463940
I do not respond to Private Messages asking for Linux help. Please, keep it on the public boards.
- 02-05-2012 #5