Apply openssh sftp-chroot patch to openssh-server

Bug #24777 reported by Daniel Hahler
24
Affects Status Importance Assigned to Milestone
portable OpenSSH
Fix Released
Unknown
openssh (Ubuntu)
Fix Released
Medium
Colin Watson

Bug Description

There is a patch to allow chrooting users that have the patched sftp-server as login shell and a '/./' magic in their
home directory.

This only affects sftp-server and does not require to setup a chroot environment with libs for anything.

http://mail.incredimail.com/howto/openssh/addons/sftp-chroot.diff: http://mail.incredimail.com/howto/openssh/addons/sftp-chroot.diff

Revision history for this message
Daniel Hahler (blueyed) wrote :

Created an attachment (id=4827)
sftp-server.c: Allow chrooting of a user if he has a magic "/./" in his path

Revision history for this message
Colin Watson (cjwatson) wrote :

Please push this upstream if you're interested in it; it is unlikely that I will
apply this in Debian or Ubuntu without them.

As you said on IRC, this seems to have been rejected by the Portable OpenSSH
team so far, so their objections need to be addressed. I don't want to be in a
position where I'm the person people go to when they want to do an end-run
around upstream objections.

Revision history for this message
Daniel Hahler (blueyed) wrote :

This is the upstream bug: http://bugzilla.mindrot.org/show_bug.cgi?id=177

It's about adding chroot functionality not only to sftp-server. I've attached the patch there.

Colin Watson (cjwatson)
Changed in openssh:
assignee: kamion → nobody
Changed in openssh:
status: Unknown → Confirmed
Changed in openssh:
status: Confirmed → Unknown
Changed in openssh:
status: Unknown → Confirmed
Changed in openssh:
status: Unknown → Fix Released
Revision history for this message
Wouter Stomp (wouterstomp-deactivatedaccount) wrote :

This has been fixed upstream and will be in openssh-4.8.

Revision history for this message
Wouter Stomp (wouterstomp-deactivatedaccount) wrote :

(it has been fixed by adding support for an in-process sftp-server to avoid the need to configure the chroot with support files.)

Revision history for this message
Nicolas Valcarcel (nvalcarcel) wrote :

This fix is included on openssh 4.8, marking as fix commited

Changed in openssh:
status: New → In Progress
Changed in openssh:
status: In Progress → Fix Committed
Changed in openssh:
status: Fix Committed → Confirmed
Revision history for this message
Yann (lostec) wrote :

Will the version of OpenSSH server included in Gutsy be 4.8?

Otherwise, applying this patch to the version of OpenSSH included in Gutsy should be considered for an LTS version (used in enterprise, lots of them trying to get rid of unsecured FTP servers without the hassle to handle a chroot setup/mainenance by hand).

Regards

Revision history for this message
Yann (lostec) wrote :

Oupsss... On my last post I wrote Gutsy but was of course thinking of Hardy...

Regards

Revision history for this message
Dustin Kirkland  (kirkland) wrote : Re: [Bug 24777] Re: Apply openssh sftp-chroot patch to openssh-server

You can view current package versions here:
    http://packages.ubuntu.com/hardy/allpackages

Currently:
    openssh-server (1:4.7p1-4ubuntu1)

That would probably NOT move up to 4.8 at this point since Hardy has
already moved past Feature Freeze. Bug fixes only at this point.

:-Dustin

Revision history for this message
Colin Watson (cjwatson) wrote :

This change was only recently applied to OpenSSH portable mainline, and I want to let it be shaken out in the 4.8 release process before applying it. As such I'm afraid I think it's too late for Hardy.

Revision history for this message
Yann (lostec) wrote :

I understand... maybe it could be in the backports short list after the release? Cause it's really a missing feature a lot of people was expecting for long, especially for an LTS version that targets servers/enterprises (that will live for next 5 years)...

Regards

Revision history for this message
Colin Watson (cjwatson) wrote :

Back to fix committed; I'll be aiming to get this into Intrepid. (What the backports folks do is up to them. :-) )

Changed in openssh:
assignee: nobody → kamion
status: Confirmed → Fix Committed
Revision history for this message
Daniel Hahler (blueyed) wrote :

JFI: there's something on OpenSSH for it since February already.. don't know if it's in a released version though.

See http://undeadly.org/cgi?action=article&sid=20080220110039

Revision history for this message
Daniel Hahler (blueyed) wrote :

Oh, sorry. Missed the point / previous comments - that's exactly it.
Please ignore my previous comment (and this one).

Revision history for this message
Yann (lostec) wrote :

It seems internal sftp-server added to ease chroot suffer from a big missing feature as of 4.8: It is impossible to use sftp logging as with usual external sftp-server.

So open-ssh 5.1 should be considered for Intrepid as logging users is required in many environments (corporate, legal aspects in some countries).

Otherwise I think users will stay with current restricted shell + chroot as usual.

To ease the process, scponly is easy to use but to be able to log sftp users it's version should be upgraded to 4.8, keeping the creation of /chroot_path/dev/null mknod as of current 4.6_ubuntu version as this null device creation is still missing upstream. Automatically adding -a /chroot_path/dev/log to syslogd for chrooted installs should also be a good idea.

On Hardy, compiling from my own scponly 4.8 was the easiest way I found to handle the problem.

Revision history for this message
Yann (lostec) wrote :

See this link for openssh 5.1 and internal chrooted sftp server logging ability added in this version:
https://bugzilla.mindrot.org/show_bug.cgi?id=1488

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (10.9 KiB)

This bug was fixed in the package openssh - 1:5.1p1-1ubuntu1

---------------
openssh (1:5.1p1-1ubuntu1) intrepid; urgency=low

  * Resynchronise with Debian. Remaining changes:
    - Add support for registering ConsoleKit sessions on login.
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests; they
      take up a lot of CD space, and I suspect that rolling them out in
      security updates has covered most affected systems now.

openssh (1:5.1p1-1) unstable; urgency=low

  * New upstream release (closes: #474301). Important changes not previously
    backported to 4.7p1:
    - 4.9/4.9p1 (http://www.openssh.com/txt/release-4.9):
      + Added chroot(2) support for sshd(8), controlled by a new option
        "ChrootDirectory" (closes: #139047, LP: #24777).
      + Linked sftp-server(8) into sshd(8). The internal sftp server is used
        when the command "internal-sftp" is specified in a Subsystem or
        ForceCommand declaration. When used with ChrootDirectory, the
        internal sftp server requires no special configuration of files
        inside the chroot environment.
      + Added a protocol extension method "<email address hidden>" for
        sftp-server(8) to perform POSIX atomic rename() operations; sftp(1)
        prefers this if available (closes: #308561).
      + Removed the fixed limit of 100 file handles in sftp-server(8).
      + ssh(8) will now skip generation of SSH protocol 1 ephemeral server
        keys when in inetd mode and protocol 2 connections are negotiated.
        This speeds up protocol 2 connections to inetd-mode servers that
        also allow Protocol 1.
      + Accept the PermitRootLogin directive in a sshd_config(5) Match
        block. Allows for, e.g. permitting root only from the local network.
      + Reworked sftp(1) argument splitting and escaping to be more
        internally consistent (i.e. between sftp commands) and more
        consistent with sh(1). Please note that this will change the
        interpretation of some quoted strings, especially those with
        embedded backslash escape sequences.
      + Support "Banner=none" in sshd_config(5) to disable sending of a
        pre-login banner (e.g. in a Match block).
      + ssh(1) ProxyCommands are now executed with $SHELL rather than
        /bin/sh.
      + ssh(1)'s ConnectTimeout option is now applied to both the TCP
        connection and the SSH banner exchange (previously it just covered
        the TCP connection). This allows callers of ssh(1) to better detect
        and deal with stuck servers that accept a TCP connection but don't
        progress the protocol, and also makes ConnectTimeout useful for
        connections via a ProxyCommand.
      + scp(1) incorrectly reported "stalled" on slow copies (closes:
        #140828).
      + scp(1) date underflow for timestamps before epoch.
      + ssh(1) used the obsolete SIG DNS RRtype for host keys in DNS,
        instead of the current standard RRSIG.
      + Correctly drain ACKs when a sftp(1) upload write fails midway,
        avoids a fatal() exit from what should be a recoverable condition.
      + Fixed ssh-keygen(1) selective host key hashing (i.e. "ssh...

Changed in openssh:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.