Maybe I focused too much on describing the solution I found to fix the issue
rather than the problem itself. Please find a description of the problem /
symptoms below.

After setting up the rssh chroot environment with the 'mkchroot.sh' script I
tried to log in with 'sftp' and always got 'Connection closed'. I inspected
the logs on the server and noticed the following log entries (each time I
made a login attempt):

<DATE> <HOST> sshd[9324]: Accepted keyboard-interactive/pam for <USER> from <IP> port <PORT> ssh2
<DATE> <HOST> sshd[9328]: (pam_unix) session opened for user <USER> by (uid=0)
<DATE> <HOST> sshd[9328]: subsystem request for sftp
<DATE> <HOST> rssh[9329]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
<DATE> <HOST> sshd[9328]: (pam_unix) session closed for user rssh-erich

No error, no indication what might be wrong. I then googled to see what
might be the reason for this and came across an RSSH FAQ [1] which described
the problem as being related to an incorrectly set up chroot environment.

I then compared the chroot environment created by 'mkchroot.sh' on the lenny
system with the one on the 'squeeze' system and found out that 'mkchroot.sh'
didn't copy the same libraries into the chroot environment. After manually
copying said libraries to the chroot environment it started to work.

Hence, we can conclude that the error 'Connection closed' is caused by a
failure to invoke /usr/lib/rssh/rssh_chroot_helper 2
"/usr/lib/openssh/sftp-server" which is due to missing library dependencies.

[1] http://www.pizzashack.org/rssh/faq.shtml#6



> -----Original Message-----
> From: Russ Allbery [mailto:r...@debian.org] 
> Sent: Thursday, 24 February, 2011 12:39
> To: Erich Liebmann
> Cc: 611...@bugs.debian.org
> Subject: Re: Bug#611878: rssh mkchroot.sh sample script broken
> 
> "Erich Liebmann" <erich.liebm...@gmx.net> writes:
> 
> > As mentioned in my previous email, I got the chroot environment working
> > by manually copying over a number of _required_ libraries.  Please note
> > that "required libraries" in this context refers to libraries required
> > by the chroot environment to work properly and not necessarily (only)
> > the dependencies of the binaries passed to 'ldd' in the 'mkchroot.sh'
> > script. So maybe the 'mkchroot.sh' script simply passes an incomplete
> > list of binaries to 'ldd'?
> 
> In the absence of any sort of error message or clue as to what problem
> you're encountering, it's kind of hard to tell.
> 
> > Would be great if the 'mkchroot.sh' script could copy _all_ required
> > libraries into the chroot environment, hence produce a _working_ chroot
> > environment (as it used to be on lenny).
> 
> Yes, absolutely, that's the goal.
> 
> > Unfortunately, I am unable to suggest or provide a fix since I don't
> > fully understand why 'mkchroot.sh' or 'ldd' do not correctly detect
> > _all_ required libraries on squeeze.
> 
> I don't need you to come up with that, although of course that would be
> great.  But I'd settle for just an explanation of what wasn't working, how
> you found that it wasn't working, and what the symptoms were.  :)
> 
> > I still believe it might have to do with the fact that ssh libraries are
> > already loaded and cached when logging in remotely. Did you log in
> > remotely via ssh to the systems you checked?
> 
> I was really kind of hoping, given that you already had this all set up
> and were encountering a problem, that I could get you to at least send me
> an error message or something.  :)  But sure, I went ahead and set up a
> test environment for a chroot and found one problem: the nss libraries now
> are linked with libnsl, and the current script doesn't find that.
> 
> Once I copied libnsl into the chroot, and I'll fix mkchroot.sh to look for
> that case, scp worked fine with a chroot created by mkchroot.sh.
> 
> If you're having other problems beyond needing that one additional
> library, you're going to have to throw me a bone here and give me at least
> *some* clue about exactly what's failing for you....
> 
> -- 
> Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
> 
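
The following is an added example, not code from this thread or from rssh's mkchroot.sh: it reports files missing from a chroot by running 'ldd' on the NSS modules as well as on the binaries, which is how the libnsl dependency mentioned in the quoted reply shows up. The function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not rssh's mkchroot.sh). Function names are hypothetical.

# Read `ldd` output on stdin; print each absolute library path once.
# Lines such as "linux-vdso.so.1 => (0x...)" or "=> not found" carry no path.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
        LC_ALL=C sort -u
}

# Read absolute paths on stdin; print those that do not exist under chroot $1.
missing_in_chroot() {
    root=$1
    while IFS= read -r lib; do
        [ -e "$root$lib" ] || printf '%s\n' "$lib"
    done
}

# audit_chroot ROOT FILE...: FILEs are absolute paths of trusted system
# binaries and of the NSS modules glibc loads at run time. ldd on a binary
# does not list those modules, so their own dependencies (libnsl in this
# thread) are only found by running ldd on the modules themselves.
audit_chroot() {
    root=$1
    shift
    for f in "$@"; do
        printf '%s\n' "$f"            # the file itself must exist in the chroot
        ldd "$f" 2>/dev/null || true  # static or non-ELF files list nothing
    done | ldd_paths | missing_in_chroot "$root"
}

# Usage (paths are assumptions; adjust to the system):
#   audit_chroot /srv/chroot /usr/lib/rssh/rssh_chroot_helper \
#       /usr/lib/openssh/sftp-server /lib/libnss_files.so.2
if [ "$#" -ge 2 ]; then
    audit_chroot "$@"
fi
```

An empty result means every listed file and every library 'ldd' resolves for it is present under the chroot root.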



