internal-sftp stuck on 'ls' with chrootdirectory

Brian Rosenberger brian at brutex.de
Wed Mar 19 18:25:31 EST 2014


Hi Damien,

Actually I am connecting mysql via IP, so I assume it is not the connection
causing the problem, but maybe some dependencies issues. I have to say that
on another linux box (same configuration but older debian version) the
chroot setup including libnss-mysql does work. So I am missing something
else here.

Cheers
Brian

-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Tuesday, 18 March 2014 22:16
To: Brian Rosenberger
Cc: openssh-unix-dev at mindrot.org
Subject: Re: internal-sftp stuck on 'ls' with chrootdirectory

On Mon, 17 Mar 2014, Brian Rosenberger wrote:

> Hi all,
> 
> I am using Match directive and internal-sftp to chroot sftp users into 
> their directory. Connection and login works. I can change directories 
> and put/get files. Also logging of the internal sftp-process works 
> (created a /dev/log socket inside the chroot). As soon as I use the 
> 'ls' command, nothing happens and the process gets stuck. Listing 
> files does work as soon as I remove the chrootdirectory directive.
...

> I am using PAM with libnss-mysql.

This is likely the problem - the chrooted process is probably trying to
connect to your MySQL server and failing. You could either arrange for MySQL
to listen at the path it is expecting inside the chroot or see if you can
trick nss-mysql into giving up by creating a stale socket at the path it is
expecting.

The first approach would give you correct usernames for 'ls -l' at the cost
of potentially exposing sensitive data inside the chroot. The latter loses
usernames but keeps the chroot clean.

(all assuming this is indeed the problem)

-d
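A small diagnostic in the spirit of Damien's explanation, added here and not part of the thread or of OpenSSH: it parses the nsswitch.conf inside a ChrootDirectory tree, reports which NSS databases route through the mysql module, and classifies the MySQL unix socket path as seen from inside the chroot (missing, stale or live). The socket path /var/run/mysqld/mysqld.sock is an assumed Debian default, and demo() builds a constructed chroot with a stale socket rather than touching a real one.

```python
import socket
import tempfile
from pathlib import Path

NSS_DATABASES = ("passwd", "group")  # the lookups 'ls -l' triggers via getpwuid/getgrgid


def nss_sources(nsswitch_text):
    """Parse nsswitch.conf text into {database: [source, ...]}, dropping [action] tokens."""
    sources = {}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return sources


def socket_state(path):
    """Classify a unix socket path: 'missing', 'not-a-socket', 'stale' (nobody listening) or 'live'."""
    p = Path(path)
    if not p.exists():
        return "missing"
    if not p.is_socket():
        return "not-a-socket"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(2.0)
    try:
        s.connect(str(p))
        return "live"
    except (ConnectionRefusedError, socket.timeout):
        return "stale"
    finally:
        s.close()


def chroot_nss_report(chroot, mysql_socket="/var/run/mysqld/mysqld.sock"):
    """Report what a chrooted NSS lookup would find; mysql_socket is an assumed default path."""
    root = Path(chroot)
    nsswitch = root / "etc" / "nsswitch.conf"
    srcs = nss_sources(nsswitch.read_text()) if nsswitch.is_file() else {}
    return {
        "nsswitch_present": nsswitch.is_file(),
        "databases_using_mysql": [db for db in NSS_DATABASES if "mysql" in srcs.get(db, [])],
        "mysql_socket": socket_state(root / mysql_socket.lstrip("/")),
    }


def demo():
    """Constructed chroot: nsswitch routes passwd/group through mysql, socket file is stale."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "nsswitch.conf").write_text("passwd: files mysql\ngroup: files mysql\nhosts: files dns\n")
        sock_path = root / "var/run/mysqld/mysqld.sock"
        sock_path.parent.mkdir(parents=True)
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(str(sock_path))
        s.close()  # the file remains but nobody listens: the 'stale socket' case
        return chroot_nss_report(root)
```

Run chroot_nss_report against the real ChrootDirectory path: "missing" means the module will try a path that does not exist (the hang reported above), "stale" gives a quick refusal and numeric ids in 'ls -l', "live" gives names at the cost of a database socket inside the chroot.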
