From owner-FreeBSD-users-jp@jp.FreeBSD.org Thu May 19 16:13:11 2011
Received: (from daemon@localhost)
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) id p4J7DBt93292;
	Thu, 19 May 2011 16:13:11 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from blackpearl.kawasaki3.org (moto-1-pt.tunnel.tserv3.fmt2.ipv6.he.net [2001:470:1f04:f28::2])
	by castle.jp.FreeBSD.org (8.11.6p2+3.4W/8.11.3) with ESMTP/inet6 id p4J7D9Y93284
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Thu, 19 May 2011 16:13:10 +0900 (JST)
	(envelope-from moto@kawasaki3.org)
Received: from localhost (unknown [113.157.198.194])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	(Authenticated sender: moto)
	by blackpearl.kawasaki3.org (Postfix) with ESMTPSA id 926E88173
	for <FreeBSD-users-jp@jp.FreeBSD.org>; Thu, 19 May 2011 16:13:07 +0900 (JST)
Message-Id: <20110519.161348.00796424.moto@kawasaki3.org>
To: FreeBSD-users-jp@jp.FreeBSD.org
From: moto kawasaki <moto@kawasaki3.org>
X-Mailer: Mew version 6.3 on Emacs 22.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Reply-To: FreeBSD-users-jp@jp.FreeBSD.org
Precedence: list
Date: Thu, 19 May 2011 16:13:48 +0900
X-Sequence: FreeBSD-users-jp 93433
Subject: [FreeBSD-users-jp 93433] Q: /dev/tty ownership with OpenSSH ChrootDirectory
Sender: owner-FreeBSD-users-jp@jp.FreeBSD.org
X-Originator: moto@kawasaki3.org
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+060209


My name is Kawasaki.
Sorry to lean on the ML when I'm stuck, but I'd appreciate your help. Apologies for
the length; I have summarized [What I want to know] at the bottom.

[$BGX7J(B]
$B$"$k%N!<%I(B A $B$K(B ssh $B$G%m%0%$%s$7$F!"$3$3$+$i$5$i$K(B ssh $B$GJL$N%N!<%I$X(B
$B%m%0%$%s$9$k$h$&$K$7$F$$$^$9!#$$$o$f$kF'$_Bf%5!<%P$G!"$3$3$^$G$OLdBj$J(B
$B$/F0:n$7$F$$$^$9!#(B($BEv$?$jA0$G$9$,(B)
$B:#!"%N!<%I(B A $B$rF'$_Bf$H$7$F;H$&$@$1$N%f!<%6$K$D$$$F!"(BOpenSSH $B$N(B
ChrootDirectory $B$N5!G=$r;H$C$F!"%N!<%I(B A $B$N%G%#%l%/%H%j%D%j!<$X$N%"%/(B
$B%;%9$r@)8B$7$?$$$b$N$H;W$C$F!"@_Dj$r;n$7$F$$$^$9!#(B
$B4D6-$O0J2<$NDL$j$G$9!#(B
  FreeBSD 8.2-RELEASE-p1 i386
  OpenSSH_5.2p1 FreeBSD-openssh-portable-5.2.p1_3,1, OpenSSL 1.0.0d 8 Feb 2011
  (installed recently from ports security/openssh-portable)

[What I did]
To make user user1 on node A subject to ChrootDirectory, I added the following
to /usr/local/etc/ssh/sshd_config.

    Match User user1
      ChrootDirectory /home/user1
      AllowTcpForwarding no
      X11Forwarding no

In addition, I prepared in user1's home directory (/home/user1) the set of files
that seemed necessary. I copied rather generously, intending to delete the
unneeded files once it works. Also, /home/user1 and /usr/home/user1 may look
as if they are mixed together, but because of the symbolic link
(/home@ -> usr/home) they are actually the same thing.

    # cd /home/user1
    # chown root:wheel .
    # cp -pr /bin /sbin /lib /libexec /etc /tmp .
    # mkdir usr
    # cp -pr /usr/bin /usr/sbin /usr/lib /usr/libexec usr
    # mkdir dev
    # mount -t devfs devfs /usr/home/user1/
    # mkdir -p home/user1
    # chown user1:group1 home/user1

$B$3$N(B user1 $B$N(B /usr/home/user1/etc/passwd $B$N9T$O<!$NDL$j$G$9!#(B
    user1:*:10000:10000:User &:/home/user1:/bin/tcsh
$B$D$$$G$K(B /usr/home/user1/etc/group $B$K$O(B group1 $B$,$"$j$^$9!#(B
    group1:*:10000:
ChrootDirectory $B$N30B&$G$O!"(Buser1 $B$O(B LDAP $B>e$K%(%s%H%j$,$"$C$F(B
/etc/passwd $B$J$I$K$O%(%s%H%j$,$"$j$^$;$s$,(B `id user1` $B$d(B `finger
user1` $B$G>pJs$rI=<($G$-$F$$$^$9!#(B
$BFbB&$G$b(B /var/run/utmp $B$r(B /usr/home/var/run/utmp $B$K%3%T!<$9$l$P(B id $B$d(B
finger $B$,@5$7$$Ez$($rJV$7$^$9!#(B

With this, I can log in to node A as user1 and run the commands under
(/usr/home/kawasaki)/bin and so on. (I haven't tried all of them.)

[What I'm having trouble with]
However, in this state, when I try as user1 on node A to log in further to
another node B using /usr/bin/ssh (the one that originally came with FreeBSD,
just to be clear), the error below comes out and it doesn't work.

  nodeA-user1-tcsh> ssh -vvv another.node.example.jp
              ($BCfN,(B)
  debug1: read_passphrase: can't open /dev/tty: Permission denied
  Host key verification failed.

At this time, (/usr/home/user1)/dev/tty is indeed not readable or writable by
user1.
  > ls -l /dev/tty
  crw--w----  1 root  tty    0,  93 May 19 15:58 /dev/tty

ChrootDirectory $B$N@_Dj$rF~$l$J$1$l$P!"(B/dev/tty $B$N%*!<%J!<$,(B user1 $B$K$J$C(B
$B$F$$$k$N$G!"$=$N>uBV$G$"$l$P%N!<%I(B A $B$+$i$N(B ssh $B$,@.8y$7$^$9!#(B

[What I tried]
I tried using devfs to make user1 the owner of /usr/home/user1/dev/tty, and to
set its mode to 0666, but

  seen from outside the ChrootDirectory, the owner and mode become as
  specified, whereas seen from inside (user1) it remains root:tty 0640.

which is a somewhat mysterious situation.

[What I want to know]
What should I do so that user1 inside the ChrootDirectory can read and write
/dev/tty?
Alternatively, if there is another way to build this kind of "jump host",
please let me know.



Thank you in advance.

-- 
moto kawasaki <moto@kawasaki3.org>
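A FreeBSD admin working through the question above would typically want to drive the chroot's own devfs instance from a devfs(8) ruleset and to check the mode bits shown in the post's `ls -l` line mechanically. The following shell is an added example, not code from the original post; the ruleset name and number are assumptions.

```shell
# Added example, not from the original post. Two helpers for debugging the
# chroot's own devfs instance on FreeBSD: render_rules emits a devfs.rules(5)
# stanza for the chroot mount (hide everything, then expose a few nodes with an
# explicit owner/group/mode), and can_open_rw reads an `ls -l` line like the
# one in the post and reports whether a given user could open it read-write.
# Assumptions not on the page: ruleset name "chrootdev" and number 20.
CHROOT_DEV=/usr/home/user1/dev   # the devfs mount point from the post
RULESET_NAME=chrootdev           # assumed
RULESET_NUM=20                   # assumed; any unused ruleset number works

render_rules() {
  cat <<EOF
[${RULESET_NAME}=${RULESET_NUM}]
add hide
add path null unhide mode 0666
add path zero unhide mode 0666
add path random unhide mode 0444
add path urandom unhide mode 0444
add path tty unhide user root group tty mode 0666
EOF
}

# Load the stanza into the ruleset and apply it to the chroot's devfs mount.
# Needs root on FreeBSD; not called here. To persist, put the stanza in
# /etc/devfs.rules and set devfs_set_rulesets="$CHROOT_DEV=$RULESET_NAME"
# in /etc/rc.conf.
apply_rules() {
  render_rules | while read -r line; do
    case "$line" in
      \[*\]) ;;                                  # skip the stanza header
      *) devfs rule -s "$RULESET_NUM" $line ;;   # word-splitting is intended
    esac
  done
  devfs -m "$CHROOT_DEV" rule -s "$RULESET_NUM" applyset
}

# can_open_rw LS_LINE USER GROUP: succeed if USER (primary group GROUP) could
# open the node read-write, judged from the mode bits, owner and group columns
# only; supplementary group membership (e.g. in tty) is not considered.
can_open_rw() {
  user=$2; group=$3
  set -- $1                        # split the ls -l line into fields
  perms=$1; owner=$3; grp=$4
  if [ "$user" = "$owner" ]; then bits=$(printf %s "$perms" | cut -c2-3)
  elif [ "$group" = "$grp" ]; then bits=$(printf %s "$perms" | cut -c5-6)
  else bits=$(printf %s "$perms" | cut -c8-9)
  fi
  [ "$bits" = "rw" ]
}
```

Run `can_open_rw` against the `crw--w----  1 root  tty ...` line from the post with `user1 group1` and it fails, which is the same verdict the kernel gave the ssh client.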


