openssh 3.9-1 + chroot - was Re: [WBEL-users] How to uninstall an rpm package which has dependencies?

Jean Lee jean.lee@free.fr
Mon, 15 Nov 2004 09:55:17 +0100


Hi bishop,

Thank you for your answer. It was not the setup of the home directory 
because ssh (which works with bash) works fine. It was only sftp which 
had a problem finding a library.

As I didn't find the answer, I tried with Jail which is a binary that 
chroots a user during the login (and is not ssh dependent). I had the 
same problem. ssh worked fine but sftp didn't want to start.
To import a binary into a chrooted environment, we have to copy the 
binary then run ldd on this binary to find the correct libraries to 
import.
Well, for sftp, I have to import the sftp-server binary then the 
associated libraries and I'm sure that I've done it correctly with your 
Openssh version and Jail.
The problem is that we need to import another library which is 
/etc/ld.so.cache and which is not returned by the ldd function. I found 
it on the Jail mailing list. I don't know what this library provides but 
now, it works fine with Jail. I didn't have the time to test this 
solution with your Openssh version but I'm quite sure that this was the 
same problem and that it should work with this library 
(/etc/ld.so.cache). If I have the time, I will try soon.

Thanks a lot for all your help. It was really a good job and without 
you, I wouldn't have succeeded so fast. I have another question (if you 
have the time) for my experience:

How did you start from the official Openssh tarball 
(Openssh-3.9p1.tar.gz) and the chroot patch (osshChroot-3.9p1.diff) to 
recreate the patched srpms (Openssh-3.9p1-1chroot.src.rpm) which can 
give the patched rpms? You made it so fast..... It is very interesting : 
Can you give me the general steps that you followed ? I would like to be 
able to do it by myself.

Thank you one more time.

Jean

bishop wrote:

> Jean,
>
> Do you do the setup on the sftp-server shell?  I thought that one does 
> it on the user's homedir:
>
>     moduser -d /home/bishop/./
>
> No?
>
> If 'path-to-chroot' is, for example, /var/chroot/, then did you mkdir 
> -p /var/chroot/usr/kerberos/lib and cp -a 
> /usr/kerberos/lib/{some,libs} to /var/chroot/usr/kerberos/lib ?  I 
> think that is what you have to do.
>
> Unfortunately, I don't have any experience with that software;  I just 
> know how to package it.  :-)  Like I said, I use scponly(.sf.net) for 
> my login shells, and it provides just enough security.
>
>  - bish
>
> Jean Lee wrote:
>
>> Hi bishop,
>>
>> OK I tried your rpms. The installation is OK and I succeeded in creating 
>> a jail which works for ssh.
>> I followed the manual which is available here :
>>
>> http://www.netadmintools.com/art294.html
>>
>> The problem is that it doesn't work with sftp-server.
>>
>>
>> During the creation of the chroot environment, I made a copy of  
>> /usr/libexec/openssh/sftp-server to 
>> "path-to-chroot"/./usr/libexec/openssh/sftp-server
>> then :
>> cd "path-to-chroot"/./usr/libexec/openssh/
>> ldd sftp-server
>>
>> The output gives some libraries which I copied into the correct folders.
>>
>> When I tried : sftp jean@ServeurLinux
>> I am asked for a password and then I have an error telling me that a 
>> library related to kerberos is not found.
>> I verified and this library is at the place which is given by ldd 
>> (+the "path-to-chroot")......
>>
>> It is related to this kerberos library because I tried to suppress 
>> libz.so.1 (which is also needed by sftp-server) and the error message 
>> was then that it didn't find libz.so.1. I suppose, then, that when this 
>> library is well placed, sftp-server can find it.
>>
>> Do you have any idea why sftp-server doesn't find this kerberos 
>> library ?
>>
>> Thank you for your support.
>>
>> Jean
>>
>> bishop wrote:
>>
>>>
>>> Hey Jean,
>>>
>>> The SRPM (Source RPM) contains the necessary code to build RPMs.  
>>> It's really just a cpio of the tar.gz, some diffs and a build script 
>>> (.spec).
>>>
>>> Building the RPMs is done with
>>>     rpm -i openssh.src.rpm
>>>     rpmbuild -ba openssh.spec
>>>
>>> Here's the current patch for the spec file to integrate the chroot 
>>> diff:
>>>
>>>> --- /home/bishop/RPM/SPECS/openssh.spec~        2004-11-09 
>>>> 03:35:49.000000000 -0800
>>>> +++ /home/bishop/RPM/SPECS/openssh.spec 2004-11-09 
>>>> 10:15:59.000000000 -0800
>>>> @@ -86,7 +86,7 @@
>>>>  %if %{rescue}
>>>>  Release: %{rel}rescue
>>>>  %else
>>>> -Release: %{rel}
>>>> +Release: %{rel}%{?_with_chroot:chroot}
>>>>  %endif
>>>>  URL: http://www.openssh.com/portable.html
>>>>  Source0: 
>>>> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz 
>>>>
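Review bot: in the Release hunk only the `%else` branch gets the `%{?_with_chroot:chroot}` suffix, so a build with both rescue and chroot enabled is still released as `%{rel}rescue` and cannot be told apart from an unpatched rescue build by its release string. If that combination is meant to be supported, append the same suffix on the `Release: %{rel}rescue` line, otherwise state in the spec that the two options are exclusive.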
>>>> @@ -98,6 +98,7 @@
>>>>  Patch4: openssh-3.9p1-skip-initial.patch
>>>>  Patch11: 
>>>> http://www.sxw.org.uk/computing/patches/openssh-3.6.1p2-gssapi-20030430.diff 
>>>>
>>>>  Patch12: openssh-selinux.patch
>>>> +Patch15: 
>>>> http://chrootssh.sourceforge.net/download/osshChroot-3.6.1.diff
>>>>  License: BSD
>>>>  Group: Applications/Internet
>>>>  BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
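Review bot: the added Patch15 line names osshChroot-3.6.1.diff, while the neighbouring Patch4 is named for 3.9p1 and this thread is about building 3.9p1 with osshChroot-3.9p1.diff. Confirm which diff is actually in SOURCES and make the Patch15 line name it, otherwise `%patch15 -p1` is applied to a source tree it may not have been written for.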
>>>> @@ -150,6 +150,7 @@
>>>>  %if ! %{build6x}
>>>>  Requires: /etc/pam.d/system-auth
>>>>  %endif
>>>> +%{?_with_chroot:Provides: ssh-server-chroot}
>>>>
>>>>  %package askpass
>>>>  Summary: A passphrase dialog for OpenSSH and X.
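Review bot: the header `@@ -150,6 +150,7 @@` gives the same start line on both sides although the previous hunk already added a line, and the following hunk's `+227` also accounts for only one added line, so this hunk looks hand-inserted into the diff. Regenerate the patch with `diff -u` against the two spec files so the offsets are consistent and it applies without relying on fuzz.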
>>>> @@ -226,6 +227,10 @@
>>>>  %patch12 -p1 -b .selinux
>>>>  %endif
>>>>
>>>> +%if %{?_with_chroot:1}%{?!_with_chroot:0}%{?commentish:These 
>>>> constructs suck}
>>>> +%patch15 -p1 -b .chroot
>>>> +%endif
>>>> +
>>>>  %build
>>>>  CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
>>>>  %if %{rescue}
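Review bot: the new `%if` line carries its comment inside a macro, `%{?commentish:These constructs suck}`, which only expands to nothing as long as nobody defines `commentish`; if it were defined, the condition would no longer be a bare 1 or 0. Put the remark on a `#` line above the conditional and reduce the test to `%if 0%{?_with_chroot:1}`.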
>>>
>>> (yes, I hate line 89 too)
>>>
>>> Okay, I'm in my meeting now, so I can't test/examine the RPMs at 
>>> all, but if you want to test something, grab these:
>>>
>>>> Wrote: 
>>>> /home/bishop/public_html/apt/i386/wb30/SRPMS.extras/openssh-3.9p1-1chroot.src.rpm 
>>>>
>>>> Wrote: 
>>>> /home/bishop/public_html/apt/i386/wb30/RPMS.extras/openssh-3.9p1-1chroot.i386.rpm 
>>>>
>>>> Wrote: 
>>>> /home/bishop/public_html/apt/i386/wb30/RPMS.extras/openssh-clients-3.9p1-1chroot.i386.rpm 
>>>>
>>>> Wrote: 
>>>> /home/bishop/public_html/apt/i386/wb30/RPMS.extras/openssh-server-3.9p1-1chroot.i386.rpm 
>>>>
>>>> Wrote: 
>>>> /home/bishop/public_html/apt/i386/wb30/RPMS.extras/openssh-askpass-3.9p1-1chroot.i386.rpm 
>>>>
>>>> Wrote: 
>>>> /home/bishop/public_html/apt/i386/wb30/RPMS.extras/openssh-askpass-gnome-3.9p1-1chroot.i386.rpm 
>>>>
>>>
>>> They may work.  I have them here (but get the right ones!) :
>>>
>>> http://apt.platypus.bc.ca/~bishop/apt/i386/wb30/RPMS.extras/
>>> http://apt.platypus.bc.ca/~bishop/apt/i386/wb30/SRPMS.extras/
>>>
>>> I'll examine the RPM later today, as I mentioned.
>>>
>>> To examine all the changes I've made to the SRPMS:
>>>     install one SRPM
>>>     move the dirname away (`mv RPM{,1}`)
>>>     install the other SRPM
>>>     compare them:
>>>         diff -uNr --exclude-from=openssh3.*gz RPM{1,}
>>>
>>> I can send these diffs to you if you are interested.
>>>
>>>  - bish
>>>
>>> Jean Lee wrote:
>>>
>>>> Well, I really made something wrong.
>>>>
>>>> I was on the openssh website and didn't find the tar.gz files for 
>>>> openssh-client, openssh-server, openssh-askpass and 
>>>> openssh-askpass-gnome. :) sorry, I'm a newbie.
>>>> Bishop, how did you produce these files ? Is it something 
>>>> with this srpms file?
>>>> If the rpm files are produced by the srpms one. How can I apply a 
>>>> patch to the tar.gz file and then create the srpms file from this 
>>>> patched tar.gz file and then finally obtain my rpm files?
>>>>
>>>> What do I have installed  (Installation explained in my previous 
>>>> mail)?
>>>>
>>>> Thank you for your answers because I think that I'm a bit lost.
>>>>
>>>> Jean
>>>>
>>>> Jean Lee wrote:
>>>>
>>>>> Thanks to all of you for your great help.
>>>>> This mail is just to give a back and keep a trace,
>>>>>
>>>>> I have created an rpm of the patched openssh 
>>>>> (openssh-3.9p1-chroot.tar.gz) with the checkinstall binary. I 
>>>>> called it openssh-3.9p1-1.i386.rpm and checkinstall automatically 
>>>>> installed it.
>>>>> I didn't do a  'yum remove openssh-3.6.1p2' because I didn't want 
>>>>> to break some dependencies.
>>>>>
>>>>> When I type 'rpm -q openssh', I have a good return : openssh-3.9p1-1
>>>>> but if I try to erase it 'rpm -e openssh', I have the following 
>>>>> return :
>>>>>
>>>>> error: Failed dependencies :
>>>>>    openssh = 3.6.1p2-33.30.1 is needed by (installed) 
>>>>> openssh-askpass-3.6.1p2-33.30.1
>>>>>    openssh = 3.6.1p2-33.30.1 is needed by (installed) 
>>>>> openssh-askpass-gnome-3.6.1p2-33.30.1
>>>>>    openssh = 3.6.1p2-33.30.1 is needed by (installed) 
>>>>> openssh-client-3.6.1p2-33.30.1
>>>>>    openssh = 3.6.1p2-33.30.1 is needed by (installed) 
>>>>> openssh-server-3.6.1p2-33.30.1
>>>>>
>>>>> Another thing : If I type 'whereis sshd', the return is :
>>>>> /usr/sbin/sshd and /usr/local/sbin/sshd .
>>>>> It doesn't seem to be very good..
>>>>>
>>>>> I will try now to upgrade these 4 tools with standard 
>>>>> openssh-3.9p1 and see what will come.....
>>>>>
>>>>> Jean
>>>>>
>>>>> Randy Kelsoe wrote:
>>>>>
>>>>>> Jean Lee wrote:
>>>>>>
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I think that what I want is not so hard but I really don't know 
>>>>>>> how to do it.
>>>>>>>
>>>>>>> My problem is that I want to uninstall openssh-3.6.1p2 which is 
>>>>>>> installed as an rpm package and then install 
>>>>>>> openssh-3.9p1-chroot which is a tarball (it is a patched version 
>>>>>>> of  Openssh-3.9p1 with added chroot functionality).
>>>>>>
>>>>>> As I suggested in a previous thread of yours, get the 
>>>>>> checkinstall package and install it. Then you can untar the 
>>>>>> openssh-3.9p1-chroot package, do your './configure', then 'make' 
>>>>>> and then instead of doing your normal 'make install', run 
>>>>>> 'checkinstall' which will create and install an RPM package for 
>>>>>> you. That way, if you have problems with the new package, you can 
>>>>>> remove it with the 'rpm -e' command. When you need to upgrade the 
>>>>>> package, it will be a lot easier to let rpm do the upgrade and 
>>>>>> keep track of the files.
>>>>>>
>>>>>>>
>>>>>>> Well, I tried first to uninstall openssh-3.6.1p2 with :
>>>>>>> rpm -e openssh
>>>>>>> and this command failed due to dependencies to other packages : 
>>>>>>> openssh-server, openssh-client, netdump and a few others related 
>>>>>>> to openssh...
>>>>>>>
>>>>>>> I'm sure that I am doing something wrong. Perhaps that I can 
>>>>>>> firstly uninstall the packages related to openssh but the one 
>>>>>>> with netdump is probably not recommended.. Moreover, I tried to 
>>>>>>> uninstall openssh-server and it failed due to a dependency to 
>>>>>>> netdump-server.
>>>>>>>
>>>>>>> What is the right way? Do I really have to uninstall every 
>>>>>>> package which has a dependency before uninstalling openssh or is 
>>>>>>> there another way which ensures that nothing will be broken?
>>>>>>
>>>>>> In your case, I would recommend trying the checkinstall method 
>>>>>> above first. If you really want to get rid of the dependencies, 
>>>>>> you can rpm -e more than one package at a time:
>>>>>>
>>>>>>    rpm -e openssh openssh-server openssh-client netdump
>>>>>>
>>>>>> yum is also handy for this:
>>>>>>
>>>>>>    yum remove packagename
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Thanks for any help,
>>>>>>>
>>>>>>> Jean
>>>>>>
>>>>>>
>>>>>>
>>>
>>>
>>
>
>
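
The chroot population steps described in this thread (copy the binary, run ldd on it, copy the listed libraries, then add /etc/ld.so.cache), as an added example that is not part of the original messages. The function names and the sample ldd output are constructed for illustration; /etc/ld.so.cache is the dynamic linker's lookup cache built by ldconfig, which is how libraries outside the default directories are located.

```shell
#!/bin/sh
# Added example (not from the thread): fill a chroot jail with a binary,
# the libraries ldd reports for it, and /etc/ld.so.cache.
# Run ldd only on binaries you trust: ldd(1) notes it may execute them.
# Usage: populate_jail /var/chroot /usr/libexec/openssh/sftp-server

# Constructed ldd output, used to exercise the parsers offline.
SAMPLE_LDD='    libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x00b1c000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00a3d000)
    libc.so.6 => /lib/tls/libc.so.6 (0x00701000)
    /lib/ld-linux.so.2 (0x006e8000)
    linux-gate.so.1 =>  (0xffffe000)
    libfoo.so.1 => not found'

# Print the absolute paths named in ldd output read from stdin.
# Covers "name => /path (addr)" and the bare loader line "/path (addr)";
# entries with no path (virtual DSOs, "not found") are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' | LC_ALL=C sort -u
}

# Print the names ldd could not resolve on the host.
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" { print $1 }'
}

# jail_copy <jail> <abs-path>: copy a file to the same path under the jail.
# -L copies the real file when the library name is a symlink.
jail_copy() {
    mkdir -p "$1$(dirname "$2")" && cp -pL "$2" "$1$2"
}

# populate_jail <jail> <binary>
populate_jail() {
    ldd_out=$(ldd "$2") || return 1
    missing=$(printf '%s\n' "$ldd_out" | ldd_missing)
    if [ -n "$missing" ]; then
        echo "unresolved on host: $missing" >&2
        return 1
    fi
    jail_copy "$1" "$2" || return 1
    # Library paths are assumed to contain no whitespace.
    for lib in $(printf '%s\n' "$ldd_out" | ldd_paths); do
        jail_copy "$1" "$lib" || return 1
    done
    # Not listed by ldd: the dynamic linker's lookup cache (built by ldconfig).
    if [ -f /etc/ld.so.cache ]; then jail_copy "$1" /etc/ld.so.cache; fi
}
```

Files copied into the jail should stay owned by root and not writable by the jailed account, so the user cannot replace a library that sftp-server loads.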