Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libpam-chroot

[ Reason ]
This version includes fixes to build the package properly, including:
- Installing the PAM module in the correct location (#980047)
- Supporting cross building of source (949080)
- Document that libpam-chroot is not recommended to be used with OpenSSH as it
  is difficult to set up and there are better alternatives (527564)

[ Impact ]
Users cannot use the package as it is as the pam_chroot library is not
installed in the correct location.

Users trying to follow the instructions in the README file to set up OpenSSH
will end up with a non-working setup.

If the unblock is not granted this is not, however, a major issue as not many
users use this package and chroot functionalities are, in general, not that
much used anymore as people have in general now moved to containers.

[ Tests ]
Tested locally on the developer's machine.

[ Risks ]
Very low risk changes introduced in the package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing


unblock libpam-chroot/0.9-5


Thank you for your support,

Javier
diff -u libpam-chroot-0.9/Makefile libpam-chroot-0.9/Makefile
--- libpam-chroot-0.9/Makefile
+++ libpam-chroot-0.9/Makefile
@@ -5,6 +5,8 @@
 CPPFLAGS=-I.
 LDFLAGS=-shared
 DESTDIR=/
+LIBDIR=$(DESTDIR)/lib/security
+INSTALL?=install
 
 OUT=pam_chroot.so
 CONF=chroot.conf
@@ -20,3 +22,3 @@
 install:
-       install -s -o0 -g0 -m755 $(OUT) $(DESTDIR)/lib/security
+       $(INSTALL) -s -o0 -g0 -m755 $(OUT) $(LIBDIR)
        install -m640 $(CONF) $(DESTDIR)/etc/security
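Review bot: in the install target only the first command goes through $(INSTALL); the next line still calls `install -m640 $(CONF) $(DESTDIR)/etc/security` directly, so an overridden INSTALL applies to the module but not to chroot.conf. Use $(INSTALL) on both lines. The `-s` flag also stays hard-coded, which is why debian/rules has to pass INSTALL="install --strip-program=true" to neutralise it; dropping `-s` from the Makefile, or moving it into its own overridable variable, would make the intent clearer.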
diff -u libpam-chroot-0.9/debian/README.Debian 
libpam-chroot-0.9/debian/README.Debian
--- libpam-chroot-0.9/debian/README.Debian
+++ libpam-chroot-0.9/debian/README.Debian
@@ -73,15 +73,22 @@
 Setting up OpenSSH with libpam-chroot
 -------------------------------------
 
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 NOTE: OpenSSH supports, since the 4.9 release, the definition of
 chrooted enviroments. For more information see the 'ChrootDirectory'
-directive in sshd_config (5).
+directive in sshd_config (5). 
+
+Setting up OpenSSH libpam-chroot is *not* recommended and most likely will not
+work. The following information is provided for those users that want to tinker
+with pam-chroot and SSH.
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 
 Many systems want to setup a restricted remote access to a system in
 which users are confined to their user directories, but are unable to
-"see" the whole system. If you want to develop this using OpenSSH you
-will need to:
+"see" the whole system. If you want to develop this using OpenSSH 
+and libpam-chroot you will need to:
 
 0) Setup a chroot environment for your users. Make sure that
 environment includes the standard tools they will need (like their
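Review bot: the added sentence "Setting up OpenSSH libpam-chroot is *not* recommended" is missing "with" after "OpenSSH", and the hunk introduces trailing whitespace after "sshd_config (5)." and after "using OpenSSH". The recommendation itself would read more clearly if the warning named the alternative directly, for example by stating inside the banner that ChrootDirectory in sshd_config is the supported way to confine SSH users, instead of leaving the older NOTE and the new paragraph as two separate statements.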
@@ -147,7 +154,29 @@
 pam-chroot at all.
 
+4) In order for chroots to work with newer OpenSSH versions the chroot
+directory of a user needs to include both the /proc filesystem and
+the /dev/pts
+
+    - If /proc is not mounted in the chroot, SSH access will be interrupted
+      with the message:
+
+      Connection reset by peer
+      Connection to <server-ip> closed.
+
+      To mount /proc do the following:
+      mount -t proc /proc <chroot_directory>/proc
+
+    - If /dev/pts is not mounted, the SSH login will freeze after
+      authentication with the message:
+
+     PTY allocation request failed on channel 0
+
+      To mount /dev do the following:
+      mount --rbind /dev <chroot_directory>/dev
+
+
  --
  Javier Fernandez-Sanguino <j...@debian.org>
- Wed, 27 Oct 2010 02:01:26 +0200
+ Thu, 03 Jun 2021 13:26:58 +0200
 
 
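Review bot: step 4 says the chroot needs /dev/pts, but the suggested command `mount --rbind /dev <chroot_directory>/dev` recursively binds the whole host /dev tree into the chroot, so every host device node becomes reachable from inside the confined environment. Mounting only a devpts instance on <chroot_directory>/dev/pts would match what the text asks for and keep the chroot narrower. Mounting /proc likewise exposes host process information inside the chroot, which deserves a sentence in a section about confining users. The step's first sentence also stops at "the /dev/pts" without finishing, and the heading before the second command says "To mount /dev" while the bullet is about /dev/pts.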
diff -u libpam-chroot-0.9/debian/changelog libpam-chroot-0.9/debian/changelog
--- libpam-chroot-0.9/debian/changelog
+++ libpam-chroot-0.9/debian/changelog
@@ -1,3 +1,19 @@
+libpam-chroot (0.9-5) unstable; urgency=high
+
+  * debian/rules: Install the PAM module in the right location 
+    (Closes: #980047)
+  * Fix FTCBFS: (Closes: #949080, #437385)
+    + Let dh_auto_build pass cross tools to make.
+    + Make install substitutable.
+    + Pass a non-stripping install to make install.
+    Thanks Helmut Grohne for the patch
+  * debian/README.Debian: discourage users from using this module with
+    OpenSSH as this feature is available already in the daemon (see option
+    ChrootDirectory) and the setup might not work due to changes in OpenSSH
+    (Closes: #527564)
+
+ -- Javier Fernandez-Sanguino Pen~a <j...@debian.org>  Thu, 03 Jun 2021 
12:57:43 +0200
+
 libpam-chroot (0.9-4.3) unstable; urgency=medium
 
   * Non-maintainer upload.
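Review bot: the 0.9-5 entry does not mention the new step 4 in debian/README.Debian (the /proc and /dev/pts mount instructions) or the removal of lib/security from debian/dirs, while the request's checklist states that all changes are documented in d/changelog. Add a line for each. The entry also closes #437385, which the [ Reason ] list in the request does not mention, and uses urgency=high although the request describes a missed unblock as not a major issue; a short justification for both would help the release team.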
diff -u libpam-chroot-0.9/debian/dirs libpam-chroot-0.9/debian/dirs
--- libpam-chroot-0.9/debian/dirs
+++ libpam-chroot-0.9/debian/dirs
@@ -1,2 +1 @@
 etc/security
-lib/security
diff -u libpam-chroot-0.9/debian/rules libpam-chroot-0.9/debian/rules
--- libpam-chroot-0.9/debian/rules
+++ libpam-chroot-0.9/debian/rules
@@ -8,13 +8,16 @@
 # This is the debhelper compatability version to use.
 # export DH_COMPAT=5
 
+DEB_HOST_MULTIARCH      ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+
+
 build: build-arch build-indep
 build-arch: build-stamp
 build-indep: build-stamp
 
 build-stamp: 
        dh_testdir
-       $(MAKE)
+       dh_auto_build
        touch build-stamp
 
 clean:
@@ -28,9 +31,9 @@
        dh_testdir
        dh_testroot
        dh_installdirs
-
+       mkdir -p $(CURDIR)/debian/libpam-chroot/lib/$(DEB_HOST_MULTIARCH)
        # Add here commands to install the package into debian/libpam-chroot
-       $(MAKE) install DESTDIR=$(CURDIR)/debian/libpam-chroot
+       $(MAKE) install DESTDIR=$(CURDIR)/debian/libpam-chroot 
LIBDIR=$(CURDIR)/debian/libpam-chroot/lib/$(DEB_HOST_MULTIARCH) 
INSTALL="install --strip-program=true"
 
 
 # Build architecture-independent files here.
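Review bot: the LIBDIR passed to make install, and the directory created by the new mkdir line, is lib/$(DEB_HOST_MULTIARCH) with no security component, whereas the Makefile default it overrides is $(DESTDIR)/lib/security. As written, pam_chroot.so is installed directly into the multiarch library directory; PAM modules on Debian normally live in lib/$(DEB_HOST_MULTIARCH)/security, so please confirm the module is found by the PAM loader at this path or append /security to both the mkdir and the LIBDIR value. Listing the installed path with dpkg -c on the built package in the [ Tests ] section would settle it.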
