By cam34 at 2008-07-21 18:33
This HOW-TO should be used as a guide. While I have tried to cover everything, I have just retraced my steps after I got it all working. I haven't gone through this with a fine-tooth comb.
This HOW-TO is based on Mepis 7, which is basically Debian Etch (for all the googlers :-P), and presumes you already have an SSH server up and running.
Install the PAM Module for SSH Chroot
Code:
apt-get install libpam-chroot
Create the user (if you haven't already).
Add the user (or users) you want to chroot via SSH to /etc/security/chroot.conf, like:
Code:
# username chroot_dir
testuser /home/testuser
Add lines to /etc/pam.d/ssh like this (debug is optional):
Code:
# Set up the chroot environment for users who SSH in
session required pam_chroot.so debug
Set up the virtual file system for the chroot jail. Run the following commands as root:
Code:
mkdir -p /home/testuser/home/
cd /home/testuser
mkdir etc
mkdir bin
mkdir lib
mkdir -p usr/bin
mkdir dev
# Device nodes must be world-writable or the unprivileged user cannot use them
mknod -m 666 dev/null c 1 3
mknod -m 666 dev/zero c 1 5
Now set up a basic passwd file for the chroot jail (I'm not 100% sure if this step is required any longer):
Code:
# Copy only the root and testuser entries into the jail's passwd file
# (one grep per file, so the second entry does not overwrite the first)
grep -e "^root:" -e "^testuser:" /etc/passwd > etc/passwd
# Copy the matching groups into the jail's group file
grep -e "^root:" -e "^users:" -e "^testuser:" /etc/group > etc/group
Now we need to copy the applications we want to run into the chroot jail. Create a text file called makeapps.sh and add the following to it:
Code:
#!/bin/bash
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
for prog in $APPS; do
    cp "$prog" "./$prog"
    # obtain a list of related libraries (skipped when ldd fails on the file)
    if ldd "$prog" > /dev/null; then
        # keep only resolved absolute paths from the third field of each ldd line
        LIBS=$(ldd "$prog" | awk '$3 ~ /^\// { print $3 }')
        for l in $LIBS; do
            mkdir -p "./$(dirname "$l")" > /dev/null 2>&1
            cp "$l" "./$l"
        done
    fi
done
*** Note: if you require other programs, add their absolute paths to the APPS line ***
Now run the above script from /home/testuser, because it copies everything relative to the current directory.
One thing that happens when you try to log in via SSH at this point is that you type in the password and receive:
/bin/bash: No such file or directory
Connection to SSH-SERVER closed.
makeapps.sh hasn't copied one of the libraries across: we are actually missing a copy of ld-linux.so.2. Its line in the ldd output has no "=>", so its path is not in the third field that the script reads.
So as root:
Code:
cp /lib/ld-linux.so.2 /home/testuser/lib/
Now you should be able to log in to a chrooted home.
Happy tweaking! - Cam McKenzie aka cAm34
Guide derived from: http://www.howtoforge.com/chrooted_ssh_howto_debian
See Mepis Wiki Entry Here: http://www.mepis.org/docs/en/index.p...t_jail_for_SSH
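The missing ld-linux.so.2 described above can be caught before the first login attempt by checking the jail against full ldd output rather than only its third field. The following is an added example, not part of the original HOW-TO; the function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original HOW-TO): find libraries missing from a jail.

# Print every absolute library path found in ldd output read from stdin.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # name => /path (address)
        $1 ~ /^\//               { print $1 }        # /lib/ld-linux.so.2 (address)
    ' | sort -u
}

# Usage: ldd PROGRAM | missing_in_jail JAIL_DIR
# Prints each required library that does not exist under JAIL_DIR.
missing_in_jail() {
    root=$1
    ldd_paths | while read -r lib; do
        [ -e "$root$lib" ] || echo "$lib"
    done
}

# Constructed ldd output in the style of a 32-bit Debian Etch /bin/bash.
SAMPLE_LDD='    linux-gate.so.1 =>  (0xffffe000)
    libncurses.so.5 => /lib/libncurses.so.5 (0xb7f2a000)
    libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7f26000)
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7de5000)
    /lib/ld-linux.so.2 (0xb7f7d000)'

# Build a throwaway jail holding only the "=>" libraries (what a third-field
# copy produces), then report what the sample program would still be missing.
demo() {
    jail=$(mktemp -d)
    for f in /lib/libncurses.so.5 /lib/tls/i686/cmov/libdl.so.2 \
             /lib/tls/i686/cmov/libc.so.6; do
        mkdir -p "$jail$(dirname "$f")"
        : > "$jail$f"
    done
    printf '%s\n' "$SAMPLE_LDD" | missing_in_jail "$jail"
    rm -rf "$jail"
}

demo
```

Against a real jail, run `ldd /bin/bash | missing_in_jail /home/testuser` for each program listed in APPS; no output means every library that program needs is present.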
I don't know if these addresses are correct or not.
I run P2P sharing, and am trying to encrypt my info through my ISP, as they are able to track what I am threading in and out.
If anyone has any suggestions on where I might find my ISP add., it would be much appreciated. Or, a better encryption app.
Also, this is my first post on LQ. I was not able to find the right forum for a new thread.
Sorry for posting incorrectly.
My user name is Billy Makk. Please post to me exactly how or where the correct forum for the new thread is.
Thank you for your help, Bill