Old 09-17-2006, 05:24 PM   #1
Registered: Aug 2002
Location: St Louis, MO
Distribution: Xubuntu, RHEL, Solaris 10
Posts: 927

Rep: Reputation: 30
Chrooted sftp - complete list of things to do?

A regular ftpserver isn't working with my firewall, due to a really stupid router configuration among other problems. And because sftp beats ftp all hollow anyway, I'd like to start work on it. My users would need to be chrooted and relatively unprivileged, mainly because I have equally geeky friends who aren't above testing my limits...and reinstalling my OS when it doesn't need it is a pain

The list of Things ToDo seems to be this:
1. Install and update OpenSSH (done)
2. Install rssh
3. Install and configure Chrootssh
4. Patching up with GRSecurity isn't a bad idea
5. Create/alter my ftp-only users to use /bin/rssh
6. ???
7. Profit!!

Does anyone see any holes in this plan, or have any tips to add? Constructive criticism is most definitely welcomed, as I admit that network security isn't my strong point, and that makes this fairly dangerous. My distro is Slack 10.2 with 2.4.31.

Old 09-24-2006, 11:24 AM   #2
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720

Rep: Reputation: 30

Is it just SFTP access they need? If so, this is what I recommend:

1. Install SSH and scponly. scponly is a cut down shell which only allows the user access to logging in with an SCP client (like WinSCP). Importantly, scponly also comes with a shell called scponlyc, which allows it to run as a chroot environment.

2. With the most recent version of scponly, the home directory of the user must be owned by root. This is for security reasons, but can be a pain. You need to make a folder inside the user's home folder which is owned by the user. This is the folder which they can use.

3. Download and use scpjailer. This is a really handy binary which will set up all of the correct files inside the user's home folder to make it chrooted. (As it is chrooted, you can probably imagine that some important files (for example, the authentication details, binaries and their libraries) need to be stored in the user's home folder.) Scpjailer will copy across everything you need.

4. Once you have done this, modify each user to make his shell /usr/sbin/scponlyc (this may not be the correct path. You will need to check it).

The result is:
1. User's home folder is (for example) /home/user . This is owned by root:root .
2. There is a folder called /home/user/data which is owned by user:user .
3. Give the user the link to WinSCP. Tell them to log in with their username and password to your server using WinSCP.
4. When they log in, they will not be able to access files outwith their home folder.
5. If you do try to login with putty or with a terminal, they will not have access to a shell.

This is what I remember doing when I did it. I have it all written down at the office, but I'm not there.

Let me know how you get on
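The layout described in the post above (jail root owned by root and not writable by anyone else, a data subdirectory owned by the user, login shell pointed at the chroot shell) is easy to get subtly wrong, so here is an added example script that checks those rules on an existing home directory. It is not part of scponly or scpjailer. The chroot shell path /usr/sbin/scponlyc is the one assumed in the post and must be checked against your own install; the passwd file and the expected owner of the jail root can be overridden so the script can be exercised unprivileged on a scratch tree.

```shell
#!/bin/sh
# check_jail: sanity-check the layout of an scponly-style chroot home.
# Added example, not code from scponly or scpjailer. Checks the rules from
# the post above:
#   - the jail root is a plain directory owned by root (or JAIL_OWNER)
#   - the jail root is not group- or world-writable
#   - JAIL/DATADIR exists and is owned by the user
#   - the user's login shell in the passwd file is the chroot shell
#
# Usage: check_jail JAIL USER DATADIR EXPECTED_SHELL [PASSWD_FILE] [JAIL_OWNER]
#   JAIL           chroot root, e.g. /home/user
#   USER           login name; must own JAIL/DATADIR
#   DATADIR        name of the writable subdirectory, e.g. data
#   EXPECTED_SHELL chroot shell path (assumed: /usr/sbin/scponlyc; verify on your system)
#   PASSWD_FILE    defaults to /etc/passwd
#   JAIL_OWNER     defaults to root (overridable for unprivileged testing)
# Prints one line per failed check on stderr; returns 0 only if every check passes.

# Owner name and symbolic mode of a path, parsed from ls -ld (portable across
# GNU and BSD userlands, unlike the stat(1) format flags).
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }
mode_of()  { ls -ld "$1" | cut -c1-10; }

check_jail() {
    jail=$1 user=$2 datadir=$3 shell=$4
    passwd=${5:-/etc/passwd} jail_owner=${6:-root}
    rc=0

    # 1. The jail root must be a real directory (not a symlink) owned by root.
    if [ -L "$jail" ] || [ ! -d "$jail" ]; then
        echo "FAIL: $jail is not a plain directory" >&2; rc=1
    elif [ "$(owner_of "$jail")" != "$jail_owner" ]; then
        echo "FAIL: $jail is owned by $(owner_of "$jail"), expected $jail_owner" >&2; rc=1
    fi

    # 2. Nobody but the owner may write to the jail root; a group- or
    #    world-writable root would let the user replace bin/ or etc/ inside
    #    the chroot. Character 6 is the group write bit, character 9 the
    #    world write bit.
    case $(mode_of "$jail") in
        ?????w*|????????w*)
            echo "FAIL: $jail is group- or world-writable" >&2; rc=1 ;;
    esac

    # 3. The only writable area is DATADIR, and it belongs to the user.
    if [ ! -d "$jail/$datadir" ]; then
        echo "FAIL: $jail/$datadir is missing" >&2; rc=1
    elif [ "$(owner_of "$jail/$datadir")" != "$user" ]; then
        echo "FAIL: $jail/$datadir is owned by $(owner_of "$jail/$datadir"), expected $user" >&2; rc=1
    fi

    # 4. The login shell recorded for the user must be the chroot shell;
    #    a plain shell here means the user lands in an unjailed session.
    actual=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    if [ "$actual" != "$shell" ]; then
        echo "FAIL: login shell for $user is '$actual', expected $shell" >&2; rc=1
    fi

    return $rc
}

# Run the checks when invoked directly with arguments, e.g.
#   sh check_jail.sh /home/user user data /usr/sbin/scponlyc
if [ "$#" -ge 4 ]; then
    check_jail "$@" && echo "OK: jail layout for $2 looks sane"
fi
```

Run it as root against each jailed account after scpjailer has populated the home directory; a non-zero exit with the printed FAIL lines tells you which of the four rules was broken before you hand the login to a user.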

Old 09-26-2006, 07:30 PM   #3
Registered: Aug 2002
Location: St Louis, MO
Distribution: Xubuntu, RHEL, Solaris 10
Posts: 927

Original Poster
Rep: Reputation: 30
Thanks for the suggestions! I'm working on it now (had a couple of busy days when I just couldn't sit down and work on this), and am wondering whether scpjailer can do what I need. I don't want to jail users into their home directory - I need to jail them into *a* directory, i.e. /multimedia/ which is where I have all of my mp3s, movies, etc. My current setup allows write permissions only for that top-level directory; all subdirectories are read-only for anyone but me, to help minimize accidents.

Aside from that, I've been trying it out on a test user, just jailing them into what I thought was their own home directory. I can't ssh in, I've tried that and it fails (which is good). I can sftp in, and I think I can transfer files (haven't tried yet). But - I can also get out of that directory, and I don't think that I should be able to do that, so clearly I'm doing something wrong.

This is the setup so far:
[502:root@cleopatra /home/laura/Download/security/scpjailer-0.3]# ./scpjailer-i386 -u laurat3st /home/laurat3st/
What is the name of the directory inside of "/home/laurat3st/" that "laurat3st" 
should have write access to?  Use blank to skip.
Extracting files into /home/laurat3st/...done.
Generating /home/laurat3st//etc/passwd...done.
Generating /home/laurat3st//etc/group...done.
[503:root@cleopatra /home/laura/Download/security/scpjailer-0.3]# ll /home/laurat3st/
total 12K
drwxr-xr-x  2 root      root 4.0K 2004-03-15 11:26 bin
lrwxrwxrwx  1 root      root    1 2006-09-26 17:31 usr -> .
lrwxrwxrwx  1 root      root    1 2006-09-26 17:31 local -> .
lrwxrwxrwx  1 root      root    3 2006-09-26 17:31 libexec -> bin
lrwxrwxrwx  1 root      root    3 2006-09-26 17:31 lib -> bin
drwxr-xr-x  2 laurat3st root 4.0K 2006-09-26 17:31 files
drwxr-xr-x  2 root      root 4.0K 2006-09-26 17:31 etc
[504:root@cleopatra /home/laura/Download/security/scpjailer-0.3]# 

From /etc/passwd:

A sample sftp session:
[501:laura@cleopatra ~]$ sftp -oPort=60 laurat3st@localhost
Connecting to localhost...
laurat3st@localhost's password: 
sftp> ls
bin      etc      files    lib      libexec  local    usr      
sftp> cd ../
sftp> ls
user1  ftp           laura         laurat3st     user2          lost+found    
sftp> exit
[502:laura@cleopatra ~]$
Theoretically, I shouldn't have been able to do that 'cd ../' ...should I?
Thanks for your help!


All times are GMT -5.