jail user to /home/user directory
I have an SSH user that I don't want to be able to navigate outside of his home directory; I don't want him snooping around in /etc and so on.
Does anyone know how I can stop him doing this? Much appreciated, confused_user |
chroot is what you are after. Check the following links:
http://www.linuxquestions.org/questi...598#post222598 http://www.jmcresearch.com/projects/jail/ |
Thanks for your replies, guys.
After days of struggling with chroot ssh jails I have abandoned it and moved on to ssl instead, which is extremely simple to set up and just as secure. If you want my advice: unless you are the author of the ssh protocol, do not attempt to use chroot with sshd; it's almost impossible to set up, as the documentation available is pathetic. Many thanks for your help. confused user. |
It is not very well documented, but I haven't come across any special problems. I'll post my method; I have not tested the security (although the jail shows) and have not tried it with PAM, so call it an introduction to chroot sshd. Some parts are specific to Debian; refer to your distro for these.
(Everything has to be done as root.)

Get the sshd server:
Code:
apt-get source openssh-server
wget http://chrootssh.sourceforge.net/download/osshChroot-4.2p1.diff
patch -d openssh-4.2p1 -p1 < osshChroot-4.2p1.diff
debian:~/chroot_ssh# more openssh-4.2p1/version.h

Compile/Build:
Code:
apt-get build-dep openssh-server
cd ..

Now set up the jail for new user bush:
Code:
adduser --home /home/bush/./ bush
mkdir /home/bush/bin
cp /bin/bash /home/bush/bin
ldd /home/bush/bin/bash
Quote:
Copy them in the jail:
Code:
cd /lib
mkdir /home/bush/lib
cp <all the libs> /home/bush/lib
mkdir /home/bush/etc
grep bush /etc/passwd > /home/bush/etc/passwd
/etc/init.d/ssh restart
Quote:
|
Well, that's more like it. I'll follow your notes and let you know how I get on, but for anyone else looking to do this in the meantime, vsftpd has SSL support built in now and it's like a 10 minute job to set it up.
Thanks for the help! |
Yes, try it, at least for fun. I'm sure it won't take you longer than 10 minutes :) This post is for ssh; for sftp (part of ssh) there are a few other things to do, I think. I could post it if I try it.
Cheers |
Yes, I will try it and post my results; I haven't had a chance yet...
I should probably restate my aims. I have a client that is insisting on a secure file transfer solution. Being a lazy person, I opted for something that I thought would be easiest: sshd, being present on almost every standard Linux distro. I had originally wanted to use RSSH to limit what the SSH user could do, i.e. not issue commands like "useradd", "chown", "chmod" and things like that. I only want him to be able to do a "get", "put", "mkdir", "rm" and "ls". This is all pretty easy to do.

So when it came to hardening the server I realised that I was able to navigate to the true root of the file system and was able to browse (read only) to /etc and everywhere else. In theory it would be possible to look at the shadow hashes and brute force them, among other things. So I want to put the user in a chroot jail in his home directory (or somewhere else).

So the problem is moving the bins like "ls" and "get" into his chroot jail, and their associated libs. Your notes above have helped me understand how to go about doing this; I didn't know about the ldd command :) If you have an SFTP version of the above notes I would love to read them!! A thousand thanks, Confused_user |
Then you had better use the chroot configuration of vsftpd rather than hacking into the code of ssh, even if it is possible; it is maybe less tested. |
Can you explain more to me, or do you have some link that can help me? |
You want to chroot ssh? What don't you understand?
The first thing is to get the ssh server source. You need this because you have to recompile it, because the standard one, as far as I know, doesn't have this feature. Then you patch it. Did you do this first? |
No, I haven't; I just downloaded the latest version and set it up, I think that's all I had to do.
Do you have some guide? If you can, first explain to me how to set up the jail on a local machine, where some user is chrooted to the jail. Thank you |
The only guide I have is this one :)
There are some on the net. I have just looked on Google (keywords: chroot ssh); they are all a little bit more complex. For setting up the jail you need to look after the step "Now set up the jail for new user bush". To set up a jail in his home, you need to put everything needed by his shell (bash) in his home, as if /home/bush was /. By doing ldd I ask what bash depends on: /lib, ... So you have to create first the place for bash:
Code:
mkdir /home/bush/bin
cp /bin/bash /home/bush/bin
then the libs:
Code:
mkdir /home/bush/lib
cp <all the libs> /home/bush/lib
then the file passwd is needed, so:
Code:
mkdir /home/bush/etc
and so on. |
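The two posts above (the chroot sshd write-up and the later explanation of the ldd step) describe the same by-hand procedure: copy the shell into the jail, copy every library ldd lists, write a passwd entry. The script below is an added example, my own code and not from any post in this thread or from the chrootssh project, that automates those steps for one user and one shell and then runs the one check such a jail most needs, a count of setuid files inside it (a copied su or sudo is the classic way out of a chroot). The function names, the constructed uid/gid 1001, and writing the jailed user's home as "/" (paths inside the jail are relative to the new root) are my assumptions; run it as root against a real home directory, or as any user against a scratch directory to see what lands in the jail.

```shell
#!/bin/sh
# Added example: build a minimal chroot jail by copying a shell plus the
# shared libraries ldd resolves for it. Not the thread's code; function names,
# the uid/gid 1001 and the in-jail home "/" are assumptions made here.

# jail_copy JAIL SRC: copy SRC into JAIL at the same absolute path, so that
# inside the jail it is found where ldd (and the binary's PT_INTERP) expect it.
# Plain cp (no -p): the copy is owned by whoever runs this, root in a real
# deployment, never the jailed user.
jail_copy() {
    jail=$1
    src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp "$src" "$jail$src"      # follows symlinks, so the real file lands in the jail
}

# jail_libs JAIL BIN: copy every shared object ldd resolves for BIN.
# ldd prints "libc.so.6 => /path (0x...)" for ordinary libraries and a bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)" for the dynamic loader itself;
# the vdso line ("linux-vdso.so.1 (0x...)") has no path and is skipped.
jail_libs() {
    jail=$1
    bin=$2
    ldd "$bin" 2>/dev/null | awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    ' | while read -r lib; do
        jail_copy "$jail" "$lib"
    done
}

# jail_passwd JAIL USER UID GID SHELL: the single passwd line the jailed shell
# needs. Home is "/" because inside the jail /home/USER has become /.
jail_passwd() {
    mkdir -p "$1/etc"
    printf '%s:x:%s:%s:%s:/:%s\n' "$2" "$3" "$4" "$2" "$5" > "$1/etc/passwd"
}

# build_jail JAIL USER BIN: the whole procedure for one user and one shell.
build_jail() {
    jail=$1
    user=$2
    bin=$3
    mkdir -p "$jail/bin" "$jail/lib" "$jail/etc"
    jail_copy "$jail" "$bin"
    jail_libs "$jail" "$bin"
    jail_passwd "$jail" "$user" 1001 1001 "$bin"   # constructed uid/gid for the example
}

# jail_setuid_count JAIL: number of setuid files inside the jail; must be 0.
jail_setuid_count() {
    find "$1" -type f -perm -4000 | wc -l | tr -d ' '
}

# jail_lib_count JAIL: how many shared objects ended up in the jail.
jail_lib_count() {
    find "$1" -type f -name '*.so*' | wc -l | tr -d ' '
}

# Usage: sh jail.sh /home/bush bush /bin/bash
if [ "$#" -eq 3 ]; then
    build_jail "$1" "$2" "$3"
    echo "jail $1: $(jail_lib_count "$1") libraries, $(jail_setuid_count "$1") setuid files"
fi
```

After building, inspect the jail with `chroot /home/bush /bin/bash` as root: if the shell starts, the loader and libraries were found; if it fails with "No such file or directory" on a binary that is visibly there, the missing piece is almost always the dynamic loader path (the bare line in ldd's output), not the binary itself.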