LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-01-2003, 02:33 PM   #1
axman
LQ Newbie
 
Registered: Aug 2001
Posts: 3

Sftp and chroot


I have a Red Hat 9 server on which we wish to get sftp working in a way that the users are chrooted to their home directories and cannot move outside of them.

Is there a way to configure vsftp to allow authentication over ssh?

Thanks for the assistance.
 
Old 10-02-2003, 10:43 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

FTP and Sftp are unrelated, SSH provides scp and sftp.
Compile OpenSSH-3.7.1p2 with the chroot patch from http://chrootssh.sourceforge.net, and read the docs and the Chrooted Sftp one.
 
Old 10-02-2003, 02:29 PM   #3
axman
LQ Newbie
 
Registered: Aug 2001
Posts: 3

Original Poster
Are there Red Hat RPMs available anywhere offering ssl with the patch for chroot?
 
Old 10-02-2003, 04:41 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

Quote: Are there Red Hat RPMs available anywhere offering ssl with the patch for chroot?
None I know of, but I build them myself, it's easy.
You need to fetch openssh-3.7.1p2.tar.gz yourself. Then save it with the patch in /usr/src/redhat/SOURCES, or even better, if you build rpm's as unprivileged user like I do, save 'em in there in the SOURCES dir. Save the spec file in /usr/src/redhat/SPECS or unpriv user equivalent, cd to that dir and issue "rpm -ba openssh-3.7.1p2.spec.unspawn".
All credits to the original owners, and I do not take responsibility if something breaks, so YMMV(VM).

This is the chrootssh patch:
Code:
--- openssh-3.7.1p2/session.c.orig	Tue Sep 23 10:59:08 2003
+++ openssh-3.7.1p2/session.c	Wed Sep 24 12:56:28 2003
@@ -62,6 +62,8 @@
 #include "ssh-gss.h"
 #endif
 
+#define CHROOT
+
 /* func */
 
 Session *session_new(void);
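Review bot: the unconditional `#define CHROOT` added next to the includes means the chroot code can never be compiled out; there is no configure option or CFLAGS hook to disable it, and every build of this tree becomes a chroot build. If that is intended, say so in a comment; otherwise move the define to a `-DCHROOT` build flag or an autoconf `AC_DEFINE` so the spec file's tchroot switch can actually control it.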
@@ -1231,6 +1233,12 @@
 void
 do_setusercontext(struct passwd *pw)
 {
+
+#ifdef CHROOT
+	char *user_dir;
+	char *new_root;
+#endif /* CHROOT */
+
 #ifndef HAVE_CYGWIN
 	if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
@@ -1268,6 +1276,27 @@
 			exit(1);
 		}
 		endgrent();
+
+#ifdef CHROOT
+		user_dir = xstrdup(pw->pw_dir);
+		new_root = user_dir + 1;
+
+		while((new_root = strchr(new_root, '.')) != NULL) {
+			new_root--;
+			if(strncmp(new_root, "/./", 3) == 0) {
+				*new_root = '\0';
+				new_root += 2;
+
+				if(chroot(user_dir) != 0)
+					fatal("Couldn't chroot to user directory % s", user_dir);
+					pw->pw_dir = new_root;
+					break;
+				}
+				new_root += 2;
+		}
+#endif /* CHROOT */
+
+
 # ifdef USE_PAM
 		/*
 		 * PAM credentials may take the form of supplementary groups.
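Review bot: chroot() is not followed by a chdir(), so after `chroot(user_dir)` the process keeps its current working directory outside the new root until sshd's later chdir to pw->pw_dir, and if that later chdir fails the session is left running with a cwd outside the jail. Add `chdir("/")` (or `chdir(new_root)`, with `fatal()` on failure) immediately after the chroot call. Two smaller points in the same block: the format string `"Couldn't chroot to user directory % s"` has a stray space (the space flag is only defined for signed numeric conversions; it should be `%s`), and `pw->pw_dir = new_root;` / `break;` are indented as if they were inside the brace-less `if(chroot(...) != 0)`, but only `fatal()` is guarded; it works because fatal() never returns, but the indentation misstates the control flow. Operationally, the directory in front of the `/./` marker becomes the jail root and must be root-owned and not writable by the jailed user.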
 
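The patch above keys the jail off a `/./` marker in the user's passwd home directory: everything before the marker becomes the chroot root, everything after it becomes the home path as seen inside the jail. This added example (not part of the original post or the chrootssh patch) implements that split as a standalone, testable function and shows the chroot/chdir sequence a jail entry should use; `split_chroot_home` and `enter_jail` are names chosen here, and the sample home paths are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Split a passwd home dir carrying the chrootssh "/./" marker,
 * e.g. "/home/jail/./alice", into the jail root ("/home/jail") and
 * the home path as seen from inside the jail ("/alice").
 * Returns 1 when a marker was found and both buffers were filled,
 * 0 when there is no marker (no chroot wanted) or a buffer is too small. */
int split_chroot_home(const char *pw_dir, char *root, size_t rootlen,
                      char *home, size_t homelen)
{
    const char *m = strstr(pw_dir, "/./");
    if (m == NULL || m == pw_dir)           /* no marker, or empty jail root */
        return 0;
    size_t n = (size_t)(m - pw_dir);
    if (n + 1 > rootlen || strlen(m + 2) + 1 > homelen)
        return 0;
    memcpy(root, pw_dir, n);
    root[n] = '\0';
    strcpy(home, m + 2);                    /* keeps the leading '/' */
    return 1;
}

/* Enter the jail. chdir() must directly follow chroot(); otherwise the
 * process keeps a working directory outside the new root. Requires root,
 * so it is not exercised by the demo below. */
int enter_jail(const char *root, const char *home)
{
    if (chroot(root) != 0) { perror("chroot"); return -1; }
    if (chdir(home) != 0 && chdir("/") != 0) { perror("chdir"); return -1; }
    return 0;
}

int main(void)
{
    /* constructed sample home directories: one jailed, one plain */
    const char *samples[] = { "/home/jail/./alice", "/home/bob" };
    char root[256], home[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (split_chroot_home(samples[i], root, sizeof root, home, sizeof home))
            printf("%s -> chroot %s, home %s\n", samples[i], root, home);
        else
            printf("%s -> no marker, no chroot\n", samples[i]);
    }
    return 0;
}
```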
Old 10-02-2003, 04:51 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,470
Blog Entries: 54

And this is the diff between the original and my specfile:
Code:
--- openssh.spec	Tue Sep 23 11:26:53 2003
+++ openssh.spec.u	Thu Oct  2 23:46:42 2003
@@ -1,3 +1,7 @@
+# Is this a chroot-enabled build? (1=yes 0=no)
+%define tchroot 1
+%{?build_tchroot:%define tchroot 1}
+
 %define ver 3.7.1p2
 %define rel 1
 
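Review bot: `%define tchroot 1` already defaults the switch to on, so the following `%{?build_tchroot:%define tchroot 1}` is a no-op and there is no way to select a non-chroot build from the rpm command line. If the comment's "1=yes 0=no" is meant as an opt-in, default tchroot to 0 and let `--define 'build_tchroot 1'` turn it on.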
@@ -97,6 +101,16 @@
 BuildPreReq: krb5-libs
 %endif
 
+%if %{tchroot}
+# Patchloc: http://chrootssh.sourceforge.net/dow...hroot-3.7.diff
+%define patch1_uri chrootssh.sourceforge.net
+%define patch1_name osshChroot
+%define patch1_ver 3.7
+%define patch1_rel 1p2
+%define patch1_n %{patch1_name}-%{patch1_ver}.%{patch1_rel}.diff
+Patch1: %{patch1_n}
+%endif
+
 %package clients
 Summary: OpenSSH clients.
 Requires: openssh = %{version}-%{release}
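Review bot: the `# Patchloc:` comment carries a truncated URL (`dow...hroot-3.7.diff`) and names a `...3.7.diff` file, while `Patch1` expands to `osshChroot-3.7.1p2.diff`; restore the full URL and make sure the file saved in SOURCES has exactly the name the `patch1_n` define builds, or rpm will fail at `%patch1` with a missing-file error.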
@@ -138,12 +152,20 @@
 This package includes the core files necessary for both the OpenSSH
 client and server. To make this package useful, you should also
 install openssh-clients, openssh-server, or both.
+%endif
+%if %{tchroot}
+INCLUDES %{patch1_n}, see: %{patch1_uri}
+%endif
 
 %description clients
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package includes
 the clients necessary to make encrypted connections to SSH servers.
 You'll also need to install the openssh package on OpenSSH clients.
+%endif
+%if %{tchroot}
+INCLUDES %{patch1_n}, see: %{patch1_uri}
+%endif
 
 %description server
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
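Review bot: each added block begins with `+%endif`, but no matching `%if` is visible in this hunk's context (the `%description` texts are plain lines), and the block then opens its own `%if %{tchroot}` that is closed by the second `+%endif`. An unbalanced `%endif` aborts spec parsing, so either confirm the opening `%if` exists above the hunk or drop the leading `%endif` from each block.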
@@ -151,17 +173,29 @@
 the secure shell daemon (sshd). The sshd daemon allows SSH clients to
 securely connect to your SSH server. You also need to have the openssh
 package installed.
+%endif
+%if %{tchroot}
+INCLUDES %{patch1_n}, see: %{patch1_uri}
+%endif
 
 %description askpass
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package contains
 an X11 passphrase dialog for OpenSSH.
+%endif
+%if %{tchroot}
+INCLUDES %{patch1_n}, see: %{patch1_uri}
+%endif
 
 %description askpass-gnome
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package contains
 an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
 environment.
+%endif
+%if %{tchroot}
+INCLUDES %{patch1_n}, see: %{patch1_uri}
+%endif
 
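Review bot: as in the previous hunk, the `+%endif` preceding each `+%if %{tchroot}` has no visible matching `%if` in the surrounding `%description` text, leaving the spec with more `%endif` than `%if` unless something above opens them; verify with a dry `rpm -bp` before relying on the build.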
 %prep
 
@@ -169,6 +203,10 @@
 %setup -q -a 1
 %else
 %setup -q
+%endif
+
+%if %{tchroot}
+%patch1 -p1 -b session.c
 %endif
 
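Review bot: `%patch1 -p1 -b session.c` passes `session.c` to patch as a backup suffix, not a file name, so the saved original becomes `session.csession.c`; use a suffix such as `-b .chroot` instead. The `%endif` bookkeeping in this hunk is consistent: the new `+%endif` closes the existing `%setup` conditional and the original `%endif` now closes the new `%if %{tchroot}`.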
 %build
My specfile is too large to fit here even after I ripped out my stuff, so use the diff: extract and copy the specfile from the tarball (it's in contrib/redhat/openssh.spec) to your SPECS dir. Save the above patch as say chrootssh.spec.diff, then issue "cat chrootssh.spec.diff | patch -b openssh.spec". Then build with "rpm -ba openssh.spec".