ssh chroot jails
I know similar questions have been asked before but the answers were extremely complex so I am asking again hoping that an easier way has been discovered.
I want to grant ssh access to my web clients but need for them to be jailed so they cannot browse the directory structure beyond their home directory. I have got chroot jails on ftp access using ProFTP Server but need this functionality for SSH as well. Is there a straightforward how-to for ssh jails?

Thanks to all,
-vbsaltydog
CentOS 4.2
OpenSSH_3.9p1
the answers were extremely complex
Maybe you could do me a favour and offer the URIs of two or three threads here that carry HOWTO information and tell me what *exactly* you find "extremely complex" about them? We could use that input for making things "easier" since "easier" was not declared before.
As a matter of fact, there is nothing complex about getting this beast to run caged. I have done it numerous times on NetBSD, but I am pretty sure it will run just as nicely on any other distro. It's not complex, but rather long.

*) Creating the chroot jail

First of all, we create a directory structure. The permissions have to be right to only allow copying files to the user home folder and to tmp.

    # mkdir -p /opt/chroot/sshd
    # cd /opt/chroot/sshd
    # mkdir -p bin dev etc home lib libexec sbin tmp var
    # mkdir -p var/run var/chroot/sshd
    # ln -s . usr
    # chmod 555 home
    # chmod 1777 tmp
    # mkdir -p pkg/etc/ssh

As you can see, `ln -s . usr` makes the usr subdirectory a symlink to the chroot's top directory. This avoids the binary distinction. "pkg/etc/ssh" is the place where the sshd config file and keys are going to be copied.

*) Copying the needed stuff to the chrooted directory structure

    # cd /opt/chroot/sshd
    # cp /bin/ksh /usr/bin/passwd /bin/date /bin/ls /bin/pwd /usr/bin/groups bin
    # cp /usr/pkg/bin/scponly bin
    # cp /etc/localtime etc/localtime
    # cp /sbin/nologin /usr/sbin/pwd_mkdb /usr/pkg/sbin/sshd sbin
    # cp /etc/master.passwd /etc/group /etc/passwd.conf etc
    # cp /usr/libexec/ld.elf_so /usr/libexec/ld.so /usr/pkg/libexec/sftp-server libexec
    # cp -rf /etc/ssh pkg/etc

Next we create the needed device files:

    # cd /opt/chroot/sshd/dev
    # /dev/MAKEDEV std pty0 tty random

We need some shared libraries as well. If you use statically linked binaries then you should not need those, or at least some of them. Using ldd and awk it is quite easy to get all of them inside the chrooted environment.

    # cd /opt/chroot/sshd/
    # cp `ldd bin/* sbin/* | awk '{print $3}'` lib

*) Setting up the user(s)

    # cd /opt/chroot/sshd/etc
    # vi group

My group file is as follows:

    wheel:*:0:imanassy
    sshd:*:16:
    staff:*:20:scpuser
    nobody:*:39:

The next step is to edit the master.passwd file (inside the chroot).

    # cd /opt/chroot/sshd/etc
    # vi master.passwd

My master.passwd file becomes this short:

    sshd:*:16:16:& pseudo-user:/var/chroot/sshd:/sbin/nologin
    nobody:*:32767:39:Unprivileged user:/nonexistent:/sbin/nologin
    scpuser:*:2003:100:test:/home/scpuser:/bin/scponly

Every time we modify the master.passwd file, we need to recreate the db files. We can use these commands:

    # cd /opt/chroot/sshd/
    # sbin/pwd_mkdb -d /opt/chroot/sshd etc/master.passwd
    # sbin/pwd_mkdb -d /opt/chroot/sshd -p etc/master.passwd

The scpuser is configured. Now we create his home folder.

    # cd /opt/chroot/sshd/home
    # mkdir -p scpuser
    # chown 2003:sshd scpuser

*) Setting up the initial passwords

    # cd /opt/chroot/sshd/
    # passwd scpuser
    Changing local password for scpuser.
    New password: *********
    Retype new password: *********
    # exit
    # cd /opt/chroot/sshd
    # rm bin/passwd
    # rm bin/ksh
    # rm bin/date

Note: If any users have to be added afterwards, then "passwd" and "ksh" have to be temporarily copied back to the chroot environment to accomplish the setup tasks for the new users.

*) Setting up the SSHD server

We need to make sure the chrooted ssh daemon does not conflict with any other SSHD server on the same machine, so we will set it up. The first step is to generate some new keys (or copy the ones you already have):

    # cd /opt/chroot/sshd/pkg/etc/ssh/
    # /usr/pkg/bin/ssh-keygen -t rsa1 -b 1024 -f ssh_host_key -N ''
    # /usr/pkg/bin/ssh-keygen -t dsa -f ssh_host_dsa_key -N ''
    # /usr/pkg/bin/ssh-keygen -t rsa -f ssh_host_rsa_key -N ''

To start the chrooted sshd server, if you have another sshd server already running on the same machine, you have to choose a port other than 22 (the default port of the ssh daemon). To accomplish that, edit sshd_config and find the following line:

    Port 22

and change the 22 to anything else up to 65535. Another alternative would be to create a virtual IP on the interface and bind the server to that IP.

*) Starting the sshd server

At this point everything is ready to start the ssh daemon, and it is done with the following command:

    # chroot /opt/chroot/sshd /sbin/sshd

Add this line to your startup scripts if you want it to be started at system bootup.

*) Set up syslogd to log from the chrooted sshd server

It is very important to know how our chrooted sshd server is doing inside the chroot. To syslog to /var/log/authlog (the default log file for the sshd server) we configure the syslogd_flags in the /etc/defaults/rc.conf file.

    # vi /etc/defaults/rc.conf

And add/modify these lines:

    syslogd=YES
    syslogd_flags="-p /var/run/log -p /opt/chroot/sshd/var/run/log -s"   # -s "secure" unix domain only

And then restart the syslogd daemon a la rc.d way:

    # /etc/rc.d/syslogd restart

*) Client configuration

The client configuration part is up to you. I use the scp command that comes with the openssh suite. A good free scp client for Windows is WinSCP (http://winscp.net).

*) The folder/file structure

This is how my chrooted folder/file structure looks. Remember that the soft-linked pkg/etc acts like usr/pkg/etc. The dev folder is omitted, so don't panic if you don't see it.

    bin
    bin/scponly
    bin/groups
    bin/pwd
    bin/ls
    etc
    etc/passwd.conf
    etc/group
    etc/master.passwd
    etc/spwd.db
    etc/passwd
    etc/pwd.db
    etc/localtime
    home
    home/scpuser
    home/scpuser/.ssh
    home/scpuser/.ssh/authorized_keys
    lib
    lib/libcrypt.so.0
    lib/libutil.so.7
    lib/libskey.so.1
    lib/libcrypto.so.0.9.7
    lib/libc.so.12
    lib/libwrap.so.0
    lib/libtermcap.so.0
    lib/libedit.so.2
    lib/libroken.so.12
    lib/libcom_err.so.4
    lib/libasn1.so.6
    lib/libcrypto.so.2
    lib/libkrb5.so.19
    lib/libz.so.0
    libexec
    libexec/ld.so
    libexec/ld.elf_so
    libexec/sftp-server
    sbin
    sbin/sshd
    sbin/nologin
    sbin/pwd_mkdb
    tmp
    var
    var/run
    var/run/sshd.pid
    var/run/log
    var/run/utmpx
    var/chroot
    var/chroot/sshd
    pkg
    pkg/etc
    pkg/etc/ssh
    pkg/etc/ssh/moduli
    pkg/etc/ssh/ssh_known_hosts
    pkg/etc/ssh/ssh_config
    pkg/etc/ssh/sshd_config
    pkg/etc/ssh/ssh_host_key.pub
    pkg/etc/ssh/ssh_host_dsa_key
    pkg/etc/ssh/ssh_host_dsa_key.pub
    pkg/etc/ssh/ssh_host_rsa_key
    pkg/etc/ssh/ssh_host_rsa_key.pub
    pkg/etc/ssh/ssh_host_key
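The procedure above is a long list of commands typed by hand, and the two places where a mistake silently weakens the jail are the directory permissions (home must stay 555, tmp 1777) and the shared-library copy, where the post's `awk '{print $3}'` also picks up the "(0x...)" load addresses that Linux ldd prints for the vDSO and loader lines. The script below is an added example, not the poster's own commands or part of any project: it builds the same skeleton into a throwaway directory, parses ldd output more strictly (resolved "=>" paths plus the loader line, skipping "not found"), copies libraries preserving their paths so the loader finds them where it expects, and then checks the properties the jail relies on, including that no setuid/setgid binary such as passwd was left behind. The JAIL path and the library paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the chroot skeleton the
# post describes and verify the permissions that keep users inside their home.
# JAIL defaults to a throwaway directory (an assumption) so this never touches /opt.
set -eu

# Create the directory layout from the post. The "usr -> ." symlink makes
# /usr/lib and /usr/libexec resolve to the same tree inside the jail.
make_jail_skeleton() {
    jail="$1"
    mkdir -p "$jail"
    (
        cd "$jail"
        mkdir -p bin dev etc home lib libexec sbin tmp var
        mkdir -p var/run var/chroot/sshd pkg/etc/ssh
        [ -e usr ] || ln -s . usr
        chmod 555 home    # users cannot create entries directly under home
        chmod 1777 tmp    # sticky bit: users can only delete their own files
    )
}

# Read ldd output on stdin and print only real library paths, one per line:
# resolved "name => /path (0x...)" lines and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)". Lines such as "linux-vdso.so.1 (0x...)"
# or "libfoo.so => not found" are skipped, unlike the post's awk '{print $3}'.
parse_ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }
         NF == 2 && $1 ~ /^\//     { print $1 }' | LC_ALL=C sort -u
}

# Copy each library path read from stdin into the jail at the same path,
# creating the parent directory, so the dynamic loader finds it unchanged.
copy_libs_into_jail() {
    jail="$1"
    while IFS= read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
}

# Verify the properties the jail relies on. Prints the first failing check
# and returns 1; returns 0 when everything looks right. Mode strings come from
# "ls -ld" so the check works with both GNU and BSD userlands.
check_jail() {
    jail="$1"
    [ "$(ls -ld "$jail/home" | cut -c1-10)" = "dr-xr-xr-x" ] \
        || { echo "home must be mode 555"; return 1; }
    [ "$(ls -ld "$jail/tmp" | cut -c1-10)" = "drwxrwxrwt" ] \
        || { echo "tmp must be mode 1777"; return 1; }
    { [ -L "$jail/usr" ] && [ "$(readlink "$jail/usr")" = "." ]; } \
        || { echo "usr must be a symlink to ."; return 1; }
    # The post removes passwd after setting the initial password; make sure no
    # setuid/setgid file is still sitting inside the jail.
    if find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | grep -q .; then
        echo "setuid/setgid file left in jail"
        return 1
    fi
    return 0
}

# Stand-alone run: build a throwaway jail and check it. To populate a real
# jail you would add, after copying binaries into bin and sbin:
#   ldd "$JAIL"/bin/* "$JAIL"/sbin/* | parse_ldd_libs | copy_libs_into_jail "$JAIL"
JAIL="${JAIL:-$(mktemp -d)/sshd}"
make_jail_skeleton "$JAIL"
check_jail "$JAIL" && echo "jail skeleton at $JAIL passes checks"
```

Run it as an unprivileged user first to see the layout it produces; only the `chroot` step in the post needs root. The check deliberately fails while `bin/passwd` is still in the jail, which matches the post's reminder to remove it once the account's password is set.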
Thank you for the detailed reply. This is what I was looking for. Perhaps long was a better word than complex but I think the length was enough to warrant my complexity comment.
Thanks again for the informative post.
-vbsaltydog