LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-08-2006, 01:40 PM   #1
vbsaltydog
Member
 
Registered: Nov 2005
Distribution: CentOS
Posts: 154

Rep: Reputation: 15
ssh chroot jails


I know similar questions have been asked before but the answers were extremely complex so I am asking again hoping that an easier way has been discovered.

I want to grant ssh access to my web clients but need for them to be jailed so they cannot browse the directory structure beyond their home directory.

I have got chroot jails on ftp access using ProFTP Server but need this functionality for SSH as well.

Is there a straightforward how-to for ssh jails?

Thanks to all,

-vbsaltydog

CentOS 4.2
OpenSSH_3.9p1
 
Old 06-08-2006, 03:38 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
the answers were extremely complex
Maybe you could do me a favour and offer the URI's of two or three threads here that carry HOWTO information and tell me what *exactly* you find "extremely complex" about them? We could use that input for making things "easier" since "easier" was not declared before.
 
Old 06-09-2006, 10:45 AM   #3
imanassypov
LQ Newbie
 
Registered: Sep 2005
Location: Toronto, Canada
Distribution: FreeBSD, Gentoo, NetBSD
Posts: 28

Rep: Reputation: 15
Cool

As a matter of fact, there is nothing complex about getting this beast to run caged. I have done it numerous times on NetBSD, but I am pretty sure it will run just as nicely on any other distro. Its not complex, but rather long.

*) Creating the chroot jail

First of all, we create a directory structure.
The permissions have to be right to only allow copying files to the user home folder and to tmp.

# mkdir -p /opt/chroot/sshd
# cd /opt/chroot/sshd
# mkdir -p bin dev etc home lib libexec sbin tmp var
# mkdir -p var/run var/chroot/sshd
# ln -s . usr
# chmod 555 home
# chmod 1777 tmp
# mkdir –p pkg/etc/ssh

As u can see `ln -s . usr`, make usr subdirectory becomes a symblink to chroot's top directory.
This will avoid binary distinction.
In “pkg/etc/ssh” is the place where the sshd config file and keys are going to be copied.

*) Copying the needed stuff to the chrooted directory structure

# cd /opt/chroot/sshd
# cp /bin/ksh /usr/bin/passwd /bin/date /bin/ls /bin/pwd /usr/bin/groups bin
# cp /usr/pkg/bin/scponly bin
# cp /etc/localtime etc/localtime
# cp /sbin/nologin /usr/sbin/pwd_mkdb /usr/pkg/sbin/sshd sbin
# cp /etc/master.passwd /etc/group /etc/passwd.conf etc
# cp /usr/libexec/ld.elf_so /usr/libexec/ld.so /usr/pkg/libexec/sftp-server libexec
# cp -rf /etc/ssh pkg/etc


Next we create the needed device files

# cd /opt/chroot/sshd/dev
# /dev/MAKEDEV std pty0 tty random

We need some share libraries as well.
If u use static linked binaries then u should not need those or at least some of them.
Using ldd and awk is quite easy to get all of them inside the chrooted environment.

# cd /opt/chroot/sshd/
# cp `ldd bin/* sbin/* | awk '{print $3}'` lib

*) Setting up the user(s)

# cd /opt/chroot/sshd/etc
# vi group
My group file is as follows:
wheel:*:0:imanassy
sshd:*:16:
staff:*:20:scpuser
nobody:*:39:

The next step is edit the master.passwd file (inside the chroot).
# cd /opt/chroot/sshd/etc
# vi master.passwd

My master.passwd file become this short.

sshd:*:16:16:& pseudo-user:/var/chroot/sshd:/sbin/nologin
nobody:*:32767:39:Unprivileged user:/nonexistent:/sbin/nologin
scpuser:*:2003:100:test:/home/scpuser:/bin/scponly

Everytime we modify the master.passwd file, we need to recreate the db files. We can use these commands:

# cd /opt/chroot/sshd/
# sbin/pwd_mkdb -d /opt/chroot/sshd etc/master.passwd
# sbin/pwd_mkdb -d /opt/chroot/sshd -p etc/master.passwd

The scpuser is configured. Now we create his home folder.

# cd /opt/chroot/sshd/home
# mkdir –p scpuser
# chown 2003:sshd scpuser

*) Setting up the initial passwords

# cd /opt/chroot/sshd/
# passwd scpuser
Changing local password for scpuser.
New password: *********
Retype new password: *********
# exit

# cd /opt/chroot/sshd
# rm bin/passwd
# rm bin/ksh
# rm bin/date

Note: If any users has to be added afterwards, then "passwd" and "ksh" has to be temporary copied back
to the chroot environment to accomplish the set up tasks for the new users.

*) Setting up the SSHD server

We need to make sure the chrooted ssh daemon does not conflict with any other SSHD server in the same machine,
so we will set it up. The first step is to generate some new keys (or copy the ones you already have):

# cd /opt/chroot/sshd/pkg/etc/ssh/
# /usr/pkg/bin/ssh-keygen -t rsa1 -b 1024 -f ssh_host_key -N ''
# /usr/pkg/bin/ssh-keygen -t dsa -f ssh_host_dsa_key -N ''
# /usr/pkg/bin/ssh-keygen -t rsa -f ssh_host_rsa_key -N ''

To start the chrooted sshd server, if u have another sshd server already running in the same machine,
u have to choose another port than the 22 ( the default port of the ssh daemon).
To accomplish that edit the sshd_config and edit the following line:
“Port 22” and change the 22 to anything else up to 65535:
Another alternative to this would be to create a virtual ip on the interface, and bind the server to that ip.

*) Starting the sshd server

At this point everything is ready to start the ssh daemon and it is done with the following command:

# chroot /opt/chroot/sshd /sbin/sshd

Add this line to your startup scripts if you want it to be started at system bootup.

*) Set up syslogd to log from the chrooted sshd server

It is very important to know how our chrooted sshd server is doing inside the chroot.
To syslog to the /var/log/authlog ( the default log file for the sshd server)
we configure the syslogd_flags in the /etc/defaults/rc.conf file.

# vi /etc/defaults/rc.conf

And add/modify this line:
syslogd=YES syslogd_flags="-p /var/run/log -p /opt/chroot/sshd/var/run/log -s" # -s "secure" unix domain only

And then restart the syslogd daemon a la rc.d way.

# /etc/rc.d/syslogd restart

*) Client configuration

The client configuration part is up to U.
I use the scp command that comes with the openssh suite.
A good free scp client for Windows is WinSCP (http://winscp.net).

*) The folder/file structure

This is how my chrooted folder/file structure looks like.
Remember that the soft-linked pkg/etc acts like usr/pkg/etc.
The dev folder is omitted, so don't panic if you don't see it.

bin
bin/scponly
bin/groups
bin/pwd
bin/ls
etc
etc/passwd.conf
etc/group
etc/master.passwd
etc/spwd.db
etc/passwd
etc/pwd.db
etc/localtime
home
home/scpuser
home/scpuser/.ssh
home/scpuser/.ssh/authorized_keys
lib
lib/libcrypt.so.0
lib/libutil.so.7
lib/libskey.so.1
lib/libcrypto.so.0.9.7
lib/libc.so.12
lib/libwrap.so.0
lib/libtermcap.so.0
lib/libedit.so.2
lib/libroken.so.12
lib/libcom_err.so.4
lib/libasn1.so.6
lib/libcrypto.so.2
lib/libkrb5.so.19
lib/libz.so.0
libexec
libexec/ld.so
libexec/ld.elf_so
libexec/sftp-server
sbin
sbin/sshd
sbin/nologin
sbin/pwd_mkdb
tmp
var
var/run
var/run/sshd.pid
var/run/log
var/run/utmpx
var/chroot
var/chroot/sshd
pkg
pkg/etc
pkg/etc/ssh
pkg/etc/ssh/moduli
pkg/etc/ssh/ssh_known_hosts
pkg/etc/ssh/ssh_config
pkg/etc/ssh/sshd_config
pkg/etc/ssh/ssh_host_key.pub
pkg/etc/ssh/ssh_host_dsa_key
pkg/etc/ssh/ssh_host_dsa_key.pub
pkg/etc/ssh/ssh_host_rsa_key
pkg/etc/ssh/ssh_host_rsa_key.pub
pkg/etc/ssh/ssh_host_key
 
Old 06-09-2006, 10:56 AM   #4
vbsaltydog
Member
 
Registered: Nov 2005
Distribution: CentOS
Posts: 154

Original Poster
Rep: Reputation: 15
Thank you for the detailed reply. This is what I was looking for. Perhaps long was a better word than complex but I think the length was enough to warrant my complexity comment.

Thanks again for the informative post.

-vbsaltydog
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
chroot ssh Manuel-H Slackware 3 09-15-2005 05:33 PM
chroot kits and jails dracolich Linux - Security 1 08-29-2005 06:52 AM
ssh for chroot Thorsten Linux - Security 1 08-26-2003 05:46 AM
ssh for chroot Thorsten Linux - Software 0 08-26-2003 03:49 AM
chroot jails and passwd control scottrell Linux - General 11 04-04-2003 10:06 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:19 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration