LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 05-02-2008, 06:59 AM   #1
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,546

Rep: Reputation: 51
How to enable 2 ssh servers: one for /home and one for /home/theuser only?


Hello,
I would be interested in setting up, on a Debian stable box,
an ssh server setup: one for /home and one for /home/theuser only.

I would like the ssh process/daemon to detect the login name and say:

- login user1 to userX: you may get full /home/... access (with regular permissions)

- login theuser: this user can see nothing, just his personal /home/theuser content and nothing else, so that he cannot even see /usr/bin, /etc, ... just his own data in his /home/theuser.

Is that somehow possible with Debian Linux?

I did apt-get install the ssh server stuff
and I am awaiting your information to modify the ssh config in /etc.

I am looking forward to hearing your information.

With thanks and best regards
 
Old 05-02-2008, 07:21 AM   #2
tidww01
LQ Newbie
 
Registered: Dec 2005
Posts: 19

Rep: Reputation: 0
chroot, not 2 ssh servers

What you want to do is called chroot on the second user and not use two ssh servers. Two ssh servers wouldn't work because of port conflicts, etc. The second user has to see /usr/bin at the very least, so to make chroot work you would have to copy select programs out of /usr/bin to a directory under their root directory /home/user. Commonly done with ftp but not so common with user logins. Why are you so concerned about limiting them to a single directory? Perhaps you should just review normal security procedures and see if it will work for you.
 
Old 05-02-2008, 07:36 AM   #3
seraphim172
Member
 
Registered: May 2008
Posts: 101

Rep: Reputation: 15
jailroot

Use a jailroot shell for that given user (a chroot solution as already mentioned).

http://nixbit.com/cat//utilities/jailkit/

Another tutorial is at http://www.cyberciti.biz/tips/howto-...oted-jail.html but it's related to web servers, though it might give a few ideas.


Last edited by seraphim172; 06-05-2008 at 10:33 AM.
 
Old 05-02-2008, 10:05 AM   #4
frenchn00b
Original Poster
Quote:
Originally Posted by tidww01
What you want to do is called chroot on the second user and not use two ssh servers. Two ssh servers wouldn't work because of port conflicts, etc. The second user has to see /usr/bin at the very least, so to make chroot work you would have to copy select programs out of /usr/bin to a directory under their root directory /home/user. Commonly done with ftp but not so common with user logins. Why are you so concerned about limiting them to a single directory? Perhaps you should just review normal security procedures and see if it will work for you.
What do you mean with "Perhaps you should just review normal security procedures and see if it will work for you."? Like permissions?
Well, I just have regular users that can make all the mess they want with their user account, since they are trusted, and others not, or less. So my idea was to block everything and restrict them just to /home/usersrestricted and nothing else.

I'll have a look at the links provided above.

T H A N K Y O U !!
 
Old 05-04-2008, 12:42 PM   #5
frenchn00b
Original Poster
Quote:
Originally Posted by seraphim172
Use a jailroot shell for that given user (a chroot solution as already mentioned).

http://nixbit.com/cat//utilities/jailkit/

Another tutorial is at http://www.cyberciti.biz/tips/howto-...oted-jail.html but it's related to web servers, though it might give a few ideas.
http://www.cyberciti.biz/tips/howto-...oted-jail.html
is more for apache.


All those are a bit complicated; let's go step by step.
I just installed jailkit after ./configure ; make ; make install

Code:
jailkit# cat /etc/shells
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/bash
/bin/rbash
/bin/zsh
/usr/bin/zsh
/usr/bin/screen
/usr/sbin/jk_chrootsh

So let's give it a try with chroot first.

I found this:
http://www.fuschlberger.net/programs...p-chroot-jail/
I don't do it when I don't understand ...
no bash of the sh file.

I follow this:
http://olivier.sessink.nl/jailkit/howtos_ssh_only.html

first error:

Code:
# jk_init -v  /home/chrootusers ssh
ERROR: /home/chrootusers is not owned by root:root!

ERROR: chrootdir /home/chrootusers is not safe

Usage: /usr/sbin/jk_init [OPTIONS] chrootdir sections...

-h --help              : this help screen
-c, --configfile=FILE  : specify configfile location
-l, --list             : list all available sections in the configfile
-v, --verbose          : show what is being done
-f, --force            : force overwriting of existing files
 
Old 05-04-2008, 12:59 PM   #6
frenchn00b
Original Poster
Damn this:

How to break the jailkit :
http://www.bpfh.net/simes/computing/chroot-break.html
 
Old 05-04-2008, 01:03 PM   #7
frenchn00b
Original Poster
My errors:

Code:
 /etc/init.d/jailkit start
Starting jailkit: jk_socketdversion 2.1,no sockets specified in configfile or on commandline, nothing to do, exiting...
 done.

Tail error on the box:
Code:
 by (uid=0)
May  4 19:57:12 localhost jk_chrootsh[17918]: abort, path /home/chrootusers is setgid
May  4 19:57:12 localhost jk_chrootsh[17918]: abort, path /home/chrootusers is not a safe jail, check ownership and permissions
 
Old 05-05-2008, 12:50 AM   #8
fukawi2
Member
 
Registered: Oct 2006
Location: Melbourne, Australia
Distribution: ArchLinux, ArchServer, Fedora, CentOS
Posts: 448

Rep: Reputation: 34
Can you do it using Match rules in the sshd config file?

I use it to allow tcp-forwarding to certain users by adding them to a specific group:
Code:
Match Group tcp-forward
        AllowTcpForwarding yes
You could match the user; I'm not 100% sure what parameter would jail them to their directory...
 
Old 05-05-2008, 12:58 AM   #9
frenchn00b
Original Poster
Quote:
Originally Posted by fukawi2
Can you do it using Match rules in the sshd config file?

I use it to allow tcp-forwarding to certain users by adding them to a specific group:
Code:
Match Group tcp-forward
        AllowTcpForwarding yes
You could match the user, not 100% what parameter would jail them to their directory...
Are you sure that it is the issue with my problem? I wouldn't be unsecured.
Concerning the test, it was done from behind the firewall (inside the internal network) ... it didn't work.
I'll try tonight.
 
Old 05-06-2008, 08:01 AM   #10
tidww01
The chroot or jailkit are really your only options. The tcp forwarding would only apply to X-Windows I believe, not sure what good that would do you. The error you saw with jailkit has to do with the permissions on the directory you were trying to use. For some reason it has the setgid bit turned on. Not sure what the purpose of that is but it's easy enough to turn off. I've never used jailkit, only the chroot option and the link previously given will work well. But if you've already installed jailkit, just fix your permissions and run it again.
 
Old 05-06-2008, 12:48 PM   #11
frenchn00b
Original Poster
Quote:
Originally Posted by tidww01
The chroot or jailkit are really your only options. The tcp forwarding would only apply to X-Windows I believe, not sure what good that would do you. The error you saw with jailkit has to do with the permissions on the directory you were trying to use. For some reason it has the setgid bit turned on. Not sure what the purpose of that is but it's easy enough to turn off. I've never used jailkit, only the chroot option and the link previously given will work well. But if you've already installed jailkit, just fix your permissions and run it again.
I did:
Code:
chmod uog+rx -R /home/chrootusers/
Do you think it is sufficient?
The /home/chrootusers/home/users directory has the right permissions.

What can it be?
 
Old 05-06-2008, 01:13 PM   #12
frenchn00b
Original Poster
Code:
    /* test procmail in the jail, it is not allowed to be setuid() or setgid()
    it is common to have procmail setuid() root and setgid() mail in the regular
    system, but it is for most situations not required, and therefore very much
    not recommended inside a jail. So we will simply exit because it is a
    security risk */
    testsafepath(PROCMAILPATH,0,0);

    /* prepare the new environment */
    setenv("HOME",newhome,1);
    setenv("USER",pw->pw_name,1);
    if (chdir(newhome) != 0) {
        syslog(LOG_ERR, "abort, failed to chdir() inside the jail to %s",newhome);
        exit(41);
    }

    /* cleanup before execution */
    free(newhome);
    free(jaildir);

    /* now execute the jailed shell */
    /*execl(pw->pw_shell, pw->pw_shell, NULL);*/
    {
        char **newargv;
        int i;
        newargv = malloc0((argc+1)*sizeof(char *));
        newargv[0] = PROCMAILPATH;
        for (i=1;i<argc;i++) {
            newargv[i] = argv[i];
        }
        execv(PROCMAILPATH, newargv);
    }
    DEBUG_MSG(strerror(errno));
    syslog(LOG_ERR, "WARNING: could not execute %s for user %d:%d",PROCMAILPATH,getuid(),getgid());

    exit(111);
}
 
Old 05-06-2008, 01:33 PM   #13
frenchn00b
Original Poster
Quote:
chroot unsecured???

Zenwalk Support • View topic - Does Zenwalk/Zenserver have a ...
It uses a tool jk_chroot which is based on the old, insecure chroot. I would like to see them take a different approach and not base the system on something ...
http://support.zenwalk.org/viewtopic...a0fd4b50553113

Quote:
Thanks mate!

Jailkit looked nice, but I'm a bit skeptic. It uses a tool jk_chroot which is based on the old, insecure chroot. I would like to see them take a different approach and not base the system on something which is already insecure. They also make a big point of a wrong configured jail makes the system very insecure, which scares me a bit from using their system as well.

The blog about linux vserver wasn't complete, but it's a lot better then the linux vserver documentation only. Thanks!

After reading some of the posts in this forum, I'm afraid I'm just wasting my time securing a bastion host with Zenserver. A bastion host should be über secure, but if Zenwalk is only launching unofficial security advisories in the forum and not actually fixes, this might be a great problem. Maybe another distribution/OS would make a better choice for a bastion host?
------------------------------------

Last edited by frenchn00b; 05-06-2008 at 01:38 PM.
 
Old 05-06-2008, 04:55 PM   #14
frenchn00b
Original Poster
Waooow, the ssh worked!

Now I am trying to get the sftp server working like it says for Debian:
syslog.conf step: how to do it??
http://olivier.sessink.nl/jailkit/ho..._scp_only.html
I don't get what he means.


I get this error message now ... )
Code:
tried to get an interactive shell session (/usr/sbin/jk_lsh), which is never allowed by jk_lsh
(if I manage, by luck, I will write my howto in this page)
 
Old 05-06-2008, 05:37 PM   #15
frenchn00b
Original Poster
When I log in to the ssh via gftp SSH2 (sftp) it says this error:

Code:
There was an error initializing a SSH connection with the remote server. The error message from the remote server follows:
 
  

