Well, I wanted to set up chrooted SSH to allow users to sftp to my server for file transfer. The chroot ssh site "http://chrootssh.sourceforge.net/" seems to be down for some reason, so I moved to rssh, with no need to patch OpenSSH. I had trouble getting it to work, and after long hours of hair pulling, success.
Just wanted to share this with others so they don't waste time figuring out what's bloody wrong.
In my case (testing with WinSCP) the connection would close right after authenticating the user.
The problem:
The permissions on /chroot_path/dev/null and /chroot_path/dev/zero were not 666 (chmod 666). Sheesh.
I have tested this on a Fedora Core 5 distro, and it would work on Red Hat distros and possibly on others.
Download rssh from:
http://www.pizzashack.org/rssh/
Configure /etc/rssh.conf for chroot.
Some things I do manually: create the sftp user's home directory under the chroot jail's home directory, chown that directory to the user and chmod 770 it, and copy the user's entries from /etc/passwd and /etc/group into the chroot jail's etc directory.
In my passwd the entry is like:
sftp_user:x:1000:1000::/opt/chroot/home/sftp_user:/usr/bin/rssh
Also edit /etc/sysconfig/syslog
and replace
SYSLOGD_OPTIONS="-m 0"
with
SYSLOGD_OPTIONS="-m 0 -a /chroot_jail_path/dev/log"
service syslog restart
otherwise the last rssh log entry in /var/log/messages will always be:
chroot cmd line: /usr/libexec/rssh_chroot_helper 2 /usr/libexec/openssh/sftp-server
because after chrooting, rssh can't find /dev/log inside the jail.
The following is my modified version of a script to create the chroot jail environment, which I found on some site.
Copy and paste the code into a file called "create_chroot_rssh" and
chmod +x create_chroot_rssh
Code:
#!/bin/bash
# Here specify the apps you want in the environment
APPS="/usr/bin/scp /usr/libexec/openssh/sftp-server /usr/libexec/rssh_chroot_helper"
# Sanity check
if [ "$1" = "" ] ; then
    echo "Usage: ./create_chroot_rssh chroot_jail_path"
    echo
    echo "For eg: ./create_chroot_rssh /home/chroot"
    exit 1
fi
# Everything below is done relative to the jail root
CHROOT_JAIL=$1
mkdir -p "$CHROOT_JAIL"
cd "$CHROOT_JAIL" || exit 1
# Create directories, no one will do it for you
mkdir -p ./home ./etc ./usr/bin ./usr/libexec/openssh ./dev ./lib
# Device nodes: both must be 0666 or the sftp session dies right after login
mknod ./dev/null c 1 3
mknod ./dev/zero c 1 5
chmod 666 ./dev/null ./dev/zero
# Copy the apps and the related libs
for prog in $APPS; do
    mkdir -p ".$(dirname "$prog")"
    cp "$prog" ".$prog"
    # obtain a list of related libraries: ldd prints "name => /path" for
    # libraries and a bare "/path" for the dynamic loader (ld-linux.so.2),
    # so take column 3 or column 1, whichever is an absolute path; lines such
    # as "linux-gate.so.1 => (0x...)" carry no file and are skipped
    if ldd "$prog" > /dev/null 2>&1 ; then
        LIBS=$(ldd "$prog" | awk '$3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }')
        for l in $LIBS; do
            mkdir -p ".$(dirname "$l")"
            cp "$l" ".$l"
        done
    fi
done
# The loader line handled above covers /lib/ld-linux.so.2; cp follows the
# symlink, so the jail gets the real ld-2.4.so (on Fedora Core 5) under the
# name ld-linux.so.2 and no separate copy or symlink is needed.
# For some strange reason these 3 libraries are not in the ldd output (glibc
# loads them with dlopen for NSS), but without them some stuff will not work,
# like /usr/bin/groups
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
# The loader also needs the library cache and its config inside the jail
cp /etc/ld.so* ./etc/
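Added example, not part of the original post and not rssh's own code: a bash checker that runs over a finished jail and flags exactly the things that went wrong here (device node modes, missing passwd/group copies, the /dev/log socket, helper binaries whose libraries did not get copied), plus a function that prints the rssh.conf fragment for the jail. It assumes a Linux host with GNU stat and ldd, the jail layout the post's script builds, and the same binary list as the script's APPS variable; the jail path /opt/chroot and user sftp_user are the post's example values.

```bash
#!/bin/bash
# check_rssh_jail: verify an rssh chroot jail built with the script above.
# Added example, not part of the original post or of rssh itself. Assumes a
# Linux host with GNU stat and ldd and the jail layout the post describes.
#
# Usage:  ./check_rssh_jail /opt/chroot [sftp_user]

# Binaries expected inside the jail (relative to its root); same list as the
# post's APPS variable. Override with JAIL_BINS="..." for a different layout.
JAIL_BINS="${JAIL_BINS:-usr/libexec/rssh_chroot_helper usr/libexec/openssh/sftp-server usr/bin/scp}"

# Print an rssh.conf that chroots every rssh user into JAIL and allows only
# scp and sftp. The directive names are rssh's own; the path is an assumption.
rssh_conf_for_jail() {
    local jail=$1
    cat <<EOF
# /etc/rssh.conf: scp and sftp only, chrooted into $jail
logfacility = LOG_USER
umask = 022
allowscp
allowsftp
chrootpath = $jail
EOF
}

# Return 0 if JAIL looks usable, 1 otherwise, printing one line per problem.
# A missing /dev/log socket is only a warning: it silences rssh's logging
# inside the jail but does not break transfers.
check_rssh_jail() {
    local jail=$1 user=$2 rc=0 dev node mode f bin lib

    # 1. /dev/null and /dev/zero: character devices, mode 0666. This is the
    #    check that would have saved the post's author an evening.
    for dev in null zero; do
        node="$jail/dev/$dev"
        if [ ! -c "$node" ]; then
            echo "FAIL: $node is not a character device (mknod c 1 3 / c 1 5)"
            rc=1
        else
            # GNU stat first, BSD stat as a fallback
            mode=$(stat -L -c %a "$node" 2>/dev/null || stat -L -f %Lp "$node")
            if [ "$mode" != "666" ]; then
                echo "FAIL: $node is mode $mode, needs 666"
                rc=1
            fi
        fi
    done

    # 2. passwd and group copies: without them the chroot helper cannot map
    #    the user; a named user must have an entry and a home directory.
    for f in passwd group; do
        [ -s "$jail/etc/$f" ] || { echo "FAIL: $jail/etc/$f missing or empty"; rc=1; }
    done
    if [ -n "$user" ]; then
        grep -q "^$user:" "$jail/etc/passwd" 2>/dev/null \
            || { echo "FAIL: no entry for $user in $jail/etc/passwd"; rc=1; }
        [ -d "$jail/home/$user" ] \
            || { echo "FAIL: $jail/home/$user does not exist"; rc=1; }
    fi

    # 3. syslog socket, created by "syslogd -a $jail/dev/log"
    [ -S "$jail/dev/log" ] \
        || echo "WARN: $jail/dev/log is not a socket; rssh logging stops after chroot"

    # 4. helper binaries and every shared library ldd reports for them.
    #    ldd prints "name => /path" for libraries and a bare "/path" for the
    #    dynamic loader, so take column 3 or column 1, whichever is absolute.
    for bin in $JAIL_BINS; do
        if [ ! -x "$jail/$bin" ]; then
            echo "FAIL: $jail/$bin missing or not executable"
            rc=1
            continue
        fi
        for lib in $(ldd "$jail/$bin" 2>/dev/null \
                     | awk '$3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }'); do
            [ -e "$jail$lib" ] || { echo "FAIL: $jail$lib needed by $bin"; rc=1; }
        done
    done
    return $rc
}

# Run as a script: ./check_rssh_jail JAIL [USER]
if [ $# -ge 1 ]; then
    check_rssh_jail "$@"
fi
```

Run it after create_chroot_rssh and after every change to the jail; a clean run prints nothing but the /dev/log warning until syslogd has been restarted with the -a option above. The ldd check runs against the copies inside the jail, not the host binaries, so it also catches a library that was copied to the wrong directory.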