
confused_user 02-14-2006 05:15 AM

jail user to /home/user directory
I have an SSH user that I don't want to be able to navigate outside of his home directory; I don't want him snooping around in /etc and so on.

Does anyone know how I can stop him doing this?

Much appreciated

Intimidator 02-14-2006 11:29 AM

chroot is what you are after. Check the following links...

stress_junkie 02-20-2006 09:24 AM

I just read this the other day. I haven't tested it yet.

confused_user 02-22-2006 04:47 AM

thanks for your replies guys.

After days of struggling with chroot ssh jails I have abandoned it and moved on to SSL instead, which is extremely simple to set up and just as secure.

If you want my advice: unless you are the author of the ssh protocol, do not attempt to use chroot with sshd; it's almost impossible to set up, as the documentation available is pathetic.

many thanks for your help.

confused user.

nx5000 02-22-2006 07:27 AM

It is not well documented, but I haven't come across special problems. I'll post my method; I have not tested the security (although the jail shows) and have not tried it with PAM, so call it an introduction to chroot sshd. Some parts are specific to Debian; refer to your distro for these.

(Everything has to be done as root)

Get the sshd server:

apt-get source openssh-server
Patch it, in my case I have 4.2p1:

Apply the patch from inside the unpacked source tree (-p1 strips the leading directory from the paths in the diff; patch reads the diff from stdin):

cd openssh-4.2p1
patch -p1 < ../osshChroot-4.2p1.diff
cd ..
See the result:

debian:~/chroot_ssh# more openssh-4.2p1/version.h
/* $OpenBSD: version.h,v 1.45 2005/08/31 09:28:42 markus Exp $ */

#define SSH_VERSION    "OpenSSH_4.2-chrootssh"


apt-get build-dep openssh-server
cd openssh-4.2p1
CFLAGS="-O4 -march=i686" debian/rules binary-openssh-server


cd ..
dpkg -i openssh-server_4.2p1-6_i386.deb

Now set up the jail for new user bush; be sure to put the /./ in the home directory path (to tell the patched openssh to put bush in the jail):

useradd -m -d /home/bush/./ -s /bin/bash bush   # useradd takes -d; Debian's adduser does not
Set the comfortable jail:

mkdir /home/bush/bin
mkdir /home/bush/etc
mkdir /home/bush/lib

Copy bash to the jail

cp /bin/bash /home/bush/bin
Look at dependencies of bash

ldd /home/bush/bin/bash
Gives me this (the library names in front of each => were lost when the output was pasted):

    => (0xffffe000)
    => /lib/ (0xb7e94000)
    => /lib/tls/ (0xb7e90000)
    => /lib/tls/ (0xb7d58000)
    /lib/ (0xb7eef000)

Copy them in the jail

cd /lib
cp <the libraries ldd listed> /home/bush/lib

Transfer /etc/passwd line for new user to the jail

grep bush /etc/passwd > /home/bush/etc/passwd

/etc/init.d/ssh restart
ssh bush@localhost


Last login: Wed Feb 22 13:50:27 2006 from localhost.localdomain

confused_user 02-23-2006 02:31 AM

Well, that's more like it. I'll follow your notes and let you know how I get on, but for anyone else looking to do this in the meantime, vsftpd has SSL support built in now and it's like a 10 minute job to set it up.

thanks for the help!

nx5000 02-23-2006 02:44 AM

Yes, try it, at least for fun. I'm sure it won't take you longer than 10 minutes :) This post is for ssh; for sftp (part of ssh) there are a few other things to do, I think. I could post it if I try it.

confused_user 02-24-2006 06:33 AM

Yes, I will try it and post my results; I haven't had a chance yet...

I should probably restate my aims.

I have a client that is insisting on a secure file transfer solution. Being a lazy person I opted for something that I thought would be easiest: sshd, being present on almost every standard Linux distro.

I had originally wanted to use RSSH to limit what the ssh user could do, i.e. not issue commands like "useradd", "chown", "chmod" and things like that. I only want him to be able to do "get", "put", "mkdir", "rm" and "ls".

This is all pretty easy to do. So when it came to hardening the server I realised that I was able to navigate to the true root of the file system and was able to browse (read only) to /etc and everywhere else. In theory it would be possible to look at the shadow hashes and brute force them, among other things.

So I want to put the user in a chroot jail in his home directory (or somewhere else). So the problem is moving the bins like "ls" and "get" into his chroot jail and their associated libs.

Your notes above have helped me understand how to go about doing this; I didn't know about the ldd command :)

If you have an SFTP version of the above notes I would love to read them!!

a thousand thanks
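The sftp-only jail asked for in this post (get/put/mkdir/rm/ls, no shell, no view of /etc) became a built-in sshd feature after this thread: OpenSSH 4.8p1 (March 2008) and later ship ChrootDirectory and the internal-sftp subsystem, so no third-party patch or copied binaries and libraries are needed for sftp. The following sshd_config fragment is an added example written for this page, not configuration from the thread; the user name bush and the directory layout are assumed. The ownership rule in the comments is sshd's own requirement, not an assumption: every path component of the ChrootDirectory must be owned by root and not writable by group or others, which is why uploads go into a separate subdirectory.

```text
# /etc/ssh/sshd_config (OpenSSH >= 4.8p1), added example, not from the thread.
# Global settings first; Match blocks must come at the end of the file.
Subsystem sftp internal-sftp

Match User bush
    # /home/bush and every directory above it: owned by root, mode 0755 or stricter,
    # otherwise sshd refuses the login with "bad ownership or modes for chroot directory".
    ChrootDirectory /home/bush
    # The only thing the user can run is the sftp protocol handler; no shell, no commands.
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

Give the user a writable area inside the jail (for example mkdir /home/bush/upload; chown bush /home/bush/upload) and leave /home/bush itself root-owned. Inside the jail the user sees only what is under /home/bush, so there is no /etc to browse, and because internal-sftp runs inside sshd there are no binaries or libraries to copy and keep patched.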

nx5000 03-02-2006 12:04 PM

Then better use the chroot configuration of vsftpd rather than hacking into the code of ssh; even if it is possible, it is maybe less tested.

tipa 03-15-2006 07:22 AM

Can you explain more to me, or do you have some link that can help me?

nx5000 03-15-2006 07:51 AM

You want to chroot ssh? What don't you understand?

The first thing is to get the ssh server source. You need this because you have to recompile it, because the standard one, as far as I know, doesn't have this feature.

Then you patch it.

Did you do this first?

tipa 03-15-2006 08:23 AM

No, I haven't. I just downloaded the last version and set it up; I think that's all I had to do.
Do you have some guide?
If you can, first explain to me how to set up the jail on a local machine, where some user is chrooted to the jail.
Thank you

nx5000 03-15-2006 09:56 AM

The only guide I have is this one :)

There are some on the net. I have just looked on Google (keywords: chroot ssh); they are all a little bit more complex.

For setting up the jail you need to look after the step:
"Now set up the jail for new user bush"

To set up a jail in his home, you need to put everything needed by his shell (bash) in his home, as if /home/bush were /.

By doing ldd I ask what bash depends on:
/lib, ...
so you have to create the place for bash first:
mkdir /home/bush/bin
cp /bin/bash /home/bush/bin

then the libs:
mkdir /home/bush/lib
cp <all the libs> /home/bush/lib

then the file passwd is needed, so:
mkdir /home/bush/etc

and so on...
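The jail-building steps in nx5000's two posts above (copy the binary, run ldd on it, copy every library it lists into the jail) can be scripted. The following is an added example written for this page, not code from the thread or from OpenSSH: it parses ldd output, drops the vDSO entry that has no file behind it (the linux-gate line), and copies each binary plus its libraries under the jail root, preserving the original directory layout so that /lib/ld-linux.so.2 ends up exactly where the program interpreter path expects it. The sample ldd transcript, the library names in it and the LDD override variable are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): populate a chroot jail with binaries
# and the shared libraries ldd reports for them. The parser is a separate
# function so it can be exercised on a constructed ldd transcript without
# touching the system; populate_jail itself is meant to be run as root.

# Read ldd(1) output on stdin and print one absolute library path per line.
# Keeps  "libc.so.6 => /lib/tls/libc.so.6 (0x...)"  and  "/lib/ld-linux.so.2 (0x...)";
# drops  "linux-gate.so.1 => (0x...)", the vDSO, which has no file to copy.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                { print $1 }'
}

# Copy one file into the jail, recreating its directory under the jail root.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# populate_jail JAIL BIN... : copy each binary plus the libraries ldd lists.
# LDD may be overridden (assumed hook for this example) to substitute a fake ldd.
populate_jail() {
    jail=$1; shift
    for bin in "$@"; do
        copy_into_jail "$jail" "$bin"
        "${LDD:-ldd}" "$bin" | ldd_libs | while read -r lib; do
            copy_into_jail "$jail" "$lib"
        done
    done
}

# Constructed ldd transcript in the shape shown in the post above; the
# library names are filled in for the sample only, run ldd for real values.
SAMPLE_LDD='    linux-gate.so.1 =>  (0xffffe000)
    libncurses.so.5 => /lib/libncurses.so.5 (0xb7e94000)
    libdl.so.2 => /lib/tls/libdl.so.2 (0xb7e90000)
    libc.so.6 => /lib/tls/libc.so.6 (0xb7d58000)
    /lib/ld-linux.so.2 (0xb7eef000)'

# Parse the constructed sample: yields the four real library paths, no vDSO.
sample_libs() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_libs
}

# Usage (as root):  populate_jail /home/bush /bin/bash /bin/ls
```

Copying the libraries flat into /home/bush/lib as the post does also works, because the loader inside the jail falls back to /lib when there is no /etc/ld.so.cache, but preserving the host paths is what keeps the interpreter (/lib/ld-linux.so.2) resolvable without thinking about it. Re-run the script after a bash or libc upgrade on the host: the package manager does not know about the copies in the jail, so they stay at the old, possibly vulnerable, version.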
