It is not very well documented, but I haven't come across any special problems. I'll post my method. I have not tested the security (although the jail shows) and have not tried it with PAM, so call it an introduction to chroot sshd. Some parts are specific to Debian; refer to your distro for these.
(Everything has to be done as root)
Get the sshd server:
Code:
apt-get source openssh-server
Patch it, in my case I have 4.2p1:
Code:
wget http://chrootssh.sourceforge.net/download/osshChroot-4.2p1.diff
Apply patch:
Code:
patch -p1 < osshChroot-4.2p1.diff
See the result:
Code:
debian:~/chroot_ssh# more openssh-4.2p1/version.h
/* $OpenBSD: version.h,v 1.45 2005/08/31 09:28:42 markus Exp $ */
#define SSH_VERSION "OpenSSH_4.2-chrootssh"
Compile/Build:
Code:
apt-get build-dep openssh-server
cd openssh-4.2p1
CFLAGS="-O4 -march=i686" debian/rules binary-openssh-server
Install:
Code:
cd ..
dpkg -i openssh-server_4.2p1-6_i386.deb
Now set up the jail for new user bush, be sure to put the leading . (to tell openssh to put bush in jail)
Code:
adduser bush -d /home/bush/./
Set the comfortable jail:
Code:
mkdir /home/bush/bin
mkdir /home/bush/etc
mkdir /home/bush/lib
Copy bash to the jail
Code:
cp /bin/bash /home/bush/bin
Look at dependencies of bash
Code:
ldd /home/bush/bin/bash
Gives me this:
Quote:
linux-gate.so.1 => (0xffffe000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb7e94000)
libdl.so.2 => /lib/tls/libdl.so.2 (0xb7e90000)
libc.so.6 => /lib/tls/libc.so.6 (0xb7d58000)
/lib/ld-linux.so.2 (0xb7eef000)
Copy them in the jail
Code:
cd /lib
cp ld-linux.so.2 libc.so.6 libdl.so.2 libncurses.so.5 /home/bush/lib
Transfer /etc/passwd line for new user to the jail
Code:
grep '^bush:' /etc/passwd > /home/bush/etc/passwd
Try!!
Code:
/etc/init.d/ssh restart
ssh bush@localhost
Quote:
Last login: Wed Feb 22 13:50:27 2006 from localhost.localdomain
-bash-3.1$pwd
/
-bash-3.1$
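The ldd-and-copy steps above can be scripted so that nothing is missed when more binaries go into the jail. This is an added example, not part of the original post; the function names `ldd_paths`, `copy_into_jail` and `jail_binary` are hypothetical, and unlike the post it keeps each library at its original path (e.g. `/lib/tls/`) inside the jail instead of flattening everything into `lib/`.

```shell
#!/bin/sh
# Added example: copy a binary plus the shared libraries ldd reports into a jail.

# Read ldd output on stdin and print one absolute library path per line.
# Handles "name => /path (addr)" lines and bare "/path (addr)" lines (the
# dynamic loader). Entries without a path, such as linux-gate.so.1 (mapped
# by the kernel, not a file on disk), are skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# copy_into_jail JAIL FILE...
# Copy each FILE to the same absolute path under JAIL. cp -L follows
# symlinks, so the jail receives the real library, not a dangling link.
copy_into_jail() {
    jail=$1
    shift
    for f in "$@"; do
        mkdir -p "$jail$(dirname "$f")" || return 1
        cp -L "$f" "$jail$f" || return 1
    done
}

# jail_binary JAIL BINARY
# Install BINARY and every library it links against. A static binary makes
# ldd print no paths, in which case only the binary itself is copied.
# Assumes library paths contain no whitespace (word splitting is intended).
jail_binary() {
    libs=$(ldd "$2" | ldd_paths)
    # shellcheck disable=SC2086
    copy_into_jail "$1" "$2" $libs
}

# Usage with the jail from the post:
#   jail_binary /home/bush /bin/bash
```

Run ldd only on binaries you trust, because on some systems it works by invoking the program's loader.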