LinuxQuestions.org - Linux - Security
Thread: Sftp and chroot (https://www.linuxquestions.org/questions/linux-security-4/sftp-and-chroot-99100/)

axman 10-01-2003 03:33 PM

Sftp and chroot
 
I have a redhat 9 server that we wish to get Sftp working on in a way that the users are chrooted to their home directories and cannot move outside of them.

Is there a way to configure vsftp to allow authentication over ssh?

Thanks for the assistance.

unSpawn 10-02-2003 11:43 AM

FTP and Sftp are unrelated; SSH provides scp and sftp.
Compile OpenSSH-3.7.1p2 with the chroot patch from http://chrootssh.sourceforge.net, and read the docs and the Chrooted Sftp one.

axman 10-02-2003 03:29 PM

Are there redhat rpms available anywhere offering ssl with the patch for chroot?

unSpawn 10-02-2003 05:41 PM

Quote:
Are there redhat rpms available anywhere offering ssl with the patch for chroot?

None I know of, but I build them myself; it's easy.
You need to fetch openssh-3.7.1p2.tar.gz yourself. Then save it with the patch in /usr/src/redhat/SOURCES, or even better, if you build rpm's as an unprivileged user like I do, save 'em in that user's SOURCES dir. Save the spec file in /usr/src/redhat/SPECS (or the unpriv user equivalent), cd to that dir and issue "rpm -ba openssh-3.7.1p2.spec.unspawn".
All credits to the original owners, and I do not take responsibility if something breaks, so YMMV(VM).

This is the chrootssh patch:
Code:

--- openssh-3.7.1p2/session.c.orig        Tue Sep 23 10:59:08 2003
+++ openssh-3.7.1p2/session.c        Wed Sep 24 12:56:28 2003
@@ -62,6 +62,8 @@
 #include "ssh-gss.h"
 #endif
 
+#define CHROOT
+
 /* func */
 
 Session *session_new(void);
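Review bot: the #define CHROOT added at the top of session.c is unconditional, so the chroot code cannot be switched off at build time without editing the source, and the spec's tchroot toggle only decides whether the patch is applied at all. Pass -DCHROOT through CFLAGS (or add a configure option) instead, so one build flag controls both.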
@@ -1231,6 +1233,12 @@
 void
 do_setusercontext(struct passwd *pw)
 {
+
+#ifdef CHROOT
+        char *user_dir;
+        char *new_root;
+#endif /* CHROOT */
+
 #ifndef HAVE_CYGWIN
        if (getuid() == 0 || geteuid() == 0)
 #endif /* HAVE_CYGWIN */
@@ -1268,6 +1276,27 @@
                        exit(1);
                }
                endgrent();
+
+#ifdef CHROOT
+                user_dir = xstrdup(pw->pw_dir);
+                new_root = user_dir + 1;
+
+                while((new_root = strchr(new_root, '.')) != NULL) {
+                        new_root--;
+                        if(strncmp(new_root, "/./", 3) == 0) {
+                                *new_root = '\0';
+                                new_root += 2;
+
+                                if(chroot(user_dir) != 0)
+                                        fatal("Couldn't chroot to user directory % s", user_dir);
+                                        pw->pw_dir = new_root;
+                                        break;
+                                }
+                                new_root += 2;
+                }
+#endif /* CHROOT */
+
+
 # ifdef USE_PAM
                /*
                  * PAM credentials may take the form of supplementary groups.
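Review bot: the two lines after if(chroot(user_dir) != 0) are indented as though pw->pw_dir = new_root; and break; belong to that if, but there are no braces, so they execute whenever the "/./" marker matched; it only works because fatal() does not return. Put braces around the fatal() call so the structure reads as it executes. Three further points on this hunk: the format string "% s" has a space between % and s (a flag that is undefined for %s), and should be "%s"; nothing calls chdir("/") right after chroot(user_dir), so the process keeps a working directory outside the new root until a later chdir, and the conventional hygiene is to chdir("/") immediately after a successful chroot(); and when the home directory contains no "/./" the loop falls through silently and the login proceeds unchrooted, which is the intended chrootssh convention but deserves a log message so an operator can tell chrooted from unchrooted logins. Finally, new_root = user_dir + 1 assumes pw->pw_dir is non-empty; an empty home field would start the scan one byte past the terminator, so check the length (or that it begins with '/') before the loop.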

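The patch above encodes the chrootssh convention in a hand-written scan: the part of the passwd home directory before the first "/./" becomes the chroot target, and the part after it becomes the home directory inside the jail. The following stand-alone C program is an added example, not code from this thread or from the chrootssh project; it re-implements that split with the edge cases made explicit (no marker, empty or relative home, marker at position 0), so you can see exactly which home-directory values would chroot, which would log in unchrooted, and which would fail. The sample home fields are constructed for the demo.

```c
/*
 * Added example (not from the thread or the chrootssh project): the "/./"
 * home-directory split that the session.c patch performs, as a stand-alone
 * function.  Convention assumed from the patch: a passwd home of
 * "/home/chroot/./alice" means chroot() to "/home/chroot" and then use
 * "/alice" as the home directory inside the jail.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum split_result {
    SPLIT_INVALID   = -1,  /* not absolute, empty, or marker at position 0 */
    SPLIT_NO_MARKER =  0,  /* no "/./": the caller must not chroot at all */
    SPLIT_OK        =  1   /* *root_out and *inner_out are set */
};

/* Copies len bytes of s into a fresh NUL-terminated buffer (caller frees). */
static char *dup_range(const char *s, size_t len)
{
    char *out = malloc(len + 1);
    if (out != NULL) {
        memcpy(out, s, len);
        out[len] = '\0';
    }
    return out;
}

/*
 * Splits pw_dir at the first "/./".  On SPLIT_OK, *root_out holds the part
 * before the marker (the chroot target) and *inner_out holds "/" plus the
 * part after it (the home as seen inside the jail); both are malloc'ed and
 * owned by the caller.  On any other result both are NULL.
 */
int split_chroot_home(const char *pw_dir, char **root_out, char **inner_out)
{
    const char *marker;
    size_t root_len;

    *root_out = NULL;
    *inner_out = NULL;

    /* The patch does user_dir + 1 without checking; an empty or relative
       home directory would make that pointer arithmetic meaningless. */
    if (pw_dir == NULL || pw_dir[0] != '/')
        return SPLIT_INVALID;

    /* The patch visits every '.' and steps back one byte to test for "/./";
       strstr() finds the same first match without the back-step. */
    marker = strstr(pw_dir, "/./");
    if (marker == NULL)
        return SPLIT_NO_MARKER;

    root_len = (size_t)(marker - pw_dir);
    if (root_len == 0)
        return SPLIT_INVALID;   /* "/./x" truncates to "", and chroot("") fails */

    *root_out = dup_range(pw_dir, root_len);
    /* marker + 2 is the '/' that begins the in-jail path, exactly what
       new_root += 2 selects in the patch. */
    *inner_out = dup_range(marker + 2, strlen(marker + 2));
    if (*root_out == NULL || *inner_out == NULL) {
        free(*root_out);
        free(*inner_out);
        *root_out = *inner_out = NULL;
        return SPLIT_INVALID;
    }
    return SPLIT_OK;
}

int main(void)
{
    /* Constructed sample home-directory fields, not real accounts. */
    const char *samples[] = {
        "/home/chroot/./alice", "/home/a.b/./c", "/home/chroot/./",
        "/home/bob", "/./x", "",
    };
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        char *root, *inner;
        int rc = split_chroot_home(samples[n], &root, &inner);
        if (rc == SPLIT_OK)
            printf("%-22s -> chroot %-14s home %s\n", samples[n], root, inner);
        else
            printf("%-22s -> %s\n", samples[n],
                   rc == SPLIT_NO_MARKER ? "no marker, login unchrooted"
                                         : "rejected");
        free(root);
        free(inner);
    }
    return 0;
}
```

The SPLIT_NO_MARKER case is the one to watch when operating this setup: an account whose home lacks the marker logs in with no chroot at all, exactly as the posted patch behaves, so a periodic check of /etc/passwd for sftp-only accounts missing "/./" is a cheap control. Whatever code consumes the split should also chdir("/") immediately after a successful chroot(), before any later chdir into the in-jail home.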

unSpawn 10-02-2003 05:51 PM

And this the diff between the original and my specfile:
Code:

--- openssh.spec        Tue Sep 23 11:26:53 2003
+++ openssh.spec.u        Thu Oct  2 23:46:42 2003
@@ -1,3 +1,7 @@
+# Is this a chroot-enabled build? (1=yes 0=no)
+%define tchroot 1
+%{?build_tchroot:%define tchroot 1}
+
 %define ver 3.7.1p2
 %define rel 1
 
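Review bot: %define tchroot 1 followed by %{?build_tchroot:%define tchroot 1} sets the same value either way, so defining build_tchroot on the rpm command line changes nothing. If the intent is a toggle, default tchroot to 0 and let --define 'build_tchroot 1' enable it; if chroot builds should always be on, drop the second line.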
@@ -97,6 +101,16 @@
 BuildPreReq: krb5-libs
 %endif
 
+%if %{tchroot}
+# Patchloc: http://chrootssh.sourceforge.net/dow...hroot-3.7.diff
+%define patch1_uri chrootssh.sourceforge.net
+%define patch1_name osshChroot
+%define patch1_ver 3.7
+%define patch1_rel 1p2
+%define patch1_n %{patch1_name}-%{patch1_ver}.%{patch1_rel}.diff
+Patch1: %{patch1_n}
+%endif
+
 %package clients
 Summary: OpenSSH clients.
 Requires: openssh = %{version}-%{release}
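Review bot: Patch1 expands to osshChroot-3.7.1p2.diff, and rpm does not fetch it, so the downloaded diff must be saved under exactly that name in SOURCES or the build stops at %prep; the Patchloc comment is the only hint to the builder and its URL is cut short in this copy (dow...hroot-3.7.diff), so restore the full URL there. Recording a checksum of the diff next to the comment would let a builder confirm the file they saved is the one this spec was tested against.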
@@ -138,12 +152,20 @@
 This package includes the core files necessary for both the OpenSSH
 client and server. To make this package useful, you should also
 install openssh-clients, openssh-server, or both.
+%endif
+%if %{tchroot}
+INCLUDES %{patch1_n}, see: %{patch1_uri}
+%endif
 
 %description clients
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package includes
 the clients necessary to make encrypted connections to SSH servers.
 You'll also need to install the openssh package on OpenSSH clients.
+%endif
+%if %{tchroot}
+INCLUDES %{patch1_n}, see: %{patch1_uri}
+%endif
 
 %description server
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
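Review bot: the +%endif that precedes each +%if %{tchroot} block (after the openssh and clients descriptions) closes nothing visible in this hunk; unless the surrounding spec already has those %description sections inside a conditional, rpmbuild will reject the spec with an %endif-without-%if error. Check the original spec at those two points and remove the stray %endif lines if they are not closing anything.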
@@ -151,17 +173,29 @@
 the secure shell daemon (sshd). The sshd daemon allows SSH clients to
 securely connect to your SSH server. You also need to have the openssh
 package installed.
+%endif
+%if %{tchroot}
+INCLUDES %{patch1_n}, see: %{patch1_uri}
+%endif
 
 %description askpass
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package contains
 an X11 passphrase dialog for OpenSSH.
+%endif
+%if %{tchroot}
+INCLUDES %{patch1_n}, see: %{patch1_uri}
+%endif
 
 %description askpass-gnome
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package contains
 an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
 environment.
+%endif
+%if %{tchroot}
+INCLUDES %{patch1_n}, see: %{patch1_uri}
+%endif
 
 %prep
 
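Review bot: the same leading +%endif recurs before the server, askpass and askpass-gnome notes and needs the same check, and the three-line %if %{tchroot} / INCLUDES / %endif block is now pasted five times. Defining the note once near the top (for example a macro such as %define chroot_note INCLUDES %{patch1_n}, see: %{patch1_uri}) and referencing it in each description keeps the wording and the patch name in one place.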
@@ -169,6 +203,10 @@
 %setup -q -a 1
 %else
 %setup -q
+%endif
+
+%if %{tchroot}
+%patch1 -p1 -b session.c
 %endif
 
 %build
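Review bot: %patch1 -p1 -b session.c passes "session.c" to -b as the backup suffix, so patch will write the pre-patch copy as session.csession.c instead of marking the file; use a real suffix such as -b .chroot, which yields session.c.chroot. The -p1 is correct for this patch, since its headers carry the openssh-3.7.1p2/ prefix.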

My specfile is too large to fit here even after I ripped out my stuff, so use the diff: extract and copy the specfile from the tarball (it's in contrib/redhat/openssh.spec) to your SPECS dir. Save the above patch as say chrootssh.spec.diff, then issue "cat chrootssh.spec.diff | patch -b openssh.spec". Then build with "rpm -ba openssh.spec".

