LinuxQuestions.org - Sftp and chroot

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - Sftp and chroot (https://www.linuxquestions.org/questions/linux-security-4/sftp-and-chroot-99100/)

I have a redhat 9 server that we wish to get Sftp working in a way the the users are chrooted to their home diretorys and cannot move outside of them.

Is there a way to configure vsftp to allow authentication over ssh?

Thanks for the assistance.

FTP and Sftp are unrelated, SSH provides scp and sftp.
Compile OpenSSH-3.7.1p2 with the chroot patch from http://chrootssh.sourceforge.net, and read the docs and the Chrooted Sftp one.

are there redhat rpms available anywhere with offering ssl with the patch for chroot

are there redhat rpms available anywhere with offering ssl with the patch for chroot
None I know of, but I build them myself, it's easy.
You need to fetch openssh-3.7.1p2.tar.gz yourself. Then save it with the patch in /usr/src/redhat/SOURCES, or even better, if you build rpm's as unprivileged user like I do, save 'em in there in the SOURCES dir. Save the spec file in /usr/src/redhat/SPECS or unpriv user equivalent, cd to that dir and issue "rpm -ba openssh-3.7.1p2.spec.unspawn".
All credits to the original owners and I do not take responsability if something breaks, so YMMV(VM).

This the chrootssh patch:

Code:

--- openssh-3.7.1p2/session.c.orig        Tue Sep 23 10:59:08 2003

+++ openssh-3.7.1p2/session.c        Wed Sep 24 12:56:28 2003

@@ -62,6 +62,8 @@

 #include "ssh-gss.h"

 #endif

 

+#define CHROOT

+

 /* func */

 

 Session *session_new(void);

@@ -1231,6 +1233,12 @@

 void

 do_setusercontext(struct passwd *pw)

 {

+

+#ifdef CHROOT

+        char *user_dir;

+        char *new_root;

+#endif /* CHROOT */

+

 #ifndef HAVE_CYGWIN

        if (getuid() == 0 || geteuid() == 0)

 #endif /* HAVE_CYGWIN */

@@ -1268,6 +1276,27 @@

                        exit(1);

                }

                endgrent();

+

+#ifdef CHROOT

+                user_dir = xstrdup(pw->pw_dir);

+                new_root = user_dir + 1;

+

+                while((new_root = strchr(new_root, '.')) != NULL) {

+                        new_root--;

+                        if(strncmp(new_root, "/./", 3) == 0) {

+                                *new_root = '\0';

+                                new_root += 2;

+

+                                if(chroot(user_dir) != 0)

+                                        fatal("Couldn't chroot to user directory % s", user_dir);

+                                        pw->pw_dir = new_root;

+                                        break;

+                                }

+                                new_root += 2;

+                }

+#endif /* CHROOT */

+

+

 # ifdef USE_PAM

                /*

                  * PAM credentials may take the form of supplementary groups.

And this the diff between the original and my specfile:

Code:

--- openssh.spec        Tue Sep 23 11:26:53 2003

+++ openssh.spec.u        Thu Oct  2 23:46:42 2003

@@ -1,3 +1,7 @@

+# Is this a chroot-enabled build? (1=yes 0=no)

+%define tchroot 1

+%{?build_tchroot:%define tchroot 1}

+

 %define ver 3.7.1p2

 %define rel 1

 

@@ -97,6 +101,16 @@

 BuildPreReq: krb5-libs

 %endif

 

+%if %{tchroot}

+# Patchloc: http://chrootssh.sourceforge.net/dow...hroot-3.7.diff

+%define patch1_uri chrootssh.sourceforge.net

+%define patch1_name osshChroot

+%define patch1_ver 3.7

+%define patch1_rel 1p2

+%define patch1_n %{patch1_name}-%{patch1_ver}.%{patch1_rel}.diff

+Patch1: %{patch1_n}

+%endif

+

 %package clients

 Summary: OpenSSH clients.

 Requires: openssh = %{version}-%{release}

@@ -138,12 +152,20 @@

 This package includes the core files necessary for both the OpenSSH

 client and server. To make this package useful, you should also

 install openssh-clients, openssh-server, or both.

+%endif

+%if %{tchroot}

+INCLUDES %{patch1_n}, see: %{patch1_uri}

+%endif

 

 %description clients

 OpenSSH is a free version of SSH (Secure SHell), a program for logging

 into and executing commands on a remote machine. This package includes

 the clients necessary to make encrypted connections to SSH servers.

 You'll also need to install the openssh package on OpenSSH clients.

+%endif

+%if %{tchroot}

+INCLUDES %{patch1_n}, see: %{patch1_uri}

+%endif

 

 %description server

 OpenSSH is a free version of SSH (Secure SHell), a program for logging

@@ -151,17 +173,29 @@

 the secure shell daemon (sshd). The sshd daemon allows SSH clients to

 securely connect to your SSH server. You also need to have the openssh

 package installed.

+%endif

+%if %{tchroot}

+INCLUDES %{patch1_n}, see: %{patch1_uri}

+%endif

 

 %description askpass

 OpenSSH is a free version of SSH (Secure SHell), a program for logging

 into and executing commands on a remote machine. This package contains

 an X11 passphrase dialog for OpenSSH.

+%endif

+%if %{tchroot}

+INCLUDES %{patch1_n}, see: %{patch1_uri}

+%endif

 

 %description askpass-gnome

 OpenSSH is a free version of SSH (Secure SHell), a program for logging

 into and executing commands on a remote machine. This package contains

 an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop

 environment.

+%endif

+%if %{tchroot}

+INCLUDES %{patch1_n}, see: %{patch1_uri}

+%endif

 

 %prep

 

@@ -169,6 +203,10 @@

 %setup -q -a 1

 %else

 %setup -q

+%endif

+

+%if %{tchroot}

+%patch1 -p1 -b session.c

 %endif

 

 %build

My specfile is too large to fit here even after I ripped out my stuff, so use the diff: extract and copy the specfile from the tarball (it's in contrib/redhat/openssh.spec) to your SPECS dir. Save the above patch as say chrootssh.spec.diff, then issue "cat chrootssh.spec.diff | patch -b openssh.spec". Then build with "rpm -ba openssh.spec".