hi

first... im using slackware linux (ver. current (kernel 2.6.16.20))

i want to chroot my sftp. im using openssh ver 4.3p2
i have read all posts about it here... and then i tried to ch root my openssh but it wasn't work...

im wondering if there are any other ssh implementation which will satisfy my needs?
or what do i have to do with openssh?

thx

Couple of things I found in my bookmarks:
scponly
Chroot patch for ssh

You could also try running ssh in a virtual machine such as User-Mode Linux, Xen, or Linux-VServer.

Vsftpd has chroot facilities builtin so you could try that if you just want a chroot ftpd.

Out of curiousity, what errors were you getting with using the chroot command?

As said, openssh and vsftp would do the job.

Have a look here:

http://mail.incredimail.com/howto/openssh/

http://www.linuxquestions.org/questi...d.php?t=415231

+
The link above concerning scponly.



What are your problems?

Regards

I've had good experience with rssh. http://www.pizzashack.org/rssh/

ok... i have downloaded openssh 4.3p1 and chroot patch for it...
i have followed the instructions and my first output was (sorry for my stupidity but i'm new in linux)...
i have patched openssh like this...
# patch -p0 < osshChroot-4.3p1.diff
output was this...
patching file openssh-4.3p1/session.c

then i run configure like this
./configure --prefix=/usr --libexecdir=/usr/libexec/openssh --sysconfdir=/etc/ssh --mandir=/usr/share/man
and then make and make install
everything ok...
then i have created startup rutine like this
# cp -a opensshd.init /etc/rc.d/rc.sshd
then i run it...
# /etc/rc.d/rc.sshd start
starting /usr/sbin/sshd... \c
done.
everything looks fine here
then i have download script create_chroot_env from here http://mail.incredimail.com/howto/op...ate_chroot_env
i have create new user with command useradd new_user -d /var/ftp/./
then i try to run create_chroot_env new_user script and outputed this
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory

directories were done in /var/ftp and files were copied... (i'm not sure if all...)
i have tried
# ssh new_user@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 95:71:ea:03:cb:8a:d1:d3:56:6c:c0:f7:5a:4b:d8:70.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
new_user@localhost's password:
/bin/sh: No such file or directory
Connection to localhost closed.

then i have looked in /var/ftp/bin and there is no sh file...
ok i have look in this script create_chroot_env and see that in $APP variable is no /bin/sh... then i have added it at the end of line and rerun this script... file sh was made in /var/ftp/bin and the try to reconnect to loaclhost and same sh**t

any ideas?

ok now i have jailed my ssh...
# ssh new_user@localhost
new_user@localhost's password:
Last login: Mon Jul 3 21:41:02 2006 from localhost
-bash-3.1$ pwd
/
-bash-3.1$
but now my sftp doesn't work...
# sftp new_user@localhost
Connecting to localhost...
new_user@localhost's password:
Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer

# ls -al /usr/libexec/openssh/sftp-server
-rwxr-xr-x 1 root root 35276 2006-07-03 20:00 /usr/libexec/openssh/sftp-server*

# grep sftp-server /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server

i have restarted sshd by /etc/rc.d/rc.sshd restart

??

Use strace on the server with output redirected to a file and whatch when there are files that are impossible to open.
Then add them in the chroot..

strace?

sorry i'm noob but i don't have strace command...

actually i haven't understand your (nx5000) post here...

thx

ssh chrooting = world of pain

go for ftp(s) instead, vsftpd has an ssl patch now and its like a 5 minute job to set it up

ssh chrooting = world of pain
I find that hard to believe.
Maybe you should give more factual and detailed reasons.

I would definitely give rssh a try. It is a restricted shell for sftp users.

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.

http://pizzashack.org/rssh/

In my experience sftp using ssh is a lot easier for the end user to set up then the ssl flavors of ftp. I just send them to filezilla for a client give them their logins and away we go. None of the problems with the setting up the SSL FTP clients. It is more work on the front end, but saves me tons of support calls on the backend.

I'm sorry I don't have so so much time these days. I gave you a general idea.

Some background

http://www.die.net/doc/linux/man/man1/strace.1.html

With strace you can "monitor" what a process does: what functions it calls, what files it tries to read and what are the results of these commands (read the content of the file or FAIL if the file doesn't exist).

So if you want to do some hacking, you try to chroot things by yourself. You look at files that ftpserver tries and fails to open.
That's not an easy easy job.

If you need to be 100% sure that your ftp server is correctly chrooted and that your patch doesn't add vulnerabilites, then better try vsftpd for the ftp part.
But if you want to play a bit (still I bet my post on sshd chrooting doesn't lower security), either go on google, or use strace to do_it_yourself..

as root:
strace `which sshd` -o /tmp/sshd.strace [1]
as user, from localhost
sftp user@localhost
<here the error appears>
Stop as soon as possible the strace command (so you don't have gigaBytes to look at)

[1] you may need to do it like this, but it will add even more lines..
strace `which sshd` -f -o /tmp/sshd.strace

rssh can be interesting also, don't know it.

Have fun!

when i say its a world of pain, i mean there are far easier and more effecient ways of acheiveing the same level of security.

with ssh chrooting, you need to copy all of the required binaries and their dependancies into the jail, which is a pain in the ass.

There are many guide available detailing how to acheive this, i never go any of them to work.

Then i discoverd that vsftpd supports SSL/TLS and has a chroot jail built in, 5 minutes later and i had an FTP(s) server up and running.

http://vsftpd.beasts.org/

save yourself the hastle, use vsftpd. Unless there is somthing specific you want from ssh?