Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
First, I'm using Slackware Linux (version current, kernel 2.6.16.20).
I want to chroot my sftp. I'm using OpenSSH version 4.3p2.
I have read all the posts about it here, and then I tried to chroot my OpenSSH, but it didn't work.
I'm wondering if there is any other SSH implementation that will satisfy my needs?
Or what do I have to do with OpenSSH?
OK, I have downloaded OpenSSH 4.3p1 and the chroot patch for it.
I have followed the instructions, and my first output was (sorry for my stupidity, but I'm new to Linux)...
I patched OpenSSH like this:
# patch -p0 < osshChroot-4.3p1.diff
The output was this:
patching file openssh-4.3p1/session.c
Then I ran configure like this:
./configure --prefix=/usr --libexecdir=/usr/libexec/openssh --sysconfdir=/etc/ssh --mandir=/usr/share/man
and then make and make install.
Everything OK.
Then I created a startup routine like this:
# cp -a opensshd.init /etc/rc.d/rc.sshd
Then I ran it:
# /etc/rc.d/rc.sshd start
starting /usr/sbin/sshd... \c
done.
Everything looks fine here.
Then I downloaded the create_chroot_env script from here: http://mail.incredimail.com/howto/op...ate_chroot_env
I created a new user with the command:
useradd new_user -d /var/ftp/./
Then I tried to run the create_chroot_env new_user script, and it output this:
cp: cannot stat `(0xffffe000)': No such file or directory
(the same line repeated ten times)
Directories were made in /var/ftp and files were copied (I'm not sure if all of them)...
I tried:
# ssh new_user@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 95:71:ea:03:cb:8a:d1:d3:56:6c:c0:f7:5a:4b:d8:70.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
new_user@localhost's password:
/bin/sh: No such file or directory
Connection to localhost closed.
Then I looked in /var/ftp/bin, and there is no sh file...
OK, I looked in the create_chroot_env script and saw that /bin/sh is not in the $APP variable, so I added it at the end of the line and reran the script. The sh file was made in /var/ftp/bin, and then I tried to reconnect to localhost: same sh**t.
OK, now I have jailed my ssh:
# ssh new_user@localhost
new_user@localhost's password:
Last login: Mon Jul 3 21:41:02 2006 from localhost
-bash-3.1$ pwd
/
-bash-3.1$
But now my sftp doesn't work:
# sftp new_user@localhost
Connecting to localhost...
new_user@localhost's password:
Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer
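The cp: cannot stat `(0xffffe000)' errors from the chroot script and the later "Request for subsystem 'sftp' failed" message both come down to what gets copied into the jail. The script below is an added example written for this thread, not the create_chroot_env script linked in the post. It parses ldd output while skipping the vDSO entry (linux-gate.so.1 => (0xffffe000) is a kernel-provided mapping with no file behind it, which is exactly what cp was being asked to copy), and it installs the sftp-server binary inside the jail next to /bin/sh. The jail directory /var/ftp and the sftp-server path under /usr/libexec/openssh (the --libexecdir from the configure line in the post) are assumptions taken from the thread; adjust them for your system.

```shell
#!/bin/sh
# Added example for this thread (not the create_chroot_env script the post
# links): populate a chroot with a binary and the libraries ldd reports for it.
# Assumed paths: jail at /var/ftp, sftp-server under /usr/libexec/openssh.

# Read ldd output on stdin and print one library path per line.
# ldd prints three shapes of line:
#   libc.so.6 => /lib/libc.so.6 (0xb7e1a000)   -> take the field after "=>"
#   /lib/ld-linux.so.2 (0xb7f5b000)            -> take the first field
#   linux-gate.so.1 =>  (0xffffe000)           -> vDSO, no file: skip it
# (newer glibc prints the vDSO as "linux-vdso.so.1 (0x...)", also skipped)
lib_paths_from_ldd() {
    awk '$2 == "=>" { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\//  { print $1 }'
}

# Copy one host file into the jail at the same relative path.
copy_into_jail() {
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# Install a binary plus every library ldd lists for it; return 1 if the
# binary is missing instead of producing a half-built jail.
install_into_jail() {
    jail_dir=$1; binary=$2
    if [ ! -x "$binary" ]; then
        echo "install_into_jail: $binary not found or not executable" >&2
        return 1
    fi
    copy_into_jail "$jail_dir" "$binary"
    for lib in $(ldd "$binary" 2>/dev/null | lib_paths_from_ldd); do
        [ -e "$jail_dir$lib" ] || copy_into_jail "$jail_dir" "$lib"
    done
}

# Run as root with the jail directory as the only argument:
#   sh build_jail.sh /var/ftp
if [ -n "${1:-}" ]; then
    JAIL=$1
    install_into_jail "$JAIL" /bin/sh
    install_into_jail "$JAIL" /usr/libexec/openssh/sftp-server
    mkdir -p "$JAIL/dev" "$JAIL/etc" "$JAIL/tmp"
    [ -e "$JAIL/dev/null" ] || mknod -m 666 "$JAIL/dev/null" c 1 3
fi
```

The Subsystem line in sshd_config (with the post's configure flags, Subsystem sftp /usr/libexec/openssh/sftp-server) is resolved after the chroot, so that binary and its libraries must exist at the same path relative to the jail. ldd only lists libraries linked at build time; anything loaded at run time with dlopen, such as the glibc NSS modules (libnss_files.so.*) used for user and group lookups, does not appear and has to be found by watching the process, which is what the strace reply further down describes.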
I would definitely give rssh a try. It is a restricted shell for sftp users.
rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.
In my experience, sftp using ssh is a lot easier for the end user to set up than the SSL flavors of FTP. I just send them to FileZilla for a client, give them their logins, and away we go. None of the problems with setting up the SSL FTP clients. It is more work on the front end, but it saves me tons of support calls on the back end.
With strace you can "monitor" what a process does: what functions it calls, what files it tries to read, and what the results of these calls are (read the content of the file, or FAIL if the file doesn't exist).
So if you want to do some hacking, you try to chroot things by yourself. You look at the files that the ftp server tries and fails to open.
That's not an easy job.
If you need to be 100% sure that your ftp server is correctly chrooted and that your patch doesn't add vulnerabilities, then better try vsftpd for the ftp part.
But if you want to play a bit (still, I bet my post on sshd chrooting doesn't lower security), either go on Google, or use strace to do it yourself.
As root:
strace -o /tmp/sshd.strace `which sshd` [1]
As user, from localhost:
sftp user@localhost
<here the error appears>
Stop the strace command as soon as possible (so you don't have gigabytes to look at).
[1] You may need to do it like this, but it will add even more lines:
strace -f -o /tmp/sshd.strace `which sshd`
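The trace the post above asks for grows quickly, and with -f it interleaves several pids. The filter below is an added example, not part of that post: it reads an strace log and prints every path a traced process failed to find (ENOENT), and once a pid has called chroot() it prefixes that pid's paths with the jail directory, so the output is the host path that has to be created. The sample log is constructed for illustration and is not a real capture; the /var/ftp jail and the sftp-server path are taken from the thread.

```shell
#!/bin/sh
# Added example for this thread: list the files a traced sshd failed to find.
# Not part of the original post.  Once a pid has called chroot(), the paths
# it asks for are relative to the jail, so they are prefixed with the jail
# directory to give the host path that has to be created.

# Read strace output on stdin (plain or -f style), print missing paths once each.
missing_paths() {
    awk '
        {
            # "[pid  NNNN] " prefix appears with -f; strip it and remember the pid.
            if ($1 == "[pid") { pid = substr($2, 1, length($2) - 1) } else { pid = "main" }
            sub(/^\[pid +[0-9]+\] /, "")
        }
        # A successful chroot: every later path from this pid lives under the jail.
        /^chroot\("[^"]*"\) += 0/ {
            match($0, /"[^"]*"/)
            jail[pid] = substr($0, RSTART + 1, RLENGTH - 2)
            next
        }
        # File lookups that failed with ENOENT; the first quoted string is the path.
        /^(open|openat|stat|stat64|lstat|access|execve)\(/ && /= -1 ENOENT/ {
            match($0, /"[^"]*"/)
            p = substr($0, RSTART + 1, RLENGTH - 2)
            if (pid in jail) p = jail[pid] p
            if (!(p in seen)) { seen[p] = 1; print p }
        }
    '
}

# Constructed sample of what "strace -f" prints for a chrooted sftp login
# (not a real capture): the session child chroots, then cannot find the NSS
# library or the sftp-server binary inside the jail.
sample_trace() {
    cat <<'EOF'
[pid  1999] stat64("/etc/nologin", 0xbfa1c0e0) = -1 ENOENT (No such file or directory)
[pid  2001] chroot("/var/ftp")          = 0
[pid  2001] open("/etc/ld.so.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  2001] open("/lib/libc.so.6", O_RDONLY) = 3
[pid  2001] open("/lib/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  2001] execve("/usr/libexec/openssh/sftp-server", ["sftp-server"], [/* 4 vars */]) = -1 ENOENT (No such file or directory)
[pid  2001] open("/lib/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  1999] open("/etc/ssh/sshd_config", O_RDONLY) = 4
EOF
}

# With a file argument, filter that trace; without one, show the sample.
if [ -n "${1:-}" ]; then
    missing_paths < "$1"
else
    sample_trace | missing_paths
fi
```

On the sample this prints /etc/nologin (probed before the chroot, and harmless), then /var/ftp/etc/ld.so.cache, /var/ftp/lib/libnss_files.so.2 and /var/ftp/usr/libexec/openssh/sftp-server, which are the files to create under the jail. On a real system run it as missing_paths < /tmp/sshd.strace. To keep the daemon under the tracer for the whole login, start it in the foreground so the per-connection child is followed: strace -f -o /tmp/sshd.strace /usr/sbin/sshd -D (the -D flag keeps sshd from detaching; the -f is the footnote's suggestion). Not every ENOENT is a fault, since sshd probes optional files before it chroots; the entries after the chroot that name a library or the subsystem binary are the ones to act on.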