LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-02-2006, 01:24 PM   #1
zmeda
LQ Newbie
 
Registered: Jun 2006
Posts: 25

Rep: Reputation: 15
SSH chrooting ?


hi

first... im using slackware linux (ver. current (kernel 2.6.16.20))

i want to chroot my sftp. im using openssh ver 4.3p2
i have read all posts about it here... and then i tried to ch root my openssh but it wasn't work...

im wondering if there are any other ssh implementation which will satisfy my needs?
or what do i have to do with openssh?

thx
 
Old 07-03-2006, 12:18 AM   #2
OmegaBlac
Member
 
Registered: Aug 2003
Location: California
Distribution: Ubuntu
Posts: 172

Rep: Reputation: 31
Couple of things I found in my bookmarks:
scponly
Chroot patch for ssh

You could also try running ssh in a virtual machine such as User-Mode Linux, Xen, or Linux-VServer.

Vsftpd has chroot facilities builtin so you could try that if you just want a chroot ftpd.

Out of curiousity, what errors were you getting with using the chroot command?
 
Old 07-03-2006, 10:11 AM   #3
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
Originally Posted by zmeda
hi

then i tried to ch root my openssh but it wasn't work...

im wondering if there are any other ssh implementation which will satisfy my needs?
or what do i have to do with openssh?

thx
As said, openssh and vsftp would do the job.

Have a look here:

http://mail.incredimail.com/howto/openssh/

http://www.linuxquestions.org/questi...d.php?t=415231

+
The link above concerning scponly.



What are your problems?

Regards
 
Old 07-03-2006, 01:01 PM   #4
javaroast
Member
 
Registered: Apr 2005
Posts: 131

Rep: Reputation: 19
I've had good experience with rssh. http://www.pizzashack.org/rssh/
 
Old 07-03-2006, 02:37 PM   #5
zmeda
LQ Newbie
 
Registered: Jun 2006
Posts: 25

Original Poster
Rep: Reputation: 15
ok... i have downloaded openssh 4.3p1 and chroot patch for it...
i have followed the instructions and my first output was (sorry for my stupidity but i'm new in linux)...
i have patched openssh like this...
# patch -p0 < osshChroot-4.3p1.diff
output was this...
patching file openssh-4.3p1/session.c

then i run configure like this
./configure --prefix=/usr --libexecdir=/usr/libexec/openssh --sysconfdir=/etc/ssh --mandir=/usr/share/man
and then make and make install
everything ok...
then i have created startup rutine like this
# cp -a opensshd.init /etc/rc.d/rc.sshd
then i run it...
# /etc/rc.d/rc.sshd start
starting /usr/sbin/sshd... \c
done.

everything looks fine here
then i have download script create_chroot_env from here http://mail.incredimail.com/howto/op...ate_chroot_env
i have create new user with command useradd new_user -d /var/ftp/./
then i try to run create_chroot_env new_user script and outputed this
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory
cp: cannot stat `(0xffffe000)': No such file or directory

directories were done in /var/ftp and files were copied... (i'm not sure if all...)
i have tried
# ssh new_user@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 95:71:ea:03:cb:8a:d1:d3:56:6c:c0:f7:5a:4b:d8:70.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
new_user@localhost's password:
/bin/sh: No such file or directory
Connection to localhost closed.


then i have looked in /var/ftp/bin and there is no sh file...
ok i have look in this script create_chroot_env and see that in $APP variable is no /bin/sh... then i have added it at the end of line and rerun this script... file sh was made in /var/ftp/bin and the try to reconnect to loaclhost and same sh**t

any ideas?
 
Old 07-03-2006, 03:48 PM   #6
zmeda
LQ Newbie
 
Registered: Jun 2006
Posts: 25

Original Poster
Rep: Reputation: 15
ok now i have jailed my ssh...
# ssh new_user@localhost
new_user@localhost's password:
Last login: Mon Jul 3 21:41:02 2006 from localhost
-bash-3.1$ pwd
/
-bash-3.1$

but now my sftp doesn't work...
# sftp new_user@localhost
Connecting to localhost...
new_user@localhost's password:
Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer


# ls -al /usr/libexec/openssh/sftp-server
-rwxr-xr-x 1 root root 35276 2006-07-03 20:00 /usr/libexec/openssh/sftp-server*


# grep sftp-server /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server


i have restarted sshd by /etc/rc.d/rc.sshd restart

??
 
Old 07-03-2006, 05:16 PM   #7
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Use strace on the server with output redirected to a file and whatch when there are files that are impossible to open.
Then add them in the chroot..
 
Old 07-04-2006, 12:53 AM   #8
zmeda
LQ Newbie
 
Registered: Jun 2006
Posts: 25

Original Poster
Rep: Reputation: 15
strace?

sorry i'm noob but i don't have strace command...

actually i haven't understand your (nx5000) post here...

thx
 
Old 07-04-2006, 10:23 AM   #9
confused_user
LQ Newbie
 
Registered: Feb 2006
Distribution: mostly debian for fun but SUSE / SLES for work
Posts: 10

Rep: Reputation: 0
ssh chrooting = world of pain

go for ftp(s) instead, vsftpd has an ssl patch now and its like a 5 minute job to set it up
 
Old 07-04-2006, 10:58 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
ssh chrooting = world of pain
I find that hard to believe.
Maybe you should give more factual and detailed reasons.
 
Old 07-04-2006, 02:23 PM   #11
javaroast
Member
 
Registered: Apr 2005
Posts: 131

Rep: Reputation: 19
I would definitely give rssh a try. It is a restricted shell for sftp users.

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.

http://pizzashack.org/rssh/

In my experience sftp using ssh is a lot easier for the end user to set up then the ssl flavors of ftp. I just send them to filezilla for a client give them their logins and away we go. None of the problems with the setting up the SSL FTP clients. It is more work on the front end, but saves me tons of support calls on the backend.
 
Old 07-04-2006, 04:28 PM   #12
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
Originally Posted by zmeda
strace?

sorry i'm noob but i don't have strace command...

actually i haven't understand your (nx5000) post here...

thx
I'm sorry I don't have so so much time these days. I gave you a general idea.

Some background

http://www.die.net/doc/linux/man/man1/strace.1.html

With strace you can "monitor" what a process does: what functions it calls, what files it tries to read and what are the results of these commands (read the content of the file or FAIL if the file doesn't exist).

So if you want to do some hacking, you try to chroot things by yourself. You look at files that ftpserver tries and fails to open.
That's not an easy easy job.

If you need to be 100% sure that your ftp server is correctly chrooted and that your patch doesn't add vulnerabilites, then better try vsftpd for the ftp part.
But if you want to play a bit (still I bet my post on sshd chrooting doesn't lower security), either go on google, or use strace to do_it_yourself..

as root:
strace `which sshd` -o /tmp/sshd.strace [1]
as user, from localhost
sftp user@localhost
<here the error appears>
Stop as soon as possible the strace command (so you don't have gigaBytes to look at)

[1] you may need to do it like this, but it will add even more lines..
strace `which sshd` -f -o /tmp/sshd.strace

rssh can be interesting also, don't know it.

Have fun!

Last edited by nx5000; 07-04-2006 at 04:29 PM.
 
Old 07-05-2006, 12:15 PM   #13
confused_user
LQ Newbie
 
Registered: Feb 2006
Distribution: mostly debian for fun but SUSE / SLES for work
Posts: 10

Rep: Reputation: 0
when i say its a world of pain, i mean there are far easier and more effecient ways of acheiveing the same level of security.

with ssh chrooting, you need to copy all of the required binaries and their dependancies into the jail, which is a pain in the ass.

There are many guide available detailing how to acheive this, i never go any of them to work.

Then i discoverd that vsftpd supports SSL/TLS and has a chroot jail built in, 5 minutes later and i had an FTP(s) server up and running.

http://vsftpd.beasts.org/

save yourself the hastle, use vsftpd. Unless there is somthing specific you want from ssh?

Last edited by confused_user; 07-05-2006 at 12:16 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Chrooting ssh/sftp users. OneEye Linux - General 1 03-22-2006 08:09 PM
chrooting nucleocide Linux - Software 2 08-08-2005 05:30 PM
Quick Q on 'chrooting'... tarballed Linux - Security 2 07-17-2003 12:15 PM
Chrooting somebody logging into SSH... Grim Reaper Linux - Security 23 12-15-2002 12:24 PM
Problems chrooting :( rverlander Linux From Scratch 1 07-21-2002 07:44 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:40 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration