Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
07-02-2006, 01:24 PM | #1 | zmeda | LQ Newbie | Registered: Jun 2006 | Posts: 25
SSH chrooting?
Hi,
First... I'm using Slackware Linux (ver. current (kernel 2.6.16.20)).
I want to chroot my sftp. I'm using OpenSSH ver 4.3p2.
I have read all posts about it here... and then I tried to chroot my OpenSSH but it didn't work...
I'm wondering if there is any other ssh implementation which will satisfy my needs?
Or what do I have to do with OpenSSH?
Thanks
07-03-2006, 12:18 AM | #2 | Member | Registered: Aug 2003 | Location: California | Distribution: Ubuntu | Posts: 172
Couple of things I found in my bookmarks:
scponly
Chroot patch for ssh
You could also try running ssh in a virtual machine such as User-Mode Linux, Xen, or Linux-VServer.
Vsftpd has chroot facilities built in, so you could try that if you just want a chroot ftpd.
Out of curiosity, what errors were you getting with using the chroot command?
07-03-2006, 10:11 AM | #3 | nx5000 | Senior Member | Registered: Sep 2005 | Location: Out | Posts: 3,307
Quote: Originally Posted by zmeda
> Hi
> then I tried to chroot my OpenSSH but it didn't work...
> I'm wondering if there is any other ssh implementation which will satisfy my needs?
> Or what do I have to do with OpenSSH?
> Thanks

As said, OpenSSH and vsftpd would do the job.
Have a look here:
http://mail.incredimail.com/howto/openssh/
http://www.linuxquestions.org/questi...d.php?t=415231
plus the link above concerning scponly.
What are your problems?
Regards
07-03-2006, 02:37 PM | #5 | zmeda (Original Poster) | LQ Newbie | Registered: Jun 2006 | Posts: 25
OK... I have downloaded OpenSSH 4.3p1 and the chroot patch for it...
I have followed the instructions and my first output was (sorry for my stupidity but I'm new to Linux)...
I have patched OpenSSH like this...
    # patch -p0 < osshChroot-4.3p1.diff
Output was this...
    patching file openssh-4.3p1/session.c
Then I ran configure like this
    ./configure --prefix=/usr --libexecdir=/usr/libexec/openssh --sysconfdir=/etc/ssh --mandir=/usr/share/man
and then make and make install.
Everything OK...
Then I created a startup routine like this
    # cp -a opensshd.init /etc/rc.d/rc.sshd
Then I ran it...
    # /etc/rc.d/rc.sshd start
    starting /usr/sbin/sshd... \c
    done.
Everything looks fine here.
Then I downloaded the script create_chroot_env from here http://mail.incredimail.com/howto/op...ate_chroot_env
I created a new user with the command useradd new_user -d /var/ftp/./
Then I tried to run the create_chroot_env new_user script and it output this
    cp: cannot stat `(0xffffe000)': No such file or directory
    cp: cannot stat `(0xffffe000)': No such file or directory
    cp: cannot stat `(0xffffe000)': No such file or directory
    cp: cannot stat `(0xffffe000)': No such file or directory
    cp: cannot stat `(0xffffe000)': No such file or directory
    cp: cannot stat `(0xffffe000)': No such file or directory
    cp: cannot stat `(0xffffe000)': No such file or directory
    cp: cannot stat `(0xffffe000)': No such file or directory
    cp: cannot stat `(0xffffe000)': No such file or directory
    cp: cannot stat `(0xffffe000)': No such file or directory
Directories were made in /var/ftp and files were copied... (I'm not sure if all...)
I have tried
    # ssh new_user@localhost
    The authenticity of host 'localhost (127.0.0.1)' can't be established.
    RSA key fingerprint is 95:71:ea:03:cb:8a:d1:d3:56:6c:c0:f7:5a:4b:d8:70.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
    new_user@localhost's password:
    /bin/sh: No such file or directory
    Connection to localhost closed.
Then I looked in /var/ftp/bin and there is no sh file...
OK, I looked in this script create_chroot_env and saw that in the $APP variable there is no /bin/sh... then I added it at the end of the line and reran the script... the file sh was made in /var/ftp/bin, then I tried to reconnect to localhost and same sh**t.
Any ideas?
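The repeated cp: cannot stat `(0xffffe000)' lines are what happens when a dependency-copying loop hands every "=>" target from ldd to cp: linux-gate.so.1 is the kernel's vDSO, which ldd lists with a load address but no file, so there is nothing on disk to copy. The shell example below is added here and is not from the thread or from the create_chroot_env script; it filters ldd output down to real library paths, skipping such entries, and copies a binary plus those libraries into a jail root chosen by the caller.

```shell
#!/bin/sh
# Added example (not the create_chroot_env script): copy a binary and its
# shared libraries into a chroot, ignoring ldd lines that carry no path.

# Constructed sample of ldd output on an i386 2.6 kernel; the first line is
# the vDSO entry that produced the "cannot stat `(0xffffe000)'" errors.
SAMPLE_LDD='    linux-gate.so.1 =>  (0xffffe000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7fd3000)
    libc.so.6 => /lib/libc.so.6 (0xb7ea9000)
    /lib/ld-linux.so.2 (0xb7fe9000)'

# lib_paths TEXT: print one absolute library path per ldd line, skipping
# "not found" lines and lines (vDSO) whose only "target" is an address.
lib_paths() {
    printf '%s\n' "$1" | awk '
        /not found/ { next }
        { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# install_into_jail JAIL BIN: copy BIN and each library it links against
# into JAIL, keeping the same directory layout (/bin/sh -> JAIL/bin/sh).
install_into_jail() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    lib_paths "$(ldd "$bin")" | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Show the filtered list for the sample; only the three real files remain.
lib_paths "$SAMPLE_LDD"
```

Usage on a real box would be, as root, install_into_jail /var/ftp /bin/sh (and likewise for the sftp-server path shown later in the thread); the binary's own libraries must be present in the jail or the shell fails with the same "No such file or directory" as above.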
07-03-2006, 03:48 PM | #6 | zmeda (Original Poster) | LQ Newbie | Registered: Jun 2006 | Posts: 25
OK, now I have jailed my ssh...
    # ssh new_user@localhost
    new_user@localhost's password:
    Last login: Mon Jul 3 21:41:02 2006 from localhost
    -bash-3.1$ pwd
    /
    -bash-3.1$
but now my sftp doesn't work...
    # sftp new_user@localhost
    Connecting to localhost...
    new_user@localhost's password:
    Request for subsystem 'sftp' failed on channel 0
    Couldn't read packet: Connection reset by peer
    # ls -al /usr/libexec/openssh/sftp-server
    -rwxr-xr-x 1 root root 35276 2006-07-03 20:00 /usr/libexec/openssh/sftp-server*
    # grep sftp-server /etc/ssh/sshd_config
    Subsystem sftp /usr/libexec/openssh/sftp-server
I have restarted sshd with /etc/rc.d/rc.sshd restart
??
07-03-2006, 05:16 PM | #7 | nx5000 | Senior Member | Registered: Sep 2005 | Location: Out | Posts: 3,307
Use strace on the server with output redirected to a file and watch for files that are impossible to open.
Then add them to the chroot..
07-04-2006, 12:53 AM | #8 | zmeda (Original Poster) | LQ Newbie | Registered: Jun 2006 | Posts: 25
strace?
Sorry, I'm a noob but I don't have the strace command...
Actually I haven't understood your (nx5000) post here...
Thanks
07-04-2006, 10:23 AM | #9 | confused_user | LQ Newbie | Registered: Feb 2006 | Distribution: mostly debian for fun but SUSE / SLES for work | Posts: 10
ssh chrooting = world of pain
Go for ftp(s) instead; vsftpd has an SSL patch now and it's like a 5 minute job to set it up.
07-04-2006, 10:58 AM | #10 | Moderator | Registered: May 2001 | Posts: 29,415
Quote:
> ssh chrooting = world of pain

I find that hard to believe.
Maybe you should give more factual and detailed reasons.
07-04-2006, 02:23 PM | #11 | Member | Registered: Apr 2005 | Posts: 131
I would definitely give rssh a try. It is a restricted shell for sftp users.
rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.
http://pizzashack.org/rssh/
In my experience sftp using ssh is a lot easier for the end user to set up than the SSL flavors of ftp. I just send them to FileZilla for a client, give them their logins and away we go. None of the problems with setting up the SSL FTP clients. It is more work on the front end, but saves me tons of support calls on the back end.
07-04-2006, 04:28 PM | #12 | nx5000 | Senior Member | Registered: Sep 2005 | Location: Out | Posts: 3,307
Quote: Originally Posted by zmeda
> strace?
> Sorry, I'm a noob but I don't have the strace command...
> Actually I haven't understood your (nx5000) post here...
> Thanks

I'm sorry, I don't have so much time these days. I gave you a general idea.
Some background:
http://www.die.net/doc/linux/man/man1/strace.1.html
With strace you can "monitor" what a process does: what functions it calls, what files it tries to read and what the results of these calls are (reading the content of the file, or FAIL if the file doesn't exist).
So if you want to do some hacking, you try to chroot things by yourself. You look at the files that the ftp server tries and fails to open.
That's not an easy job.
If you need to be 100% sure that your ftp server is correctly chrooted and that your patch doesn't add vulnerabilities, then better try vsftpd for the ftp part.
But if you want to play a bit (still, I bet my post on sshd chrooting doesn't lower security), either go on Google, or use strace to do_it_yourself..
As root:
    strace -o /tmp/sshd.strace `which sshd` [1]
As user, from localhost:
    sftp user@localhost
    <here the error appears>
Stop the strace command as soon as possible (so you don't have gigabytes to look at).
[1] You may need to do it like this, but it will add even more lines..
    strace -f -o /tmp/sshd.strace `which sshd`
rssh can be interesting also, I don't know it.
Have fun!
Last edited by nx5000; 07-04-2006 at 04:29 PM.
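The strace log from the procedure above is large even for one sftp attempt, and the useful part is just the set of paths the jailed sshd (and the sftp-server it tries to execute) could not find. The shell example below is added here and is not from the thread: it reduces such a log to that list, using a constructed sample of strace lines; the capture command in the comments uses standard strace and sshd options, and the sftp failure seen in post #6 is the kind of thing such a list explains (sftp-server or one of its libraries missing from the jail).

```shell
#!/bin/sh
# Added example, not from the thread: list the files a traced sshd failed to
# find, i.e. the "files that the ftp server tries and fails to open" step.
#
# Capture, as root (-f follows the forked per-connection child, -e trace=file
# keeps only file-related syscalls, and sshd -D keeps sshd in the foreground):
#   strace -f -e trace=file -o /tmp/sshd.strace "$(command -v sshd)" -D
# then reproduce the failure from another terminal: sftp new_user@localhost

# Constructed sample of such a log after one sftp attempt into the jail.
SAMPLE_STRACE='12345 open("/etc/ld.so.cache", O_RDONLY) = 3
12345 execve("/usr/libexec/openssh/sftp-server", ["/usr/libexec/openssh/sftp-server"], [/* 6 vars */]) = -1 ENOENT (No such file or directory)
12345 open("/lib/libc.so.6", O_RDONLY) = 4
12346 stat64("/dev/null", 0xbfffd4a0) = -1 ENOENT (No such file or directory)
12346 open("/lib/libz.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
12346 open("/lib/libz.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)'

# missing_files TEXT: print each path whose syscall returned ENOENT, once,
# sorted. The path is the first double-quoted string on the line, which is
# field 2 when awk splits on the quote character.
missing_files() {
    printf '%s\n' "$1" | awk -F'"' '/= -1 ENOENT/ { print $2 }' | sort -u
}

# missing_files_in_log FILE: the same report read from a saved strace log.
missing_files_in_log() {
    missing_files "$(cat "$1")"
}

# For the sample this prints /dev/null, /lib/libz.so.1 and the sftp-server
# path: the three things that would have to be added to the jail.
missing_files "$SAMPLE_STRACE"
```

Each path printed is a candidate to copy into the jail (libraries via ldd as before, device nodes via mknod); rerun the trace after adding them until the list is empty.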
07-05-2006, 12:15 PM | #13 | confused_user | LQ Newbie | Registered: Feb 2006 | Distribution: mostly debian for fun but SUSE / SLES for work | Posts: 10
When I say it's a world of pain, I mean there are far easier and more efficient ways of achieving the same level of security.
With ssh chrooting, you need to copy all of the required binaries and their dependencies into the jail, which is a pain in the ass.
There are many guides available detailing how to achieve this; I never got any of them to work.
Then I discovered that vsftpd supports SSL/TLS and has a chroot jail built in; 5 minutes later I had an FTP(s) server up and running.
http://vsftpd.beasts.org/
Save yourself the hassle, use vsftpd. Unless there is something specific you want from ssh?
Last edited by confused_user; 07-05-2006 at 12:16 PM.