LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   How to enable 2 ssh server : one for /home and one for /home/theuser only? (https://www.linuxquestions.org/questions/linux-server-73/how-to-enable-2-ssh-server-one-for-home-and-one-for-home-theuser-only-639326/)

frenchn00b 05-02-2008 06:59 AM
How to enable 2 ssh server : one for /home and one for /home/theuser only?
 
Hello,
I would be interested to establish on a Debian stable box :
a ssh server : one for /home and one for /home/theuser only?

I would like that with the ssh process/daemon can detect the name of the login and say:

- login: user1 to userX you may get full /home/... access (with regular permissions)

- login theuser : this user can see nothing. Just his personal /home/theuser content and nothing else. So that he can even not see any /usr/bin ... /etc ... well just his own data in his /home/theuser.

Is that somehow possible with Linux Debian?

I did apt-get install ssh server stuffs
and I am awaiting your information to modify the ssh config in the /etc.. .

I am looking forward to hearing and information

With thanks and best regards

tidww01 05-02-2008 07:21 AM
chroot, not 2 ssh servers
 
What you want to do is called chroot on the second user and not use two ssh servers. Two ssh servers wouldn't work because of port conflicts, etc. The second user has to see /usr/bin at the very least, so to make chroot work you would have to copy select programs out of /usr/bin to a directory under their root directory /home/user. Commonly done with ftp but not so common with user logins. Why are you so concerned about limiting them to a single directory? Perhaps you should just review normal security procedures and see if it will work for you.

seraphim172 05-02-2008 07:36 AM
jailroot
 
Use a jailroot shell for that given user (a chroot solution as already mentioned).

http://nixbit.com/cat//utilities/jailkit/

Another tutorial is at http://www.cyberciti.biz/tips/howto-...oted-jail.html but it's related to web servers, though it might give a few ideas.

Linux Archive

frenchn00b 05-02-2008 10:05 AM
Quote:
Originally Posted by tidww01 (Post 3139777)
What you want to do is called chroot on the second user and not use two ssh servers. Two ssh servers wouldn't work because of port conflicts, etc. The second user has to see /usr/bin at the very least, so to make chroot work you would have to copy select programs out of /usr/bin to a directory under their root directory /home/user. Commonly done with ftp but not so common with user logins. Why are you so concerned about limiting them to a single directory? Perhaps you should just review normal security procedures and see if it will work for you.
What would you mean with "Perhaps you should just review normal security procedures and see if it will work for you."? like permissions ?
well I just have regular users that can do all mess they want with their user account since trusted and others nope or less. Then my idea was to block all and restrict just to /home/usersrestricted and nothing else.

I'll have look teh provided links above

T H A N K Y O U !!

frenchn00b 05-04-2008 12:42 PM
Quote:
Originally Posted by seraphim172 (Post 3139792)
Use a jailroot shell for that given user (a chroot solution as already mentioned).

http://nixbit.com/cat//utilities/jailkit/

Another tutorial is at http://www.cyberciti.biz/tips/howto-...oted-jail.html but it's related to web servers, though it might give a few ideas.
http://www.cyberciti.biz/tips/howto-...oted-jail.html
is more for apache


All those are bit complicated let's go step by step
Just installed jailkit after ./configure ; make ; make install

Code:
jailkit# cat /etc/shells
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/bash
/bin/rbash
/bin/zsh
/usr/bin/zsh
/usr/bin/screen
/usr/sbin/jk_chrootsh

So let's give it a try with chroot first

I found this :
http://www.fuschlberger.net/programs...p-chroot-jail/
I dont do when I dont understand ...
no bash of the sh file.

I follow this:
http://olivier.sessink.nl/jailkit/howtos_ssh_only.html

first error :

Code:
# jk_init -v  /home/chrootusers ssh
ERROR: /home/chrootusers is not owned by root:root!

ERROR: chrootdir /home/chrootusers is not safe

Usage: /usr/sbin/jk_init [OPTIONS] chrootdir sections...

-h --help              : this help screen
-c, --configfile=FILE  : specify configfile location
-l, --list            : list all available sections in the configfile
-v, --verbose          : show what is being done
-f, --force            : force overwriting of existing files

frenchn00b 05-04-2008 12:59 PM
Damn this:

How to break the jailkit :
http://www.bpfh.net/simes/computing/chroot-break.html

frenchn00b 05-04-2008 01:03 PM
My errors:

Code:
/etc/init.d/jailkit start
Starting jailkit: jk_socketdversion 2.1,no sockets specified in configfile or on commandline, nothing to do, exiting...
 done.

Tail error on the box:
Code:
by (uid=0)
May  4 19:57:12 localhost jk_chrootsh[17918]: abort, path /home/chrootusers is setgid
May  4 19:57:12 localhost jk_chrootsh[17918]: abort, path /home/chrootusers is not a safe jail, check ownership and permissions

fukawi2 05-05-2008 12:50 AM
Can you do it using Match rules in the sshd config file?

I use it to allow tcp-forwarding to certain users by adding them to a specific group:
Code:
Match Group tcp-forward
        AllowTcpForwarding yes
You could match the user, not 100% what parameter would jail them to their directory...

frenchn00b 05-05-2008 12:58 AM
Quote:
Originally Posted by fukawi2 (Post 3142955)
Can you do it using Match rules in the sshd config file?

I use it to allow tcp-forwarding to certain users by adding them to a specific group:
Code:
Match Group tcp-forward
        AllowTcpForwarding yes
You could match the user, not 100% what parameter would jail them to their directory...
are you sure that it is the issue of my prob, i wouldnt be unsecured.
concerning the test, it was done from being hte firewalling (inside the network internal) ... it didnt work
i'll try tonight

tidww01 05-06-2008 08:01 AM
The chroot or jailkit are really your only options. The tcp forwarding would only apply to X-Windows I believe, not sure what good that would do you. The error you saw with jailkit has to do with the permissions on the directory you were trying to use. For some reason it has the setgid bit turned on. Not sure what the purpose of that is but it's easy enough to turn off. I've never used jailkit, only the chroot option and the link previously given will work well. But if you've already installed jailkit, just fix your permissions and run it again.

frenchn00b 05-06-2008 12:48 PM
Quote:
Originally Posted by tidww01 (Post 3144477)
The chroot or jailkit are really your only options. The tcp forwarding would only apply to X-Windows I believe, not sure what good that would do you. The error you saw with jailkit has to do with the permissions on the directory you were trying to use. For some reason it has the setgid bit turned on. Not sure what the purpose of that is but it's easy enough to turn off. I've never used jailkit, only the chroot option and the link previously given will work well. But if you've already installed jailkit, just fix your permissions and run it again.
I did :
Code:
chmod uog+rx -R /home/chrootusers/
do you think it is sufficient ?
the /home/chrootusers/home/users has right permissions

what can it be ?

frenchn00b 05-06-2008 01:13 PM
Code:
/* test procmail in the jail, it is not allowed to be setuid() or setgid()
  236        it is common to have procmail setuid() root and setgid() mail in the regular
  237        system, but it is for most situations not required, and therefore very much
  238        not recommended inside a jail. So we will simply exit because it is a
  239        security risk */
  240        testsafepath(PROCMAILPATH,0,0);
  241
  242        /* prepare the new environment */
  243        setenv("HOME",newhome,1);
  244        setenv("USER",pw->pw_name,1);
  245        if (chdir(newhome) != 0) {
  246                syslog(LOG_ERR, "abort, failed to chdir() inside the jail to %s",newhome);
  247                exit(41);
  248        }
  249
  250        /* cleanup before execution */
  251        free(newhome);
  252        free(jaildir);
  253
  254        /* now execute the jailed shell */
  255        /*execl(pw->pw_shell, pw->pw_shell, NULL);*/
  256        {
  257                char **newargv;
  258                int i;
  259                newargv = malloc0((argc+1)*sizeof(char *));
  260                newargv[0] = PROCMAILPATH;
  261                for (i=1;i<argc;i++) {
  262                        newargv[i] = argv[i];
  263                }
  264                execv(PROCMAILPATH, newargv);
  265        }
  266        DEBUG_MSG(strerror(errno));
  267        syslog(LOG_ERR, "WARNING: could not execute %s for user %d:%d",PROCMAILPATH,getuid(),getgid());
  268
  269        exit(111);
  270 }

frenchn00b 05-06-2008 01:33 PM
Quote:
chroot Unsecured ???

Zenwalk Support • View topic - Does Zenwalk/Zenserver have a ...
- [ Vertaal deze pagina ]
It uses a tool jk_chroot which is based on the old, insecure chroot. I would like to see them take a different approach and not base the system on something ...
support.zenwalk.org/viewtopic.php?p=81299&sid=df1f932f61c225a66ba0fd4b50553113 - 27
http://support.zenwalk.org/viewtopic...a0fd4b50553113

Quote:
Thanks mate!

Jailkit looked nice, but I'm a bit skeptic. It uses a tool jk_chroot which is based on the old, insecure chroot. I would like to see them take a different approach and not base the system on something which is already insecure. They also make a big point of a wrong configured jail makes the system very insecure, which scares me a bit from using their system as well.

The blog about linux vserver wasn't complete, but it's a lot better then the linux vserver documentation only. Thanks!

After reading some of the posts in this forum, I'm afraid I'm just wasting my time securing a bastion host with Zenserver. A bastion host should be über secure, but if Zenwalk is only launching unofficial security advisories in the forum and not actually fixes, this might be a great problem. Maybe another distribution/OS would make a better choice for a bastion host?
------------------------------------

frenchn00b 05-06-2008 04:55 PM
waooow the ssh worked,

now I am trying now to get hte sftp server working with lke it says for debian :
syslog.conf step how to do ??
http://olivier.sessink.nl/jailkit/ho..._scp_only.html
I dont get what he means


I get this error message now ... )
Code:
tried to get an interactive shell session (/usr/sbin/jk_lsh), which is never allowed by jk_lsh
(if I manage, by luck, I will write my howto in this page)

frenchn00b 05-06-2008 05:37 PM
When I log to the ssh via gftp SSH2 (sftp) it says this erro r:

Code:
There was an error initializing a SSH connection with the remote server. The error message from the remote server follows:


All times are GMT -5. The time now is 10:26 PM.