How to enable 2 ssh server : one for /home and one for /home/theuser only?
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How to enable 2 ssh server : one for /home and one for /home/theuser only?
Hello,
I would be interested to establish on a Debian stable box :
a ssh server : one for /home and one for /home/theuser only?
I would like that with the ssh process/daemon can detect the name of the login and say:
- login: user1 to userX you may get full /home/... access (with regular permissions)
- login theuser : this user can see nothing. Just his personal /home/theuser content and nothing else. So that he can even not see any /usr/bin ... /etc ... well just his own data in his /home/theuser.
Is that somehow possible with Linux Debian?
I did apt-get install ssh server stuffs
and I am awaiting your information to modify the ssh config in the /etc.. .
What you want to do is called chroot on the second user and not use two ssh servers. Two ssh servers wouldn't work because of port conflicts, etc. The second user has to see /usr/bin at the very least, so to make chroot work you would have to copy select programs out of /usr/bin to a directory under their root directory /home/user. Commonly done with ftp but not so common with user logins. Why are you so concerned about limiting them to a single directory? Perhaps you should just review normal security procedures and see if it will work for you.
What you want to do is called chroot on the second user and not use two ssh servers. Two ssh servers wouldn't work because of port conflicts, etc. The second user has to see /usr/bin at the very least, so to make chroot work you would have to copy select programs out of /usr/bin to a directory under their root directory /home/user. Commonly done with ftp but not so common with user logins. Why are you so concerned about limiting them to a single directory? Perhaps you should just review normal security procedures and see if it will work for you.
What would you mean with "Perhaps you should just review normal security procedures and see if it will work for you."? like permissions ?
well I just have regular users that can do all mess they want with their user account since trusted and others nope or less. Then my idea was to block all and restrict just to /home/usersrestricted and nothing else.
# jk_init -v /home/chrootusers ssh
ERROR: /home/chrootusers is not owned by root:root!
ERROR: chrootdir /home/chrootusers is not safe
Usage: /usr/sbin/jk_init [OPTIONS] chrootdir sections...
-h --help : this help screen
-c, --configfile=FILE : specify configfile location
-l, --list : list all available sections in the configfile
-v, --verbose : show what is being done
-f, --force : force overwriting of existing files
/etc/init.d/jailkit start
Starting jailkit: jk_socketdversion 2.1,no sockets specified in configfile or on commandline, nothing to do, exiting...
done.
Tail error on the box:
Code:
by (uid=0)
May 4 19:57:12 localhost jk_chrootsh[17918]: abort, path /home/chrootusers is setgid
May 4 19:57:12 localhost jk_chrootsh[17918]: abort, path /home/chrootusers is not a safe jail, check ownership and permissions
Can you do it using Match rules in the sshd config file?
I use it to allow tcp-forwarding to certain users by adding them to a specific group:
Code:
Match Group tcp-forward
AllowTcpForwarding yes
You could match the user, not 100% what parameter would jail them to their directory...
are you sure that it is the issue of my prob, i wouldnt be unsecured.
concerning the test, it was done from being hte firewalling (inside the network internal) ... it didnt work
i'll try tonight
The chroot or jailkit are really your only options. The tcp forwarding would only apply to X-Windows I believe, not sure what good that would do you. The error you saw with jailkit has to do with the permissions on the directory you were trying to use. For some reason it has the setgid bit turned on. Not sure what the purpose of that is but it's easy enough to turn off. I've never used jailkit, only the chroot option and the link previously given will work well. But if you've already installed jailkit, just fix your permissions and run it again.
The chroot or jailkit are really your only options. The tcp forwarding would only apply to X-Windows I believe, not sure what good that would do you. The error you saw with jailkit has to do with the permissions on the directory you were trying to use. For some reason it has the setgid bit turned on. Not sure what the purpose of that is but it's easy enough to turn off. I've never used jailkit, only the chroot option and the link previously given will work well. But if you've already installed jailkit, just fix your permissions and run it again.
I did :
Code:
chmod uog+rx -R /home/chrootusers/
do you think it is sufficient ?
the /home/chrootusers/home/users has right permissions
/* test procmail in the jail, it is not allowed to be setuid() or setgid()
236 it is common to have procmail setuid() root and setgid() mail in the regular
237 system, but it is for most situations not required, and therefore very much
238 not recommended inside a jail. So we will simply exit because it is a
239 security risk */
240 testsafepath(PROCMAILPATH,0,0);
241
242 /* prepare the new environment */
243 setenv("HOME",newhome,1);
244 setenv("USER",pw->pw_name,1);
245 if (chdir(newhome) != 0) {
246 syslog(LOG_ERR, "abort, failed to chdir() inside the jail to %s",newhome);
247 exit(41);
248 }
249
250 /* cleanup before execution */
251 free(newhome);
252 free(jaildir);
253
254 /* now execute the jailed shell */
255 /*execl(pw->pw_shell, pw->pw_shell, NULL);*/
256 {
257 char **newargv;
258 int i;
259 newargv = malloc0((argc+1)*sizeof(char *));
260 newargv[0] = PROCMAILPATH;
261 for (i=1;i<argc;i++) {
262 newargv[i] = argv[i];
263 }
264 execv(PROCMAILPATH, newargv);
265 }
266 DEBUG_MSG(strerror(errno));
267 syslog(LOG_ERR, "WARNING: could not execute %s for user %d:%d",PROCMAILPATH,getuid(),getgid());
268
269 exit(111);
270 }
Zenwalk Support • View topic - Does Zenwalk/Zenserver have a ...
- [ Vertaal deze pagina ]
It uses a tool jk_chroot which is based on the old, insecure chroot. I would like to see them take a different approach and not base the system on something ...
support.zenwalk.org/viewtopic.php?p=81299&sid=df1f932f61c225a66ba0fd4b50553113 - 27 http://support.zenwalk.org/viewtopic...a0fd4b50553113
Quote:
Thanks mate!
Jailkit looked nice, but I'm a bit skeptic. It uses a tool jk_chroot which is based on the old, insecure chroot. I would like to see them take a different approach and not base the system on something which is already insecure. They also make a big point of a wrong configured jail makes the system very insecure, which scares me a bit from using their system as well.
The blog about linux vserver wasn't complete, but it's a lot better then the linux vserver documentation only. Thanks!
After reading some of the posts in this forum, I'm afraid I'm just wasting my time securing a bastion host with Zenserver. A bastion host should be über secure, but if Zenwalk is only launching unofficial security advisories in the forum and not actually fixes, this might be a great problem. Maybe another distribution/OS would make a better choice for a bastion host?
------------------------------------
Last edited by frenchn00b; 05-06-2008 at 01:38 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
