LinuxQuestions.org
09-06-2008, 07:35 AM   #1
/dev/me
Member
 
Registered: May 2008
Distribution: Slackware 13
Posts: 116

Rep: Reputation: 20
chroot certain SSH users


Hi,

Just a quick question. Is it possible to chroot certain SSH-users but not others?


I have found that I can easily chroot /all/ ssh users. But I would lock myself out in that way O_o and I only want to lock out certain users from all except their ~/

Looking for this I found several howtos describing mainly Debian-based setups. They talked about patching ssh, using a different version of ssh (other than OpenSSH, that is) or adding another authentication layer. But I was thinking maybe someone here knows something more 'slacky'*) for this purpose?
These users I want to chroot in SSH are also FTP-users and in that protocol it was very easy to chroot a list of users. I was kind of searching for something similar in SSH, but alas. I may be looking in the wrong places though. Sometimes you just don't see something because you expected something else.


So I'm hoping for something like this:
sshd_config
Code:
enable_overlooked_options=YES
chroot_list_of_users=/path/to/list_of_users

*) Slacky meaning, it Just Works once you've found the proper config option.
 
09-06-2008, 08:00 AM   #2
santaslilslacker
Member
 
Registered: Nov 2007
Distribution: Slackware64_current
Posts: 45

Rep: Reputation: 27
Hi,
Try with this script. It requires some minimum tweaking but it's rather easy to use.
http://www.fuschlberger.net/programs...p-chroot-jail/
Regards,


S.
 
09-06-2008, 08:44 AM   #3
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,552

Rep: Reputation: 872
Or maybe run 2 sshd daemons, with one that uses another port than TCP/UDP 22 and another configuration file with the -f option, so you end up with 2 configs, one for your user and another one for all other users.
 
09-08-2008, 12:13 PM   #4
/dev/me
Member
 
Registered: May 2008
Distribution: Slackware 13
Posts: 116

Original Poster
Rep: Reputation: 20
Thanks for your input santaslilslacker and keefaz!

But I don't really like either option. So I've decided to let it be until I find something that does this a little cleaner. A chrooted user environment is a nasty business in any case, needing all sorts of extra steps. Rather than troubling myself with that, I reviewed my permission system and don't see how they can cause any trouble in a normal environment.

I don't really like the idea that other people can read my passwd file or init scripts, but so be it. It's a limited list of users whose names and addresses are known by yours truly.

I solved everything with this:

echo 'echo -e "I know where your house lives. I know where your bed sleeps.\nYou are being watched!"' >> /home/$user/.bashrc
 
09-08-2008, 12:33 PM   #5
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 2,559

Rep: Reputation: 1351
In newer (>=4.9 iirc) openssh, you can do this quite easily with the Match directive.
You will have to create a basic directory structure (most easily accomplished by installing all of the A package series into an alternate root).
Also, the chrooted user accounts must exist both on the real system and inside the chroot.
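
Added example, not part of rworkman's post: what the Match approach described above can look like in sshd_config on an OpenSSH version that supports ChrootDirectory. The group name sshjail, the user names alice and bob, and the path /srv/sshjail are assumptions.

```conf
# /etc/ssh/sshd_config (fragment)
# Assumed names: group "sshjail" holds the accounts to confine;
# /srv/sshjail is the alternate root they are confined to.

# Global section: no ChrootDirectory is set here, so accounts that do
# not match below (the administrator's, for instance) log in as usual.

# A Match block runs to the next Match line or the end of the file,
# so keep it below all global settings.
Match Group sshjail
    # sshd chroots here after authentication. The directory and every
    # parent up to / must be owned by root and not writable by group
    # or others, otherwise sshd refuses the login.
    ChrootDirectory /srv/sshjail
    # A chroot confines file access only; switch off forwarding
    # separately for the same accounts.
    AllowTcpForwarding no
    X11Forwarding no

# To name accounts directly instead of using a group:
#   Match User alice,bob
#       ChrootDirectory /srv/sshjail

# Inside /srv/sshjail an interactive login needs at least a shell with
# its libraries, basic /dev nodes (null, zero, tty, ...) and the user's
# home directory, since sshd changes into it after the chroot.
# Check the syntax with "sshd -t" before restarting the daemon.
```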
 
09-08-2008, 01:05 PM   #6
/dev/me
Member
 
Registered: May 2008
Distribution: Slackware 13
Posts: 116

Original Poster
Rep: Reputation: 20
Quote:
Originally Posted by rworkman
In newer (>=4.9 iirc) openssh, you can do this quite easily with the Match directive.
You will have to create a basic directory structure (most easily accomplished by installing all of the A package series into an alternate root).
Also, the chrooted user accounts must exist both on the real system and inside the chroot.

Ah yes, silly me. I am running Slackware 12.0 on the server with ssh v. 4.6(p1) and hadn't thought it would be a factor.

But *looks hopeful* I may be getting my new machine tomorrow and I intend to install Slack 12.1 on that. That *bling* new machine is going to be the definitive answer to computing, the future and everything...

I'll look into that once I have migrated.
 
  


All times are GMT -5.