
Thread: Howto create chrooted Openssh SFTP without shell access through rssh.

  1. #91
    Join Date
    Feb 2007
    Beans
    40
    Distro
    Ubuntu 7.10 Gutsy Gibbon

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Thanks for this guide. I just used it to get a chrooted rssh server up on Gutsy (that is, Ubuntu 7.10).

    I do have a couple questions, though.
    Quote Originally Posted by mtegmont View Post
    UPDATE! UPDATE!

    DO NOT suid the chroot rssh_chroot_helper. This gives sftp users root privileges in the chroot environment!
    Looks to me like the guide says only to suid the non-chrooted rssh_chroot_helper, so that should alleviate this security concern, right? Is there any security concern regarding doing suid on the non-chrooted rssh_chroot_helper, as the guide states?

    For instance, what if I allow some chrooted and some non-chrooted users on my system, and maybe some of those non-chrooted users will have full ssh access. Will the non-chrooted users be able to exploit the suid'd rssh_chroot_helper to escalate privileges?

    Quote Originally Posted by mtegmont View Post
    I ended up not following this guide and found a way to patch openssh-server with the new sftp-chroot patch which makes all this a WHOLE LOT EASIER.

    Excellent guide on patching openssh-server here:

    http://zephid.dk/2007/11/20/getting-...oot-in-debian/

    Thanks
    I'm not real fond of going to source, b/c then I'll miss out on any updates that Ubuntu makes for me. So, if the above situation that I describe is not a security concern, I think the best solution (for me) is to follow this guide.

    ...Interestingly, when I followed the link that mtegmont provided above, I found the following:

    Quote Originally Posted by http://zephid.dk/2007/11/20/getting-the-power-of-sftp-chroot-in-debian/
    I finally found a good solution, there is a patched version of OpenSSH which gives a chroot feature of making sftp only connections, this however does not allow the user to use a shell also, it’s either sftp or ssh, not both, if you need this, you will have to create a chroot for every user.

    http://www.minstrel.org.uk/papers/sftp/
    So I followed that link, and found the following:

    Quote Originally Posted by http://www.minstrel.org.uk/papers/sftp/
    Note: OpenSSH 4.9 now incorporates a built-in ability to chroot users (ChrootDirectory) and restrict them to SFTP (ForceCommand). I have started using this in my environment (instructions on how to do so can be found here), and so will no longer be keeping this page updated. I will leave it here, however, for those that are unable to upgrade to OpenSSH 4.9.
    So, it looks to me like an even better solution than this howto is on the horizon, once we get OpenSSH 4.9 in Ubuntu. (Please someone correct me if I'm mistaken.)

    However, it appears to me that even Hardy (Ubuntu 8.04) is still using OpenSSH 4.7.

    I guess that's not surprising, though, since OpenSSH 4.9 was only released on March 30, 2008, which was not long before Hardy. I suppose we'll see OpenSSH 5.0 (or later) in Intrepid (Ubuntu 8.10).

  2. #92
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by flamacue View Post
    Thanks for this guide. I just used it to get a chrooted rssh server up on Gutsy (that is, Ubuntu 7.10).

    I do have a couple questions, though.

    Looks to me like the guide says only to suid the non-chrooted rssh_chroot_helper, so that should alleviate this security concern, right? Is there any security concern regarding doing suid on the non-chrooted rssh_chroot_helper, as the guide states?

    For instance, what if I allow some chrooted and some non-chrooted users on my system, and maybe some of those non-chrooted users will have full ssh access. Will the non-chrooted users be able to exploit the suid'd rssh_chroot_helper to escalate privileges?
    You're welcome.

    Only suid root on the real rssh_chroot_helper (not the one in the chroot directory). This is necessary because only the root user can chroot. However, if a vulnerability is ever found in rssh_chroot_helper, this may still weaken your security against users who can run the real rssh_chroot_helper. As an extra layer of security, you may want to ensure that only the users who are confined to the chroot jail have execute permission on rssh_chroot_helper.

    Quote Originally Posted by flamacue View Post
    So, it looks to me like an even better solution than this howto is on the horizon, once we get OpenSSH 4.9 in Ubuntu. (Please someone correct me if I'm mistaken.)

    However, it appears to me that even Hardy (Ubuntu 8.04) is still using OpenSSH 4.7.

    I guess that's not surprising, though, since OpenSSH 4.9 was only released on March 30, 2008, which was not long before Hardy. I suppose we'll see OpenSSH 5.0 (or later) in Intrepid (Ubuntu 8.10).
    That's great news. I eagerly await the better solution.
    -Jimmy
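
The permission layout recommended in the reply above, written as an audit script. This is an added example, not code from the thread or from rssh. The file paths you pass in, the group name `sftpjail` and the use of GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example: audit the two copies of rssh_chroot_helper.
# Assumes GNU stat (stat -c); every path and group name is supplied by the caller.

# mode_digits FILE: print the permission bits as four octal digits, e.g. 4750.
mode_digits() {
    printf '%04d\n' "$(stat -c '%a' "$1")"
}

# audit_real_helper FILE GROUP [OWNER]: the helper outside the jail must be
# setuid to OWNER (default root, since only root can chroot), must not be
# executable or writable by "other", and must belong to the jailed users' GROUP.
audit_real_helper() {
    [ -f "$1" ] || { echo "$1: missing"; return 2; }
    m=$(mode_digits "$1"); owner=${3:-root}
    [ $(( ${m%???} & 4 )) -ne 0 ] || { echo "$1: not setuid ($m)"; return 1; }
    [ $(( ${m#???} & 3 )) -eq 0 ] || { echo "$1: open to all users ($m)"; return 1; }
    [ "$(stat -c '%U' "$1")" = "$owner" ] || { echo "$1: owner is not $owner"; return 1; }
    [ "$(stat -c '%G' "$1")" = "$2" ] || { echo "$1: group is not $2"; return 1; }
}

# audit_jail_copy FILE: the copy inside the chroot directory must NOT be setuid.
audit_jail_copy() {
    [ -f "$1" ] || { echo "$1: missing"; return 2; }
    m=$(mode_digits "$1")
    [ $(( ${m%???} & 4 )) -eq 0 ] || { echo "$1: setuid inside the jail ($m)"; return 1; }
}

# Reaching the audited state as root (sftpjail is a made-up group name;
# chown comes first because it clears the setuid bit):
#   chown root:sftpjail REAL_HELPER && chmod 4750 REAL_HELPER
#   chmod u-s JAIL_COPY

# Demo on a constructed stand-in file, not a real helper binary.
demo=$(mktemp) && chmod 4755 "$demo"
audit_real_helper "$demo" "$(stat -c '%G' "$demo")" "$(stat -c '%U' "$demo")" || true
rm -f "$demo"
```
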

  3. #93
    Join Date
    Mar 2007
    Beans
    Hidden!

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Thanks for a great guide, jchau.

    I'm having an issue though when I use WinSCP to connect to the server, via SFTP. I get the message

    Cannot initialize SFTP protocol. Is the host running a SFTP server?
    I'm running it on 7.04 Server and I even followed the guide to the changing of the sftp-server into the openssh area. I restarted SSH and, at this point, I'm baffled as to what I may have missed? Any ideas?

  4. #94
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by tha_toadman View Post
    Thanks for a great guide, jchau.

    I'm having an issue though when I use WinSCP to connect to the server, via SFTP. I get the message



    I'm running it on 7.04 Server and I even followed the guide to the changing of the sftp-server into the openssh area. I restarted SSH and, at this point, I'm baffled as to what I may have missed? Any ideas?
    What happens when you try
    Code:
    sftp localhost
    on the computer running the server?

    (Note that I haven't done this in a while.)
    -Jimmy

  5. #95
    Join Date
    Mar 2007
    Beans
    Hidden!

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    That worked. Although I was on the server as 'root' and then I authenticated as 'root' and got a sftp> prompt.

    I'll try as my user now and see what happens...and what it did was prompt me for a password, I must have authenticated but then PuTTY immediately died.

  6. #96
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by tha_toadman View Post
    That worked. Although I was on the server as 'root' and then I authenticated as 'root' and got a sftp> prompt.

    I'll try as my user now and see what happens...and what it did was prompted me for a password, I must have authenticated but then PuTTY immediately died.
    PuTTY? Do you mean PSFTP? rssh should prevent the rssh user from gaining a command shell, so it would be appropriate if the server killed your PuTTY session.

    I would advise against using the root account for anything that doesn't absolutely require it. That said, I don't think you should configure your ssh server to allow root to log in. In the event that you do need to remotely access the root account, you should log into a normal account and use su or sudo to gain root instead. The extra layer would prevent intruders from directly gaining root access to your computer.

    Also, testing the rssh setup with the root user is not helpful since I doubt that you set the root user's shell to rssh (if you did, you'd probably have other problems). Try with an account configured to use rssh as the shell.
    -Jimmy

  7. #97
    Join Date
    Mar 2007
    Beans
    Hidden!

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Also, testing the rssh setup with the root user is not helpful since I doubt that you set the root user's shell to rssh (if you did, you'd probably have other problems). Try with an account configured to use rssh as the shell.
    Yes, and I agree. But that takes me back to the guide that I followed, and yet the user who was set with rssh is what's causing this issue.

    Is there a log that I should be looking at next?

  8. #98
    Join Date
    Oct 2008
    Location
    Oslo
    Beans
    2
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    I had problems with sftp-server exiting due to missing libraries. I'm using the 64 bit 8.04 server version. My solution was as follows:

    Code:
    cp /usr/lib//ld-linux-x86-64.so.2 /home/chroot/usr/lib
    ln -s /home/chroot/lib /home/chroot/lib64
    Can't wait for OpenSSH 4.9 to show up.
    Thanks to jchau for a great posting and followups!

    PS: I saw the other 64 bit postings too late, my apologies.
    Last edited by GeirS73; October 3rd, 2008 at 12:55 PM. Reason: Didn't properly search for similar solutions before posting. Bummer.

  9. #99
    Join Date
    Nov 2006
    Location
    Switzerland
    Beans
    21
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Hi folks,

    I finally got it working !

    Many thanks to Jchau for his howto and help !

    And thanks to you all who posted your problems AND solutions.

    That was very helpful !

    Fred
    Something old, something new, something blue...

  10. #100
    Join Date
    Sep 2005
    Beans
    62

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    FYI, this is much easier now that the openssh package in Intrepid is above version 4.8.

    rssh is no longer necessary.

    see: http://www.debian-administration.org/articles/590
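
The built-in approach mentioned in this thread (ChrootDirectory plus ForceCommand), shown as a constructed sshd_config sample with a check that no section chroots users without also forcing SFTP. This is an added example, not taken from the linked article or from any post here. The group name `sftponly` and the `/home/chroot` path in the sample are assumptions.

```shell
#!/bin/sh
# Added example. Group name "sftponly" and the chroot path are assumptions.

# write_sample_config FILE: constructed sshd_config lines for an SFTP-only,
# chrooted group using OpenSSH's built-in internal-sftp server.
write_sample_config() {
    cat > "$1" <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/chroot
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# check_sftp_jail FILE: return non-zero if any section sets ChrootDirectory
# (other than "none") without "ForceCommand internal-sftp" in the same section.
check_sftp_jail() {
    awk '
        function report() {
            if (jailed && !forced) {
                print "ChrootDirectory without ForceCommand internal-sftp: " section
                bad = 1
            }
        }
        BEGIN { section = "(global)" }
        { kw = tolower($1) }
        kw == "match" { report(); section = $0; jailed = 0; forced = 0; next }
        kw == "chrootdirectory" && tolower($2) != "none" { jailed = 1 }
        kw == "forcecommand" && $2 == "internal-sftp" { forced = 1 }
        END { report(); exit bad + 0 }
    ' "$1"
}

# Demo: the sample above passes the check.
tmp=$(mktemp)
write_sample_config "$tmp"
check_sftp_jail "$tmp" && echo "sample config: OK"
rm -f "$tmp"
```

sshd also requires the ChrootDirectory path and every directory above it to be owned by root and not writable by group or others; the check above does not cover that.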
