Page 1 of 11 123 ... LastLast
Results 1 to 10 of 109

Thread: Howto create chrooted Openssh SFTP without shell access through rssh.

  1. #1
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

Howto create chrooted Openssh SFTP without shell access through rssh.

    This functionality now comes standard in OpenSSH using the ChrootDirectory and the ForceCommand keyword in sshd_config! Hurray!


    The Match keyword also allows you to specify which users are affected. This means that rssh and the setup outlined in this howto are no longer necessary. From the sshd_config man page:
    Code:
         ChrootDirectory
                 Specifies a path to chroot(2) to after authentication.  This
                 path, and all its components, must be root-owned directories that
                 are not writable by any other user or group.
    
                 The path may contain the following tokens that are expanded at
                 runtime once the connecting user has been authenticated: %% is
                 replaced by a literal '%', %h is replaced by the home directory
                 of the user being authenticated, and %u is replaced by the user‐
                 name of that user.
    
                 The ChrootDirectory must contain the necessary files and directo‐
                 ries to support the users' session.  For an interactive session
                 this requires at least a shell, typically sh(1), and basic /dev
                 nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
                 arandom(4) and tty(4) devices.  For file transfer sessions using
                 “sftp”, no additional configuration of the environment is neces‐
                 sary if the in-process sftp server is used (see Subsystem for
                 details).
    
                 The default is not to chroot(2).
    Code:
         ForceCommand
                 Forces the execution of the command specified by ForceCommand,
                 ignoring any command supplied by the client and ~/.ssh/rc if
                 present.  The command is invoked by using the user's login shell
                 with the -c option.  This applies to shell, command, or subsystem
                 execution.  It is most useful inside a Match block.  The command
                 originally supplied by the client is available in the
                 SSH_ORIGINAL_COMMAND environment variable.  Specifying a command
                 of “internal-sftp” will force the use of an in-process sftp
                 server that requires no support files when used with
                 ChrootDirectory.
    Code:
         Match   Introduces a conditional block.  If all of the criteria on the
                 Match line are satisfied, the keywords on the following lines
                 override those set in the global section of the config file,
                 until either another Match line or the end of the file.
    
                 The arguments to Match are one or more criteria-pattern pairs.
                 The available criteria are User, Group, Host, and Address.  The
                 match patterns may consist of single entries or comma-separated
                 lists and may use the wildcard and negation operators described
                 in the PATTERNS section of ssh_config(5).
    
                 The patterns in an Address criteria may additionally contain
                 addresses to match in CIDR address/masklen format, e.g.
                 “192.0.2.0/24” or “3ffe:ffff::/32”.  Note that the mask length
                 provided must be consistent with the address - it is an error to
                 specify a mask length that is too long for the address or one
                 with bits set in this host portion of the address.  For example,
                 “192.0.2.0/33” and “192.0.2.0/8” respectively.
    
                 Only a subset of keywords may be used on the lines following a
                 Match keyword.  Available keywords are AllowAgentForwarding,
                 AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand,
                 GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
                 KbdInteractiveAuthentication, KerberosAuthentication,
                 MaxAuthTries, MaxSessions, PasswordAuthentication,
                 PermitEmptyPasswords, PermitOpen, PermitRootLogin,
                 RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
                 X11Forwarding and X11UseLocalHost.
    You should probably use the functionality built into OpenSSH instead, but just in case you don't want to do so, below is the tutorial as it was, which was last edited on February 5th, 2008 at 08:10 PM.



    Howto create chrooted Openssh SFTP without shell access through rssh.

    I noticed many people wanted to set up a secure way (non cleartext and authentication required) to transfer files but wanted to limit their users from accessing a shell or browsing the entire file system. For the past week, I have been searching for a way to do this myself.

However, most of the solutions posted to these requests didn't suit me: chrootssh (http://chrootssh.sourceforge.net/), which I found difficult to set up since it involved compiling from source instead of installing from a package; setting up another ftp server (like vsftpd), since I already had sshd running, I didn't want to manage another server and I was having difficulty getting this to work securely; setting the user's shell to the sftp-server, which still allowed the user to get out of their directories (but limited the user to sftp).

I also tried rssh unsuccessfully once before finding a HOWTO from the gentoo-wiki website <http://www.gentoo-wiki.com/index.php?title=HOWTO_SFTP_Server_(chrooted%2C_without_shell)&redirect=no>. (Many thanks to them). I adapted their HOWTO slightly to work for Ubuntu.

It took me a week to finally set it up and get it working since I started trying. I hope this HOWTO will help anyone else who wants to do this, but since I am writing this HOWTO after I set it up, I may accidentally forget a step. In addition, my system may differ from yours (FYI, Ubuntu Breezy with i686 kernel; but even if you have the same, your configs may differ). I make no guarantees that this will work on your system. I am just writing this in hopes that it will help. Feel free to post any suggestions/comments/questions/corrections. NOTE: I only tested my setup for SFTP.

    First, you need the "openssh-server" package. (I assume you already have that installed, updated, and configured. If not, it is pretty easy to do so & there are other tutorials available. You can get it through Synaptic Package Manager.)

    Then get the "rssh" package through Synaptic or through apt-get.

    Once that is ready, you can configure rssh by editing the file "/etc/rssh.conf". (You probably want to make a backup copy of that file by typing the command:
    Code:
    sudo cp /etc/rssh.conf /etc/rssh.orig.conf
    The command I used to edit /etc/rssh.conf was :
    Code:
    sudo nano /etc/rssh.conf
Note: you need the nano text editor to do this. Replace "nano" with "gedit" or another text editor if you want.

    The file should already be mostly filled out. Just uncomment (by removing the '#') the lines "#allowsftp" to allow sftp and if you want, uncomment the line "#allowscp". I left "#allowscp" commented since I only wanted sftp.

    There should be a line in "/etc/rssh.conf" that currently reads:
    Code:
    #chrootpath = "/usr/local/chroot dir"
    change it to:
    Code:
    chrootpath = "/home/chroot"
    (uncomment the line and change the path to "/home/chroot". The path is personal preference, but I decided "/home/chroot".) Doing this tells rssh to chroot jail everyone using rssh to the directory "/home/chroot".

    At this point, your rssh.conf file should have the following uncommented lines:
    Code:
    logfacility = LOG_USER
    allowsftp
    umask = 022
    chrootpath = "/home/chroot"
    Now to make sure OpenSSH does not weaken rssh (gunzip and read "/usr/share/doc/rssh/SECURITY" for more information), make sure you have the latest package for openssh-server and run the following command:
    Code:
    cat /etc/ssh/sshd_config | grep "PermitUserEnvironment"
    If you see the line beginning with "PermitUserEnvironment", use your text editor to either remove the line from "/etc/ssh/sshd_config" or to change the line to
    Code:
    PermitUserEnvironment=no
    Now to build the chrooted directory. There should be a zipped script at "/usr/share/doc/rssh/examples/mkchroot.sh.gz". Unzip the file, make a copy and edit the copy. You can do so using the following series of commands
    Code:
sudo gunzip /usr/share/doc/rssh/examples/mkchroot.sh.gz
sudo cp /usr/share/doc/rssh/examples/mkchroot.sh ~/mkchroot.sh
sudo nano ~/mkchroot.sh
    If you scroll through the file, you will find the lines:
    Code:
    scp_path="/usr/bin/scp"
    sftp_server_path="/usr/lib/sftp-server"
    rssh_path="/usr/bin/rssh"
    chroot_helper_path="/usr/lib/rssh/rssh_chroot_helper"
    Make sure these paths match the ones given when you type the following command:
    Code:
    rssh -v
    If they do not match, change your script so the paths match.

    If your setup is like mine, your sftp server will actually be located in "/usr/lib/openssh/sftp-server" instead of "/usr/lib/sftp-server", which is where rssh thinks the sftp-server is. If this is your case, change
    Code:
    sftp_server_path="/usr/lib/sftp-server"
    to
    Code:
    sftp_server_path="/usr/lib/openssh/sftp-server"
    Save the script and exit the editor.

    Then make the script executable with the following command:
    Code:
    sudo chmod u+x ~/mkchroot.sh

    Now remember how you made
    Code:
    chrootpath = "/home/chroot"
in "/etc/rssh.conf"? Well, now you actually make the chroot directory by running the following commands:
    Code:
    cd ~
    sudo ./mkchroot.sh /home/chroot
    While running that command, don't worry if you get the error saying that it cannot copy "linux-gate.so.1". It isn't a real file. However, you will probably need to copy the file "ld-linux.so.2" if it appears when you type the command:
    Code:
    ldd /usr/bin/scp | grep "ld-linux.so.2"
    but is not in the path "/home/chroot/lib/ld-linux.so.2". You can copy the file with the following commands:
    Code:
    cd /home/chroot
    sudo cp /lib/ld-linux.so.2 lib/
    Just to play it safe, make sure you have "libnss_compat.so.2" in the directory "/home/chroot/lib". If not, put it there with the following command:
    Code:
    sudo cp /lib/libnss_compat.so.2 /home/chroot/lib/
    Now make rssh a valid shell by running the command:
    Code:
sudo add-shell /usr/bin/rssh
    Now create a new user (I called mine "sft" for secure file transfer). Make the shell for the new user "/usr/bin/rssh". Make sure the home directory path is inside the chroot jail. For me, I made the home directory "/home/chroot/home/sft". If you don't know how to add a user, there is a GUI under System -> Administration -> Users and Groups.


    Now to apply the finishing touches and tie up loose ends:

    For logging to work properly, you need to tell sysklogd to listen to "/home/chroot/dev/log". You can do this by editing "/etc/init.d/sysklogd".
    WARNING: You can seriously mess up your system logging if you mess up here. BE CAREFUL!
    (you can replace nano with your text editor of choice). Run the following to edit "/etc/init.d/sysklogd":
    Code:
    sudo nano /etc/init.d/sysklogd
    You should find a line that starts with:
    Code:
    SYSLOGD=
    Simply add the following in the appropriate space on the line:
    Code:
    -a /home/chroot/dev/log
    If your config is like mine, the original line will read:
    Code:
    SYSLOGD="-u syslog"
    The new line will read:
    Code:
    SYSLOGD="-a /home/chroot/dev/log -u syslog"
    You will need to tell sysklogd to restart to get the new config; use the following command:
    Code:
    sudo /etc/init.d/sysklogd restart
    From what I read online, some programs may need /etc/passwd in order to run properly (I think scp). To play it safe, place a copy of /etc/passwd in the chroot directory using the following command:
    Code:
    sudo cp /etc/passwd /home/chroot/etc/
For security reasons, you will probably want to remove all irrelevant lines from the passwd file in "/home/chroot/etc/". So for my passwd file, since "sft" is the name of the account that will use this chrooted directory, I only have the line:
    Code:
    sft:x:1001:1001:Secure File Transfer Account,,,:/home/sft:/usr/bin/rssh
    WARNING: Please edit only the chroot copy of the passwd file, not the real one in /etc/passwd.
    You can use nano or another text editor to remove the other lines. (I also changed the home directory in the chroot passwd file from "/home/chroot/home/sft" to "/home/sft". I'm not sure if this is necessary, but I did this because I felt this will be better.)


    In order for the chrooting process to work, "/usr/lib/rssh/rssh_chroot_helper" has to be setuid root. (Note: this path is relative to real root, not chroot root.) To setuid root, run the command:
    Code:
    sudo chmod u+s /usr/lib/rssh/rssh_chroot_helper

    Now remember how rssh thinks that the sftp subsystem is located at "/usr/lib/sftp-server" but it is actually located in "/usr/lib/openssh/sftp-server"? If not, you can run the command:
    Code:
    rssh -v
    to figure it out. (Note: if this is not the case on your system, since our configs may differ, you should not follow this step and you should not follow one of the previous steps where you changed sftp_server_path="/usr/lib/sftp-server" to sftp_server_path="/usr/lib/openssh/sftp-server".)

    If however, your sftp-server is located in "/usr/lib/openssh/" and rssh thinks that it is located in "/usr/lib/" and your sshd (ssh server) thinks that the sftp subsystem is located at "/usr/lib/openssh/", make the following changes. (Note: you can check where sshd thinks the sftp subsystem is by the following command:
    Code:
    cat /etc/ssh/sshd_config | grep "Subsystem sftp "
    First, create a link to "/usr/lib/openssh/sftp-server" at "/usr/lib/". (Note: I already found a symbolic link to sftp-server in my "/usr/lib", so I kept it as a symbolic link. However, a hard link seems more reasonable to me. I'll let you decide which one you want. If you don't know the difference between a symbolic link and a hard link, feel free to look it up; if you know how to explain the difference properly, please post an explanation.)

    To create the symbolic link, use the command:
    Code:
    sudo ln -s /usr/lib/openssh/sftp-server /usr/lib/
    To create the hard link, use the command:
    Code:
    sudo ln /usr/lib/openssh/sftp-server /usr/lib/
    Now that the sftp-server exists in "/usr/lib", you can change the config file for your sshd. Use your text editor to edit "/etc/ssh/sshd_config". For me, the command was:
    Code:
    sudo nano /etc/ssh/sshd_config
    Then find the line:
    Code:
    Subsystem sftp /usr/lib/openssh/sftp-server
    and replace it with:
    Code:
    Subsystem sftp /usr/lib/sftp-server
    Save and exit the text editor when done. In order for the new config to take effect, you need to tell sshd to reload the config using the following command:
    Code:
    sudo /etc/init.d/ssh reload
Now you have to fix your chroot directory setup (you need to be able to run "/usr/lib/sftp-server" even when chrooted). To do this, create a hard link for "/home/chroot/usr/lib/openssh/sftp-server" at "/home/chroot/usr/lib/" using the following command:
    Code:
    sudo ln /home/chroot/usr/lib/openssh/sftp-server /home/chroot/usr/lib/
    Finally, there may be some files in the rsshed account's home directory like ".bashrc". If these are not needed, you can just delete them using the command "rm".

    At this point, your setup should be done (unless you or I missed a step).

    Fire up your favorite SFTP client and test the new setup. Hopefully it will work. Now try to ssh in using the rsshed account. A message should appear, and then rssh should exit, closing the connection.

    If you get a "connection closed" error and you have followed all the steps, adding null to your chrooted dev directory may help. You can do this with the command
    Code:
sudo mknod -m 666 /home/chroot/dev/null c 1 3
    where /home/chroot is the chroot directory.

    Side note: If the user with the chrooted rsshed account manages to get to the server & get to the graphical login, they can login like a normal user (without chroot restrictions & without protection provided by rssh since the rssh shell is not the login shell).

    I have discovered that this setup will still allow people to use the port forwarding feature of SSH if it is enabled on the server. See the blue section below for the fix.
    Update on AllowTcpForwarding:
    You can use "Match" in your sshd_config to allow/disallow certain groups/users the ability to forward TCP connections. Thanks to oojah for this information. (He placed the rssh users into a group called "chroot" in this example.)
    Last edited by jchau; December 27th, 2009 at 02:37 AM. Reason: To note that rssh is no longer necessary to provided chrooted SFTP access.
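The sshd_config(5) text quoted at the top of this post states the rule that trips most people up when they switch from rssh to the built-in ChrootDirectory: the chroot path and every one of its parent directories must be owned by root and writable by nobody else, otherwise sshd ends the session with "bad ownership or modes for chroot directory" in its log and the client only sees "Connection closed". The script below is an added example (mine, not part of the thread or of OpenSSH) that walks a candidate ChrootDirectory and reports each component that would fail that rule. It assumes a POSIX sh with `ls -ldn` (numeric owner) and paths without whitespace; the function names and the optional owner-uid override (for dry runs on a scratch directory you do not own as root) are my own.

```sh
#!/bin/sh
# Added example: check a ChrootDirectory candidate against the ownership and
# permission rule in sshd_config(5): every component must be a root-owned
# directory that is not group- or world-writable.

# check_chroot_component DIR [OWNER_UID]
#   Checks one directory. Prints a diagnostic per problem, returns 1 on any.
#   OWNER_UID defaults to 0 (root); override it only for dry runs.
check_chroot_component() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    # ls -ldn prints: mode links uid gid size date... name
    set -- $(ls -ldn "$dir")
    mode=$1
    uid=$3
    ok=0
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid"; ok=1
    fi
    # mode string: d rwx rwx rwx -> char 6 is group write, char 9 is other write
    case $mode in ?????w*)    echo "$dir: group-writable ($mode)"; ok=1 ;; esac
    case $mode in ????????w*) echo "$dir: world-writable ($mode)"; ok=1 ;; esac
    return $ok
}

# check_chroot_path PATH [OWNER_UID]
#   Walks /, /home, /home/chroot, ... and checks each component.
check_chroot_path() {
    target=$1
    owner=${2:-0}
    rc=0
    prefix=""
    rest=${target#/}
    check_chroot_component / "$owner" || rc=1
    while [ -n "$rest" ]; do
        head=${rest%%/*}
        prefix="$prefix/$head"
        check_chroot_component "$prefix" "$owner" || rc=1
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
    done
    return $rc
}

# Stand-alone use: check the jail path this thread uses (or the one given).
if check_chroot_path "${1:-/home/chroot}"; then
    echo "chroot path would be accepted by sshd"
else
    echo "chroot path would be REJECTED by sshd (see lines above)"
fi
```

Run it as `sh check_chroot.sh /home/chroot` before pointing a `Match Group sftponly` block with `ChrootDirectory /home/chroot` and `ForceCommand internal-sftp` at the directory. A practical consequence of the rule: the user's own home directory cannot itself be the ChrootDirectory, because the user must not be able to write to the chroot root; chroot to a root-owned parent and give the user a writable subdirectory beneath it.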

  2. #2
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

Re: Howto create chrooted Openssh SFTP without shell access through rssh.

I figured out how to avoid the GDM login loophole in security. Disable GDM. You can do this by going to System->Administration->Services. Then uncheck "Graphical Login Manager (GDM)". A warning message will appear. Just continue. WARNING: Continuing will stop your X session without further warning.

    Now here is something funny. Since X stopped, your settings did not save yet. To actually make the change, you have to repeat.

    To get X back up:
    Code:
    startx
Then proceed back to System->Administration->Services. You will notice that "Graphical Login Manager (GDM)" is still checked. Uncheck it again & continue. Click OK. Then GDM will not load anymore (until you check that box again).

    Now the user will have to log in through the text virtual terminal before X starts. This lets rssh for the rsshed user run first, preventing those who aren't allowed to do anything but sftp from getting a normal login.

    For a normal user to get X, just run
    Code:
    startx
    after logging in.
    For improved security, run
    Code:
    exec startx
    . This prevents someone from simply pressing [Ctrl]+[Alt]+[F1] followed by [Ctrl]+[c] to get to your command prompt. By putting exec in front of startx, this makes your account log out when your X session ends. (To lock your X session, just go to System->Lock Screen.)

    Now your setup should work securely.

    However, if you run a laptop, you may notice a bug when you close your lid: your screen may not automatically turn back on after you open the lid again. The reason is that the default lid.sh in "/etc/acpi/lid.sh" relies too much on X. For more info, see http://www.ubuntuforums.org/showthread.php?t=134319.

    To fix this problem, replace the contents of lid.sh in "/etc/acpi/lid.sh" with:
    Code:
    #!/bin/sh
    
    # turns the screen off on lid close & on on lid open
    
    grep -q closed /proc/acpi/button/lid/*/state
    if [ $? = 0 ]
    then
            sudo /usr/sbin/vbetool dpms off
    else
            sudo /usr/sbin/vbetool dpms on
    fi
    (This requires the package "vbetool". If you don't have this package, get it through apt-get or Synaptic.)

    This code should shut off the screen when the lid is closed and turn the screen back on when the lid opens. Note: it will not automatically lock your X session & it will not automatically lock your other virtual terminals. To lock your X session, just go to System->Lock Screen.

    To lock your other virtual terminals, look into the package "vlock". To use vlock, go to the virtual terminal you want to lock and type
    Code:
    vlock
    or to lock all the terminals, type
    Code:
    vlock -a
    .

    Now you can test this setup and hopefully celebrate !

    Any feedback is welcome.
    I'd like to turn this into a Wiki page, but I don't have the time to do the formatting checking & markup yet.

  3. #3
    Join Date
    Nov 2005
    Beans
    4
    Distro
    Ubuntu Breezy 5.10

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Excellent tutorial. I got nearly everything squared away in one sitting.

    I ran into trouble when I attempted to symlink a shared directory into the chrooted home, but a little googling showed me that mount --bind is what I needed to solve the problem. Hope this saves some frustration for anyone else who tries to do the same thing. You can read more about it here:

    http://www.proftpd.org/localsite/Use...-symlinks.html

  4. #4
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Thanks. So that means I didn't miss a step! Great!
    -Jimmy

  5. #5
    Join Date
    Nov 2005
    Location
    London
    Beans
    66
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Hi jchau,

    I've been following your howto but I can't seem to get this working.

    Somehow I know it's something simple but I'd appreciate any advice on how to set this up!

    Obviously I don't want to put all of my sshd_config on the net but here are the outputs from a few commands:

    cat /home/chroot/etc/passwd
    Code:
    sft:x:1004:1008:Secure File Transfer,,,:/home/sft:/usr/bin/rssh
    cat /etc/rssh.conf
    Code:
    # This is the default rssh config file
    
    # set the log facility.  "LOG_USER" and "user" are equivalent.
    logfacility = LOG_USER
    
    # Leave these all commented out to make the default action for rssh to lock
    # users out completely...
    
    #allowscp
    allowsftp
    #allowcvs
    #allowrdist
    #allowrsync
    
    # set the default umask
    umask = 022
    
    # If you want to chroot users, use this to set the directory where the root of
    # the chroot jail will be located.
    #
    # if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
    # You can quote anywhere, but quotes not required unless path contains a
    # space... as in this example.
    
    chrootpath = "/home/chroot"
    
    ##########################################
    # EXAMPLES of configuring per-user options
    
    #user=rudy:077:00010:  # the path can simply be left out to not chroot
    #user=rudy:077:00010   # the ending colon is optional
    
    #spaces in the path must be quoted...
    #user=rudy:011:00001:"/usr/local/chroot dir"  # scp with chroot
    #user=rudy:011:00010:"/usr/local/chroot dir"  # sftp with chroot
    #user=rudy:011:00011:"/usr/local/chroot dir"  # both with chroot
    #user=rudy:011:00100:  # cvs, with no chroot
    #user=rudy:011:01000:  # rdist, with no chroot
    #user=rudy:011:10000:  # rsync, with no chroot
    #user="rudy:011:00001:/usr/local/chroot"  # whole user string can be quoted
    #user=rudy:01"1:00001:/usr/local/chroot"  # or somewhere in the middle, freak!
    #user=rudy:'011:00001:/usr/local/chroot'  # single quotes too
    
    # Spaces before or after the '=' are fine, but spaces in chrootpath need
    # quotes.
    #user = "rudy:011:00001:/usr/local/chroot dir"
    #user = "rudy:011:00001:/usr/local/chroot dir"  # neither do comments at line end
    cat mkchroot.sh
    Code:
    #!/bin/sh
    
    #####################################################################
    #####################################################################
    ##
    ## mkchroot.sh - set up a chroot jail.
    ##
    ## This script is written to work for Red Hat 8/9 systems, but may work on
    ## other systems.  Or, it may not...  In fact, it may not work at all.  Use at
    ## your own risk.  :)
    ##
    
    fail() {
    
            echo "`basename $0`: fatal error" >&2
            echo "$1" >&2
            exit $2
    }
    
    #####################################################################
    #
    # Initialize - handle command-line args, and set up variables and such.
    #
    # $1 is the directory to make the root of the chroot jail (required)
    # $2, if given, is the user who should own the jail (optional)
    # $3, if given,  is the permissions on the directory (optional)
    #
    
    if [ -z "$1" ]; then
            echo "`basename $0`: error parsing command line" >&2
            echo "  You must specify a directory to use as the chroot jail." >&2
            exit 1
    fi
    
    jail_dir="$1"
    
    if [ -n "$2" ]; then
            owner="$2"
    fi
    
    if [ -n "$3" ]; then
            perms="$3"
    fi
    
    
    #####################################################################
    #
    # build the jail
    #
    
    # now make the directory
    
    if [ ! -d "$jail_dir" ]; then
            echo "Creating root jail directory."
            mkdir -p "$jail_dir"
    
            if [ $? -ne 0 ]; then
                    echo "  `basename $0`: error creating jail directory." >&2
                    echo "Check permissions on parent directory." >&2
                    exit 2
            fi
    fi
    
    if [ -n "$owner" -a `whoami` = "root" ]; then
            echo "Setting owner of jail."
            chown "$owner" "$jail_dir"
            if [ $? -ne 0 ]; then
                    echo "  `basename $0`: error changing owner of jail directory." >&2
                    exit 3
             fi
    else
            echo -e "NOT changing owner of root jail. \c"
            if [ `whoami` != "root" ]; then
                    echo "You are not root."
            else
                    echo
            fi
    fi
    
if [ -n "$perms" -a `whoami` = "root" ]; then
            echo "Setting permissions of jail."
            chmod "$perms" "$jail_dir"
            if [ $? -ne 0 ]; then
                    echo "  `basename $0`: error changing perms of jail directory." >&2
                    exit 3
             fi
    else
            echo -e "NOT changing perms of root jail. \c"
            if [ `whoami` != "root" ]; then
                    echo "You are not root."
            else
                    echo
            fi
    fi
    
    # copy SSH files
    
    scp_path="/usr/bin/scp"
    sftp_server_path="/usr/lib/openssh/sftp-server"
    rssh_path="/usr/bin/rssh"
    chroot_helper_path="/usr/lib/rssh/rssh_chroot_helper"
    
    for jail_path in `dirname "$jail_dir$scp_path"` `dirname "$jail_dir$sftp_server_path"` `dirname "$jail_dir$chroot_helper_path"`; do
    
            echo "setting up $jail_path"
    
            if [ ! -d "$jail_path" ]; then
                    mkdir -p "$jail_path" || \
                            fail "Error creating $jail_path. Exiting." 4
            fi
    
    done
    
    cp "$scp_path" "$jail_dir$scp_path" || \
            fail "Error copying $scp_path. Exiting." 5
    cp "$sftp_server_path" "$jail_dir$sftp_server_path" || \
            fail "Error copying $sftp_server_path. Exiting." 5
    cp "$rssh_path" "$jail_dir$rssh_path" || \
            fail "Error copying $rssh_path. Exiting." 5
    cp "$chroot_helper_path" "$jail_dir$chroot_helper_path" || \
            fail "Error copying $chroot_helper_path. Exiting." 5
    
    
    #####################################################################
    #
    # identify and copy libraries needed in the jail
    #
    
    for prog in $scp_path $sftp_server_path $rssh_path $chroot_helper_path; do
            echo "Copying libraries for $prog."
            libs=`ldd $prog | tr -s ' ' | cut -d' ' -f3`
            for lib in $libs; do
                    mkdir -p "$jail_dir$(dirname $lib)"
                    echo -e "\t$lib"
                    cp "$lib" "$jail_dir$lib"
            done
    done
    
    echo "copying name service resolution libraries..."
    tar -cf - /lib/libnss_files* | tar -C "$jail_dir" -xvf - |sed 's/^/\t/'
    
    #####################################################################
    #
    # copy config files for the dynamic linker, nsswitch.conf, and the passwd file
    #
    
    echo "Setting up /etc in the chroot jail"
    mkdir -p "$jail_dir/etc"
    cp /etc/nsswitch.conf "$jail_dir/etc/"
    cp /etc/passwd "$jail_dir/etc/"
    cp /etc/ld.* "$jail_dir/etc/"
    
    echo -e "Chroot jail configuration completed."
    echo -e "\nNOTE: if you are not using the passwd file for authentication,"
    echo -e "you may need to copy some of the /lib/libnss_* files into the jail.\n"
    
    
    #####################################################################
    #
    # set up /dev/log
    #
    
    mkdir -p "$jail_dir/dev"
    
    echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"
    echo -e "with appropriate options to log to $jail_dir/dev/log.  In most cases,"
    echo -e "you will need to start syslog as:\n"
    echo -e "   /sbin/syslogd -a $jail_dir/dev/log\n"
    
    echo -e "NOTE: we make no guarantee that ANY of this will work for you... \c"
    echo -e "if it\ndoesn't, you're on your own.  Sorry!\n"
    rssh -v
    Code:
    rssh 2.2.3
    Copyright 2002-4 Derek D. Martin <rssh-discuss at lists dot sourceforge dot net>
    
        rssh config file = /etc/rssh.conf
      chroot helper path = /usr/lib/rssh/rssh_chroot_helper
         scp binary path = /usr/bin/scp
      sftp server binary = /usr/lib/sftp-server
         cvs binary path = /usr/bin/cvs
       rdist binary path = /usr/bin/rdist
       rsync binary path = /usr/bin/rsync
    cat /etc/ssh/sshd_config | grep "Subsystem sftp "
    Code:
    Subsystem sftp /usr/lib/sftp-server
    ls /usr/lib/sft* -l
    Code:
    lrwxrwxrwx  1 root root 28 2006-04-14 20:56 /usr/lib/sftp-server -> /usr/lib/openssh/sftp-server
    ls /usr/lib/openssh/sft* -l
    Code:
    -rwxr-xr-x  1 root root 27184 2006-02-20 14:45 /usr/lib/openssh/sftp-server
    ls /home/chroot/usr/lib/openssh/* -l
    Code:
    -rwxr-xr-x  1 root root 27184 2006-04-14 20:44 /home/chroot/usr/lib/openssh/sftp-server
    // Dave

  6. #6
    Join Date
    Nov 2005
    Location
    London
    Beans
    66
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    By the way - the problem seems to be that sftp-server doesn't run when I try to sftp in.

    When I try "sftp sft@localhost" the following happens:

    Code:
    Connecting to localhost...
    sft@localhost's password:
    I enter the password and press enter...

    Code:
    Connection closed
    Bah!

    Thanks,
    // Dave

  7. #7
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

Did you setuid rssh_chroot_helper (the real one, not the chroot dir one)?

    If not, setuid it with
    Code:
    sudo chmod u+s /usr/lib/rssh/rssh_chroot_helper
    That might be causing the problem. If
    -Jimmy

  8. #8
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

Sorry for the slow response. I checked over your stuff and I can't find anything blatantly wrong. Try the setuid thing and if that doesn't work, I'll try to get back to you Monday. (I'm packing for a trip home right now).
    -Jimmy

  9. #9
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    I tried unsetting root setuid on
    Code:
    /usr/lib/rssh/rssh_chroot_helper
. It gives the same problem that you describe. So just run:
    Code:
    sudo chmod u+s /usr/lib/rssh/rssh_chroot_helper
    and you should be OK!
    -Jimmy

  10. #10
    Join Date
    Nov 2005
    Location
    London
    Beans
    66
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Hi Jimmy,

    Slow response? Not at all! Cheers for getting back to me. Unfortunately I tried out your tip but it didn't work.

    ls /usr/lib/rssh/rssh* -l
    Code:
    -rwsr-xr-x  1 root root 6680 2005-04-14 17:21 /usr/lib/rssh/rssh_chroot_helper
    Don't know what's going on... Listen, enjoy your trip anyway. I'm off on one myself this afternoon so I'll be back after the weekend.

    Take it easy,
    // Dave
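The exchange from post #5 onward is the classic symptom of an incomplete jail: the password is accepted, rssh hands off to sftp-server inside the chroot, the exec fails, and the client only sees "Connection closed". The pasted mkchroot.sh collects libraries with `ldd ... | cut -d' ' -f3`, which skips the dynamic loader line (it has no "=>"), which is exactly why the tutorial tells you to copy ld-linux.so.2 by hand. The script below is an added example (mine, not from the thread or from rssh) that reads ldd(1) output and reports every shared object, loader included, that is not present at the same path inside the jail. It assumes ldd's usual "name => /path (addr)" and "/path (addr)" line shapes; the function names and the constructed sample ldd output are my own.

```sh
#!/bin/sh
# Added example: compare ldd(1) output for a program against the contents
# of a chroot jail and list what is missing. Usage on a real system:
#   ldd /usr/lib/openssh/sftp-server | missing_in_jail /home/chroot

# missing_in_jail JAIL < ldd-output
#   Prints one "missing: ..." line per absent library; returns 1 if any
#   library is missing or unresolved on the host, 0 otherwise.
missing_in_jail() {
    jail=$1
    rc=0
    while read -r line; do
        set -- $line
        if [ $# -eq 0 ]; then continue; fi
        # the vDSO is mapped by the kernel, not a file; nothing to copy
        case $1 in linux-gate.so*|linux-vdso.so*) continue ;; esac
        if [ "$2" = "=>" ]; then
            lib=$3            # "libc.so.6 => /lib/libc.so.6 (0x...)"
        else
            lib=$1            # "/lib/ld-linux.so.2 (0x...)": the loader
        fi
        case $lib in
            /*)  if [ ! -e "$jail$lib" ]; then
                     echo "missing: $jail$lib"; rc=1
                 fi ;;
            not) echo "unresolved on host: $1"; rc=1 ;;   # "=> not found"
            *)   ;;           # e.g. "statically linked"
        esac
    done
    return $rc
}

# Constructed sample resembling ldd output on the thread's i686 Breezy box.
SAMPLE_LDD='    linux-gate.so.1 =>  (0xffffe000)
    libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7e3a000)
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d06000)
    /lib/ld-linux.so.2 (0xb7f5a000)'

# build_scratch_jail DIR
#   Creates placeholder copies of the two libraries but, like a jail built
#   by the pasted mkchroot.sh, omits the loader.
build_scratch_jail() {
    mkdir -p "$1/usr/lib" "$1/lib/tls/i686/cmov"
    : > "$1/usr/lib/libcrypto.so.0.9.8"
    : > "$1/lib/tls/i686/cmov/libc.so.6"
}

# Stand-alone demo on a scratch jail: reports the missing loader.
scratch=$(mktemp -d)
build_scratch_jail "$scratch"
printf '%s\n' "$SAMPLE_LDD" | missing_in_jail "$scratch" || echo "jail incomplete"
rm -rf "$scratch"
```

Run this after every upgrade of openssh-server or libc: the copies mkchroot.sh made are frozen at copy time, so a jail that worked once can stop working without any config change. If nothing is reported missing and the session still closes, the remaining suspects from this thread are the /dev/null node and the setuid bit on the real rssh_chroot_helper.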
