Page 3 of 11 (results 21 to 30 of 109)

Thread: Howto create chrooted Openssh SFTP without shell access through rssh.

  1. #21
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Sorry for the slow response, I'm usually faster, but I didn't have my computer for a while. If rssh knows the proper path for the sftp server, you shouldn't have to go through the extra trouble of creating the links to the right place. I don't have a solution for you yet, but I'll take another look.

    Edit:
    Whoops, I didn't read your edit, OnlyJedi. Glad you got it to work.
    -Jimmy

  2. #22
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by OnlyJedi
    I checked, and rssh_chroot_helper is set chmod u+s, both the real file and the chrooted one. Both the real and chrooted sftp-server files are executable by world, and their directories can be read/browsed by world.
    About this: you should probably unsetuid the rssh_chroot_helper in the chroot directory. It doesn't need to be chrooted, and it is probably insecure.
    -Jimmy

  3. #23
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    For those who have problem with the rssh setup after upgrading to Dapper from Breezy, there is a new thread for Dapper describing how to fix problems arising from the install. http://ubuntuforums.org/showthread.php?t=195266
    -Jimmy

  4. #24

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    I'm having a little trouble with this. Instead of using /home as a directory, I'm storing the path in /var/www/home.

    Everything worked fine, and I created a user with this command:

    Code:
    useradd eric -s /usr/bin/rssh -d /var/www/home/eric

    It created the user just fine, then I did a 'passwd eric' to set the password. Then I took the /etc/passwd file and placed it in /var/www/home/etc and removed all the lines except 'eric'.

    No errors or anything, but when I try to log in, it just says access denied. I'm using WinSCP to try to get a visual of this working. I also tried PuTTY to get access, but it also says access denied. Please help!!!

    Thanks,
    Eric

  5. #25
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    I do not recall seeing the error "access denied" and I cannot successfully recreate that error. Please make sure you followed every step.

    An sshd setting may also be causing the problem (you did not allow password authentication). This is the most likely cause of that error that I found. See http://www.ubuntuforums.org/showthread.php?t=7842 for more information.

    If that still doesn't help, please post the exact error message you get, note when the error appears, and also post the relevant log entries. See http://ubuntuforums.org/showpost.php...7&postcount=11 for more information.

    Also, the point of this setup is to prevent shell access, so you should not be able to connect with PuTTY; you should be presented with the following, followed by a disconnect:
    Code:
    This account is restricted by rssh.
    Allowed commands: sftp

    If you believe this is in error, please contact your system administrator.
    -Jimmy

  6. #26
    Join Date
    Mar 2005
    Location
    /home/
    Beans
    9
    Distro
    Ubuntu Breezy 5.10

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Hi,

    Thanks for a great howto. I have a problem with user accounts. When I add a new user and then log in from another computer, everything seems to be OK. But the user is still able to explore out of his home dir and download files like /etc/passwd and others. Shouldn't the user be jailed in its home dir? Not just /home/chroot/, or what?

  7. #27
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by jax2000
    Hi,

    Thanks for a great howto. I have a problem with user accounts. When I add a new user and then log in from another computer, everything seems to be OK. But the user is still able to explore out of his home dir and download files like /etc/passwd and others. Shouldn't the user be jailed in its home dir? Not just /home/chroot/, or what?
    You're welcome!

    If you followed the instructions, the user should still be able to see files like /etc/passwd. However, these files should not be the files on the real root (remember copying these files to the chroot directory?). These files should also have no information that can compromise your system's security (remember removing all the unnecessary lines from the chroot copy of /etc/passwd? Your system should also be using shadow, so no password hashes will be stored in /etc/passwd either).

    Since sftp and rssh depend on the presence of certain files, the files need to be copied to the chroot folder. For clarification, the chroot jail prevents the jailed user from leaving the jail (in my case, /home/chroot/), not their home directory in the chroot jail (/home/chroot/home/sft/). So for example, the user sft in my howto can access /home/chroot/etc/nsswitch.conf (which will appear to be /etc/nsswitch.conf to sft), but sft will not be allowed to access the real /etc/nsswitch.conf.

    You might now be wondering why you would want to use a chroot jail. One advantage is damage control: if your user somehow compromises your sftp server, they should not be able to mess with the real root, only the chroot jail. Another is increased security: they will not be able to access files outside of the chroot jail even if your file permissions somehow allow it (though you should fix your file permissions anyway); e.g. your home directory (outside the chroot jail) may be world readable, but you might have a confidential document stored in it, or you might not want to let someone find out by looking through /usr/local/bin that you have some package installed. There are probably a few other advantages too.

    If you don't feel that the chroot jail is worth the trouble, you can also forgo that altogether and just use rssh without the chroot jail (simply make the user's account by specifying rssh as a shell, don't specify a home directory, and comment the chrootpath from rssh.conf).

    As an easy way to check whether your users can get out of the chroot jail, you can see if the user can access the file "/etc/ssh/ssh_config". It is in the real root, but should not be in the chroot root. If they can get to the file, stop your ssh server or disable the accounts and make sure that you followed all the steps. You can also put a file in the real root and see if the chroot-jailed users can access the file.
    Last edited by jchau; September 5th, 2006 at 01:26 AM. Reason: to add comment
    -Jimmy
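    The two housekeeping steps Jimmy describes (post #22: drop the setuid bit from the chroot copy of rssh_chroot_helper; post #27: the chroot copy of /etc/passwd must carry only the jailed user's line and no hashes) are easy to get wrong by hand. The script below is an added example, not code from this thread or from the rssh project; it builds the trimmed passwd file and lists anything left setuid/setgid inside a jail. The jail directory, the host passwd contents and the user "sft" are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build the chroot-side /etc/passwd with
# only the jailed user's entry, and verify nothing setuid is left inside the
# jail. Only the rssh_chroot_helper OUTSIDE the jail needs the setuid bit.
set -eu

# Write a chroot copy of passwd containing just the named user, with the
# password field forced to 'x' so no hash can leak even if the host is not
# using shadow. Usage: filter_passwd <real-passwd-file> <user> <output-file>
filter_passwd() {
    real="$1"; user="$2"; out="$3"
    awk -F: -v u="$user" 'BEGIN { OFS = ":" } $1 == u { $2 = "x"; print }' "$real" > "$out"
    # Exactly one line must remain; anything else means the user is missing
    # from, or duplicated in, the source file.
    [ "$(wc -l < "$out")" -eq 1 ]
}

# List setuid/setgid regular files under a jail root. Output is empty when
# the jail is clean; any path printed is something a jailed user could run
# with elevated privileges.
list_setuid_in_jail() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# --- constructed demo: a throwaway jail in a temp dir, NOT a real system ----
JAIL="$(mktemp -d)"
mkdir -p "$JAIL/etc" "$JAIL/usr/lib/rssh" "$JAIL/home/sft"
# Constructed host passwd; the 2nd field of "sft" is a deliberately bogus hash
# to show that filter_passwd strips it.
cat > "$JAIL/host-passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sft:$1$constructed$hash:1001:1001:sftp user:/home/sft:/usr/bin/rssh
alice:x:1002:1002:Alice:/home/alice:/bin/bash
EOF

filter_passwd "$JAIL/host-passwd" sft "$JAIL/etc/passwd"
cat "$JAIL/etc/passwd"
# -> sft:x:1001:1001:sftp user:/home/sft:/usr/bin/rssh

# Simulate a chroot copy of rssh_chroot_helper that was copied in with its
# setuid bit intact (an empty placeholder file, constructed for the demo).
: > "$JAIL/usr/lib/rssh/rssh_chroot_helper"
chmod u+s "$JAIL/usr/lib/rssh/rssh_chroot_helper"
BEFORE="$(list_setuid_in_jail "$JAIL")"
chmod u-s "$JAIL/usr/lib/rssh/rssh_chroot_helper"   # the fix from post #22
AFTER="$(list_setuid_in_jail "$JAIL")"
echo "setuid files before fix: ${BEFORE:-none}"
echo "setuid files after fix:  ${AFTER:-none}"
```

    Run it against a real jail by pointing filter_passwd at the host's /etc/passwd and list_setuid_in_jail at the chroot root; an empty listing plus a one-line passwd copy is the state the howto expects.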

  8. #28
    Join Date
    Mar 2005
    Location
    /home/
    Beans
    9
    Distro
    Ubuntu Breezy 5.10

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    I understand that jailing users inside this "fake system" is a much safer way to go. I did edit the /etc and other folder permissions, so even if users can browse the folders they cannot see the files. Even if it does not really matter.

  9. #29
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Security Alert! Howto create chrooted Openssh SFTP without shell access through rssh.

    I have discovered that this setup will still allow people to use the port forwarding feature of SSH if it is enabled on the server. A temporary fix is to disallow TCPForwarding completely for everyone. This can be done by adding the following line to /etc/ssh/sshd_config:
    Code:
    AllowTcpForwarding no
    Then reload the new config with the following command:
    Code:
    sudo /etc/init.d/ssh reload


    If anyone has any ideas about how to prevent only the rssh users from using the TCP forwarding feature, or to allow only certain users to have that ability, I'd be glad to see it! The sshd_config(5) man page seems to suggest that the latter should be possible by saying the following:
    Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
    I have modified the first post of this thread to include this information, but I'm hoping this new reply will cause everyone subscribed to this thread to receive this notice.
    -Jimmy
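    On the question of switching forwarding off for the rssh users only: newer OpenSSH releases (4.4 and later, which postdate the Ubuntu 6.06 setup in this thread) added "Match" blocks to sshd_config, and an "AllowTcpForwarding no" inside a "Match Group" block applies only to members of that group. The following is an added example, not from the thread or the rssh project. The config fragment, the group name "sftponly" and the little resolver that replays the file the way sshd applies it are all constructed here; the resolver matches group names exactly and ignores the wildcard patterns sshd itself accepts.

```shell
#!/bin/sh
# Added example, not from the thread: per-group TCP forwarding policy.
# Assumes OpenSSH 4.4 or later (Match blocks); the group "sftponly" is a
# constructed name that the rssh users are assumed to belong to.
set -eu

# Constructed sshd_config fragment: forwarding stays on globally but is
# switched off for the sftponly group. Global directives must come before
# the first Match line, because everything after a Match belongs to it.
SSHD_CONFIG="$(mktemp)"
cat > "$SSHD_CONFIG" <<'EOF'
# global settings apply to everyone not covered by a Match block
AllowTcpForwarding yes
X11Forwarding no

Match Group sftponly
    AllowTcpForwarding no
EOF

# Resolve the effective AllowTcpForwarding value for a given group by
# replaying the file: global directives first, then directives from each
# Match block whose "Group" criterion names the group (exact match only;
# sshd also accepts patterns, which this toy resolver does not handle).
# Usage: effective_tcp_forwarding <config-file> <group>
effective_tcp_forwarding() {
    awk -v grp="$2" '
        BEGIN { val = "yes"; applies = 1 }          # sshd default is yes
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" {
            applies = 0
            for (i = 2; i < NF; i += 2)
                if (tolower($i) == "group") {
                    n = split($(i + 1), g, ",")
                    for (j = 1; j <= n; j++) if (g[j] == grp) applies = 1
                }
            next
        }
        applies && tolower($1) == "allowtcpforwarding" { val = tolower($2) }
        END { print val }
    ' "$1"
}

echo "sftponly users: $(effective_tcp_forwarding "$SSHD_CONFIG" sftponly)"   # no
echo "other users:    $(effective_tcp_forwarding "$SSHD_CONFIG" staff)"      # yes
```

    As the man page excerpt Jimmy quotes points out, this only buys anything because rssh denies those users a shell; on a version without Match support, the global "AllowTcpForwarding no" from the post remains the way to do it.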

  10. #30
    Join Date
    Dec 2006
    Beans
    8

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    I've been trying to set up an rssh with chroot jail on Ubuntu 6.10 pretty much out of the box and was able to get a nice configuration working with openssh and mysecureshell. I'm now interested in rssh because it supports rsync as well, and followed the excellent howto provided in this post. Sadly things didn't quite want to work out that well, and since Google wasn't able to help me I'm hoping I'll find some help here.

    What happens: after following through the howto and logging on to my host through sftp, I get a simple "Connection closed" after inputting the password. The complete log that gets generated looks like this:

    Code:
    rssh[6291]: setting log facility to LOG_USER
    rssh[6291]: allowing sftp to all users
    rssh[6291]: allowing rsync to all users
    rssh[6291]: setting umask to 022
    rssh[6291]: chrooting all users to /home/office
    rssh[6291]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
    When I try to log into the ssh using an account for which rssh is set up, I get the following output in the terminal:

    Code:
    This account is restricted by rssh.
    Allowed commands: sftp rsync
    
    If you believe this is in error, please contact your system administrator.
    
    *** glibc detected *** -rssh: malloc(): memory corruption: 0x0804fc78 ***
    ======= Backtrace: =========
    /lib/tls/i686/cmov/libc.so.6[0xb7e2b1cd]
    /lib/tls/i686/cmov/libc.so.6(malloc+0x7f)[0xb7e2c83f]
    -rssh[0x804a485]
    -rssh[0x804aceb]
    -rssh[0x804b33c]
    /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7dd98cc]
    -rssh[0x8048aa1]
    ======= Memory map: ========
    08048000-0804d000 r-xp 00000000 08:04 2900436    /usr/bin/rssh
    0804d000-0804e000 rwxp 00004000 08:04 2900436    /usr/bin/rssh
    0804e000-0806f000 rwxp 0804e000 00:00 0          [heap]
    b7c00000-b7c21000 rwxp b7c00000 00:00 0 
    b7c21000-b7d00000 ---p b7c21000 00:00 0 
    b7d84000-b7d8e000 r-xp 00000000 08:04 1196099    /lib/libgcc_s.so.1
    b7d8e000-b7d8f000 rwxp 00009000 08:04 1196099    /lib/libgcc_s.so.1
    b7d8f000-b7d98000 r-xp 00000000 08:04 1229074    /lib/tls/i686/cmov/libnss_files-2.4.so
    b7d98000-b7d9a000 rwxp 00008000 08:04 1229074    /lib/tls/i686/cmov/libnss_files-2.4.so
    b7d9a000-b7da2000 r-xp 00000000 08:04 1229076    /lib/tls/i686/cmov/libnss_nis-2.4.so
    b7da2000-b7da4000 rwxp 00007000 08:04 1229076    /lib/tls/i686/cmov/libnss_nis-2.4.so
    b7da4000-b7db6000 r-xp 00000000 08:04 1229071    /lib/tls/i686/cmov/libnsl-2.4.so
    b7db6000-b7db8000 rwxp 00011000 08:04 1229071    /lib/tls/i686/cmov/libnsl-2.4.so
    b7db8000-b7dba000 rwxp b7db8000 00:00 0 
    b7dba000-b7dc1000 r-xp 00000000 08:04 1229072    /lib/tls/i686/cmov/libnss_compat-2.4.so
    b7dc1000-b7dc3000 rwxp 00006000 08:04 1229072    /lib/tls/i686/cmov/libnss_compat-2.4.so
    b7dc3000-b7dc4000 rwxp b7dc3000 00:00 0 
    b7dc4000-b7ef1000 r-xp 00000000 08:04 1229065    /lib/tls/i686/cmov/libc-2.4.so
    b7ef1000-b7ef3000 r-xp 0012c000 08:04 1229065    /lib/tls/i686/cmov/libc-2.4.so
    b7ef3000-b7ef5000 rwxp 0012e000 08:04 1229065    /lib/tls/i686/cmov/libc-2.4.so
    b7ef5000-b7ef8000 rwxp b7ef5000 00:00 0 
    b7f0a000-b7f0c000 rwxp b7f0a000 00:00 0 
    b7f0c000-b7f25000 r-xp 00000000 08:04 1196245    /lib/ld-2.4.so
    b7f25000-b7f27000 rwxp 00018000 08:04 1196245    /lib/ld-2.4.so
    bfbc0000-bfbd6000 rw-p bfbc0000 00:00 0          [stack]
    ffffe000-fffff000 ---p 00000000 00:00 0          [vdso]
    Connection to **** closed.
    I don't know if this is relevant, but I set up my ssh server on a nonstandard port and used the home directory of the user as the chroot jail directory (since only one user will be using the rssh shell). Also, when I remove the option to use the chroot in the rssh.conf file, everything works fine (I am able to log in through sftp, and the terminal doesn't provide a crash report when trying to log in through ssh; it simply states "connection closed" and that's it).

    Any help would be greatly appreciated. If you need more info, please let me know. Thanks.
    Last edited by aprita; December 3rd, 2006 at 01:29 AM.
