
Thread: Howto create chrooted Openssh SFTP without shell access through rssh.

  1. #51
    Join Date
    Apr 2007
    Beans
    1

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by jchau
    If anyone has any ideas about how to prevent only the rssh users from using TCP forwarding feature or to allow only certain users to have that ability, I'd be glad to see it!
    Easy! :)

    openssh allows you to specify rules per user/group. So in my sshd_config I have:

    Code:
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #       X11Forwarding no
    #       AllowTcpForwarding no
    #       ForceCommand cvs server
    Match Group chroot
            AllowTcpForwarding no
    Cheers,

    Roger

  2. #52
    Join Date
    Apr 2006
    Location
    Sweden
    Beans
    92
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    I'm getting this error when I try to connect with Winscp:

    Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).
    Last edited by Poka64; April 15th, 2007 at 11:02 PM.

  3. #53
    Join Date
    Jul 2005
    Location
    Seattle, WA
    Beans
    280
    Distro
    Kubuntu 5.10

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    i was very excited when i first saw this thread, but then as i scrolled down the howto i got disappointed. i really appreciate the hard work you've put into writing this, but i'm totally disappointed there isn't an easier way. has anybody written a script that would just do all of it for us? or what about these "jailer Builds and maintains chrooted environments" programs available? will they be easier?
    i love ubuntu and like playing around on my computer plenty, but i don't want to have to go through all these steps. but perhaps there is no easier way, and perhaps i should try writing the script or my own program. i guess i just thought it would be easier than all this.

  4. #54
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by oojah
    Easy!

    openssh allows you to specify rules per user/group. So in my sshd_config I have:

    Code:
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #       X11Forwarding no
    #       AllowTcpForwarding no
    #       ForceCommand cvs server
    Match Group chroot
            AllowTcpForwarding no
    Cheers,

    Roger
    Thanks. I'll add this to the original post. I hope u don't mind.
    -Jimmy

  5. #55
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by Poka64
    I'm getting this error when I try to connect with Winscp:

    Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended).
    I've never seen that before. Have u tried another client? Or do all clients give this error message? What happens when u do
    Code:
    sftp rsshuser@localhost
    from the server? (Replace rsshuser with the user name).
    -Jimmy

  6. #56
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by jetpeach
    i was very excited when i first saw this thread, but then as i scrolled down the howto i got disappointed. i really appreciate the hard work you've put into writing this, but i'm totally disappointed there isn't an easier way. has anybody written a script that would just do all of it for us? or what about these "jailer Builds and maintains chrooted environments" programs available? will they be easier?
    i love ubuntu and like playing around on my computer plenty, but i don't want to have to go through all these steps. but perhaps there is no easier way, and perhaps i should try writing the script or my own program. i guess i just thought it would be easier than all this.
    Writing a script to do this is possible, but I haven't seen any available to completely automate this process. (BTW, most of this howto is modifying the mkchroot.sh script to fit your system.) If you know how to write such a script, that'll be awesome. There are also plenty of other options. This was the one that I liked the best. Feel free to suggest better alternatives.

    If you go through these steps manually, though, you'll probably understand the setup better.
    -Jimmy

  7. #57
    Join Date
    Feb 2007
    Beans
    2

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    I have the SFTP server up and running with the great instructions in this post. I was just trying to figure out how I can log: Time of Connection, User, File Transferred, and Logoff, or better yet if the logging is already happening, where the files are. Thanks.
    Last edited by aschaef; April 25th, 2007 at 05:58 PM.

  8. #58
    Join Date
    Sep 2005
    Beans
    62

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Upon logging in to the newly created account via ssh, I am prompted to change my password.

    I plan on having this account used by multiple people, so I don't want them to have the ability to change the password. Is there a way to prevent this behavior?


    Also, I am having trouble getting sftp to work. Here is my log file:
    Code:
    May 15 15:27:38 scud rssh[15221]: setting log facility to LOG_USER
    May 15 15:27:38 scud rssh[15221]: allowing sftp to all users
    May 15 15:27:38 scud rssh[15221]: setting umask to 022
    May 15 15:27:38 scud rssh[15221]: chrooting all users to /home/chroot
    May 15 15:27:38 scud rssh[15221]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
    I noticed that there are no "rssh_chroot_helper" lines following this. Is this component not being loaded?


    I am also missing two files referenced within the setup:
    /lib/ld-linux.so.2
    /lib/libnss_compact.so.2

    For the first one, I assume that my equivalent is "/lib/ld-linux-x86-64.so.2" since I'm running amd64 feisty. Would I need to copy this as /home/chroot/lib/ld-linux.so.2, or leave the name as it is and copy it to /home/chroot/lib/ld-linux-x86-64.so.2?

    The second file doesn't seem to have an equivalent. Could you possibly have meant "/lib/libnss_compat.so.2" ("compat" not "compact")?


    Any help would be greatly appreciated.
    Last edited by cypher35; May 15th, 2007 at 10:04 PM.

  9. #59
    Join Date
    Mar 2006
    Beans
    31

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Hi - I'm using dapper (amd64) - and having big problems.

    here is my setup (I have created my chroot dir in /usr/local as I'd like to keep the /home dir mounted with noexec):

    Code:
    /usr/local/chroot:
    total 20
    drwxr-xr-x 2 root root 4096 2007-05-17 06:25 dev
    drwxr-xr-x 2 root root 4096 2007-05-16 13:06 etc
    drwxr-xr-x 3 root root 4096 2007-05-16 13:09 home
    drwxr-xr-x 2 root root 4096 2007-05-16 13:07 lib
    drwxr-xr-x 4 root root 4096 2007-05-16 13:06 usr
    
    /usr/local/chroot/dev:
    total 0
    srw-rw-rw- 1 root root    0 2007-05-17 06:25 log
    crw-rw-rw- 1 root root 1, 3 2007-05-16 13:11 null
    
    /usr/local/chroot/etc:
    total 40
    -rw-r--r-- 1 root root 27266 2007-05-16 13:06 ld.so.cache
    -rw-r--r-- 1 root root   195 2007-05-16 13:06 ld.so.conf
    -rw-r--r-- 1 root root   470 2007-05-16 13:06 nsswitch.conf
    -rw-r--r-- 1 root root  1303 2007-05-17 11:03 passwd
    
    /usr/local/chroot/home:
    total 4
    drwxr-xr-x 2 cheers cheers 4096 2007-05-16 13:09 cheers
    
    /usr/local/chroot/home/cheers:
    total 0
    
    /usr/local/chroot/lib:
    total 1940
    -rwxr-xr-x 1 root root   92868 2007-05-16 13:07 ld-linux.so.2
    -rw-r--r-- 1 root root    8040 2007-05-16 13:06 libcom_err.so.2
    -rw-r--r-- 1 root root   20376 2007-05-16 13:06 libcrypt.so.1
    -rwxr-xr-x 1 root root 1267512 2007-05-16 13:06 libc.so.6
    -rw-r--r-- 1 root root   10056 2007-05-16 13:06 libdl.so.2
    -rw-r--r-- 1 root root   83424 2007-05-16 13:06 libnsl.so.1
    -rw-r--r-- 1 root root   36112 2007-05-16 13:07 libnss_compat.so.2
    -rw-r--r-- 1 root root   44056 2007-05-16 13:08 libnss_files-2.3.6.so
    lrwxrwxrwx 1 root root      21 2007-05-16 13:06 libnss_files.so.2 -> libnss_files-2.3.6.so
    -rw-r--r-- 1 root root   75288 2007-05-16 13:06 libresolv.so.2
    -rw-r--r-- 1 root root   82624 2007-05-16 13:06 libselinux.so.1
    -rw-r--r-- 1 root root  212376 2007-05-16 13:06 libsepol.so.1
    -rw-r--r-- 1 root root    9864 2007-05-16 13:06 libutil.so.1
    
    /usr/local/chroot/usr:
    total 8
    drwxr-xr-x 2 root root 4096 2007-05-16 13:06 bin
    drwxr-xr-x 4 root root 4096 2007-05-17 10:55 lib
    
    /usr/local/chroot/usr/bin:
    total 64
    -rwxr-xr-x 1 root root 24096 2007-05-16 13:06 rssh
    -rwxr-xr-x 1 root root 40752 2007-05-16 13:06 scp
    
    /usr/local/chroot/usr/lib:
    total 2400
    -rw-r--r-- 1 root root 1495336 2007-05-16 13:06 libcrypto.so.0.9.8
    -rw-r--r-- 1 root root  120064 2007-05-16 13:06 libgssapi_krb5.so.2
    -rw-r--r-- 1 root root  150552 2007-05-16 13:06 libk5crypto.so.3
    -rw-r--r-- 1 root root  548448 2007-05-16 13:06 libkrb5.so.3
    -rw-r--r-- 1 root root   15792 2007-05-16 13:06 libkrb5support.so.0
    -rw-r--r-- 1 root root   89512 2007-05-16 13:06 libz.so.1
    drwxr-xr-x 2 root root    4096 2007-05-16 13:06 openssh
    drwxr-xr-x 2 root root    4096 2007-05-16 13:06 rssh
    lrwxrwxrwx 1 root root      45 2007-05-17 10:55 sftp-server -> /usr/local/chroot/usr/lib/openssh/sftp-server
    
    /usr/local/chroot/usr/lib/openssh:
    total 40
    -rwxr-xr-x 1 root root 36992 2007-05-16 13:06 sftp-server
    
    /usr/local/chroot/usr/lib/rssh:
    total 24
    -rwsr-xr-x 1 root root 23624 2007-05-16 13:06 rssh_chroot_helper
    I get connection closed when trying with sftp or scp. As far as I can see the 2 files mentioned below are present and executable!?

    Code:
    May 17 11:18:41 delia rssh[8474]: setting log facility to LOG_USER
    May 17 11:18:41 delia rssh[8474]: allowing scp to all users
    May 17 11:18:41 delia rssh[8474]: allowing sftp to all users
    May 17 11:18:41 delia rssh[8474]: setting umask to 022
    May 17 11:18:41 delia rssh[8474]: chrooting all users to /usr/local/chroot
    May 17 11:18:41 delia rssh[8474]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 1 "scp -t me.txt"
    May 17 11:18:41 delia rssh_chroot_helper[8474]: new session for cheers, UID=1005
    May 17 11:18:41 delia rssh_chroot_helper[8474]: user's home dir is /usr/local/chroot/home/cheers
    May 17 11:18:41 delia rssh_chroot_helper[8474]: chrooted to /usr/local/chroot
    May 17 11:18:41 delia rssh_chroot_helper[8474]: changing working directory to /home/cheers (inside jail)
    May 17 11:18:41 delia rssh_chroot_helper[8474]: execv() failed, /usr/bin/scp: No such file or directory
    or :

    Code:
    May 17 11:12:02 delia rssh[8401]: allowing scp to all users
    May 17 11:12:02 delia rssh[8401]: allowing sftp to all users
    May 17 11:12:02 delia rssh[8401]: setting umask to 022
    May 17 11:12:02 delia rssh[8401]: chrooting all users to /usr/local/chroot
    May 17 11:12:02 delia rssh[8401]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
    May 17 11:12:02 delia rssh_chroot_helper[8401]: new session for cheers, UID=1005
    May 17 11:12:02 delia rssh_chroot_helper[8401]: user's home dir is /usr/local/chroot/home/cheers
    May 17 11:12:02 delia rssh_chroot_helper[8401]: chrooted to /usr/local/chroot
    May 17 11:12:02 delia rssh_chroot_helper[8401]: changing working directory to /home/cheers (inside jail)
    May 17 11:12:02 delia rssh_chroot_helper[8401]: execv() failed, /usr/lib/openssh/sftp-server: No such file or directory
    *any* help would be greatly appreciated.
    Last edited by reech; May 17th, 2007 at 11:28 AM. Reason: added amd64

  10. #60
    Join Date
    Mar 2006
    Beans
    31

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    To get rssh working on dapper amd64 I did the following:

    I added the following lines to the already modified mkchroot.sh script:

    -------------snip-----------
    Code:
    #####################################################################
    #
    # set up /dev/log
    #
    mkdir -p "$jail_dir/dev"
    
    ######### user added code ##############
    # cp some more files
    cp /lib/ld-linux-x86-64.so.2 "$jail_dir/lib/"
    cp /lib/ld-linux.so.2 "$jail_dir/lib/"
    cp -pR /lib64 "$jail_dir/"
    # make /dev/null
    mknod -m 666 "$jail_dir/dev/null" c 1 3
    ########## end user added code ############
    
    echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"
    -------------snip-----------

    ...and once you've created the chroot directory, create the chroot user and their home.

    Don't forget to restart sysklogd:

    Code:
    /etc/init.d/sysklogd restart
    Hope that helps somebody.
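
The `execv() failed, ...: No such file or directory` lines in post #59, for binaries that are present in the jail, are what `execv()` typically reports when the ELF loader the binary names is absent from the jail, which matches the fix in post #60 (copying `ld-linux-x86-64.so.2` and `/lib64`). The check below is an added example, not part of any post or of mkchroot.sh; the function names are made up here, and it assumes `ldd` is available on the host and that the jail mirrors the host's library paths.

```shell
#!/bin/sh
# Added example: list shared objects a jailed binary needs that are absent
# from the jail. Function names are hypothetical, not from rssh or mkchroot.sh.

# Read ldd output on stdin; print each absolute path once: the "=> /path"
# targets and the bare loader line (e.g. /lib64/ld-linux-x86-64.so.2).
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }' | sort -u
}

# Read absolute paths on stdin; print those that do not exist under jail $1.
# Caveat: a symlink inside the jail is resolved against the host root here,
# so an absolute link can pass this test and still dangle after chroot.
jail_missing() {
    jail=${1%/}
    while IFS= read -r path; do
        [ -e "$jail$path" ] || printf '%s\n' "$path"
    done
}

# check_jail_binary JAIL BIN
# BIN is the path as seen from inside the jail, e.g.
# /usr/lib/openssh/sftp-server. Returns 0 only when nothing is missing.
check_jail_binary() {
    jail=${1%/} bin=$2
    if [ ! -f "$jail$bin" ]; then
        printf 'missing binary: %s\n' "$bin"
        return 1
    fi
    # ldd runs on the host copy, so it reports host paths; the same
    # paths must exist below the jail root for execv() to succeed there.
    missing=$(ldd "$jail$bin" 2>/dev/null | ldd_paths | jail_missing "$jail")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" | sed 's/^/missing in jail: /'
    return 1
}

# Run as: sh check_jail.sh /usr/local/chroot /usr/lib/openssh/sftp-server
if [ "$#" -eq 2 ]; then
    check_jail_binary "$1" "$2"
fi
```

Run it once for each binary that rssh is allowed to execute (`/usr/bin/scp` and `/usr/lib/openssh/sftp-server` in the logs above), as a user that can read the jail.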
