
Thread: Howto create chrooted Openssh SFTP without shell access through rssh.

  1. #81
    Join Date
    Nov 2006
    Beans
    Hidden!

    Question Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Hi!

    Edit: got it working after all.
    Last edited by JGZimmerle; February 7th, 2008 at 11:14 PM. Reason: Found solution in previous post about x64 libs.

  2. #82
    Join Date
    Feb 2008
    Beans
    1

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by aprita View Post
    *** glibc detected *** -rssh: malloc(): memory corruption: 0x0804fc78 ***
    ======= Backtrace: =========
    ...
    ======= Memory map: ========
    ...
    Connection to **** closed.

    If you get the above error message when you try to SSH in, then try commenting out the "logfacility = LOG_USER" line in /etc/rssh.conf; alternatively, try changing it to:

    Code:
    logfacility = user

    When RSSH users log in via ssh, RSSH prints the message telling them that they are not allowed to log in, then logs the attempt before exiting; therefore something in the logging is the most likely cause of the problem described on page 3.

  3. #83
    Join Date
    Mar 2007
    Beans
    3

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    UPDATE! UPDATE!

    DO NOT suid the chroot rssh_chroot_helper. This gives sftp users root privileges in the chroot environment!

    I ended up not following this guide and found a way to patch openssh-server with the new sftp-chroot patch which makes all this a WHOLE LOT EASIER.

    Excellent guide on patching openssh-server here:

    http://zephid.dk/2007/11/20/getting-...oot-in-debian/

    Thanks



    Hi, many thanks for this guide.

    I followed the instructions as closely as possible on Ubuntu 7.10.

    But mine didn't work until doing this:

    chmod u+s /home/chroot/usr/lib/rssh/rssh_chroot_helper

    The guide only says to do this:

    chmod u+s /usr/lib/rssh/rssh_chroot_helper

    and seems to clarify that this is not meant to be done for the chroot environment.

    I found that confusing; maybe I have read it wrong or done something else wrong, but that's what I ended up needing for it to work.

    Again, thanks for the rest of the guide, helped me a lot.



    From the original post:

    In order for the chrooting process to work, "/usr/lib/rssh/rssh_chroot_helper" has to be setuid root. (Note: this path is relative to real root, not chroot root.) To setuid root, run the command:
    Code:

    sudo chmod u+s /usr/lib/rssh/rssh_chroot_helper
    Last edited by mtegmont; March 14th, 2008 at 02:00 AM.

  4. #84
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by mtegmont View Post
    Hi, many thanks for this guide.

    I followed the instructions as closely as possible on Ubuntu 7.10.

    But mine didn't work until doing this:

    chmod u+s /home/chroot/usr/lib/rssh/rssh_chroot_helper

    The guide only says to do this:

    chmod u+s /usr/lib/rssh/rssh_chroot_helper

    and seems to clarify that this is not meant to be done for the chroot environment.

    Thanks for the suggestion. At the time I wrote the guide, it was not necessary to allow /home/chroot/usr/lib/rssh/rssh_chroot_helper to run as root. I am no longer running Ubuntu now, so I cannot confirm whether this is necessary now.

    However, I would advise against giving anything inside the chroot jail root privileges (as that chmod command would). That would effectively defeat many layers of security. If (through exploiting some bug), someone was able to break rssh, any SUID root file may become a shortcut to becoming root for the attacker.
    -Jimmy
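
Added example (not part of the original posts or of rssh): a shell check that lists setuid/setgid files inside the jail, the condition post #84 advises against. The function names are hypothetical; `/home/chroot` is the jail path used in this thread.

```shell
#!/bin/sh
# Added example: audit a chroot jail for setuid/setgid files.
# Usage (assumed script name): sh audit_jail.sh /home/chroot

# Print every regular file under $1 that has the setuid or setgid bit set.
find_suid_in_jail() {
    jail=$1
    [ -d "$jail" ] || { echo "not a directory: $jail" >&2; return 2; }
    # -xdev keeps find on the jail's own filesystem (skips bind mounts).
    find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Return 0 when the jail is clean, 1 when privileged files exist, 2 on error.
audit_jail() {
    hits=$(find_suid_in_jail "$1") || return 2
    if [ -n "$hits" ]; then
        echo "setuid/setgid files inside $1:" >&2
        echo "$hits" | while IFS= read -r f; do
            ls -ld "$f" >&2                      # show mode and owner
            echo "  fix: chmod u-s,g-s '$f'" >&2 # suggested remediation
        done
        return 1
    fi
    return 0
}

# Run the audit only when a jail path is given on the command line.
if [ "$#" -gt 0 ]; then audit_jail "$1"; fi
```

The helper outside the jail (`/usr/lib/rssh/rssh_chroot_helper`, relative to the real root) is not under the jail path and is therefore not reported.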

  5. #85
    Join Date
    Jan 2008
    Location
    Minnesota
    Beans
    12
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    I am having similar issues with setting up CHROOT environment. I get the following error in syslogd:

    Apr 2 17:15:12 myhost rssh[4616]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
    Apr 2 17:15:47 myhost rssh[4623]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"

    RSSH shows sftp in the /openssh dir and symlink exists. Also issues setuid cmd, with no change.

    rssh 2.3.2
    sftp server binary = /usr/lib/openssh/sftp-server

    Any thoughts?

  6. #86
    Join Date
    May 2008
    Beans
    3

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Hi,

    I have followed all the steps and it seems that everything works except that the /home/chroot/etc/passwd file is not used, i.e. for login using rssh, /etc/passwd is still used.
    My understanding is that only users from /home/chroot/etc/passwd should be able to log in using sftp (ssh); isn't that the case?
    If it is, any idea what went wrong?

  7. #87
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by ahome View Post
    Hi,

    I have followed all the steps and it seems that everything works except that the /home/chroot/etc/passwd file is not used, i.e. for login using rssh, /etc/passwd is still used.
    My understanding is that only users from /home/chroot/etc/passwd should be able to log in using sftp (ssh); isn't that the case?
    If it is, any idea what went wrong?

    That is NOT the case. It's just that many programs expect to have /etc/passwd and if it's missing from the chroot jail, those programs may misbehave, so you put a copy of /etc/passwd there. However, that copy isn't used for authentication.
    -Jimmy

  8. #88
    Join Date
    May 2008
    Beans
    3

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Thank you very much. Do you know a way to enable rssh for only a subset of users, i.e. allow rssh only to one or two users out of all users registered?

  9. #89
    Join Date
    Nov 2005
    Beans
    169
    Distro
    Ubuntu 6.06

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    Quote Originally Posted by ahome View Post
    Thank you very much. Do you know a way to enable rssh for only a subset of users, i.e. allow rssh only to one or two users out of all users registered?

    You can have rssh disable rsync, rdist, cvs, sftp, and scp by default and then enable them for each user you want. See the man page for rssh for more help (I don't have rssh ready to do testing right now).
    -Jimmy
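
Added example (not from the original posts or the rssh project): a shell helper that reads an rssh.conf and reports which protocols each per-user line enables, illustrating the default-off, per-user-on setup described in post #89. It assumes the `user = name:umask:bits:chroot` form from rssh.conf(5) with five access bits in the order rsync, rdist, cvs, sftp, scp; the function name, user names and sample config are constructed.

```shell
#!/bin/sh
# Added example: summarise per-user access in an rssh.conf.
# Usage: rssh_user_access < /etc/rssh.conf

# Constructed sample config. No allow* keywords are set, so nothing is
# enabled globally; access comes only from the per-user lines.
SAMPLE_CONF='
logfacility = LOG_USER
umask = 022
user = "alice:022:00010:/home/chroot"   # sftp only, chrooted
user = bob:022:00011:/home/chroot       # sftp + scp, chrooted
user = carol:077:00000                  # listed, but nothing enabled
'

# Read rssh.conf on stdin; print "name protocols chroot" for each user line.
rssh_user_access() {
    awk '
    BEGIN { n = split("rsync rdist cvs sftp scp", proto, " ") }
    { sub(/#.*/, "") }                          # drop trailing comments
    /^[ \t]*user[ \t]*=/ {
        sub(/^[ \t]*user[ \t]*=[ \t]*/, "")     # keep only the value
        gsub(/^[ \t"]+|[ \t"]+$/, "")           # trim blanks and quotes
        split($0, f, ":")                       # name:umask:bits:chroot
        if (f[3] !~ /^[01][01][01][01][01]$/) {
            print f[1], "INVALID-BITS"
            next
        }
        list = ""
        for (i = 1; i <= n; i++)
            if (substr(f[3], i, 1) == "1")
                list = list (list != "" ? "," : "") proto[i]
        print f[1], (list != "" ? list : "none"), \
              (f[4] != "" ? f[4] : "(no chroot)")
    }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CONF" | rssh_user_access
```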

  10. #90
    Join Date
    May 2008
    Beans
    3

    Re: Howto create chrooted Openssh SFTP without shell access through rssh.

    That's good enough for now, thank you very much.
