topic Re: SSH chroot setup in Operating System - HP-UX

SSH chroot setup

yyghp — Fri, 30 Sep 2005 08:10:11 GMT

I am trying to setup SSH chroot environment on one of our HP-UX 11.11 server, with latest SSH v4.0.
I run its official script:

<> swlist -l product | grep -i shell
Secure_Shell A.04.00.000 HP-UX Secure Shell

<> ./ssh_chroot_setup.sh

Pre check in progress please wait...finished

Please wait. chroot setup checks for necessary files on the system ...

HP SECURE SHELL: CHROOT ENVIRONMENT SETUP - MAIN MENU
-----------------------------------------------------

Select one of the option below

1.Configure a new user

2.Configure an existing user to a chroot-ed user

3.Remove chroot environment from a chroot-ed user

4.Exit

Enter your choice : 2

Chroot setup
---------------

User name : transfr

chroot setup checks for user details ...completed

Enter the new root directory for transfr with absolute path (or press return for default(/newroot)):

---------------------------------
Select chroot secure shell option
----------------------------------
1 sftp only
2 ssh & sftp & scp
press return key to skip this step

Option : 2

configuring ssh & sftp & scp...finished

Summary
--------

Chroot-ed user : transfr

Chroot-ed user's new root directory : /newroot

Secure Shell configuration : SSH & SFTP & SCP

press Return key

HP SECURE SHELL: CHROOT ENVIRONMENT SETUP - MAIN MENU
-----------------------------------------------------

Select one of the option below

1.Configure a new user

2.Configure an existing user to a chroot-ed user

3.Remove chroot environment from a chroot-ed user

4.Exit

Enter your choice : 4

After that, I restarted the "sshd".

When I login as "transfr" via SFTP, it did prevent the user "transfr" to access directory other than /newroot, which is good. But I noticed that all files couldn't show group attribute:

psftp> open srs057
login as: transfr
Using username "transfr".
Password:
Remote working directory is /home/transfr
psftp> cd /
Remote directory is now /
psftp> ls
Listing directory /
drwxrwxrwx 11 root 3 8192 Sep 30 08:32 .
drwxrwxrwx 11 root 3 8192 Sep 30 08:32 ..
drwxr-xr-x 2 root 3 96 Sep 30 08:32 bin
drwxr-xr-x 3 root 3 96 Sep 30 08:32 dev
drwxr-xr-x 2 root 3 96 Sep 30 08:43 etc
drwxrwxrwx 3 root 3 96 Sep 30 08:32 home
drwxrwxrwx 3 root 3 96 Sep 30 08:32 opt
drwxr-xr-x 2 root 3 96 Sep 30 08:32 sbin
drwxrwxrwx 2 root 3 96 Sep 30 08:32 tmp
drwxrwxrwx 4 root 3 96 Sep 30 08:32 usr
drwxrwxrwx 3 root 3 96 Sep 30 08:32 var
psftp> cd
Remote directory is now /home/transfr
psftp> ls
Listing directory /home/transfr
drwxr-xr-x 2 transfr 240 96 Sep 30 08:36 .
drwxrwxrwx 3 root 3 96 Sep 30 08:32 ..
-rw------- 1 transfr 240 168 Sep 30 08:47 .sh_history

I tried to copy "/etc/group" to "/newroot/etc/group", restarted sshd, and login as "transfr", but it didn't help... What can I do?
<> cp /etc/group group
<> ll
total 64
-r-------- 1 root sys 352 Sep 30 08:43 group
-rw-r--r-- 1 root sys 28 Apr 5 08:42 nsswitch.conf
-r--r--r-- 1 root sys 1388 Jul 31 2003 pam.conf
-rw-r--r-- 1 root sys 1953 Sep 30 08:32 passwd

Please help! Thanks a lot!

Re: SSH chroot setup

Steven E. Protter — Fri, 30 Sep 2005 08:15:59 GMT

When you chroot a user, they need access to all commands they would normally get from places like /usr/bin

There is a command missing not the group file missing. Get rid of that copy of the group file and figure out what command has not been made acessible to this user.

SEP

Re: SSH chroot setup

baiju_3 — Fri, 30 Sep 2005 08:28:54 GMT

I think that is the what it is set to do .

In my server for a user same

drwxr-xr-x 11 root 3 1024 Sep 30 09:20 .
drwxr-xr-x 11 root 3 1024 Sep 30 09:20 ..
drwxr-xr-x 2 root 3 96 Sep 30 09:20 bin
drwxr-xr-x 3 root 3 96 Sep 30 09:21 dev
drwxr-xr-x 2 root 3 96 Sep 30 09:20 etc
drwxr-xr-x 3 root 3 96 Sep 30 09:20 home
drwxr-xr-x 3 root 3 96 Sep 30 09:20 opt
drwxr-xr-x 2 root 3 96 Sep 30 09:20 sbin
drw-rw-rw- 2 root 3 96 Sep 30 09:20 tmp
drwxr-xr-x 4 root 3 96 Sep 30 09:20 usr
drwxr-xr-x 3 root 3 96 Sep 30 09:20 var
$

and access is restricted as it is supposed to do .

thx,
bl.

Re: SSH chroot setup

yyghp — Fri, 30 Sep 2005 08:32:15 GMT

Hi Steven,

Now the problem is that no matter I login as "transfr" via SFTP or SSH, when I "ls" the directory, it couldn't show the "group name", but showed the "group ID" instead, I thought it needed "/etc/group" to do the translation ( there is /newroot/etc/passwd, that's why the UID can be translated to User name, right? )
The script I ran (/opt/ssh/ssh_chroot_setup.sh) is the official script provided by HP in their latest SSH (v4.0), it was supposed to copy all necessary files to "/newroot", but it seemed it didn't...
What command do you think it's missing?
Thanks!

Re: SSH chroot setup

yyghp — Fri, 30 Sep 2005 08:35:14 GMT

Hi lalb,

So, you think such problem is normal, right?
Any way to improve it?
Thanks!

Re: SSH chroot setup

yyghp — Fri, 30 Sep 2005 13:12:09 GMT

up!
Thanks!