topic Re: ssh chroot for a specific user in Operating System - HP-UX

ssh chroot for a specific user

ManojK_1 — Mon, 17 May 2010 13:11:13 GMT

I sit possible to configure ssh chroot for a specific user.

OS :- HP Unix 11.31

Re: ssh chroot for a specific user

Steven E. Protter — Mon, 17 May 2010 13:39:45 GMT

Shalom,

Yes, you can chroot individual users with any ssh software.

HP's script they provide with openssh/secure shell can either be run selectively or you can restore the authentication files and only leave changed the users you wish to chroot.

Take a close look at the script that ships with openssh/secure shell.

SEP

Re: ssh chroot for a specific user

singh sanjeev — Mon, 17 May 2010 14:13:45 GMT

yes you can use chroot for specific user ,use chroot script.
>chroot is use to restrict the user to specific directory by providing binary file for few operation which is required to do by user.

Re: ssh chroot for a specific user

ManojK_1 — Tue, 18 May 2010 04:38:45 GMT

Hi,

I am following the following link for ssh chroot configuration.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=115&prodSeriesId=3215373&prodTypeId=18964&objectID=c01516983.

After the configuration chroot working fine but it is for globally (For All Users).

I want to use ssh chroot only for a specific user.

If i am removing the line ChrootDirectory /newroot from
/opt/ssh/etc/sshd_config
ssh working normal.

If we enable the "ChrootDirectory /newroot"
then chroot is active for all the users ssh session.

What i am missing from the configuration for enabling chroot for ssh for specific user.

Re: ssh chroot for a specific user

Antim Yosifov — Tue, 18 May 2010 07:59:11 GMT

Add a Match statement to the bottom of the /opt/ssh/etc/sshd_config configuration file to make to chroot into the newroot directory when logging in.

For example:

Match User
ChrootDirectory /newroot

NOTE: Alternatively, if you need to do this for a large number of users, it is easier to set it with a Match group statement. The users should belong to your match group.

For example:

Match group sshonly
ChrootDirectory /newroot

Re: ssh chroot for a specific user

ManojK_1 — Tue, 18 May 2010 11:23:12 GMT

Hi,

Now chroot is working perfectly for ssh login.

But facing problem with sftp & scp.

while doing scp i am getting the following error
"/usr/lib/hpux32/dld.so: Unable to find library 'libcrypto.so.1'.
sh: 24030 Killed
lost connection"

while trying for sftp i am getting the following error
"Connection closed"

In both the case system is accepting the password and then throwing this type of error.

Manoj K

Re: ssh chroot for a specific user

nightwich — Tue, 18 May 2010 13:39:57 GMT

Hi Manojk

You need to copy that missing library from /usr/lib/lib_name to

/newrrot/usr/lib/libname

Check LD_LIBRARY_PATH.

Regards.

Re: ssh chroot for a specific user

ManojK_1 — Tue, 18 May 2010 17:08:33 GMT

Hi,

The reason for the failure of sftp and scp is because of the permissions of some executables which i have changed for some security and audit issue.

Now ssh, scp & sftp working perfectly with chroot.

Thanks to all especially Antim Yosifov who has given me the correct solution what i am looking for.

Manoj K