topic Re: How do you chroot your openssh users in Operating System - Linux

How do you chroot your openssh users

Steven E. Protter — Thu, 19 Apr 2007 03:32:30 GMT

I need to chroot sftp users in Linux.

Every approach has a pitfall.

One recompiles openssh and I want to use stock redhat.

I've tried this:
http://rpmfind.net//linux/RPM/dag/redhat/el4/i386/jailkit-1.3-1.2.el4.rf.i386.html

I had a working configuration and user add script but I managed to broke it and lost my script.

So what do you do?

Anyone using the jailkit v1.3 or v2.0 above having a valid user add script gets a bunny.

SEP

Re: How do you chroot your openssh users

Rob Leadbeater — Thu, 19 Apr 2007 04:18:48 GMT

Hi SEP,

Been there, tried that, and couldn't figure it out :-(

I was trying to set up a Fedora box to support chrooted FTP users (vsftpd) as well as sftp, and whichever way I tried something else would fail...

In the end I balanced up the security risk and left the sftp users not chrooted, and used the builtins of vsftpd to control chrooting of the standard ftp users. Not ideal though.

I'm sure it must be possible somehow ...

Regards,

Rob

Re: How do you chroot your openssh users

Ivan Ferreira — Thu, 19 Apr 2007 04:22:40 GMT

I tried also and I think that chrooting user environment for scp it's too complex to manage (in your case, you lost your script and you have problems).

I really prefer to use vsftpd with SSL encription, provided by vsftpd itself. Configure chroot users in vsftpd is very easy, just like ftpusers (I think you already know this).

Re: How do you chroot your openssh users

Steven E. Protter — Thu, 19 Apr 2007 04:58:52 GMT

Correct Ivan.

A procedure for SSL and vsftp has point value here. Is the authentication in such a scheme also encrypted?

SEP

Re: How do you chroot your openssh users

Steven E. Protter — Thu, 19 Apr 2007 05:00:29 GMT

Shalom,

I had this working perfectly on my desktop linux box at work.

Then I walloped it with Centos 5 and forgot to back up my script. Now I'm unsure which is more stable 1.3 or 2.0 or which I used.

http://rpmfind.net//linux/RPM/dag/redhat/el4/i386/jailkit-2.0-1.el4.rf.i386.html

SEP

Re: How do you chroot your openssh users

Ivan Ferreira — Thu, 19 Apr 2007 06:31:34 GMT

>> A procedure for SSL and vsftp has point value here. Is the authentication in such a scheme also encrypted?

Yes. It works like https. I can't find a quick guide about how to set up it, I have it in spanish, but FAIK you won't have problems finding the information.

Re: How do you chroot your openssh users

Steven E. Protter — Thu, 19 Apr 2007 07:27:25 GMT

Fair enough.

I'll run some tests.

Hebrew is hard enough. I can live without a procedure in Spanish.

Pienso que lo leerÃa algo en inglÃ©s

Ani Choshev ani ohaiv l'kro b'anglist

SEP

Re: How do you chroot your openssh users

Court Campbell — Thu, 19 Apr 2007 10:02:20 GMT

SEP,

check this out:

http://209.85.165.104/search?q=cache:N_aul1dNFpEJ:www.opensourcehowto.org/how-to/fedora/vsftpd--openssl--net2ftp.html+howto+vsftpd+ssl&hl=en&ct=clnk&cd=5&gl=us

Had to send a cached version as the corporate proxy has blocked the site.

Re: How do you chroot your openssh users

Court Campbell — Thu, 19 Apr 2007 10:05:37 GMT

Also this may help. I haven't read all the code, but it looks promising.

http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh.html

Re: How do you chroot your openssh users

Heironimus — Thu, 19 Apr 2007 10:12:50 GMT

Not exactly what you're asking for, but have you looked in to using scponly or rssh instead of jailkit to help support your chroot environment? They're one trick ponies, you can't use them to chroot anything else but you can safely assume that their documentation will apply to sftp.

Re: How do you chroot your openssh users

Wouter Jagers — Thu, 19 Apr 2007 10:45:15 GMT

When Steven just posted his question I decided to try that later on. Meanwhile I have: I got jailkit 2.3 from the web and tried the sftp thing. It seemed to work pretty fast on both an Oracle Enterprise Linux and a Debian.

However, reading the updates to this thread (and the names next to them) I'm starting to wonder whether I'm trying to do the same thing.

Therefore, I will hide the possible sillyness in an attachment. I've written what I just did in a little text file.

Should it be what you need, excellent. Otherwise, forgive me ;-)

Cheers,
Wout

Re: How do you chroot your openssh users

Steven E. Protter — Sun, 22 Apr 2007 04:31:47 GMT

Shalom,

I thank you for you input.

I believe that going with the latest tar based version is a possibility for us.

I will report results.

SEP

Re: How do you chroot your openssh users

Steven E. Protter — Mon, 23 Apr 2007 05:14:24 GMT

Shalom again,

curios results.

sftp yaira@localhost

/var/log/messages

Apr 23 13:12:40 gate sshd(pam_unix)[28957]: session opened for user yaira by (uid=0)
Apr 23 13:12:40 gate jk_chrootsh[28958]: now entering jail /home/ftpusers/yaira for user yaira (14618)
Apr 23 13:12:40 gate sshd(pam_unix)[28957]: session closed for user yaira

SEP

Re: How do you chroot your openssh users

Wouter Jagers — Mon, 23 Apr 2007 05:17:48 GMT

I saw the same thing last week.. trying to remember.

*grind grind*

Ooh, two things:

- try and create a /tmp directory within your jail.
- double check whether the right path to the sftpd executable is in the configuration.

G'luck :-)

Cheers,
Wout

Re: How do you chroot your openssh users

Wouter Jagers — Mon, 23 Apr 2007 06:32:10 GMT

Just started from scratch, encountered (almost) similar issue.

Why ? It's on my OEL:
Before issuing the jk_init statements I needed to edit /etc/jailkit/jk_init.ini (to change the sftp-server path to /usr/libexec/openssh/sftp-server)

Later, when editing /home/sftproot/etc/jailkit/jk_lsh.ini I forgot to adapt the 'executable' part:

[group sftpu]
paths=/usr/lib/
executables= /usr/lib/sftp-server
allow_word_expansion = 0
umask = 002

This logged me out instantly as well. However there's a message in the syslog. (WARNING: user ftp1 (501) tried to run '/usr/libexec/openssh/sftp-server', which is not allowed according to /etc/jailkit/jk_lsh.ini)

After changing:
executables= /usr/lib/sftp-server
to:
executables= /usr/libexec/openssh/sftp-server

..it works again.

Re: How do you chroot your openssh users

Steven E. Protter — Mon, 23 Apr 2007 06:37:32 GMT

Shalom Wouter,

Your approach solved the problem.

Due to the fact I used an rpm based jailkit and our server environment, I made some changes.

You will notice that this code is mostly yours.

This is not final, I will post a final version after unit testing.

The core problem was in my script, instead of dealing with the individual permissions problems I encounted at login, I openned up permissions too widely breaking the jail.

I have to run and help my wife shop and stuff, and will then assign points. Obviously Wouter is going to get a pair of bunnies. Approaches I decided not to test will be rated subjectively.

#!/bin/bash

set -x
USERNAME=$1

useradd -m -g client ${USERNAME}

passwd ${username}

mkdir -p /home/ftpusers/${USERNAME}
/usr/sbin/jk_init -v /home/ftpusers/${USERNAME} sftp scp
/usr/sbin/jk_init -v /home/ftpusers/${USERNAME} jk_lsh
/usr/sbin/jk_jailuser -m -n -j /home/ftpusers/${USERNAME} ${USERNAME}

cd /home/ftpusers/${USERNAME}
/bin/chown -R {USERNAME}:client home/
/bin/chown -R ${USERNAME}:client usr/
/bin.chown -R ${USERNAME}:client lib/
# chown ${USERNAME}:client /home/ftpusers/yaira//usr/sbin/jk_lsh
chmod a+rx ${USERNAME}/
chmod a+rx etc/
chmod a+rx etc/passwd
chmod a+rx etc/group
chmod u+rx /home/ftpusers/yaira//home/
chmod u+rx /home/ftpusers/yaira//home/yaira/

cd etc/jailkit
sed s/sftp/${USERNAME}/g jk_lsh.ini > jk_lsh.ini.bck;
mv jk_lsh.ini.bck jk_lsh.ini

killall jk_socketd

jk_socketd

exit 0

Shmuel

Re: How do you chroot your openssh users

Wouter Jagers — Mon, 23 Apr 2007 10:02:36 GMT

Truly (truly!) honoured to have been of help.

A bunny from a two-star olympian can make one's day ;-)

Cheers,
Wout

Re: How do you chroot your openssh users

Steven E. Protter — Mon, 23 Apr 2007 17:07:47 GMT

Off topic.

Here is a good one, case of Linux discrimination.

Bezeq, the local equivalent of AT&T before the breakup has a pretty fast Internet service, ADSL.

They hand out modems that also double as routers. B-FOCuS 312+.

Pretty decent router. My VOIP phone (btw my old phone phone still works if you wanna chat) loves it no problems. Its got a proprietary OS, perhaps a Linux distribution but it figuers out things just fine.

Aside: work pays for the connection because its critical I can get in and do work even if my street which has a 25 degree uphill grade is iced over.

My windows box figures things out with no issues.

Linux. No dice. A few websites work on browser, most just stare at me. I ignore the problem. We have a second connection I got on a long term contract for $19 a month that works fine with Linux.

Kid's discover Internet games, start chewing up their connection. Someone wants to watch Battlestar Galactica and we don't have a TV (bittorrent? I didn't post that did I).

With my little lab here the collision domain in my office is terrible and I can't avoid the problem any more. I must figure out why my Linux boxes won't work with bezeq. I thought the router was broken. Nah.

Turns out the router has a little DHCP server. Hands out addresses 10.0.0.1-something with a HUGE collision domain netmask 255.0.0.0. /etc/resolv.conf says nameserver 10.0.0.138

Now this thing hands out addresses no problem at all. dig and nslookup return answers instantly.

Something about the web browser doesn't like it.

I turn off iptables.

I turn of ip6tables (what is that for?)

I turn off and uninstall firestarter(great tool).

Doesn't help.

A few hours ago I decided (FC btw) to try and turn off SELINUX. I didn't do it right (say RHCE three times) and the box kernel panics. Can't even boot single user mode, had to boot rescue mode. Where was the DVD? Actually it was ith all the other important ones in a protective case. Whew.

Customer service, router must be broken? My Hebrew may NEVER be good enough for that.

Finally in desparation I turn to go to Dr. Google.

Input search.

bezeq DNS servers (a tough search because bezeq is a transliteration of a three letter word)

First link says change the MTU=1492 in ifcfg file. No help.

Next link lists Bezeq's NAME servers.

That works. I can browse on my Linux box and am currently in a browsing frenzy.

The why is meaningful if we ever figure it out.

Seems Windows can take the DHCP handoff which is designed specifically for it. Linux can't. not Centos, not RH, not Fedora Core 6.

Tried all kinds of browser proxy configuration but Bezeq dosn't have a proxy server.

Whew.

For my next trick, finding a program that lets my systems SMS my phone in Israel when they are unhappy. rpm based?

SEP

Re: How do you chroot your openssh users

Rob Leadbeater — Tue, 24 Apr 2007 04:28:04 GMT

> For my next trick, finding a program that
> lets my systems SMS my phone in Israel when
> they are unhappy. rpm based?

May not be what you're looking for but you could look at Hylafax. As well as its faxing capabilities it also provides a SNPP server which can be configured to send SMS messages.

Downside is that it needs to be configured with a modem to dial out to a SMS gateway. I'm guessing you're probably looking for a 'net based version...

CHeers,

Rob

Re: How do you chroot your openssh users

Stuart Browne — Wed, 25 Apr 2007 22:34:04 GMT

Weird. I've never had a problem with pump/dhclient doing '/etc/resolv.conf' updates before (unless they are explicitly told not to by the 'PEERDNS' option in the interface configuration (from ifup):

if [ "${PEERDNS}" = "no" ]; then
# Do not update/replace resolv.conf.
PUMPARGS="${PUMPARGS} -d"
DHCPCDARGS="${DHCPCDARGS} -R"
fi
)

If you had SELINUX turned on, it may have been preventing the daemon from modifying '/etc/resolv.conf' dynamically.

As for software to SMS you, from experience, it's easier to just use a 3rd party email-to-SMS gateway. It's not the software that's the issue, it's the getting the teleco service.

Just a brief note on the how-to: http://www.developershome.com/sms/howToSendSMSFromPC.asp