How do you chroot your openssh users

SOLVED
Steven E. Protter
Exalted Contributor

How do you chroot your openssh users

I need to chroot sftp users in Linux.

Every approach has a pitfall.

One recompiles openssh and I want to use stock redhat.

I've tried this:
http://rpmfind.net//linux/RPM/dag/redhat/el4/i386/jailkit-1.3-1.2.el4.rf.i386.html

I had a working configuration and user add script but I managed to break it and lost my script.

So what do you do?

Anyone using the jailkit v1.3 or v2.0 above having a valid user add script gets a bunny.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
25 REPLIES
Rob Leadbeater
Honored Contributor

Re: How do you chroot your openssh users

Hi SEP,

Been there, tried that, and couldn't figure it out :-(

I was trying to set up a Fedora box to support chrooted FTP users (vsftpd) as well as sftp, and whichever way I tried something else would fail...

In the end I balanced up the security risk and left the sftp users not chrooted, and used the builtins of vsftpd to control chrooting of the standard ftp users. Not ideal though.

I'm sure it must be possible somehow ...

Regards,

Rob
Ivan Ferreira
Honored Contributor

Re: How do you chroot your openssh users

I tried also and I think that chrooting the user environment for scp is too complex to manage (in your case, you lost your script and you have problems).

I really prefer to use vsftpd with SSL encryption, provided by vsftpd itself. Configuring chroot users in vsftpd is very easy, just like ftpusers (I think you already know this).
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Steven E. Protter
Exalted Contributor

Re: How do you chroot your openssh users

Correct Ivan.

A procedure for SSL and vsftp has point value here. Is the authentication in such a scheme also encrypted?

SEP
Steven E. Protter
Exalted Contributor

Re: How do you chroot your openssh users

Shalom,

I had this working perfectly on my desktop linux box at work.

Then I walloped it with Centos 5 and forgot to back up my script. Now I'm unsure which is more stable 1.3 or 2.0 or which I used.

http://rpmfind.net//linux/RPM/dag/redhat/el4/i386/jailkit-2.0-1.el4.rf.i386.html

SEP
Ivan Ferreira
Honored Contributor

Re: How do you chroot your openssh users

>> A procedure for SSL and vsftp has point value here. Is the authentication in such a scheme also encrypted?

Yes. It works like https. I can't find a quick guide about how to set it up, I have it in Spanish, but AFAIK you won't have problems finding the information.
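As an added example (not from anyone in this thread), the following script audits a vsftpd.conf for exactly the question raised above: whether the login itself, not only the data channel, is forced onto TLS, and whether local users are confined by chroot. The directive names are vsftpd's own; the two sample configs it writes are constructed for the demo, and the certificate paths in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit a vsftpd.conf for the settings that decide
# whether FTP logins (USER/PASS) and transfers are protected by TLS and whether local
# users are confined by chroot. Directive names are vsftpd's own; the two sample
# configs written by write_sample_configs are constructed for this demo, and the
# certificate paths in them are placeholders.

# Last value set for KEY in CONF, or DEFAULT when it is not set.
vsftpd_get() {                     # vsftpd_get CONF KEY DEFAULT
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# Print one "FINDING <directive>: <why>" line per weak setting; return 1 if any.
# Defaults passed to vsftpd_get are vsftpd's documented defaults for each directive.
vsftpd_ssl_audit() {               # vsftpd_ssl_audit CONF
    conf=$1; n=0
    if [ "$(vsftpd_get "$conf" ssl_enable NO)" != YES ]; then
        echo "FINDING ssl_enable: TLS is off, logins and data go in cleartext"; n=$((n+1))
    fi
    # The password is only protected if the control connection is forced onto TLS;
    # force_local_data_ssl alone would still send USER/PASS in the clear.
    if [ "$(vsftpd_get "$conf" force_local_logins_ssl YES)" != YES ]; then
        echo "FINDING force_local_logins_ssl: USER/PASS may be sent without TLS"; n=$((n+1))
    fi
    if [ "$(vsftpd_get "$conf" force_local_data_ssl YES)" != YES ]; then
        echo "FINDING force_local_data_ssl: transfers may run without TLS"; n=$((n+1))
    fi
    for old in ssl_sslv2 ssl_sslv3; do
        if [ "$(vsftpd_get "$conf" "$old" NO)" = YES ]; then
            echo "FINDING $old: obsolete protocol enabled"; n=$((n+1))
        fi
    done
    if [ "$(vsftpd_get "$conf" chroot_local_user NO)" != YES ]; then
        echo "FINDING chroot_local_user: local users are not confined to their home"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# Number of findings for CONF (grep -c prints 0 but exits 1 when nothing matches).
vsftpd_finding_count() { vsftpd_ssl_audit "$1" | grep -c '^FINDING' || true; }

# Constructed sample configs: a weak one (TLS on, but logins not forced onto it and no
# chroot) and a corrected one.
write_sample_configs() {           # write_sample_configs DIR
    cat > "$1/weak.conf" <<'EOF'
listen=YES
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=YES
EOF
    cat > "$1/good.conf" <<'EOF'
listen=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
EOF
}

# Stand-alone demo.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for c in weak good; do
    echo "== $c.conf"
    vsftpd_ssl_audit "$demo_dir/$c.conf" || echo "-> $c.conf needs fixing"
done
rm -rf "$demo_dir"
```

Run it against a real /etc/vsftpd/vsftpd.conf with `vsftpd_ssl_audit /etc/vsftpd/vsftpd.conf`; the weak sample shows the case that matters for the question above: ssl_enable=YES looks encrypted, but with force_local_logins_ssl=NO a client that never issues AUTH TLS still logs in with a cleartext password.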
Steven E. Protter
Exalted Contributor

Re: How do you chroot your openssh users

Fair enough.

I'll run some tests.

Hebrew is hard enough. I can live without a procedure in Spanish.

I think I would rather read something in English.

I think I like to read in English.

SEP
Court Campbell
Honored Contributor

Re: How do you chroot your openssh users

SEP,

check this out:

http://209.85.165.104/search?q=cache:N_aul1dNFpEJ:www.opensourcehowto.org/how-to/fedora/vsftpd--openssl--net2ftp.html+howto+vsftpd+ssl&hl=en&ct=clnk&cd=5&gl=us

Had to send a cached version as the corporate proxy has blocked the site.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Court Campbell
Honored Contributor

Re: How do you chroot your openssh users

Also this may help. I haven't read all the code, but it looks promising.

http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh.html
Heironimus
Honored Contributor

Re: How do you chroot your openssh users

Not exactly what you're asking for, but have you looked into using scponly or rssh instead of jailkit to help support your chroot environment? They're one trick ponies, you can't use them to chroot anything else but you can safely assume that their documentation will apply to sftp.
Wouter Jagers
Honored Contributor
Solution

Re: How do you chroot your openssh users

When Steven just posted his question I decided to try that later on. Meanwhile I have: I got jailkit 2.3 from the web and tried the sftp thing. It seemed to work pretty fast on both an Oracle Enterprise Linux and a Debian.

However, reading the updates to this thread (and the names next to them) I'm starting to wonder whether I'm trying to do the same thing.

Therefore, I will hide the possible silliness in an attachment. I've written what I just did in a little text file.

Should it be what you need, excellent. Otherwise, forgive me ;-)

Cheers,
Wout

an engineer's aim in a discussion is not to persuade, but to clarify.
Steven E. Protter
Exalted Contributor

Re: How do you chroot your openssh users

Shalom,

I thank you for your input.

I believe that going with the latest tar based version is a possibility for us.

I will report results.

SEP
Steven E. Protter
Exalted Contributor

Re: How do you chroot your openssh users

Shalom again,

Curious results.


sftp yaira@localhost

/var/log/messages

Apr 23 13:12:40 gate sshd(pam_unix)[28957]: session opened for user yaira by (uid=0)
Apr 23 13:12:40 gate jk_chrootsh[28958]: now entering jail /home/ftpusers/yaira for user yaira (14618)
Apr 23 13:12:40 gate sshd(pam_unix)[28957]: session closed for user yaira


SEP
Wouter Jagers
Honored Contributor

Re: How do you chroot your openssh users

I saw the same thing last week.. trying to remember.

*grind grind*

Ooh, two things:

- try and create a /tmp directory within your jail.
- double check whether the right path to the sftpd executable is in the configuration.

G'luck :-)

Cheers,
Wout
Wouter Jagers
Honored Contributor

Re: How do you chroot your openssh users

Just started from scratch, encountered an (almost) similar issue.

Why? It's on my OEL:
Before issuing the jk_init statements I needed to edit /etc/jailkit/jk_init.ini (to change the sftp-server path to /usr/libexec/openssh/sftp-server)

Later, when editing /home/sftproot/etc/jailkit/jk_lsh.ini I forgot to adapt the 'executable' part:

[group sftpu]
paths=/usr/lib/
executables= /usr/lib/sftp-server
allow_word_expansion = 0
umask = 002

This logged me out instantly as well. However there's a message in the syslog. (WARNING: user ftp1 (501) tried to run '/usr/libexec/openssh/sftp-server', which is not allowed according to /etc/jailkit/jk_lsh.ini)

After changing:
executables= /usr/lib/sftp-server
to:
executables= /usr/libexec/openssh/sftp-server

..it works again.
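An added example (not Wouter's or jailkit's code) for the two path problems described in the post above: it checks that every path listed on the executables= lines of a jk_lsh.ini really exists as an executable inside the jail, and it looks up where the host keeps sftp-server, which is the value jk_init.ini has to carry. The jail tree and the two ini files it writes are constructed for the demo; the ini contents mirror the [group sftpu] section quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: check that every path in the "executables="
# lines of a jk_lsh.ini exists as an executable inside the jail, and look up where
# the host keeps sftp-server, which is the value jk_init.ini has to carry. Wouter's
# symptom above (instant logout, a "tried to run ... which is not allowed" line in
# syslog) is what a mismatch between this list and the real sftp-server path looks
# like. The jail tree and the two ini files written by demo_setup are constructed.

# Paths named on "executables=" lines of INI, one per line (tolerates spaces around
# "=" and commas, and an empty trailing item).
jk_lsh_executables() {             # jk_lsh_executables INI
    sed -n 's/^[[:space:]]*executables[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# "OK <path>" or "MISSING <path>" per executable, resolved under JAIL; return 1 if
# anything is missing or not executable.
jk_lsh_check() {                   # jk_lsh_check JAIL INI
    jail=$1; missing=0
    for exe in $(jk_lsh_executables "$2"); do
        if [ -f "$jail$exe" ] && [ -x "$jail$exe" ]; then
            echo "OK $exe"
        else
            echo "MISSING $exe (no executable file at $jail$exe)"; missing=$((missing+1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Where this host installs sftp-server: RHEL-family and Debian-family locations plus
# the /usr/lib/sftp-server that jailkit's shipped ini files assume. Prints nothing if
# none is present.
host_sftp_server() {
    for p in /usr/libexec/openssh/sftp-server /usr/lib/openssh/sftp-server \
             /usr/lib/ssh/sftp-server /usr/lib/sftp-server; do
        [ -x "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}

# Constructed demo: a jail with a dummy sftp-server at the RHEL path, an ini that
# still points at /usr/lib/sftp-server (the mistake above) and the corrected one.
demo_setup() {                     # demo_setup DIR
    mkdir -p "$1/jail/usr/libexec/openssh" "$1/jail/usr/bin"
    printf '#!/bin/sh\nexit 0\n' > "$1/jail/usr/libexec/openssh/sftp-server"
    printf '#!/bin/sh\nexit 0\n' > "$1/jail/usr/bin/scp"
    chmod 755 "$1/jail/usr/libexec/openssh/sftp-server" "$1/jail/usr/bin/scp"
    cat > "$1/wrong.ini" <<'EOF'
[group sftpu]
paths=/usr/lib/
executables= /usr/lib/sftp-server
allow_word_expansion = 0
umask = 002
EOF
    cat > "$1/right.ini" <<'EOF'
[group sftpu]
paths=/usr/libexec/openssh/, /usr/bin/
executables = /usr/libexec/openssh/sftp-server, /usr/bin/scp
allow_word_expansion = 0
umask = 002
EOF
}

# Stand-alone demo.
demo_dir=$(mktemp -d)
demo_setup "$demo_dir"
echo "host sftp-server: $(host_sftp_server || echo none found)"
for ini in wrong right; do
    echo "== $ini.ini"
    jk_lsh_check "$demo_dir/jail" "$demo_dir/$ini.ini" || echo "-> fix executables= in $ini.ini"
done
rm -rf "$demo_dir"
```

On a real jail run `jk_lsh_check /home/sftproot /home/sftproot/etc/jailkit/jk_lsh.ini` after every jk_init; a MISSING line there is the same condition that shows up in syslog as the "not allowed according to jk_lsh.ini" warning once a user tries to log in.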
Steven E. Protter
Exalted Contributor

Re: How do you chroot your openssh users

Shalom Wouter,

Your approach solved the problem.

Due to the fact I used an rpm based jailkit and our server environment, I made some changes.

You will notice that this code is mostly yours.

This is not final, I will post a final version after unit testing.

The core problem was in my script, instead of dealing with the individual permissions problems I encountered at login, I opened up permissions too widely breaking the jail.

I have to run and help my wife shop and stuff, and will then assign points. Obviously Wouter is going to get a pair of bunnies. Approaches I decided not to test will be rated subjectively.

#!/bin/bash
# Create a chrooted sftp/scp user with the jailkit RPM: one jail per user under
# /home/ftpusers.

set -x
USERNAME=$1
[ -n "${USERNAME}" ] || { echo "usage: $0 username" >&2; exit 1; }

useradd -m -g client "${USERNAME}"

passwd "${USERNAME}"

mkdir -p /home/ftpusers/"${USERNAME}"
/usr/sbin/jk_init -v /home/ftpusers/"${USERNAME}" sftp scp
/usr/sbin/jk_init -v /home/ftpusers/"${USERNAME}" jk_lsh
/usr/sbin/jk_jailuser -m -n -j /home/ftpusers/"${USERNAME}" "${USERNAME}"

cd /home/ftpusers/"${USERNAME}" || exit 1
/bin/chown -R "${USERNAME}":client home/
# NOTE: the next two lines hand the jailed user ownership of the jail's own
# binaries and libraries.
/bin/chown -R "${USERNAME}":client usr/
/bin/chown -R "${USERNAME}":client lib/
# chown ${USERNAME}:client /home/ftpusers/${USERNAME}//usr/sbin/jk_lsh
chmod a+rx /home/ftpusers/"${USERNAME}"/   # the jail root itself
chmod a+rx etc/
chmod a+rx etc/passwd
chmod a+rx etc/group
chmod u+rx /home/ftpusers/"${USERNAME}"//home/
chmod u+rx /home/ftpusers/"${USERNAME}"//home/"${USERNAME}"/

cd etc/jailkit || exit 1
# Rename the "sftp" group section in jk_lsh.ini to this user. Note that the /g
# also rewrites any other "sftp" in the file, e.g. in an sftp-server path.
sed "s/sftp/${USERNAME}/g" jk_lsh.ini > jk_lsh.ini.bck
mv jk_lsh.ini.bck jk_lsh.ini

# Restart jk_socketd so it picks up the new jail.
killall jk_socketd

jk_socketd

exit 0


Shmuel
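An added example (not Steven's script and not jailkit's code) for the failure mode described in the post above, where permissions get loosened until the jail no longer protects anything: a read-only audit of a jail tree. jk_chrootsh refuses to enter a jail whose root is not owned by root or is writable by group or others; beyond that, the jailed user must not own the copied binaries and libraries (usr/, lib/) or the jail's etc/, or they can replace what runs inside. The OWNER argument is root on a real system; it is a parameter only so the constructed demo jail can be checked without privileges.

```shell
#!/bin/sh
# Added example, not from the thread: a permission audit for a jailkit jail tree,
# aimed at the mistake Steven describes above (curing login failures by opening
# permissions until the jail stops protecting anything). jk_chrootsh refuses a jail
# whose root is not owned by root or is writable by group/others; beyond that, the
# jailed user must not own the copied binaries and libraries (usr/, lib/) or etc/,
# otherwise they can swap out what runs inside the jail. OWNER is root on a real
# system; it is a parameter so the constructed demo jail can be checked unprivileged.

# Owner name and symbolic mode of a path, read from ls -ld (works on GNU and BSD ls).
path_owner() { ls -ld "$1" | awk '{print $3}'; }
path_mode()  { ls -ld "$1" | awk '{print $1}'; }

# True when a mode string such as drwxrwxr-x has the group- or other-write bit set
# (character 6 or 9).
mode_is_shared_writable() {        # mode_is_shared_writable MODE
    case "$1" in ?????w*|????????w*) return 0 ;; esac
    return 1
}

# "OK ..."/"FAIL ..." per check; return 1 if any check failed.
audit_jail() {                     # audit_jail JAIL USER [OWNER]
    jail=$1; user=$2; owner=${3:-root}; fails=0
    for d in "" /etc /usr /lib /lib64; do
        p="$jail$d"
        [ -d "$p" ] || continue        # lib64 etc. are optional
        if [ "$(path_owner "$p")" != "$owner" ]; then
            echo "FAIL $p owned by $(path_owner "$p"), expected $owner"; fails=$((fails+1))
        elif mode_is_shared_writable "$(path_mode "$p")"; then
            echo "FAIL $p is group/world writable ($(path_mode "$p"))"; fails=$((fails+1))
        else
            echo "OK $p"
        fi
    done
    # The only place the jailed user needs to own is their home inside the jail.
    home="$jail/home/$user"
    if [ -d "$home" ] && [ "$(path_owner "$home")" = "$user" ]; then
        echo "OK $home owned by $user"
    else
        echo "FAIL $home missing or not owned by $user"; fails=$((fails+1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed demo jail skeleton for USER under DIR, owned by whoever runs this.
make_demo_jail() {                 # make_demo_jail DIR USER
    mkdir -p "$1/etc" "$1/usr" "$1/lib" "$1/home/$2"
    chmod 755 "$1" "$1/etc" "$1/usr" "$1/lib"
}

# Stand-alone demo: a clean jail passes; after "chmod g+w usr" (the kind of blanket
# loosening the post describes) it fails.
me=$(id -un); demo=$(mktemp -d)
make_demo_jail "$demo/jail" "$me"
echo "== clean jail"; audit_jail "$demo/jail" "$me" "$me"
chmod g+w "$demo/jail/usr"
echo "== after chmod g+w usr"; audit_jail "$demo/jail" "$me" "$me" || echo "-> jail compromised"
rm -rf "$demo"
```

Against a real jail the call is `audit_jail /home/ftpusers/yaira yaira` (OWNER defaults to root). Note that the script above chowns usr/ and lib/ to the jailed user, which this audit reports as FAIL: the login works, but the user can then replace the jail's sftp-server or libraries with their own.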
Wouter Jagers
Honored Contributor

Re: How do you chroot your openssh users

Truly (truly!) honoured to have been of help.

A bunny from a two-star olympian can make one's day ;-)

Cheers,
Wout
Steven E. Protter
Exalted Contributor

Re: How do you chroot your openssh users

Off topic.

Here is a good one, case of Linux discrimination.

Bezeq, the local equivalent of AT&T before the breakup, has a pretty fast Internet service, ADSL.

They hand out modems that also double as routers. B-FOCuS 312+.

Pretty decent router. My VOIP phone (btw my old phone phone still works if you wanna chat) loves it no problems. Its got a proprietary OS, perhaps a Linux distribution but it figures out things just fine.

Aside: work pays for the connection because it's critical I can get in and do work even if my street which has a 25 degree uphill grade is iced over.

My windows box figures things out with no issues.

Linux. No dice. A few websites work on browser, most just stare at me. I ignore the problem. We have a second connection I got on a long term contract for $19 a month that works fine with Linux.

Kids discover Internet games, start chewing up their connection. Someone wants to watch Battlestar Galactica and we don't have a TV (bittorrent? I didn't post that did I).

With my little lab here the collision domain in my office is terrible and I can't avoid the problem any more. I must figure out why my Linux boxes won't work with bezeq. I thought the router was broken. Nah.

Turns out the router has a little DHCP server. Hands out addresses 10.0.0.1-something with a HUGE collision domain netmask 255.0.0.0. /etc/resolv.conf says nameserver 10.0.0.138

Now this thing hands out addresses no problem at all. dig and nslookup return answers instantly.

Something about the web browser doesn't like it.

I turn off iptables.

I turn off ip6tables (what is that for?)

I turn off and uninstall firestarter(great tool).

Doesn't help.

A few hours ago I decided (FC btw) to try and turn off SELINUX. I didn't do it right (say RHCE three times) and the box kernel panics. Can't even boot single user mode, had to boot rescue mode. Where was the DVD? Actually it was with all the other important ones in a protective case. Whew.

Customer service, router must be broken? My Hebrew may NEVER be good enough for that.

Finally in desperation I turn to Dr. Google.

Input search.

bezeq DNS servers (a tough search because bezeq is a transliteration of a three letter word)

First link says change the MTU=1492 in ifcfg file. No help.

Next link lists Bezeq's NAME servers.

That works. I can browse on my Linux box and am currently in a browsing frenzy.

The why is meaningful if we ever figure it out.

Seems Windows can take the DHCP handoff, which is designed specifically for it. Linux can't: not CentOS, not RH, not Fedora Core 6.

Tried all kinds of browser proxy configuration but Bezeq doesn't have a proxy server.

Whew.

For my next trick, finding a program that lets my systems SMS my phone in Israel when they are unhappy. rpm based?

SEP
Rob Leadbeater
Honored Contributor

Re: How do you chroot your openssh users

> For my next trick, finding a program that
> lets my systems SMS my phone in Israel when
> they are unhappy. rpm based?

May not be what you're looking for but you could look at Hylafax. As well as its faxing capabilities it also provides an SNPP server which can be configured to send SMS messages.

Downside is that it needs to be configured with a modem to dial out to a SMS gateway. I'm guessing you're probably looking for a 'net based version...

Cheers,

Rob
Stuart Browne
Honored Contributor

Re: How do you chroot your openssh users

Weird. I've never had a problem with pump/dhclient doing '/etc/resolv.conf' updates before (unless they are explicitly told not to by the 'PEERDNS' option in the interface configuration (from ifup):

if [ "${PEERDNS}" = "no" ]; then
# Do not update/replace resolv.conf.
PUMPARGS="${PUMPARGS} -d"
DHCPCDARGS="${DHCPCDARGS} -R"
fi
)

If you had SELINUX turned on, it may have been preventing the daemon from modifying '/etc/resolv.conf' dynamically.

As for software to SMS you, from experience, it's easier to just use a 3rd party email-to-SMS gateway. It's not the software that's the issue, it's getting the telco service.

Just a brief note on the how-to: http://www.developershome.com/sms/howToSendSMSFromPC.asp

One long-haired git at your service...
Steven E. Protter
Exalted Contributor

Re: How do you chroot your openssh users

Stuart, it's Fedora Core 6. When I tried to turn off SELinux I ended up scrambling for my rescue disk to boot single user mode and change disabled back to something else.

Nice to see you.

I'll look at the SMS stuff and point it after I get a chance to check it. Putting a whole fax server system on a web server to get SMS seems counterintuitive, but it's my next task so I'll give it a hack on my hacking box.

SEP
Stuart Browne
Honored Contributor

Re: How do you chroot your openssh users

Must admit to not having toyed with FC6 yet. On all the previous FC boxen I've used (3-5), I've usually set it to 'permissive'.

But yeah.. just don't have the spare hardware to run a system up at this time..
Steven E. Protter
Exalted Contributor

Re: How do you chroot your openssh users

Well Stuart, I overheated my box and burned out the disk drive. That's gonna cost a pretty penny (shekel) to replace here.

Darned laptops. So fragile.

Wireless support in FC6 still BITES.

SEP
Maaz
Valued Contributor

Re: How do you chroot your openssh users

SEP, check the following url for the solution you required

http://www.pizzashack.org/rssh/
http://articles.techrepublic.com.com/5100-1035_11-6181828.html?tag=nl.e011

Regards
Maaz