
How do you chroot your openssh users

 
Steven E. Protter
Exalted Contributor

How do you chroot your openssh users

I need to chroot sftp users in Linux.

Every approach has a pitfall.

One recompiles openssh and I want to use stock redhat.

I've tried this:
http://rpmfind.net//linux/RPM/dag/redhat/el4/i386/jailkit-1.3-1.2.el4.rf.i386.html

I had a working configuration and user add script, but I managed to break it and lost my script.

So what do you do?

Anyone using the jailkit v1.3 or v2.0 above having a valid user add script gets a bunny.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
25 REPLIES
Rob Leadbeater
Honored Contributor

Re: How do you chroot your openssh users

Hi SEP,

Been there, tried that, and couldn't figure it out :-(

I was trying to set up a Fedora box to support chrooted FTP users (vsftpd) as well as sftp, and whichever way I tried something else would fail...

In the end I balanced up the security risk and left the sftp users not chrooted, and used the builtins of vsftpd to control chrooting of the standard ftp users. Not ideal though.

I'm sure it must be possible somehow ...

Regards,

Rob
Ivan Ferreira
Honored Contributor

Re: How do you chroot your openssh users

I tried also, and I think that chrooting the user environment for scp is too complex to manage (in your case, you lost your script and you have problems).

I really prefer to use vsftpd with SSL encryption, provided by vsftpd itself. Configuring chroot users in vsftpd is very easy, just like ftpusers (I think you already know this).
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Steven E. Protter
Exalted Contributor

Re: How do you chroot your openssh users

Correct Ivan.

A procedure for SSL and vsftp has point value here. Is the authentication in such a scheme also encrypted?

SEP
Steven E. Protter
Exalted Contributor

Re: How do you chroot your openssh users

Shalom,

I had this working perfectly on my desktop linux box at work.

Then I walloped it with Centos 5 and forgot to back up my script. Now I'm unsure which is more stable 1.3 or 2.0 or which I used.

http://rpmfind.net//linux/RPM/dag/redhat/el4/i386/jailkit-2.0-1.el4.rf.i386.html

SEP
Ivan Ferreira
Honored Contributor

Re: How do you chroot your openssh users

>> A procedure for SSL and vsftp has point value here. Is the authentication in such a scheme also encrypted?

Yes. It works like https. I can't find a quick guide about how to set it up; I have it in Spanish, but AFAIK you won't have problems finding the information.
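Whether logins are actually encrypted and local users actually chrooted in the vsftpd setup discussed above comes down to a few vsftpd.conf options. The following check is an added example, not something posted in this thread; the option names and defaults are those documented in vsftpd.conf(5), while the function names and the sample configuration are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for forced TLS logins and chroot of local users.
# Option names and defaults are from vsftpd.conf(5); function names are illustrative.

# Print the effective value of option $2 in file $1 (this script takes the last
# assignment), upper-cased, or the default $3 when the option is not set.
vsftpd_opt() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d ' \r' | tr 'a-z' 'A-Z')
    echo "${val:-$3}"
}

# Print one line per finding; return 0 only when logins and data are forced
# over TLS and every local user is chrooted. Only YES is treated as "on".
check_vsftpd_conf() {
    conf=$1; bad=0
    if [ "$(vsftpd_opt "$conf" ssl_enable NO)" != YES ]; then
        echo "ssl_enable is not YES: passwords and data are sent in cleartext"; bad=1
    else
        [ "$(vsftpd_opt "$conf" force_local_logins_ssl YES)" = YES ] ||
            { echo "force_local_logins_ssl=NO: cleartext logins are still accepted"; bad=1; }
        [ "$(vsftpd_opt "$conf" force_local_data_ssl YES)" = YES ] ||
            { echo "force_local_data_ssl=NO: cleartext data transfers are still accepted"; bad=1; }
    fi
    clu=$(vsftpd_opt "$conf" chroot_local_user NO)
    if [ "$(vsftpd_opt "$conf" chroot_list_enable NO)" = YES ]; then
        # With the list enabled, chroot_list_file holds exceptions to chroot_local_user.
        if [ "$clu" = YES ]; then
            echo "chroot_list_enable=YES: users in chroot_list_file are NOT chrooted"
        else
            echo "chroot_list_enable=YES: only users in chroot_list_file are chrooted"
        fi
        bad=1
    elif [ "$clu" != YES ]; then
        echo "chroot_local_user is not YES: local users are not chrooted"; bad=1
    fi
    return $bad
}

# Constructed sample: TLS is enabled but encrypted logins are not enforced.
sample=$(mktemp)
printf '%s\n' 'ssl_enable=YES' 'force_local_logins_ssl=NO' 'chroot_local_user=YES' > "$sample"
check_vsftpd_conf "$sample" || echo "=> weak settings found"
rm -f "$sample"
```

Run against a real server, the function takes the path to its vsftpd.conf as the only argument.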
Steven E. Protter
Exalted Contributor

Re: How do you chroot your openssh users

Fair enough.

I'll run some tests.

Hebrew is hard enough. I can live without a procedure in Spanish.

Pienso que lo leería algo en inglés [Spanish: I think I would read something in English]

Ani Choshev ani ohaiv l'kro b'anglist [Hebrew: I think I like to read in English]

SEP
Court Campbell
Honored Contributor

Re: How do you chroot your openssh users

SEP,

check this out:

http://209.85.165.104/search?q=cache:N_aul1dNFpEJ:www.opensourcehowto.org/how-to/fedora/vsftpd--openssl--net2ftp.html+howto+vsftpd+ssl&hl=en&ct=clnk&cd=5&gl=us

Had to send a cached version as the corporate proxy has blocked the site.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Court Campbell
Honored Contributor

Re: How do you chroot your openssh users

Also this may help. I haven't read all the code, but it looks promising.

http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh.html
Heironimus
Honored Contributor

Re: How do you chroot your openssh users

Not exactly what you're asking for, but have you looked into using scponly or rssh instead of jailkit to help support your chroot environment? They're one-trick ponies; you can't use them to chroot anything else, but you can safely assume that their documentation will apply to sftp.