HPE Community
Operating System - HP-UX
1753900 Members
7765 Online
108809 Solutions
New Discussion юеВ

Re: ssh chroot for a specific user

 
SOLVED
Go to solution
ManojK_1
Valued Contributor

тАО05-17-2010 06:11 AM

тАО05-17-2010 06:11 AM

ssh chroot for a specific user

I sit possible to configure ssh chroot for a specific user.

OS :- HP Unix 11.31
Thanks and Regards,
Manoj K
0 Kudos
7 REPLIES 7
Steven E. Protter
Exalted Contributor

тАО05-17-2010 06:39 AM

тАО05-17-2010 06:39 AM

Re: ssh chroot for a specific user

Shalom,

Yes, you can chroot individual users with any ssh software.

HP's script they provide with openssh/secure shell can either be run selectively or you can restore the authentication files and only leave changed the users you wish to chroot.

Take a close look at the script that ships with openssh/secure shell.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
singh sanjeev
Trusted Contributor

тАО05-17-2010 07:13 AM

тАО05-17-2010 07:13 AM

Re: ssh chroot for a specific user

yes you can use chroot for specific user ,use chroot script.
>chroot is use to restrict the user to specific directory by providing binary file for few operation which is required to do by user.
Sanjeev Singh
0 Kudos
ManojK_1
Valued Contributor

тАО05-17-2010 09:38 PM

тАО05-17-2010 09:38 PM

Re: ssh chroot for a specific user

Hi,

I am following the following link for ssh chroot configuration.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=115&prodSeriesId=3215373&prodTypeId=18964&objectID=c01516983.

After the configuration chroot working fine but it is for globally (For All Users).

I want to use ssh chroot only for a specific user.

If i am removing the line ChrootDirectory /newroot from
/opt/ssh/etc/sshd_config
ssh working normal.

If we enable the "ChrootDirectory /newroot"
then chroot is active for all the users ssh session.

What i am missing from the configuration for enabling chroot for ssh for specific user.
Thanks and Regards,
Manoj K
0 Kudos
Antim Yosifov
New Member

тАО05-18-2010 12:59 AM

тАО05-18-2010 12:59 AM

Solution

Re: ssh chroot for a specific user

Add a Match statement to the bottom of the /opt/ssh/etc/sshd_config configuration file to make to chroot into the newroot directory when logging in.

For example:

Match User
ChrootDirectory /newroot


NOTE: Alternatively, if you need to do this for a large number of users, it is easier to set it with a Match group statement. The users should belong to your match group.

For example:

Match group sshonly
ChrootDirectory /newroot
0 Kudos
ManojK_1
Valued Contributor

тАО05-18-2010 04:23 AM

тАО05-18-2010 04:23 AM

Re: ssh chroot for a specific user

Hi,

Now chroot is working perfectly for ssh login.

But facing problem with sftp & scp.

while doing scp i am getting the following error
"/usr/lib/hpux32/dld.so: Unable to find library 'libcrypto.so.1'.
sh: 24030 Killed
lost connection"

while trying for sftp i am getting the following error
"Connection closed"

In both the case system is accepting the password and then throwing this type of error.

Manoj K
Thanks and Regards,
Manoj K
0 Kudos
nightwich
Valued Contributor

тАО05-18-2010 06:39 AM

тАО05-18-2010 06:39 AM

Re: ssh chroot for a specific user

Hi Manojk


You need to copy that missing library from /usr/lib/lib_name to


/newrrot/usr/lib/libname

Check LD_LIBRARY_PATH.

Regards.

0 Kudos
ManojK_1
Valued Contributor

тАО05-18-2010 10:08 AM

тАО05-18-2010 10:08 AM

Re: ssh chroot for a specific user

Hi,

The reason for the failure of sftp and scp is because of the permissions of some executables which i have changed for some security and audit issue.

Now ssh, scp & sftp working perfectly with chroot.

Thanks to all especially Antim Yosifov who has given me the correct solution what i am looking for.

Manoj K
Thanks and Regards,
Manoj K
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.