SSH chroot setup

 
yyghp
Super Advisor

SSH chroot setup

I am trying to set up an SSH chroot environment on one of our HP-UX 11.11 servers, with the latest SSH v4.0.
I ran its official script:

<> swlist -l product | grep -i shell
Secure_Shell A.04.00.000 HP-UX Secure Shell

<> ./ssh_chroot_setup.sh


Pre check in progress please wait...finished


Please wait. chroot setup checks for necessary files on the system ...



HP SECURE SHELL: CHROOT ENVIRONMENT SETUP - MAIN MENU
-----------------------------------------------------

Select one of the option below

1.Configure a new user

2.Configure an existing user to a chroot-ed user

3.Remove chroot environment from a chroot-ed user

4.Exit



Enter your choice : 2

Chroot setup
---------------

User name : transfr

chroot setup checks for user details ...completed


Enter the new root directory for transfr with absolute path (or press return for default(/newroot)):


---------------------------------
Select chroot secure shell option
----------------------------------
1 sftp only
2 ssh & sftp & scp
press return key to skip this step


Option : 2

configuring ssh & sftp & scp...finished

Summary
--------

Chroot-ed user : transfr

Chroot-ed user's new root directory : /newroot

Secure Shell configuration : SSH & SFTP & SCP

press Return key



HP SECURE SHELL: CHROOT ENVIRONMENT SETUP - MAIN MENU
-----------------------------------------------------

Select one of the option below

1.Configure a new user

2.Configure an existing user to a chroot-ed user

3.Remove chroot environment from a chroot-ed user

4.Exit



Enter your choice : 4

After that, I restarted the "sshd".

When I log in as "transfr" via SFTP, it does prevent the user "transfr" from accessing directories other than /newroot, which is good. But I noticed that none of the files show a group attribute:

psftp> open srs057
login as: transfr
Using username "transfr".
Password:
Remote working directory is /home/transfr
psftp> cd /
Remote directory is now /
psftp> ls
Listing directory /
drwxrwxrwx 11 root 3 8192 Sep 30 08:32 .
drwxrwxrwx 11 root 3 8192 Sep 30 08:32 ..
drwxr-xr-x 2 root 3 96 Sep 30 08:32 bin
drwxr-xr-x 3 root 3 96 Sep 30 08:32 dev
drwxr-xr-x 2 root 3 96 Sep 30 08:43 etc
drwxrwxrwx 3 root 3 96 Sep 30 08:32 home
drwxrwxrwx 3 root 3 96 Sep 30 08:32 opt
drwxr-xr-x 2 root 3 96 Sep 30 08:32 sbin
drwxrwxrwx 2 root 3 96 Sep 30 08:32 tmp
drwxrwxrwx 4 root 3 96 Sep 30 08:32 usr
drwxrwxrwx 3 root 3 96 Sep 30 08:32 var
psftp> cd
Remote directory is now /home/transfr
psftp> ls
Listing directory /home/transfr
drwxr-xr-x 2 transfr 240 96 Sep 30 08:36 .
drwxrwxrwx 3 root 3 96 Sep 30 08:32 ..
-rw------- 1 transfr 240 168 Sep 30 08:47 .sh_history

I tried to copy "/etc/group" to "/newroot/etc/group", restarted sshd, and logged in as "transfr", but it didn't help... What can I do?
<> cp /etc/group group
<> ll
total 64
-r-------- 1 root sys 352 Sep 30 08:43 group
-rw-r--r-- 1 root sys 28 Apr 5 08:42 nsswitch.conf
-r--r--r-- 1 root sys 1388 Jul 31 2003 pam.conf
-rw-r--r-- 1 root sys 1953 Sep 30 08:32 passwd


Please help! Thanks a lot!
Steven E. Protter
Exalted Contributor

Re: SSH chroot setup

When you chroot a user, they need access to all the commands they would normally get from places like /usr/bin.

There is a command missing, not the group file. Get rid of that copy of the group file and figure out which command has not been made accessible to this user.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
baiju_3
Esteemed Contributor

Re: SSH chroot setup

I think that is what it is set to do.

On my server it is the same for a user:

drwxr-xr-x 11 root 3 1024 Sep 30 09:20 .
drwxr-xr-x 11 root 3 1024 Sep 30 09:20 ..
drwxr-xr-x 2 root 3 96 Sep 30 09:20 bin
drwxr-xr-x 3 root 3 96 Sep 30 09:21 dev
drwxr-xr-x 2 root 3 96 Sep 30 09:20 etc
drwxr-xr-x 3 root 3 96 Sep 30 09:20 home
drwxr-xr-x 3 root 3 96 Sep 30 09:20 opt
drwxr-xr-x 2 root 3 96 Sep 30 09:20 sbin
drw-rw-rw- 2 root 3 96 Sep 30 09:20 tmp
drwxr-xr-x 4 root 3 96 Sep 30 09:20 usr
drwxr-xr-x 3 root 3 96 Sep 30 09:20 var
$

and access is restricted as it is supposed to be.

thx,
bl.
Good things Just Got better (Plz,not stolen from advertisement -:) )
yyghp
Super Advisor

Re: SSH chroot setup

Hi Steven,

Now the problem is that no matter whether I log in as "transfr" via SFTP or SSH, when I "ls" a directory it doesn't show the "group name" but shows the "group ID" instead. I thought it needed "/etc/group" to do the translation (there is a /newroot/etc/passwd, which is why the UID can be translated to a user name, right?).
The script I ran (/opt/ssh/ssh_chroot_setup.sh) is the official script provided by HP in their latest SSH (v4.0). It was supposed to copy all the necessary files to "/newroot", but it seems it didn't...
Which command do you think is missing?
Thanks!
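The question in the original post and in this reply is why "ls" inside the jail prints the group ID instead of the group name. Name lookups for uid and gid inside a chroot are served from the jail's own /etc/passwd and /etc/group (when nsswitch.conf says "files"), and the chrooted login is an unprivileged user, so those files have to be readable by that user. In the original post's "ll" output the copied group file is mode 0400 owned by root while passwd is 0644, which is exactly the kind of difference that makes uids resolve and gids not. The script below is an added example, not from the thread or from HP's setup script: it checks a jail directory for those two files, for world-read permission on them, and for every primary gid in the jail's passwd having an entry in the jail's group file. The "make_sample_jail" helper builds a constructed jail (sample data only, modelled on the listing in the post: the user's gid 240 has no group line and the group file is mode 0400) so the check can be tried offline.

```sh
#!/bin/sh
# Added example, not from the thread: check whether a chroot jail carries the
# files that "ls -l" needs to turn numeric uids/gids into names when the jail's
# nsswitch.conf resolves passwd/group from "files".

# check_jail_nameres JAIL
# Prints one line per problem found under JAIL; returns 0 when clean, 1 otherwise.
check_jail_nameres() {
    jail=$1
    rc=0
    for f in etc/passwd etc/group; do
        p="$jail/$f"
        if [ ! -f "$p" ]; then
            echo "MISSING: $p"
            rc=1
            continue
        fi
        # The chrooted login is not root, so the file must be world-readable.
        # Column 8 of "ls -l" output is the "other" read bit on every POSIX ls,
        # which keeps the check independent of who runs this script.
        mode=$(ls -ld "$p" | cut -c1-10)
        case $mode in
            ???????r??) ;;
            *) echo "NOT WORLD-READABLE: $p ($mode)"; rc=1 ;;
        esac
    done

    # Every primary gid in the jail's passwd must have a line in the jail's
    # group file; otherwise ls falls back to printing the number.
    if [ -f "$jail/etc/passwd" ] && [ -f "$jail/etc/group" ]; then
        unresolved=$(cut -d: -f4 "$jail/etc/passwd" | sort -u | while read -r gid; do
            grep -q "^[^:]*:[^:]*:$gid:" "$jail/etc/group" || echo "UNRESOLVED GID: $gid"
        done)
        if [ -n "$unresolved" ]; then
            echo "$unresolved"
            rc=1
        fi
    fi
    return $rc
}

# make_sample_jail DIR
# Builds a constructed jail (sample data, not from any real system) that mirrors
# the post's listing: passwd is world-readable, the copied group file is mode
# 0400, and the transfr user's gid 240 has no group entry.
make_sample_jail() {
    jail=$1
    mkdir -p "$jail/etc"
    printf 'root:x:0:3:root:/:/sbin/sh\n' > "$jail/etc/passwd"
    printf 'transfr:x:240:240:transfer user:/home/transfr:/usr/bin/sh\n' >> "$jail/etc/passwd"
    printf 'sys::3:\nroot::0:\n' > "$jail/etc/group"
    chmod 644 "$jail/etc/passwd"
    chmod 400 "$jail/etc/group"
}

# Run directly as "sh jailcheck.sh /newroot" to check a real jail.
if [ "$#" -gt 0 ]; then
    check_jail_nameres "$1"
fi
```

On the constructed jail the check reports the group file as not world-readable and gid 240 as unresolved; after "chmod 644" on the jail's group file and adding a group line for gid 240 it returns 0. The check deliberately inspects the mode bits rather than testing "-r", so it gives the same answer whether it is run as root or as the chrooted user.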
yyghp
Super Advisor

Re: SSH chroot setup

Hi lalb,

So you think such a problem is normal, right?
Any way to improve it?
Thanks!
yyghp
Super Advisor

Re: SSH chroot setup

up!
Thanks!