Chrooted SSH/SFTP On Fedora 7


This document describes how to set up a chrooted SSH/SFTP environment on Fedora 7. The chrooted users will be jailed in a specific directory where they can’t break out. They will be able to access their jail via SSH and SFTP.

This howto is meant as a practical guide; it does not cover the theoretical backgrounds. They are treated in a lot of other documents in the web.

This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 First Method (By Hand)

1.1 Install The Chrooted OpenSSH

First we have to install some needed packages:

yum install openssl-devel pam-devel
yum groupinstall 'Development Tools'

Afterwards we have to customize the ssh/sshd-configuration:

vi /etc/ssh/sshd_config

change

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

to

#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

vi /etc/ssh/ssh_config

change

GSSAPIAuthentication yes

to

#GSSAPIAuthentication yes

Next we download the patched OpenSSH sources, configure them to our needs (/usr for the executable files, /etc/ssh for the configuration files and enabled PAM authentication).

cd /tmp/
wget http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2
tar xvfj openssh-4.5p1-chroot.tar.bz2
cd openssh-4.5p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install

 

1.2 Create The Chroot Environment

We’ll create a chroot environment under /home/chroot – the jail for all chrooted SSH-users.

mkdir -p /home/chroot/home/
cd /home/chroot
mkdir -p usr/lib/openssh/
mkdir bin lib usr/bin dev etc
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 666 dev/null dev/zero

Now that we have created the necessary directories, we have to copy some binaries and the libraries they depend on into the chroot environment. Most of this work can be done with a little script that Falko Timme found and modified a bit; I adapted it to work with Fedora 7.

vi /usr/local/sbin/create_chroot_env

#!/bin/bash
# Copies the programs listed in APPS, plus the shared libraries they are
# linked against, into the chroot jail. Run it from inside the jail
# directory (cd /home/chroot first): every destination path below is
# relative to the current directory.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd
/bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping
/usr/bin/dircolors /bin/vi /usr/bin/sftp
/usr/libexec/openssh/sftp-server"

for prog in $APPS; do

    # recreate the program's directory inside the jail and copy the binary
    mkdir -p ./`dirname $prog` > /dev/null 2>&1
    cp $prog ./$prog

    # obtain a list of related libraries (ldd fails for static binaries and scripts)
    ldd $prog > /dev/null 2>&1
    if [ "$?" = 0 ] ; then
        # keep only absolute paths: this skips the vdso entry (linux-gate.so.1),
        # which has no file behind it; the dynamic loader is copied by hand below
        LIBS=`ldd $prog | awk '$3 ~ /^\// { print $3 }'`

        for l in $LIBS; do
            mkdir -p ./`dirname $l` > /dev/null 2>&1
            cp $l ./$l  > /dev/null 2>&1
        done

    fi
done

Note: You can make more programs available to your chrooted users by adding them to the APPS-line in the script.

Make the script executable and run it:

chmod 700 /usr/local/sbin/create_chroot_env
create_chroot_env

Afterwards we have to copy a couple of additional files and libraries to the chroot jail:

cp /lib/libnss_compat.so.2 /lib/libcom_err.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 lib/

cp -R /etc/pam.d/ etc/
cp -R /lib/security/ lib/
cp -R /etc/security/ etc/
cp /etc/login.defs /etc/hosts /etc/resolv.conf etc/
cp /usr/lib/libgssapi_krb5.so.2 /usr/lib/libkrb5.so.3 /usr/lib/libk5crypto.so.3 /usr/lib/libkrb5support.so.0 usr/lib/

Next we create a minimal groups command inside the jail (a wrapper around id -Gn) and seed the jail's passwd file with the root entry:

echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e "^root" > etc/passwd

You should also copy the line of the group that will be used for new chrooted users from /etc/group to /home/chroot/etc/group. In this tutorial we will create chrooted users with the group users:

grep /etc/group -e "^root" -e "^users" > etc/group
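Before restarting sshd it is worth checking that the jail really is complete, because a library that was silently not copied (the script above discards cp errors) shows up later only as a failed login. The following script is an added example and is not part of the original howto; it assumes the layout the text describes (jail root /home/chroot, binaries and libraries at the same relative paths as on the host, dev/null and dev/zero created with mknod) and uses only sh, awk and ldd.

```shell
#!/bin/sh
# Added example, not from the original howto: verify that a jail built
# the way this text describes is complete. Assumed layout: jail root is
# /home/chroot, files sit at the same relative paths as on the host.

# Read `ldd` output on stdin and print the absolute library paths it
# names: the path after "=>", or the first field for the dynamic loader
# (/lib/ld-linux.so.2). The vdso line "linux-gate.so.1 => (0x...)" has
# no file behind it and is skipped.
ldd_lib_paths() {
    awk '$3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Read ldd output on stdin and print every library that does not exist
# under the jail root $1. Returns 0 when nothing is missing, 1 otherwise.
missing_in_jail() {
    jail=$1
    status=0
    for lib in $(ldd_lib_paths); do
        if [ ! -e "$jail$lib" ]; then
            echo "$lib"
            status=1
        fi
    done
    return $status
}

# Run ldd on the host copy of binary $2 and compare against jail $1.
# Prints the missing libraries; returns non-zero if any are missing or
# if the binary itself was never copied into the jail.
check_jailed_binary() {
    jail=$1
    bin=$2
    if [ ! -x "$jail$bin" ]; then
        echo "$bin: not present in jail"
        return 1
    fi
    ldd "$bin" | missing_in_jail "$jail"
}

# The two device nodes created with mknod must be character devices,
# not regular files left behind by a failed mknod.
check_jail_devices() {
    jail=$1
    status=0
    for dev in null zero; do
        if [ ! -c "$jail/dev/$dev" ]; then
            echo "/dev/$dev missing or not a character device in $jail"
            status=1
        fi
    done
    return $status
}

# Usage: sh check_jail.sh /home/chroot /bin/bash /usr/bin/sftp /usr/libexec/openssh/sftp-server
# (checks the device nodes, then each binary named on the command line)
if [ "$#" -gt 1 ]; then
    jail=$1; shift
    check_jail_devices "$jail"
    for b in "$@"; do
        check_jailed_binary "$jail" "$b"
    done
fi
```

Run it once after create_chroot_env and the manual cp commands; anything it prints is a file that still has to be copied into the jail, including /lib/ld-linux.so.2, which the APPS script never copies because ldd lists the loader without a "=>".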

Now it’s time to restart the OpenSSH server:

/etc/init.d/sshd restart

 

1.3 Create Chrooted Users

Although we installed the chrooted SSH, it is still possible to log in without being chrooted (this makes sense if you log in as root, for example). Whether a user is chrooted or not depends on a dot: if the user's home directory in /etc/passwd contains a dot component (as in /home/chroot/./home/user_b), this user will be chrooted.

This user will be chrooted:

user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash

This user will not be chrooted:

user_a:x:2002:100:User A:/home/user_a:/bin/bash

We create the user testuser with the home directory /home/chroot/./home/testuser/ and the group users:

useradd -s /bin/bash -m -d /home/chroot/./home/testuser/ -c "testuser" -g users testuser

After we have created the new user account, we have to set a password for it:

passwd testuser

At last we have to copy the line for testuser in /etc/passwd to /home/chroot/etc/passwd:

grep /etc/passwd -e "^testuser" >> /home/chroot/etc/passwd

Because we have already copied the line for the group users from /etc/group to /home/chroot/etc/group, we don't have to do this again. If you want to create a chrooted user with a group other than users, you have to add this group to /home/chroot/etc/group.

e.g.:

grep /etc/group -e "^othergroup" >> /home/chroot/etc/group

Now try to log in to SSH or SFTP as testuser. You should be jailed in /home/chroot.
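Because the dot in the home directory is the only thing that decides who gets jailed, it pays to audit /etc/passwd rather than trust memory: an account whose dot was lost in an edit logs in unjailed, and an account whose line was never appended to /home/chroot/etc/passwd cannot be resolved inside the jail. The script below is an added example and not part of the original howto; it assumes, as the text shows, that the patched sshd splits the home directory at "/./" into the jail root and the home directory inside the jail, and it checks the two things this section sets up by hand.

```shell
#!/bin/sh
# Added example, not from the original howto: audit a passwd file and
# report which accounts will be chrooted, into which jail, and whether
# the jail is ready for them. Assumption (matching the text's examples):
# "/home/chroot/./home/user_b" means jail root /home/chroot and home
# directory /home/user_b inside the jail.

# Given one passwd line in $1, print the jail root if the account will be
# chrooted and return 0; print nothing and return 1 otherwise.
jail_root_of() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    case $home in
        */./*) printf '%s\n' "${home%%/./*}"; return 0 ;;
        *)     return 1 ;;
    esac
}

# Home directory as the user will see it inside the jail; empty if the
# account is not chrooted.
inner_home_of() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    case $home in
        */./*) printf '/%s\n' "${home#*/./}" ;;
    esac
}

# Walk the passwd file $1 and, for every chrooted account, check that the
# jail directory exists and that the jail's own etc/passwd carries a line
# for the user (the howto appends it by hand). Prints "user jail status"
# per chrooted account; unjailed accounts are skipped.
audit_passwd() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        user=${line%%:*}
        jail=$(jail_root_of "$line") || continue
        status=ok
        [ -d "$jail" ] || status=jail-missing
        if [ "$status" = ok ] && ! grep -q "^$user:" "$jail/etc/passwd" 2>/dev/null; then
            status=no-passwd-entry-in-jail
        fi
        printf '%s %s %s\n' "$user" "$jail" "$status"
    done < "$1"
}

# Usage: sh audit_chroot_users.sh /etc/passwd
if [ "$#" -gt 0 ]; then
    audit_passwd "$1"
fi
```

Any line whose status is not ok names an account that will either fail to log in or, if you expected it to be jailed and the dot is missing, will not appear in the report at all; compare the report against the list of users you intended to chroot.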

2 Second Method (By Script)

A script called make_chroot_jail.sh that automates setting up SSH/SFTP chroot jails is available at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/. It works properly on Fedora 7; ld-ldb.so.3 and/or libxcrypt.so.1 may not be found on your system (you'll see a notice while executing the script), but it works fine without them.

2.1 The Script

Before we proceed, we have to install a needed package:

yum install sudo

Afterwards we download the script and change the rights:

cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 make_chroot_jail.sh

 

2.2 Use The Script

You can create a chrooted user via:

make_chroot_jail.sh %username% [%path_to_chrootshell% [%path_to_chroot%]]

e.g.:

make_chroot_jail.sh testuser /bin/chroot-shell /home/chroot

If the user already exists, it will be updated; if not, it will be created. %path_to_chrootshell% and %path_to_chroot% are optional: if you don't specify them, the default values /bin/chroot-shell and /home/jail will be used.

To update the files and libraries in the chroot jail, run:

make_chroot_jail.sh update [%path_to_chrootshell% [%path_to_chroot%]]

e.g.:

make_chroot_jail.sh update /bin/chroot-shell /home/chroot

%path_to_chrootshell% and %path_to_chroot% are optional again; pass the same values you used when creating the user.

 

2.3 ProFTPd

If you use ProFTPd, you should take a look at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/.

As mentioned there, you should not add /bin/chroot-shell to /etc/shells because that would allow chrooted users to break out of their jail. This is a problem for ProFTPd, because with the standard configuration only users with a shell listed in /etc/shells are able to use ProFTPd. So chrooted users that use /bin/chroot-shell will not be able to use ProFTPd.

To change this, we have to customize the proftpd.conf:

vi /etc/proftpd/proftpd.conf

add the following line:

RequireValidShell	off

Afterwards restart ProFTPd:

/etc/init.d/proftpd restart

Now all users, regardless of which shell they are using, are able to use ProFTPd. This might be something you don't want; the best solution would be to drop the usage of FTP and simply use SFTP.

3 Links

  • Chroot Patch For SSH: http://chrootssh.sourceforge.net/index.php
  • OpenSSH: http://www.openssh.org
  • make_chroot_jail.sh: http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail
  • Fedora: http://fedoraproject.org/
