Hi all, it seems like someone did all the hard work and created the perfect setup script for a chroot jail: http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/ Just used it on Debian Sarge, Etch & CentOS ... works like a charm!
Seems that it's been fixed, as http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh worked for me. The script did work, although I get a complaint when logging in:

Code:
No directory, logging in with HOME=/

The user is chrooted into the correct area, though.
I've published my chroot-SSH tutorial for Debian Etch: http://www.howtoforge.com/chroot_ssh_sftp_debian_etch
falko, I have a question about using chroot with ISPConfig. I have followed your tutorial for Debian Etch but still had problems with sftp. I then decided to fix up the chroot script that ISPConfig executes to reflect the tutorial, and all works. So my question is: is this what I should do to get it to work with ISPConfig users? Here is what I have done.

Code:
/root/ispconfig/scripts/shell/create_chroot_env.sh

Code:
#!/bin/bash
#
# Usage: ./create_chroot_env username
#
# Here specify the apps you want in the environment
APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors /usr/bin/vi /usr/bin/sftp /usr/lib/openssh/sftp-server /usr/bin/unzip /usr/bin/mysqldump /usr/bin/mysql /usr/bin/zip /bin/tar"

# Sanity check
if [ "$1" = "" ] ; then
    echo " Usage: ./create_chroot_env username"
    exit 1
fi

# Obtain username and HomeDir (match the whole user name, not just its prefix)
CHROOT_USERNAME=$1
HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME:" | cut -d':' -f 6`
if [ -z "$HOMEDIR" ] || ! cd "$HOMEDIR"; then
    echo "No home directory found for $CHROOT_USERNAME"
    exit 1
fi

# Create directories; no one will do it for you
mkdir -p usr/lib/openssh
mkdir -p etc/pam.d
mkdir -p bin lib usr/bin dev
[ -e dev/null ] || mknod dev/null c 1 3
[ -e dev/zero ] || mknod dev/zero c 1 5
chmod 666 dev/null dev/zero

# Create short version of /usr/bin/groups
# On some systems it requires /bin/sh, which is generally unnecessary in a chroot cage
echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
chmod 755 usr/bin/groups

# Add some users to ./etc/passwd and ./etc/group
grep /etc/passwd -e "^root:" -e "^$CHROOT_USERNAME:" > etc/passwd
grep /etc/group -e "^root:" -e "^$CHROOT_USERNAME:" > etc/group

# Keep old library lists out of the way
if [ -e ${HOMEDIR}/ldlist ]; then
    mv ${HOMEDIR}/ldlist ${HOMEDIR}/ldlist.bak
fi
if [ -e ${HOMEDIR}/ldlist2 ]; then
    mv ${HOMEDIR}/ldlist2 ${HOMEDIR}/ldlist2.bak
fi

for app in $APPS; do
    # First of all, check that this application exists
    if [ -x $app ]; then
        # Check that the directory exists; create it if not.
        app_path=`echo $app | sed -e 's#\(.\+\)/[^/]\+#\1#'`
        if ! [ -d .$app_path ]; then
            mkdir -p .$app_path
        fi
        # If the files in the chroot are on the same file system as the
        # original files you should be able to use hard links instead of
        # copying the files, too. Symbolic links cannot be used, because the
        # original files are outside the chroot.
        cp -p $app .$app
        # get list of necessary libraries
        ldd $app >> ${HOMEDIR}/ldlist
    fi
done

# Clear out any old temporary file before we start
if [ -e ${HOMEDIR}/ldlist2 ]; then
    rm ${HOMEDIR}/ldlist2
fi
# Keep only the absolute library paths from the ldd output
for libs in `cat ${HOMEDIR}/ldlist`; do
    frst_char="`echo $libs | cut -c1`"
    if [ "$frst_char" = "/" ]; then
        echo "$libs" >> ${HOMEDIR}/ldlist2
    fi
done

for lib in `cat ${HOMEDIR}/ldlist2`; do
    mkdir -p .`dirname $lib` > /dev/null 2>&1
    # If the files in the chroot are on the same file system as the original
    # files you should be able to use hard links instead of copying the files,
    # too. Symbolic links cannot be used, because the original files are
    # outside the chroot.
    cp $lib .$lib
done

#
# Now, clean up the 2 files we created for the library list
#
/bin/rm -f ${HOMEDIR}/ldlist
/bin/rm -f ${HOMEDIR}/ldlist2

# For some strange reason these libraries are not in the ldd output, but without them
# some things will not work, like usr/bin/groups
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ./lib/
cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/
cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
cp /usr/lib/libkrb5.so.3 usr/lib/
cp /usr/lib/libk5crypto.so.3 usr/lib/
cp /lib/libcom_err.so.2 lib/
cp /usr/lib/libkrb5support.so.0 usr/lib/

# mysql needs the socket in the chrooted environment
mkdir -p ${HOMEDIR}/var/run/mysqld
ln /var/run/mysqld/mysqld.sock ${HOMEDIR}/var/run/mysqld/mysqld.sock

Is this correct?
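An added example, not code from this thread or from ISPConfig: the user lookup and library-collection steps of the script above, rewritten so that an unknown or prefix-matched user name cannot leave the home directory empty (the cause of "mv: missing destination file operand" errors when the ".bak" rename runs with an empty path) and with a helper that reports which libraries a binary needs that are not yet inside the jail. It assumes bash, getent and awk are available; SAMPLE_LDD is constructed ldd output, not taken from a real host.

```shell
#!/bin/bash
# Added example, not part of the thread or of ISPConfig's own script.
# Assumes bash, getent and awk; SAMPLE_LDD below is constructed ldd output.

# Exact-match home lookup. A grep for "^$CHROOT_USERNAME" also matches longer
# names (web24 vs web24_admin) and yields "" for unknown users, which is what
# turns "mv ldlist ldlist.bak" into "mv: missing destination file operand".
user_home() {
    local home
    home=$(getent passwd "$1" | cut -d: -f6)
    [ -n "$home" ] && [ -d "$home" ] || return 1
    printf '%s\n' "$home"
}

# Read ldd output on stdin and print the absolute library paths, one per line.
# Handles "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)" as well as
# the bare "/lib64/ld-linux-x86-64.so.2 (0x...)" loader line; vdso has no path.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
        LC_ALL=C sort -u
}

# Print the libraries from stdin that do not yet exist under jail root $1.
missing_in_jail() {
    local jail=$1 lib
    while IFS= read -r lib; do
        [ -e "$jail$lib" ] || printf '%s\n' "$lib"
    done
}

# Copy each library from stdin into the jail (same idea as the cp loop in the
# script above, but the target directory is created and permissions are kept).
install_libs() {
    local jail=$1 lib
    while IFS= read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Constructed ldd output for the check below (not captured from a real host).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd8c3f2000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0e3c1d8000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0e3c3d4000)'

# Usage on a real host: ldd /bin/bash | check_jail /home/web24
check_jail() {
    ldd_paths | missing_in_jail "$1"
}
```

Running check_jail against a jail before granting shell access shows exactly which loader and libc files the cp loop missed, which is the usual reason a jailed login dies with no shell output.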
Yes, I tried it and it seems to work well so far. If I have any problems, this is the first place I shall report them.
Thanks for the tip!

6th September 2007 17:54, daveb said:

Daveb, thanks for all your work modifying the ISPConfig file. But how exactly do I deviate from the How-To tutorial to make this function with ISPConfig? Do I still do this? The reason I ask is because on the Perfect Setup tutorials I have already installed the ssh and openssh-server packages. Do I remove them or run these commands on top of this install? When creating the chrooted environment, can I use the existing one located in /var/www? Or do I have to create another one? Will I be modifying this file like Falko suggests in the tutorial?

Code:
vi /usr/local/sbin/create_chroot_env

Or will your file allow ISPConfig to do all the work when granting users shell access in the Control Panel? I have also read somewhere that there is a config file in ISPConfig that activates chrooted ssh. Do I have to activate that or is it done by default? Will I have to activate this after every upgrade? Sorry for all the questions, I am quite the noob. Thank you in advance...

JCorrea920
ISPConfig 2.2.12 Ubuntu 6.06
ISPConfig 2.2.13 Fedora Core 6
Well, Jcorrea920, I followed the section "2.1 Install The Chrooted OpenSSH" of the How-To tutorial. Then I modified the script that is within ISPConfig as my earlier post describes. You must also make sure that you change this, if you haven't already:

Code:
/home/admispconfig/ispconfig/lib/config.inc.php

$go_info["server"]["ssh_chroot"] = 0;

to

$go_info["server"]["ssh_chroot"] = 1;

I then restarted ssh and the ispconfig_server. I logged in to the control panel, granted the web shell rights and then granted the user of the web shell rights also. I also saved a copy of the script in a safe place in case it's rewritten during the next ISPConfig upgrade, for replacement. What I did doesn't chroot any system user, just the users within ISPConfig granted shell access.
Falko, I tried this tutorial; the first steps, the download and .config went well, but when I get to MAKE and MAKE INSTALL I get this message:

Code:
make: *** Keine Targets angegeben und keine »make«-Steuerdatei gefunden. Schluss.

(My server is in Germany with preinstalled Debian which I upgraded to Etch, so most of my error messages are in German, but I don't understand them.)
But Falko, why does Shell Access for a user from ISPConfig not jail that user? I created 'web24_admin' and gave him Shell Access from ISPConfig, but he can get out of his 'web24' directory and go all the way up to root. I followed your "Chrooted SSH/SFTP Tutorial (Debian Etch)", but how do I apply it to existing ISPConfig users? And will it jail them into their website root folders?
Root and every other user worked fine for me to break out. You might want to double-check if the command su is even accessible, or something like that ... did you double-check your script given by Falko's How2?

Regards, Leander

P.S. Btw, if you read that, Falko ... I still don't understand why you didn't include that in the ISPConfig installation script ... ? A quick check if it's Debian Linux or Ubuntu ... and a quick message dialog asking if you want it or not ... (because I think most of your ISPConfig testers are running either Ubuntu or Debian)
falko, I ran your script on Ubuntu and got these error messages.

Code:
Adding User kmel to jail
Copying necessary library-files to jail (may take some time)
mv: missing destination file operand after `.bak'
Try `mv --help' for more information.
mv: missing destination file operand after `.bak'
Try `mv --help' for more information.
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
/usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent

What should I do with this?
I tried following the instructions at and after running the command

Code:
make_chroot_jail.sh falko /bin/bash /home

the error message was displayed. I use Ubuntu 9.10. Sorry for my bad English.
I found a modified script for Ubuntu 8.04 here (the original script is for Debian): http://www.7bf.de/?p=27 Please try that one.