Hi, Recently I was installing a Debian Etch based server for a school. Since students can be really naughty sometimes and do something bad while exploring the filesystem by SSH, I've used the second way to chroot them into a jail. After loging by SSH everything works fine,user is locked in his jail and doesn't see to much.Unfortunetly chrooted users cannot log in by SFTP nor SCP. Here's a part of the auth.log: I tried to connect by Midnight Commander and in efect I've got empty directory. I believe WinSCP gave an "Access Denied" error (can't remember). Other (not chrooted) users can connect without problems. One other thing that concerns me is that mod_userdir doesn't work for chrooted users. All the browser gives back is error 404. I've even chmod 777 index.html in /home/chroot/home/klient2/public_html to be sure. I hope Apache doesn't have to be in the jail for it to work. Can it be fixed somehow ? Thanks for Your help.
you could use mysecureshell instead. That will only allow scp connections and they can't get outside their home directory.
Yes,I could.But students wouldn't be able to practice bash commands then. That's why it's important.I know the chroot jail doesn't have all of the commands but the plan doesn't contain very much commands so teachers could add theese commands.
Did you copy /usr/bin/sftp and /usr/lib/openssh/sftp-server to the chroot jail? What's the output of Code: uname -a ?
I'm not sure why but without touching anything I've tried to connect to that server (which is at home) from the mentioned school by WinSCP and it worked.I don't know why Two other people couldn't. Falko, /home/chroot/usr/lib/openssh/sftp-server and /usr/bin/sftp are present. There was no uname command,but I've copied it and the output is:
All firewalls were off while testing. I've found out that something is wrong with dns settings. The server's domain wasn't found while connecting. Entering the ip address helped.Strange! Well,everything is ok now.I think this was the solution. Sometimes it happens that You miss something small but important. Thanks for Your help.
mysecureshell disables? remote login I followed the tutorial for installing mysecureshell v0.95 (Download failed for v1.0-2) which worked great the first time on my debian 4 box. In other words, sftp clients connect fine and see only jailed homedirs. However, those same users, when they ssh in (from another machine on the soho network), get a welcome message, then the connection is closed. Same thing if they scp. My best guess is that the users old shell pref is.. uh... conflicting with whatever mysecureshell does. More of a nuisance than a problem for now.. just seems odd. As does that the open-ssh server defaults to NOT chrooting remote users. Huh? Why do I have to install the mysecureshell pkg to achieve this? Seems like a slightly ugly workaround to what could be a simple ssh pref. Only a handful of *x installations worth of experience here (and not from source) so its very likely I'm missing something. Hours of gugling didnt make me any cluedinner. Nor searching the logs. TIA Feb 25 19:11:15 debian sshd[20398]: Accepted password for lazer from 192.168.2.53 port 49284 ssh2 Feb 25 19:11:15 debian sshd[20400]: (pam_unix) session opened for user lazer by (uid=0) Feb 25 19:11:15 debian sshd[20400]: (pam_unix) session closed for user lazer
I'M not sure if SSH is possible with MySecureShell. I think it's SFTP only. However, you can try to change the configuration in /etc/ssh/sftp_config.
Denying ssh by redirecting shell - all or nothing? Thanks for confirming -- Apparently in a shell, even a jailed cracker can still escape - I guess the denial of shell completely to sftp users makes sense. And I don't know anyone who knows the CLI anyway except my 16yo son I haven't disabled shell for root - that would be very inconvenient. But if root password is guessable then your box is owned anyway. So I guess jailing is really just for multiple, honest, normal users privacy. And to protect themselves and each other from borking improperly permissioned files. Gad, configuration is slow sloggin.. hoping sql goes smoothly. BTW This fella seems to have the most developed method of chrooting a shell: http://olivier.sessink.nl/jailkit/
