Questions about "Chrooted SSH/SFTP Tutorial (Debian Etch)"

Discussion in 'HOWTO-Related Questions' started by Leszek, Dec 17, 2007.

  1. Leszek

    Leszek Member

    Recently I was installing a Debian Etch based server for a school.
    Since students can be really naughty sometimes and do something bad while exploring the filesystem by SSH, I've used the second way to chroot them into a jail. After logging in by SSH everything works fine, the user is locked in his jail and doesn't see too much. Unfortunately, chrooted users cannot log in by SFTP nor SCP.
    Here's a part of the auth.log:
    I tried to connect by Midnight Commander and in effect I've got an empty directory. I believe WinSCP gave an "Access Denied" error (can't remember).
    Other (not chrooted) users can connect without problems.
    One other thing that concerns me is that mod_userdir doesn't work for chrooted users. All the browser gives back is error 404.
    I've even chmod 777 index.html in /home/chroot/home/klient2/public_html to be sure.
    I hope Apache doesn't have to be in the jail for it to work.

    Can it be fixed somehow? Thanks for your help.
  2. sjau

    sjau Local Meanie Moderator

    You could use mysecureshell instead. That will only allow scp connections and they can't get outside their home directory.
  3. Leszek

    Leszek Member

    Yes, I could. But students wouldn't be able to practice bash commands then.
    That's why it's important. I know the chroot jail doesn't have all of the commands, but the plan doesn't contain very many commands, so teachers could add these commands.
  4. falko

    falko Super Moderator ISPConfig Developer

    Did you copy /usr/bin/sftp and /usr/lib/openssh/sftp-server to the chroot jail? What's the output of
    uname -a
  5. Leszek

    Leszek Member

    I'm not sure why, but without touching anything I've tried to connect to that server (which is at home) from the mentioned school by WinSCP and it worked. I don't know why :confused: Two other people couldn't.

    /home/chroot/usr/lib/openssh/sftp-server and /usr/bin/sftp are present.
    There was no uname command, but I've copied it and the output is:
    Last edited: Dec 18, 2007
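
A check for the question falko raises above, as an added example that is not part of the original thread or the tutorial: it lists which of the given binaries, and the shared libraries `ldd` reports for them on the host, have no copy at the same path under the jail root. The function names and the script name are made up here; the jail path /home/chroot and the two sftp paths in the usage note are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: report what a chroot jail is missing for the given binaries.
# Only run ldd on the host's own trusted binaries; ldd may execute the
# file it inspects, so never point it at user-supplied files.

# host_libs FILE: absolute paths of the shared libraries (and the dynamic
# loader) that FILE needs on the host. Empty for static binaries or scripts.
host_libs() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        sort -u
}

# jail_missing JAIL FILE...: print each FILE, and each library it needs,
# that exists on the host but has no copy at the same path under JAIL.
jail_missing() {
    jail=${1%/}
    shift
    for bin in "$@"; do
        if [ ! -e "$bin" ]; then
            echo "host is missing $bin" >&2
            continue
        fi
        [ -e "$jail$bin" ] || echo "$bin"
        for lib in $(host_libs "$bin"); do
            [ -e "$jail$lib" ] || echo "$lib"
        done
    done | sort -u
}

# Run directly (jailcheck.sh is a hypothetical file name):
#   sh jailcheck.sh JAIL FILE...
if [ "$#" -ge 2 ]; then
    jail_missing "$@"
fi
```

For the setup in this thread the call would be `jail_missing /home/chroot /usr/bin/sftp /usr/lib/openssh/sftp-server`; empty output means every file and library has a counterpart in the jail.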
  6. falko

    falko Super Moderator ISPConfig Developer

    Maybe a problem with the personal firewalls (e.g. the Windows firewall or ZoneAlarm) on the clients?
  7. Leszek

    Leszek Member

    All firewalls were off while testing.
    I've found out that something is wrong with DNS settings.
    The server's domain wasn't found while connecting.
    Entering the IP address helped. Strange!
    Well, everything is ok now. I think this was the solution. Sometimes it happens that you miss something small but important.
    Thanks for your help.
  8. mikewerth

    mikewerth New Member

    mysecureshell disables? remote login

    I followed the tutorial for installing mysecureshell v0.95 (Download failed for v1.0-2) which worked great the first time on my debian 4 box. In other words, sftp clients connect fine and see only jailed homedirs.

    However, those same users, when they ssh in (from another machine on the soho network), get a welcome message, then the connection is closed. Same thing if they scp. My best guess is that the users' old shell pref is.. uh... conflicting with whatever mysecureshell does.

    More of a nuisance than a problem for now.. just seems odd. As does that the OpenSSH server defaults to NOT chrooting remote users. Huh? Why do I have to install the mysecureshell pkg to achieve this? Seems like a slightly ugly workaround to what could be a simple ssh pref.

    Only a handful of *x installations worth of experience here (and not from source) so it's very likely I'm missing something. Hours of gugling didn't make me any cluedinner. Nor searching the logs.


    Feb 25 19:11:15 debian sshd[20398]: Accepted password for lazer from port 49284 ssh2
    Feb 25 19:11:15 debian sshd[20400]: (pam_unix) session opened for user lazer by (uid=0)
    Feb 25 19:11:15 debian sshd[20400]: (pam_unix) session closed for user lazer
  9. falko

    falko Super Moderator ISPConfig Developer

    I'm not sure if SSH is possible with MySecureShell. I think it's SFTP only. However, you can try to change the configuration in /etc/ssh/sftp_config.
  10. mikewerth

    mikewerth New Member

    Denying ssh by redirecting shell - all or nothing?

    Thanks for confirming -- Apparently in a shell, even a jailed cracker can still escape - I guess the denial of shell completely to sftp users makes sense.

    And I don't know anyone who knows the CLI anyway except my 16yo son :p

    I haven't disabled shell for root - that would be very inconvenient. But if root password is guessable then your box is owned anyway.

    So I guess jailing is really just for multiple, honest, normal users' privacy. And to protect themselves and each other from borking improperly permissioned files.

    Gad, configuration is slow sloggin.. hoping sql goes smoothly.

    BTW This fella seems to have the most developed method of chrooting a shell:
