Hi everyone, Is there a way to CHROOT the users who come in via SSH so that they cannot see the files of other users? I'd like to grant them SSH access but I can't do that if they are able to see other users' files and directories. Any help would be appreciated. Take care, Howser
You have to patch your SSH daemon; the "normal" OpenSSH daemon does not have the ability to chroot users. Have a look at these pages: http://chrootssh.sourceforge.net/index.php http://www.brandonhutchinson.com/chroot_ssh.html http://mail.incredimail.com/howto/openssh/
Thanks Falko -- I've looked through those examples, since I'm running Ubuntu I have to make sure that everything is cool and it's cool to do it over SSH. Anyone out there done this using Ubuntu or Debian? Thanks!
If I remember correctly, when I once tried to use the Bastille package one of the questions I was asked was if my users should see other users' files, and if answered with yes it might have the same effect desired here? I am not 100% sure, it's just a dim memory, maybe you give it a try..
Interesting, I installed it and checked the ISPConfig interface, no options to do that. It seems like this would be a good default configuration for a hosting app though right? Why would you ever want your users to see each other? Anyway, I'll keep digging. Feel free to chime in.
That's not the question of ISPConfig settings. The problem is that there is no Linux distribution that supports chrooted SSH out of the box.
Agreed, I guess I should be clearer, it would be cool to add that to the ISPConfig/Perfect Setup that I've seen posted on the web. Seems like most people who use ISPConfig would want that functionality out of the box.
Any updates from you guys? I'm going to try chrooting users, and I'll be posting my google findings in here
I installed a chrooted SSH yesterday on Debian Sarge, it will go into a small howto in the next days, but basically this is how I did it: Let's say your chroot will be in /home/chroot, and you have a user admin (whom we want to give chrooted SSH access) in /etc/passwd like that:

Code:
admin:x:1000:1000:admin,,,:/home/admin:/bin/bash

Change that line to

Code:
admin:x:1000:1000:admin,,,:/home/chroot/./home/admin:/bin/bash

The dot in /home/chroot/./home/admin is important so that OpenSSH knows that this user should be chrooted. Now we install a new OpenSSH with chroot capabilities:

Code:
cd /tmp
wget http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3
make clean
./configure -s
make
make install
cd ..
apt-get install libpam0g-dev
wget http://chrootssh.sourceforge.net/download/openssh-4.2p1-chroot.tar.gz
tar xvfz openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install

Afterwards, we create the chroot environment:

Code:
mkdir /home/chroot/
mkdir -p /home/chroot/home/admin
chown admin:admin /home/chroot/home/admin
cd /home/chroot
mkdir etc
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5

Then run the following commands on your shell:

Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS; do
    cp $prog ./$prog
    # obtain a list of related libraries
    ldd $prog > /dev/null
    if [ "$?" = 0 ] ; then
        LIBS=`ldd $prog | awk '{ print $3 }'`
        for l in $LIBS; do
            mkdir ./`dirname $l` > /dev/null 2>&1
            cp $l ./$l
        done
    fi
done

Finally do this:

Code:
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
touch etc/passwd
grep /etc/passwd -e "^root" -e "^admin" > etc/passwd
grep /etc/group -e "^root" -e "^admin" > etc/group
#grep admin /etc/passwd >> /home/chroot/etc/passwd
echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
/etc/init.d/ssh restart

Now you can login as admin, and admin should be chrooted.
Is the admin root? I need this feature cause in the future I'll be managing my server remotely through ssh (me and server = different city)
No, admin is the name of the user and not a placeholder for root. Replace admin with your own usernames. And don't try to chroot root, that makes no sense!
Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS; do
    cp $prog ./$prog
    # obtain a list of related libraries
    ldd $prog > /dev/null
    if [ "$?" = 0 ] ; then
        LIBS=`ldd $prog | awk '{ print $3 }'`
        for l in $LIBS; do
            mkdir ./`dirname $l` > /dev/null 2>&1
            cp $l ./$l
        done
    fi
done

This code gives me a lot of errors:

PS: I run a Norwegian locale and "Ingen slik fil eller filkatalog" translates to "no such file or folder". If I run "ldd /bin/bash" I get:

When I tried to log on with the new user, after following your guide, the console just hangs right after typing the password, but "who" and "ps aux | grep testuser" tell me that the user is logged on. "chroot /home/chroot /bin/bash" dies with the message:

I run Debian Sarge with kernel 2.6.12
Do the programs listed in the APPS line (/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping) exist on your system? You could change

Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS; do
    cp $prog ./$prog
    # obtain a list of related libraries
    ldd $prog > /dev/null
    if [ "$?" = 0 ] ; then
        LIBS=`ldd $prog | awk '{ print $3 }'`
        for l in $LIBS; do
            mkdir ./`dirname $l` > /dev/null 2>&1
            cp $l ./$l
        done
    fi
done

to

Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS; do
    cp $prog ./$prog
    # obtain a list of related libraries
    ldd $prog > /dev/null
    if [ "$?" = 0 ] ; then
        LIBS=`ldd $prog | awk '{ print $3 }'`
        for l in $LIBS; do
            mkdir ./`dirname $l` > /dev/null 2>&1
            cp $l ./$l
            echo "cp $l ./$l"
        done
    fi
done

to see what happens actually.
I think this is the problem:

Code:
cp /lib/libncurses.so.5 .//lib/libncurses.so.5

There's one slash too many. Please change the script to

Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS; do
    cp $prog ./$prog
    # obtain a list of related libraries
    ldd $prog > /dev/null
    if [ "$?" = 0 ] ; then
        LIBS=`ldd $prog | awk '{ print $3 }'`
        for l in $LIBS; do
            mkdir ./`dirname $l` > /dev/null 2>&1
            cp $l .$l
            echo "cp $l .$l"
        done
    fi
done
The reason for "cp: cannot create regular file..." errors is because mkdir can't create directories more than 2 levels deep. You have to change the line to "mkdir -p" and then everything will work. I think you can ignore the "cp: cannot stat `(0xffffe000)'" messages.

Code:
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS; do
    cp $prog ./$prog
    # obtain a list of related libraries
    ldd $prog > /dev/null
    if [ "$?" = 0 ] ; then
        LIBS=`ldd $prog | awk '{ print $3 }'`
        for l in $LIBS; do
            mkdir -p ./`dirname $l` > /dev/null 2>&1
            cp $l ./$l
        done
    fi
done
I got it working. Figured out the script problem and my result was: 2x cp change adding --parents parameter to copy with full path and added "grep -v \(" to exclude lines which have ( in them (since libs shouldn't have them in their path).

Code:
APPS="/bin/env /usr/bin/wget /usr/bin/ftp /usr/bin/ldd /sbin/ldconfig /usr/bin/dig /bin/traceroute /usr/bin/host /bin/sh /bin/grep /bin/cat /bin/vi /bin/gzip /bin/gunzip /usr/bin/mc /bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
for prog in $APPS; do
    echo "==========="; echo $prog; #sleep 1
    cp $prog ./ --parents
    # obtain a list of related libraries
    ldd $prog > /dev/null
    if [ "$?" = 0 ] ; then
        LIBS=`ldd $prog | awk '{ print $3 }' | grep -v \(`
        echo $LIBS
        for l in $LIBS; do
            #mkdir -p ./`dirname $l` > /dev/null 2>&1
            cp $l ./ --parents
        done
    fi
done

My problem is that using ping (or traceroute) it returns host not found or some other resolving failure. dig works, and pinging numeric IPs works. Also ssh works connecting by IP address but not by name. I have copied /etc/host.conf /etc/hosts /etc/nsswitch.conf /etc/localtime /etc/resolve.conf also to their chroot locations, but still no luck. It does read the hosts file, I tested that, but doesn't seem to do DNS lookups.
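The following is an added example written for this edit; it is not code from the thread, from chrootssh or from any of the posters. It folds the script iterations above (mkdir -p, dropping the "(0x...)" field that caused the "cannot stat" errors, copying with parent directories) into one version and adds the two things the last post is missing: a parser for ldd output that keeps only absolute paths (so both the old "/lib/ld-linux.so.2 => /lib/ld-linux.so.2" loader line and the newer bare "/lib/ld-linux.so.2 (0x...)" form are copied while the vdso line is skipped), and an install step for the glibc NSS/resolver modules. glibc loads libnss_dns.so.2 and libresolv.so.2 at run time rather than linking them, so ldd never lists them; without them inside the jail "hosts: files dns" can read /etc/hosts but never reach a nameserver, which is exactly the "works by IP, not by name" symptom. It also replaces the prefix match grep -e "^admin" (which also matches "administrator") with an exact match on the user-name field. The chroot path /home/chroot, the APPS list, the user list and the Sarge-era library names are assumptions taken from the thread; the find call locates the modules on multiarch layouts too. Run it as root with --install to populate the jail; without arguments it only defines the functions and the constructed ldd sample.

```shell
#!/bin/sh
# Added example (not from this thread): populate an SSH chroot with programs,
# their shared libraries, and the resolver pieces DNS needs inside the jail.

CHROOT=${CHROOT:-/home/chroot}   # assumed jail location, as in the thread
USERS="admin"                    # assumed users to expose inside the jail
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /bin/ping"

# Keep only absolute library paths from ldd output. Three line shapes occur:
#   libc.so.6 => /lib/libc.so.6 (0x...)                 -> field 3 is the file
#   /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x...)     -> field 3 (old ldd)
#   /lib/ld-linux.so.2 (0x...)                           -> field 1 (new ldd)
#   linux-gate.so.1 =>  (0xffffe000)                     -> vdso, not on disk
# Requiring a leading "/" is what drops the "(0xffffe000)" token and also
# "libfoo.so => not found" lines.
libs_from_ldd_output() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                { print $1 }'
}

# Copy one file into the jail at the same path, creating parent directories
# (the mkdir -p fix from the thread).
copy_into_chroot() {
    mkdir -p "$CHROOT$(dirname "$1")"
    cp -p "$1" "$CHROOT$1"
}

# Copy a program plus every library ldd reports for it. Statically linked
# programs make ldd exit non-zero and need no libraries.
install_program() {
    copy_into_chroot "$1"
    if ldd "$1" >/dev/null 2>&1; then
        for lib in $(ldd "$1" | libs_from_ldd_output); do
            copy_into_chroot "$lib"
        done
    fi
}

# NSS and resolver modules are dlopen()ed by glibc, so ldd never lists them.
install_resolver() {
    for name in libnss_files.so.2 libnss_dns.so.2 libresolv.so.2 libnss_compat.so.2; do
        path=$(find /lib /usr/lib -name "$name" 2>/dev/null | head -n 1)
        if [ -n "$path" ]; then copy_into_chroot "$path"; fi
    done
    for f in /etc/resolv.conf /etc/nsswitch.conf /etc/hosts /etc/host.conf /etc/localtime; do
        if [ -e "$f" ]; then copy_into_chroot "$f"; fi
    done
}

# Select passwd/group lines (read from stdin) whose first field is exactly one
# of the given names; "^admin" would also match "administrator".
passwd_lines_for() {
    awk -F: -v want=" $* " 'index(want, " " $1 " ") { print }'
}

# Constructed sample of ldd output in the shape seen on Sarge (real output
# uses a leading tab; awk field splitting does not care).
SAMPLE_LDD='        linux-gate.so.1 =>  (0xffffe000)
        libncurses.so.5 => /lib/libncurses.so.5 (0xb7f8d000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7f89000)
        libc.so.6 => /lib/libc.so.6 (0xb7e5d000)
        /lib/ld-linux.so.2 (0xb7fcd000)'

# Parse the sample and join the result on one line for easy checking.
parse_sample() {
    printf '%s\n' "$SAMPLE_LDD" | libs_from_ldd_output | paste -s -d ' ' -
}

# Only touch the filesystem when explicitly asked (requires root).
if [ "${1-}" = "--install" ]; then
    for prog in $APPS; do install_program "$prog"; done
    install_resolver
    mkdir -p "$CHROOT/etc"
    passwd_lines_for root $USERS < /etc/passwd > "$CHROOT/etc/passwd"
    passwd_lines_for root $USERS < /etc/group  > "$CHROOT/etc/group"
fi
```

After populating the jail, `chroot /home/chroot /bin/bash -c 'ping -c1 some.host'` (as root, before touching sshd) is the quickest way to tell a missing library from an sshd problem: a shell that hangs or dies inside a manual chroot will do the same for the SSH user.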