SSH Users CHROOT

Discussion in 'Installation/Configuration' started by howser, Dec 19, 2005.

  1. howser

    howser New Member

    Hi everyone,
    Is there a way to CHROOT the users who come in via SSH so that they cannot see the files of other users? I'd like to grant them SSH access, but I can't do that if they are able to see other users' files and directories. Any help would be appreciated.

    Take care,

    Howser
     
  2. falko

    falko Super Moderator Howtoforge Staff

  3. howser

    howser New Member

    Thanks Falko -- I've looked through those examples. Since I'm running Ubuntu, I have to make sure that everything is cool and that it's cool to do it over SSH. Anyone out there done this using Ubuntu or Debian?

    Thanks!
     
  4. Ovidiu

    Ovidiu Active Member

    If I remember correctly, when I once tried to use the Bastille package, one of the questions I was asked was whether my users should see other users' files. If answered with yes, it might have the same effect desired here?

    I am not 100% sure, it's just a dim memory; maybe give it a try.
     
  5. howser

    howser New Member

    Interesting. I installed it and checked the ISPConfig interface; there are no options to do that. It seems like this would be a good default configuration for a hosting app though, right? Why would you ever want your users to see each other? Anyway, I'll keep digging. Feel free to chime in.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not a question of ISPConfig settings. The problem is that there is no Linux distribution that supports chrooted SSH out of the box.
     
  7. howser

    howser New Member

    Agreed, I guess I should be clearer, it would be cool to add that to the ISPConfig/Perfect Setup that I've seen posted on the web. Seems like most people who use ISPConfig would want that functionality out of the box.
     
  8. falko

    falko Super Moderator Howtoforge Staff

    I'll see what I can do... :)
     
  9. danf.1979

    danf.1979 Member

    Any updates from you guys?
    I'm going to try chrooting users, and I'll be posting my Google findings in here.
     
    Last edited: Dec 24, 2005
  10. danf.1979

    danf.1979 Member

  11. falko

    falko Super Moderator Howtoforge Staff

    I installed a chrooted SSH yesterday on Debian Sarge, it will go into a small howto in the next days, but basically this is how I did it:

    Let's say your chroot will be in /home/chroot, and you have a user admin (to whom we want to give chrooted SSH access) in /etc/passwd like this:

    Code:
    admin:x:1000:1000:admin,,,:/home/admin:/bin/bash
    Change that line to
    Code:
    admin:x:1000:1000:admin,,,:/home/chroot/./home/admin:/bin/bash
    The dot in /home/chroot/./home/admin is important so that OpenSSH knows that this user should be chrooted.

    Now we install a new OpenSSH with chroot capabilities:

    Code:
    cd /tmp
    wget http://www.zlib.net/zlib-1.2.3.tar.gz
    tar xvfz zlib-1.2.3.tar.gz
    cd zlib-1.2.3
    make clean
    ./configure -s
    make
    make install
    cd ..
    
    apt-get install libpam0g-dev
    wget http://chrootssh.sourceforge.net/download/openssh-4.2p1-chroot.tar.gz
    tar xvfz openssh-4.2p1-chroot.tar.gz
    cd openssh-4.2p1-chroot
    ./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
    make
    make install
    Afterwards, we create the chroot environment:

    Code:
    mkdir /home/chroot/
    mkdir -p /home/chroot/home/admin
    chown admin:admin /home/chroot/home/admin
    
    cd /home/chroot
    mkdir etc
    mkdir bin
    mkdir lib
    mkdir usr
    mkdir usr/bin
    mkdir dev
    mknod dev/null c 1 3
    mknod dev/zero c 1 5
    
    Then run the following commands on your shell:
    Code:
    APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
    for prog in $APPS;  do
            cp $prog ./$prog
    
            # obtain a list of related libraries
            ldd $prog > /dev/null
            if [ "$?" = 0 ] ; then
                    LIBS=`ldd $prog | awk '{ print $3 }'`
                    for l in $LIBS; do
                            mkdir ./`dirname $l` > /dev/null 2>&1
                            cp $l ./$l
                    done
            fi
    done
    
    Finally do this:
    Code:
    cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
    touch etc/passwd
    grep /etc/passwd -e "^root" -e "^admin" > etc/passwd
    grep /etc/group -e "^root" -e "^admin" > etc/group
    #grep admin /etc/passwd >> /home/chroot/etc/passwd
    echo '#!/bin/bash' > usr/bin/groups
    echo "id -Gn" >> usr/bin/groups
    /etc/init.d/ssh restart
    Now you can login as admin, and admin should be chrooted. :)
     
  12. danf.1979

    danf.1979 Member

    Is the admin root? I need this feature because in the future I'll be managing my server remotely through ssh (me and server = different city) :rolleyes:
     
  13. falko

    falko Super Moderator Howtoforge Staff

    No, admin is the name of the user and not a placeholder for root. Replace admin with your own usernames. And don't try to chroot root, that makes no sense!
     
  14. magikern

    magikern New Member

    Code:
    APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
    for prog in $APPS;  do
            cp $prog ./$prog
    
            # obtain a list of related libraries
            ldd $prog > /dev/null
            if [ "$?" = 0 ] ; then
                    LIBS=`ldd $prog | awk '{ print $3 }'`
                    for l in $LIBS; do
                            mkdir ./`dirname $l` > /dev/null 2>&1
                            cp $l ./$l
                    done
            fi
    done
    
    This code gives me a lot of errors:

    PS: I run a Norwegian locale and "Ingen slik fil eller filkatalog" translates to "no such file or folder".

    If I run "ldd /bin/bash" I get:
    When I tried to log on with the new user ,after following your guide, the console just hangs right after typing the password, but "who" and "ps aux | grep testuser" tells me that the user is logged on.

    "chroot /home/chroot /bin/bash" dies with the message:
    I run Debian Sarge with kernel 2.6.12.
     
  15. falko

    falko Super Moderator Howtoforge Staff

    Do the programs listed in the APPS line (/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping) exist on your system?

    You could change

    Code:
    APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
    for prog in $APPS;  do
            cp $prog ./$prog
    
            # obtain a list of related libraries
            ldd $prog > /dev/null
            if [ "$?" = 0 ] ; then
                    LIBS=`ldd $prog | awk '{ print $3 }'`
                    for l in $LIBS; do
                            mkdir ./`dirname $l` > /dev/null 2>&1
                            cp $l ./$l
                    done
            fi
    done
    to

    Code:
    APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
    for prog in $APPS;  do
            cp $prog ./$prog
    
            # obtain a list of related libraries
            ldd $prog > /dev/null
            if [ "$?" = 0 ] ; then
                    LIBS=`ldd $prog | awk '{ print $3 }'`
                    for l in $LIBS; do
                            mkdir ./`dirname $l` > /dev/null 2>&1
                            cp $l ./$l
                            echo "cp $l ./$l"    # added line
                    done
            fi
    done
    to see what happens actually.
     
  16. magikern

    magikern New Member

    Now I get a whole bunch of "permission denied" messages?
    ++ many more
     
  17. falko

    falko Super Moderator Howtoforge Staff

    I think this is the problem:
    Code:
    cp /lib/libncurses.so.5 .//lib/libncurses.so.5
    There's one slash too many.

    Please change the script to

    Code:
    APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
    for prog in $APPS;  do
            cp $prog ./$prog
    
            # obtain a list of related libraries
            ldd $prog > /dev/null
            if [ "$?" = 0 ] ; then
                    LIBS=`ldd $prog | awk '{ print $3 }'`
                    for l in $LIBS; do
                            mkdir ./`dirname $l` > /dev/null 2>&1
                            cp $l .$l             # changed line
                            echo "cp $l .$l"      # changed line
                    done
            fi
    done
     
  18. mchow

    mchow New Member

    The reason for the "cp: cannot create regular file..." errors is that mkdir can't create directories more than 2 levels deep. You have to change the line to "mkdir -p" and then everything will work. I think you can ignore the "cp: cannot stat `(0xffffe000)'" messages.

    Code:
    APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
    for prog in $APPS; do
        cp $prog ./$prog
        # obtain a list of related libraries
         ldd $prog > /dev/null
         if [ "$?" = 0 ] ; then
             LIBS=`ldd $prog | awk '{ print $3 }'`
             for l in $LIBS; do
                  mkdir -p ./`dirname $l` > /dev/null 2>&1    # changed line
                  cp $l ./$l
             done
         fi
     done
    
     
    Last edited: Mar 17, 2006
  19. jannoke

    jannoke New Member

    I got it working. I figured out the script problem, and my result was:
    Two cp changes: added the --parents parameter to copy with the full path, and added "grep -v \(" to exclude lines which have ( in them (since libs shouldn't have that in their path).

    Code:
    APPS="/bin/env /usr/bin/wget /usr/bin/ftp /usr/bin/ldd /sbin/ldconfig /usr/bin/dig /bin/traceroute /usr/bin/host /bin/sh /bin/grep /bin/cat /bin/vi /bin/gzip /bin/gunzip /usr/bin/mc /bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
    for prog in $APPS; do
        echo "==========="
        echo $prog
        #sleep 1
        # --parents recreates the full source path below the current directory
        cp $prog ./ --parents
    
        # obtain a list of related libraries
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
            # drop lines containing "(" such as "linux-gate.so.1 => (0xffffe000)"
            LIBS=`ldd $prog | awk '{ print $3 }' | grep -v \(`
            echo $LIBS
            for l in $LIBS; do
                #mkdir -p ./`dirname $l` > /dev/null 2>&1
                cp $l ./ --parents
            done
        fi
    done
    
    My problem is that using ping (or traceroute) returns "host not found" or some other resolving failure.
    dig works, and pinging numeric IPs works.
    Also, ssh works when connecting by IP address but not by name.

    I have copied
    /etc/host.conf
    /etc/hosts
    /etc/nsswitch.conf
    /etc/localtime
    /etc/resolve.conf
    to their chroot locations as well, but still no luck.

    It does read the hosts file, I tested that,
    but it doesn't seem to do DNS lookups.
     
  20. falko

    falko Super Moderator Howtoforge Staff

    It's /etc/resolv.conf, not /etc/resolve.conf.
     
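The copy-into-the-jail loop that posts 11, 15, 17, 18 and 19 keep patching, together with the name-resolution files post 19 was missing, as one script. This is an added example and not the script from the thread. It assumes the thread's layout (jail at /home/chroot, one jailed user such as admin; both are parameters here) and a glibc-based system where ldd is available. Instead of awk's $3, only ldd tokens that begin with "/" are taken, which skips "linux-vdso.so.1", the "=>" arrow and the "(0x...)" load addresses and also catches the dynamic loader line, which has no "=>" at all; directories are created with mkdir -p. The NSS modules (libnss_dns, libnss_files, libnss_compat, libresolv) are loaded with dlopen() at runtime, so ldd never lists them and they have to be copied by hand along with /etc/resolv.conf and /etc/nsswitch.conf. OpenSSH 4.9 and later ship a ChrootDirectory directive in sshd_config, so the patched server and the /./ marker in /etc/passwd are no longer needed; the jail tree still has to be built the same way, and ChrootDirectory insists that every component of the jail path is a root-owned directory not writable by any other user or group.

```shell
#!/bin/sh
# mkchroot.sh: build a minimal SSH jail tree (added example, not the thread's
# script). Assumes a glibc system with ldd; jail path, user and program list
# are the caller's choice, e.g. /home/chroot and admin as in the thread.
set -u

# Copy one file into the jail at the same absolute path. cp follows symlinks,
# so the jail gets a real file rather than a link pointing outside the jail.
chroot_copy() {
    jail="$1"; src="$2"
    [ -e "$src" ] || return 1
    mkdir -p "$jail$(dirname "$src")"    # -p: the fix from post 18
    cp "$src" "$jail$src"
}

# Copy a program plus every shared object ldd reports for it. Only tokens
# starting with "/" are used: that skips "linux-vdso.so.1", the "=>" arrow and
# "(0x...)" load addresses (awk '$3' copied those as if they were file names)
# and keeps the dynamic loader line, which carries no "=>" at all.
# ldd may execute the program's loader: run it only on trusted binaries.
chroot_add_prog() {
    jail="$1"; prog="$2"
    chroot_copy "$jail" "$prog" || { echo "missing program: $prog" >&2; return 1; }
    if command -v ldd >/dev/null 2>&1 && deps=$(ldd "$prog" 2>/dev/null); then
        for lib in $(printf '%s\n' "$deps" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
            chroot_copy "$jail" "$lib" || echo "missing library: $lib" >&2
        done
    fi
    return 0    # a static binary makes ldd fail; the program itself is in place
}

# Name resolution inside the jail (post 19): glibc loads the NSS modules with
# dlopen(), so ldd never lists them; they and the resolver config go in by hand.
chroot_add_resolver() {
    jail="$1"
    for f in /etc/resolv.conf /etc/nsswitch.conf /etc/hosts /etc/host.conf /etc/localtime; do
        if [ -e "$f" ]; then chroot_copy "$jail" "$f"; fi
    done
    for name in libnss_dns.so.2 libnss_files.so.2 libnss_compat.so.2 libresolv.so.2; do
        for lib in $(find -H /lib /lib64 /usr/lib -name "$name" 2>/dev/null); do
            chroot_copy "$jail" "$lib"
        done
    done
    return 0
}

# build_chroot JAIL USER PROG...: skeleton, programs, resolver files, and a
# passwd/group holding only root and the jailed user. Post 11 grepped "^admin",
# which also matches admin2; the trailing ":" pins the exact name.
# Run as root for a real jail: the jail root must be root-owned and not
# writable by the jailed user (sshd's ChrootDirectory refuses anything else),
# and the device nodes need mknod.
build_chroot() {
    jail="$1"; user="$2"; shift 2
    mkdir -p "$jail/dev" "$jail/etc" "$jail/tmp"
    chmod 755 "$jail"
    chmod 1777 "$jail/tmp"
    for prog in "$@"; do chroot_add_prog "$jail" "$prog"; done
    chroot_add_resolver "$jail"
    grep -e '^root:' -e "^$user:" /etc/passwd > "$jail/etc/passwd"
    grep -e '^root:' -e "^$user:" /etc/group  > "$jail/etc/group"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$jail" || echo "chown of $jail failed" >&2
        [ -e "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3 || echo "mknod needs CAP_MKNOD" >&2
        [ -e "$jail/dev/zero" ] || mknod -m 666 "$jail/dev/zero" c 1 5 || echo "mknod needs CAP_MKNOD" >&2
    fi
}

# Usage: sh mkchroot.sh /home/chroot admin /bin/bash /bin/ls /bin/mkdir /usr/bin/id
if [ "$#" -ge 2 ]; then
    build_chroot "$@"
fi
```

Two things the thread's version silently got wrong are worth keeping in mind: cp without -p drops the setuid bit, so a copied /bin/ping will not be able to open raw sockets inside the jail (which is the safer outcome; setuid binaries have no business in a user-writable tree), and the "Permission denied" messages from post 16 come from copying as a non-root user into directories created under the jail earlier by root, not from the ./ prefix.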