Installing rssh to allow scp/sftp sessions only for user accounts is a breeze. Getting them into a chroot jail took a bit more research, but in the end turned out to be pretty easy.

This is on CentOS 4.6, but this technique should work almost identically for any Linux system thanks to the l2chroot script.

install rssh

I found my RPM at http://dag.wieers.com/rpm/packages/rssh/ and it installed flawlessly with yum. See the rssh site for instructions for other platforms.

configure rssh

  • Default configuration file: /etc/rssh.conf
  • Default rssh binary location: /usr/bin/rssh
  • Default port: none (connections arrive through OpenSSH on port 22; rssh is a restricted login shell with security features, not a separate daemon)

So editing /etc/rssh.conf is simple, and proceeded according to the nixcraft guide, but I only uncommented

allowscp
allowsftp

and set

chrootpath = /home/jail

and added a single line for per-user config, although this probably isn’t even necessary:

user=adama:112:00011:/home/jail

update: in fact it is not necessary, and though it should not hurt it could cause permissions issues (see comments). If you want all the jailed users to share the same type of abilities, then per-user config can be skipped.

create chroot jail

# mkdir /home/jail

and again the nixcraft guide is very good, but I found it much easier than they indicate (for sftp-only anyway). Copying all the required .so’s is easy with the l2chroot script, which parses ldd output for a given binary and automatically mirrors a tree containing all the mentioned files.

# wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# chmod +x l2chroot

Open l2chroot and set the BASE variable to point to the chroot directory (jail) location:

BASE="/home/jail"

and then do the copy:

# l2chroot /usr/lib/openssh/sftp-server
# l2chroot /usr/libexec/rssh_chroot_helper

There is no need for copying anything in /etc or /dev.
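To make it concrete what l2chroot does, here is an added example (my own code, not the l2chroot script or anything from the post) that parses ldd output into library paths and mirrors each file into the jail under the same directory. The ldd sample embedded at the bottom is constructed, not captured from a real system; l2chroot_like is only meant to be run as root against a real binary, while the parsing and mirroring functions run anywhere.

```shell
#!/bin/sh
# Added example, not the post's l2chroot: copy the shared libraries a binary
# needs into a chroot by parsing ldd output, the way l2chroot does.

# Print the absolute path of every library named in ldd output read on stdin.
# ldd emits three line shapes; only the first two name a real file:
#   libc.so.6 => /lib/tls/libc.so.6 (0x...)   -> /lib/tls/libc.so.6
#   /lib/ld-linux.so.2 (0x...)                -> /lib/ld-linux.so.2
#   linux-gate.so.1 => (0x...)                -> vDSO, no file, skipped
ldd_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# mirror_libs BASE: read library paths on stdin and copy each one into BASE,
# recreating its directory so /lib/libc.so.6 lands at BASE/lib/libc.so.6.
# A path that does not exist is reported and skipped rather than aborting.
mirror_libs() {
    base="$1"
    while IFS= read -r lib; do
        [ -f "$lib" ] || { echo "skip: $lib not found" >&2; continue; }
        dir=$(dirname "$lib")
        mkdir -p "$base$dir"
        cp -p "$lib" "$base$dir/"
    done
}

# l2chroot_like BASE BINARY: copy BINARY and all of its ldd dependencies
# into BASE (needs root for a real jail such as /home/jail).
l2chroot_like() {
    base="$1"; bin="$2"
    mkdir -p "$base$(dirname "$bin")"
    cp -p "$bin" "$base$bin"
    ldd "$bin" | ldd_libs | mirror_libs "$base"
}

# Constructed sample ldd output (not from a real system) for offline use.
SAMPLE_LDD='    linux-gate.so.1 =>  (0xffffe000)
    libcrypto.so.4 => /lib/libcrypto.so.4 (0x00a7d000)
    libc.so.6 => /lib/tls/libc.so.6 (0x0011c000)
    /lib/ld-linux.so.2 (0x00101000)'

# Parse the sample: three file paths come out, the vDSO line is dropped.
demo_sample_libs() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_libs
}

# Usage against a real binary, as root:  l2chroot_like /home/jail /usr/libexec/rssh_chroot_helper
```

Before trusting the jail, it is worth running `chroot /home/jail /usr/libexec/openssh/sftp-server` once from a root shell: if a library was missed, the loader reports it there rather than as a confusing login failure.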

and finally create a home sweet home for our new semi-welcome guest:

# mkdir -p /home/jail/home/adama

no need to copy /etc/skel or anything, because the whole point is for them not to get a shell.

setup system user account

give them a home dir inside the jail and a shell of rssh:

# /usr/sbin/useradd -d /home/jail/home/adama -s /usr/bin/rssh adama

mount other system locations

The best part is, you can give the guest access to any other directory on the system with the --bind option to mount.

So if you want to give them access to /var/www/sites/special, you could mount that from inside the jail with

# mount --bind -o noexec,nosuid /var/www/sites/special /home/jail/home/adama/ext_special

for instance. The noexec,nosuid options provide a bit of extra security, and in fact ideally should be set on whatever partition the jail resides on as well.

According to the mount man page, the --bind option is supported in Linux kernels 2.4.0+.

And to see the appropriate entry to add to fstab (to do the mount automatically after reboot), you can do

# cat /etc/mtab
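Since the mtab entries are what you copy into fstab, here is an added example (my own code, not from the post) that pulls the bind mounts under the jail out of mtab-format input and prints them as fstab lines, and a second function that flags any mount at or below the jail missing the noexec or nosuid option recommended above. The sample mtab at the bottom is constructed, and the ext_special and uploads mount points are assumptions for the demo; to check a live system, feed it `cat /etc/mtab` instead.

```shell
#!/bin/sh
# Added example, not from the post: fstab lines for bind mounts into the
# jail, plus a check that every mount under the jail is noexec,nosuid.

JAIL="${JAIL:-/home/jail}"

# mtab_bind_entries JAIL: read mtab-format lines on stdin and print, as fstab
# lines, the bind mounts whose mount point lies below JAIL.
# mtab columns: source mountpoint fstype options dump pass
mtab_bind_entries() {
    awk -v jail="$1" '
        index($2, jail "/") == 1 && $4 ~ /(^|,)bind(,|$)/ {
            printf "%s %s none %s 0 0\n", $1, $2, $4
        }
    '
}

# check_jail_mount_opts JAIL: read mtab lines on stdin; report each mount at
# or below JAIL as OK or FAIL depending on whether its options carry both
# noexec and nosuid; exit status 1 if any FAIL line was printed.
check_jail_mount_opts() {
    awk -v jail="$1" '
        $2 == jail || index($2, jail "/") == 1 {
            if ($4 !~ /(^|,)noexec(,|$)/ || $4 !~ /(^|,)nosuid(,|$)/) {
                print "FAIL " $2 " (" $4 ")"; bad = 1
            } else {
                print "OK   " $2
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample mtab (not captured from a real system): one bind mount
# done with -o noexec,nosuid as in the post, and one done without.
SAMPLE_MTAB='/dev/sda1 / ext3 rw 0 0
/var/www/sites/special /home/jail/home/adama/ext_special none rw,noexec,nosuid,bind 0 0
/srv/uploads /home/jail/home/adama/uploads none rw,bind 0 0
none /proc proc rw 0 0'

demo_fstab() { printf '%s\n' "$SAMPLE_MTAB" | mtab_bind_entries "$JAIL"; }
demo_check() { printf '%s\n' "$SAMPLE_MTAB" | check_jail_mount_opts "$JAIL"; }

# Live usage:  cat /etc/mtab | mtab_bind_entries /home/jail
#              cat /etc/mtab | check_jail_mount_opts /home/jail || echo "fix mount options"
```

The check deliberately includes the jail directory itself, since the post notes the partition holding the jail should ideally be noexec,nosuid too; an uploads-style bind mount without those options is exactly the case the FAIL line is there to catch.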

5 Comments

Girish Ram

October 9th, 2009

I installed restricted shell on a centos 5.3 box. I could not contain the user to his directory. When I tried to set the entry in the /etc/rssh.conf to:

user=girishram:011:00010:/users/girishram

It won’t allow me to login. But if I set it to user=girishram:011:00010:, it will allow me to login but does not prevent me from seeing the other directories under /users.

Any way around this?

Thanks
Girish

October 9th, 2009

@Girish Try commenting that line out entirely. I found it is not necessary at all and should update this howto (consider this the update).

If you still can’t login, check logs for the reason. Could be a permissions problem. And make sure the chroot environment is set up correctly under /users (I’d suggest making a separate chroot area for clarity, like /users/jail)

Girish Ram

December 6th, 2009

Thank you sbeam, commenting that line worked. Now the problem I have is that I am unable to contain the user to their home directory.

When I set the chrootpath, the user is able to see everything under the path. When I disable the path and try to set the path on the user entry, the login fails:

user girishram attempted to execute forbidden commands
command: /usr/libexec/openssh/sftp-server

Anything I can do to confine the user to their home directory?

Thanks
Girish

December 7th, 2009

The behavior sounds like what is expected: the user can move around within the jail as the permissions let him. If you want to prevent him from seeing other users’ directories under /home/, then turn off the read bit on that directory.

$ chmod 711 /home/jail/home

or

$ chmod go-r /home/jail/home

Then in the SFTP shell he should get ‘permission denied’ when trying to view the contents of /home.

enjoy!

Girish

December 9th, 2009

sbeam,

Thank you. I will use this approach to contain the user from being able to see the contents of other peoples folders.

Thanks
Girish
