Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 09/03/2007
This tutorial describes two ways to give users chrooted SSH access. With this setup you can give your users shell access without having to fear that they can see your whole system: they will be jailed in a specific directory which they will not be able to break out of, provided the jail itself is owned by root, is not writable by the jailed users and contains no setuid binaries (chroot confines unprivileged processes only). The users will also be able to use SFTP in their chroot jails.
This document comes without warranty of any kind! This is not the only way of setting up such a system; there are many ways of achieving this goal, but this is the way I take. I do not issue any guarantee that this will work for you!
1 Preliminary Note
This setup is based on a Debian Etch (Debian 4.0) system.
The first way to set up chrooted SSH is by hand and is very similar to the method shown in this tutorial for Debian Sarge: http://www.howtoforge.com/chrooted_ssh_howto_debian. The chrooted SSH will be installed in such a way that it still uses the configuration files of the standard OpenSSH Debian package in /etc/ssh/, and you can keep using the standard OpenSSH Debian init script /etc/init.d/ssh. Therefore you do not have to create your own init script and configuration file.
The second way is to use the make_chroot_jail.sh script from http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/. This setup differs from the first one in that we do not need to recompile OpenSSH. Instead of /bin/sh or /bin/bash, the chrooted users get /bin/chroot-shell as their login shell, which uses the sudo and chroot commands to chroot the users. It also differs in that the users do not have a dot in their home directories in /etc/passwd (therefore it cannot be used by control panels such as ISPConfig, which is no problem with the first method). Please take a look at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/ to see what this script can and cannot do for you.
Decide on one of the two ways; please do not use both at the same time!
2 The First Way: Chrooted SSH By Hand
First we install the packages needed to build OpenSSH:
cd /tmp
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh build-essential bzip2
Then we download the patched OpenSSH sources and configure them with /usr as the prefix for the executables (so that the patched sshd replaces the Debian one in /usr/sbin and the Debian init script keeps working), with /etc/ssh as the directory where the chrooted SSH looks for its configuration files, and with PAM authentication enabled:
wget http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2
tar xvfj openssh-4.5p1-chroot.tar.bz2
cd openssh-4.5p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install
Next we create a script that copies the programs the jailed users are allowed to run, together with the shared libraries they depend on, into the jail:
vi /usr/local/sbin/create_chroot_env
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Programs to make available inside the jail. Run this script from the jail
# directory (e.g. /home/chroot): every destination path below is relative.
APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv
/bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping
/usr/bin/dircolors /usr/bin/vi /usr/bin/sftp /usr/lib/openssh/sftp-server"
for prog in $APPS; do
  mkdir -p ./`dirname $prog` > /dev/null 2>&1
  cp $prog ./$prog
  # obtain a list of related libraries (ldd fails for statically linked programs)
  ldd $prog > /dev/null
  if [ "$?" = 0 ] ; then
    # take the path after "=>" and the bare interpreter line (/lib/ld-linux.so.2);
    # skip the vdso entry, which has no file on disk
    LIBS=`ldd $prog | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }'`
    for l in $LIBS; do
      mkdir -p ./`dirname $l` > /dev/null 2>&1
      cp $l ./$l > /dev/null 2>&1
    done
  fi
done
(If you want to make more programs available to your chrooted users, just add these programs to
the APPS line.)
The script copies everything relative to the current directory, so it must be run from inside the jail. We make it executable, change into /home/chroot (create it first if it does not exist yet) and run it there:
chmod 700 /usr/local/sbin/create_chroot_env
cd /home/chroot
create_chroot_env
Next we copy a few additional files and libraries into the jail that ldd does not list because they are loaded at run time: the NSS modules and name-resolution configuration (so that user, group and host lookups work inside the jail), the PAM modules and configuration, and the Kerberos/GSSAPI libraries:
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ./lib/
cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/
cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
cp /usr/lib/libkrb5.so.3 usr/lib/
cp /usr/lib/libk5crypto.so.3 usr/lib/
cp /lib/libcom_err.so.2 lib/
cp /usr/lib/libkrb5support.so.0 usr/lib/
Then we create a minimal groups command inside the jail (a one-line wrapper around id -Gn; remember to make it executable) and an etc/passwd that contains only the root line for now:
echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e "^root" > etc/passwd
You should also copy the line for the group in which you will create new users from /etc/group to /home/chroot/etc/group. In this tutorial we create users in the group users, so we do this:
grep /etc/group -e "^root" -e "^users" > etc/group
and restart OpenSSH:
/etc/init.d/ssh restart
Now we create the user testuser with the home directory /home/chroot/./home/testuser and the group users (the default group for new users on Debian, so you do not have to specify it explicitly). The /./ in the path marks the chroot point: the patched sshd chroots to the part before the dot (/home/chroot) and then changes into the part after it (/home/testuser):
useradd -s /bin/bash -m -d /home/chroot/./home/testuser -c "testuser" -g users testuser
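The manual steps above (copying programs and their libraries, writing the jail's own passwd and group, and creating the user with the /./ home directory) can be folded into one script. The following is an added example, not code from the tutorial or from the chrootssh project: it builds a jail at a path of your choice, resolves libraries from ldd output including the ELF interpreter line that awk '{ print $3 }' misses, writes the jail's etc/passwd and etc/group with the home directory rewritten to what the user sees after the chroot, and audits the jail for the conditions a chroot relies on (root-owned, not group- or world-writable, no setuid or setgid files inside). The jail path, the program list, the user name and the passwd/group file arguments are assumptions for the demonstration; on a real system run it as root.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Builds and audits a
# chroot jail for the "first way". Assumptions: ldd output in the usual
# "lib => /path (0x..)" form, GNU find, and a jail path without regex
# metacharacters (e.g. /home/chroot).
set -u

# List the shared objects a program needs. Unlike awk '{ print $3 }' this
# also catches the interpreter line ("/lib/ld-linux.so.2 (0x...)") and
# skips the vdso pseudo-library, which has no file on disk.
needed_libs() {   # needed_libs /path/to/prog
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }   # libc.so.6 => /lib/libc.so.6 (0x..)
        $1 ~ /^\//               { print $1 }   # /lib/ld-linux.so.2 (0x..)
    '
}

# Copy one file into the jail at the same absolute path.
copy_into() {     # copy_into JAILDIR /abs/path
    mkdir -p "$1$(dirname "$2")" && cp "$2" "$1$2"
}

# Copy each program and every library it needs into the jail.
build_jail() {    # build_jail JAILDIR PROG...
    jail=$1; shift
    mkdir -p "$jail" || return 1
    for prog; do
        [ -x "$prog" ] || { echo "not an executable: $prog" >&2; return 1; }
        copy_into "$jail" "$prog" || return 1
        for lib in $(needed_libs "$prog"); do
            copy_into "$jail" "$lib" || return 1
        done
    done
}

# Write etc/passwd and etc/group inside the jail containing only root and the
# given user/group. The home directory "JAILDIR/./home/user" recorded in the
# real /etc/passwd becomes "/home/user", the path the user sees after the
# chroot (assumption: that is how the patched sshd interprets the "/./").
jail_accounts() { # jail_accounts JAILDIR USER GROUP [PASSWD_FILE [GROUP_FILE]]
    jail=$1 user=$2 group=$3 pw=${4:-/etc/passwd} gr=${5:-/etc/group}
    mkdir -p "$jail/etc" || return 1
    grep -e '^root:' -e "^$user:" "$pw" | sed "s#$jail/\./#/#" > "$jail/etc/passwd"
    grep -e '^root:' -e "^$group:" "$gr" > "$jail/etc/group"
}

# Print one line per finding. A jail the user can write to, or that contains
# a setuid/setgid binary, is not a jail: a root-privileged process inside a
# chroot is not confined by it.
audit_jail() {    # audit_jail JAILDIR
    jail=$1
    [ -z "$(find "$jail" -maxdepth 0 ! -user root)" ] ||
        echo "jail root $jail is not owned by root"
    [ -z "$(find "$jail" -maxdepth 0 -perm /022)" ] ||
        echo "jail root $jail is group- or world-writable"
    find "$jail" -type d -perm /002 ! -perm -1000 |
        sed 's/^/world-writable directory without sticky bit: /'
    find "$jail" -type f \( -perm -4000 -o -perm -2000 \) |
        sed 's/^/setuid\/setgid file inside jail: /'
}

# Demo run for the real system (needs root): jail /home/chroot with a shell,
# ls and the SFTP server, then accounts for testuser in group users.
if [ "${1:-}" = "demo" ]; then
    build_jail /home/chroot /bin/sh /bin/bash /bin/ls /usr/lib/openssh/sftp-server &&
    jail_accounts /home/chroot testuser users &&
    audit_jail /home/chroot
fi
```

Run audit_jail again after every change to the jail (new programs, an editor that writes temporary files, a user-created directory): the two findings it is most likely to produce, a world-writable directory and a setuid copy of a program, are exactly the ones that turn a jail into a convenience rather than a boundary.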
3.2 Creating Chrooted Users
To create (or update) the user testuser with the script's default jail directory, run:
make_chroot_jail.sh testuser
I want to use /home/chroot as the chroot jail, therefore I have to specify the path to chroot-shell
as well:
make_chroot_jail.sh testuser /bin/chroot-shell /home/chroot
This will create/update the user testuser with the chroot jail /home/chroot.
To update all files/libraries in the chroot jail, run
make_chroot_jail.sh update
or
make_chroot_jail.sh update /bin/chroot-shell /home/chroot
depending on how you created your users.
3.3 ProFTPd
If you use ProFTPd, you should read this:
As mentioned on http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/, you should not add /bin/chroot-shell to /etc/shells because that would allow users to break out of the chroot jail. This is a problem for ProFTPd, because in ProFTPd's standard configuration only users with a shell listed in /etc/shells can use ProFTPd. This means that users that use /bin/chroot-shell cannot use ProFTPd.
To change this, open /etc/proftpd/proftpd.conf and add:
vi /etc/proftpd/proftpd.conf
[...]
RequireValidShell off
[...]
Keep in mind that this only makes ProFTPd accept the login. ProFTPd does not go through chroot-shell, so unless you also confine FTP sessions with a DefaultRoot directive (for example DefaultRoot ~, which restricts each user to the home directory recorded in /etc/passwd), those users will see the whole filesystem over FTP, which is exactly what the jail is meant to prevent.