Re: Chroot environment for ssh

From: Wincent Colaiuta (wincentcolaiuta@mac.com)
Date: 08/20/02


Date: Tue, 20 Aug 2002 08:35:46 +0930
To: Philip Paeps <philip@paeps.cx>
From: Wincent Colaiuta <wincentcolaiuta@mac.com>

On Thursday, 15 August 2002, at 11:13 PM, Philip Paeps wrote:

> I'm in the process of setting up a form of fileserver, and I'd like for my
> users to be able to work only in their home directories, not anywhere else. I
> would like to use SSH for the connections, as opposed to FTP, but I don't want
> users to be able to log into an interactive shell (only SCP/SFTP) and I don't
> want them to 'escape' out of their home directories.

Use ssh2 from the ports collection:
cd /usr/ports/security/ssh2 && make install

In /usr/local/etc/ssh2/sshd2_config set the ChRootGroups and ChRootUsers
directives to chroot the group(s) and/or user(s) that are to have
ChRooted access.

Turn off the default ssh (OpenSSH) by setting in /etc/rc.conf:
sshd_enable="NO"

Start the new ssh:
/usr/local/etc/rc.d/sshd.sh start

When you create the user's account, make sure the shell is set to
/bin/nologin or something similar.

With this setup, they can sftp in and are chrooted to the home dir, and
they can't get a shell when they connect via ssh.

In my opinion, OpenSSH should have this feature. We are told not to use
ftp because of clear-text passwords, so we have to use ssh/sftp, but
when we do that we can no longer chroot people to their home dirs! And
if we're not careful, we end up giving them a login shell. Using ssh2
from the ports gets around this limitation, but just check the licence
before you install to make sure that you qualify (otherwise it's not
free).

Cheers :-)
Wincent
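Added example, not part of the post or of the ssh2 port: a set of POSIX sh checks for the three conditions the reply relies on (the user is listed in ChRootUsers in sshd2_config, the login shell is a nologin shell, and the base-system sshd is turned off in rc.conf), run against constructed sample files. The comma-separated ChRootUsers value format is assumed, and chroot granted through ChRootGroups membership is not checked.

```shell
#!/bin/sh
# Constructed sample inputs (not from the post): a passwd file, an
# sshd2_config fragment, and an rc.conf line.
SAMPLE_PASSWD='alice:*:1001:1001:Alice:/home/alice:/bin/nologin
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/sbin/nologin'
SAMPLE_SSHD2_CONFIG='# constructed sshd2_config fragment
Port            22
ChRootUsers     alice,bob
ChRootGroups    sftponly'
SAMPLE_RC_CONF='sshd_enable="NO"'

# user_shell NAME PASSWD_TEXT: print the login shell field for NAME.
user_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# is_chrooted NAME CONFIG_TEXT: succeed if NAME appears in ChRootUsers
# (assumed comma-separated; ChRootGroups membership is not evaluated).
is_chrooted() {
    printf '%s\n' "$2" | awk -v u="$1" '
        $1 == "ChRootUsers" {
            n = split($2, users, ",")
            for (i = 1; i <= n; i++) if (users[i] == u) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# is_nologin SHELL: succeed if the shell cannot start an interactive session.
is_nologin() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# openssh_disabled RC_CONF_TEXT: succeed if the base-system sshd is off.
openssh_disabled() {
    printf '%s\n' "$1" | grep -q '^sshd_enable="NO"'
}

# audit_user NAME PASSWD_TEXT CONFIG_TEXT: print "NAME: OK" or the problems found.
audit_user() {
    shell=$(user_shell "$1" "$2")
    problems=""
    is_chrooted "$1" "$3" || problems="not-chrooted"
    is_nologin "$shell" || problems="${problems}${problems:+ }interactive-shell($shell)"
    echo "$1: ${problems:-OK}"
}

for u in alice bob carol; do audit_user "$u" "$SAMPLE_PASSWD" "$SAMPLE_SSHD2_CONFIG"; done
```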
