RE: restricting sftp/ssh login access

To: Ehren Wilson <ewilson@echostar.ca>, Robert Cates <robert@kormar.de>, debian-isp@lists.debian.org
Subject: RE: restricting sftp/ssh login access
From: MB <sparkynine@yahoo.com>
Date: Mon, 28 Jun 2004 11:28:05 -0700 (PDT)
Message-id: <[🔎] 20040628182805.40896.qmail@web54101.mail.yahoo.com>
In-reply-to: <[🔎] NFBBKACNPBMJOOINNINBMEODBOAB.ewilson@echostar.ca>
I agree that a jail is the cleanest way.  My setup is as follows:

chroot jail:
/home/jailedUsers


dirs and files within the jail:
./lib
./lib/libnsl.so.1
./lib/libnsl-2.3.2.so
./lib/libc.so.6
./lib/libc-2.3.2.so
./lib/ld-linux.so.2
./lib/ld-2.3.2.so
./lib/libnss_compat.so.2
./lib/libnss_compat-2.3.2.so
./lib/libnss_files.so.2
./lib/libnss_files-2.3.2.so
./lib/libresolv.so.2
./lib/libresolv-2.3.2.so
./lib/libutil.so.1
./lib/libutil-2.3.2.so
./lib/libcrypt.so.1
./lib/libcrypt-2.3.2.so
./lib/libdl.so.2
./lib/libdl-2.3.2.so
./lib/libncurses.so.5
./lib/libncurses.so.5.4
./lib/librt.so.1
./lib/librt-2.3.2.so
./lib/libpthread.so.0
./lib/libpthread-0.10.so
./lib/libacl.so.1
./lib/libacl.so.1.1.0
./lib/libattr.so.1
./lib/libattr.so.1.1.0
./lib/libm.so.6
./lib/libm-2.3.2.so
./lib/libpam.so.0
./lib/libpam_misc.so.0
./etc
./etc/nsswitch.conf
./etc/passwd
./etc/group
./etc/jailkit
./etc/jailkit/jk_lsh.ini
./etc/resolv.conf
./etc/host.conf
./etc/hosts
./etc/protocols
./etc/motd
./etc/issue
./etc/bash.bashrc
./etc/profile
./etc/terminfo -- bunch of dirs in here ---
./usr
./usr/bin
./usr/bin/jk_lsh
./usr/bin/ssh
./usr/bin/nvi
./usr/bin/scp
./usr/bin/awk
./usr/bin/bzip2
./usr/bin/bunzip2
./usr/bin/away
./usr/lib
./usr/lib/sftp-server
./usr/lib/i586
./usr/lib/i586/libcrypto.so.0.9.7
./usr/lib/libz.so.1
./usr/lib/libz.so.1.2.1
./usr/lib/libbz2.so.1.0
./usr/lib/libbz2.so.1.0.2
./dev
./dev/urandom
./dev/tty
./dev/log
./bin
./bin/sh
./bin/bash
./bin/ls
./bin/cat
./bin/chmod
./bin/mkdir
./bin/cp
./bin/cpio
./bin/date
./bin/dd
./bin/echo
./bin/egrep
./bin/false
./bin/sleep
./home
./home/drocke
./root

And by only allowing the user write access to his/her own directory
(within the jail) will limit the liability to the system.

Mark

--- Ehren Wilson <ewilson@echostar.ca> wrote:
> The cleanest way I have found was using rssh.  All you do is change
> the
> shell to /usr/bin/rssh.  The only issue I have with it is that to
> jail them
> to their home directory you need a separate chroot for each folder of
> the
> following.  I jailed the /home folder and thus only need one jail, if
> you
> want each user to be jailed to ~/ as / then you need a separate jail
> for
> each user through copying or linking the files.
> 
> 
> Ehren Wilson
> 
> jail components:
> ./etc
> ./etc/ld.so.cache
> ./etc/ld.so.conf
> ./usr
> ./usr/bin
> ./usr/bin/scp
> ./usr/lib
> ./usr/lib/i686
> ./usr/lib/i686/cmov
> ./usr/lib/i686/cmov/libcrypto.so.0.9.7
> ./usr/lib/libz.so.1
> ./usr/lib/rssh
> ./usr/lib/rssh/rssh_chroot_helper
> ./usr/lib/sftp-server
> 
> > -----Original Message-----
> > From: Robert Cates [mailto:robert@kormar.de]
> > Sent: Monday, June 28, 2004 11:54 AM
> > To: debian-isp@lists.debian.org
> > Cc: Andreas John; MB; hiren@obsidian.co.za
> > Subject: Re: restricting sftp/ssh login access
> >
> >
> > Hi, and thanks for the quick replies!
> > Just to be a bit clearer in what I'm asking: I would like to be
> able to
> > allow my customers to access their accounts (update their web
> sites) with
> > sftp which as I understand it is an extention to (Open)SSH, and
> > not FTP.  I
> > know for example that the Windows application - WS_FTP Pro - has an
> option
> > to use sftp/ssh on port 22 and when I tested it, I landed way up at
> root
> > "/".  So, I'd like to be able to allow secure access, but with an
> > ftp client
> > like WS_FTP Pro using sftp, and not a Secure SHell.  I have my
> > server setup
> > so that the customer can use SSH to change their password, and
> that's all
> > they can do with SSH.
> >
> > Is there nothing in the ssh_config or sshd_config which can be set
> to
> > restrict sftp access to a designated directory?
> >
> > It seems to me that the patched OpenSSH way that Hiren pointed out
> is
> > workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html
> but I'm
> > open to other maybe better ways.
> >
> > Thanks again,
> > Robert
> > ----- Original Message -----
> > From: "MB" <sparkynine@yahoo.com>
> > To: "Andreas John" <aj@net-lab.net>
> > Cc: <debian-isp@lists.debian.org>
> > Sent: Monday, June 28, 2004 6:47 PM
> > Subject: Re: restricting sftp/ssh login access
> >
> >
> > > John,
> > >
> > > First off, I make a small mistake, the package I used was
> "jailkit",
> > > from either:
> > >
> > >
> http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
> > > or
> > > http://freshmeat.net/projects/jailkit/
> > >
> > > It has tons of documentation to help you create a jailed
> environment,
> > > including loading your jail with whatever executables needed.
> > >
> > > Looks like I simplified my script to one line:
> > >
> > > -----------------------
> > > #!/bin/bash
> > >
> > > /usr/sbin/jk_socketd
> > > ------------------------
> > >
> > > This produces a group of daemonized processes:
> > > nobody   13659 13658  0 Apr18 ?        00:00:00 [jk_socketd]
> > >
> > >
> > > but I think that I had a much more elaborate script to
> > > {start|stop|restart} this daemon, something like:
> > >
> > >
> > > /etc/init.d/chroot_jail
> > > ------------------------
> > > #!/bin/bash
> > >
> > > case "$1" in
> > >   start)
> > >         echo -n "Starting Chroot Jail Server: chroot jail"
> > >         start-stop-daemon --start --quiet --pidfile
> > > /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
> > >         echo "."
> > >         ;;
> > >   stop)
> > >         echo -n "Stopping Chroot Jail Server: chroot jail"
> > >         start-stop-daemon --stop --quiet --oknodo --pidfile
> > > /var/run/jk_socketd.pid
> > >         echo "."
> > >         ;;
> > >
> > >   restart)
> > >         echo -n "Restarting Chroot Jail Server: chroot jail"
> > > start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile
> > > /var/run/jk_socketd.pid
> > >         start-stop-daemon --start --quiet --pidfile
> > > /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
> > >         echo "."
> > >         ;;
> > >
> > >   *)
> > >         echo "Usage: /etc/init.d/chroot_jail
> {start|stop|restart}"
> > >         exit 1
> > > esac
> > >
> > > exit 0
> > > ---------------------------------------
> > >
> > >
> > > Mark
> > >
> > >
> > > --- Andreas John <aj@net-lab.net> wrote:
> > > > Hi Mark!
> > > >
> > > > > You will need to run a special daemon (jk_socketd) to log
> users
> > > > into the
> > > > > jail, but that is about the hardest part.  I'll post my
> startup
> > > > script
> > > > > if you would like.
> > > >
> > > > Do I need the ssh-patch if I run this jk_socketd? Does it
> replace
> > > > that
> > > > patch? It's pain in the ass to maintain an ssh package that is
> > > > seperate
> > > > from the debian tree.
> > > >
> > > > And yes - please post me that startup-script. Would be nice.
> > > >
> > > > Best regards and many pengiuns,
> > > > Andreas
> > > >
> > > >
> > > > --
> > > > Andreas John
> > > > net-lab GmbH
> > > > Luisenstrasse 30b
> > > > 63067 Offenbach
> > > > Tel: +49 69 85700331
> > > >
> > > > http://www.net-lab.net
> > > >
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
>
Reply to:
References:
- RE: restricting sftp/ssh login access
  - From: "Ehren Wilson" <ewilson@echostar.ca>
Prev by Date: Re: restricting sftp/ssh login access
Next by Date: nat ipchains on debian woody
Previous by thread: RE: restricting sftp/ssh login access
Next by thread: Re: restricting sftp/ssh login access
Index(es):
- Date
- Thread