Saturday, November 10, 2007

Setting up an SFTP chroot jail using rssh

Setting up a CHROOT JAIL for SFTP has been a convoluted task without the use of RSSH. Typically, you are required to recompile SSH (ugh!).
With the use of RSSH (http://www.pizzashack.org/rssh/), the setup is non-intrusive and fairly painless. However, there are still a few quirks that need to be addressed before it will work. I will describe the steps to set up a CHROOT jail on Red Hat ES4.

Download, compile and install RSSH source from http://www.pizzashack.org/rssh/ .

1) Make it easy on yourself and select /usr as the install prefix. There are other tools in the distribution (which you will use further on) that are hard-coded to /usr as the install prefix.
./configure --prefix=/usr
make
make install

2) Set up the CHROOT JAIL. The tool mkchroot.sh makes setting this up quite easy. The concepts behind the tool are described in great detail in the documentation (same directory as the source).

./mkchroot.sh /my/chroot/jail

I used :
[root]# /opt/SWINSTALL/rrsh/rssh-2.3.2/mkchroot.sh /alcatraz
NOT changing owner of root jail.
NOT changing perms of root jail.
setting up /alcatraz/usr/bin
setting up /alcatraz/usr/libexec/openssh
setting up /alcatraz/usr/libexec
Copying libraries for /usr/bin/scp.
/lib/libcrypto.so.4
/lib/libutil.so.1
/usr/lib/libz.so.1
/lib/libnsl.so.1
................
................
................
lib/libnss1_files-2.3.4.so
lib/libnss1_files.so.1
Setting up /etc in the chroot jail
cp: omitting directory `/etc/ld.so.conf.d'
Chroot jail configuration completed.

NOTE: if you are not using the passwd file for authentication,
you may need to copy some of the /lib/libnss_* files into the jail.

NOTE: you must MANUALLY edit your syslog rc script to start syslogd
with appropriate options to log to /alcatraz/dev/log. In most cases,
you will need to start syslog as:

/sbin/syslogd -a /alcatraz/dev/log

NOTE: we make no guarantee that ANY of this will work for you... if it
doesn't, you're on your own. Sorry!


3) It is recommended that a dedicated group be created for all the users that will be jailed, so we will
create the group and add a new user to it. It is also recommended that the user's home be created under the
chroot jail you just created.

[root]# mkdir /alcatraz/home
[root]# groupadd jailedgroup
[root]# adduser -c 'User is in chroot jail' -d /alcatraz/home/convict -g jailedgroup -s /usr/bin/rssh convict
[root]# passwd convict

4) Configure the rssh options (/usr/etc/rssh.conf). To understand all the available options, run man rssh.conf.
I am interested in only allowing sftp for my user "convict". Some relevant lines:

allowsftp
chrootpath = /alcatraz
user=convict:077:00010:/alcatraz

The access bits 00010 indicate that the user is allowed sftp access only (refer to the man pages).
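As an added example that is not part of the original post: a POSIX shell helper that decodes the access bits of an rssh.conf user= line and audits a jail directory for the things worth checking before the first login, namely the ownership and write bits on the jail root, the dev/null node, and the exact libraries sftp-server needs (the last two are the "Connection closed" causes discussed on this page). It assumes the five-bit order rsync, rdist, cvs, sftp, scp from rssh 2.3.2's man rssh.conf, GNU stat and ldd as found on Red Hat, and sftp-server under /usr/libexec/openssh.

```shell
#!/bin/sh
# Added example, not from the original post. Decodes the access bits of an
# rssh.conf "user=" line and audits a jail directory for the conditions
# that make sftp logins fail or weaken the jail. Assumptions: the five-bit
# order rsync,rdist,cvs,sftp,scp from rssh 2.3.2's man rssh.conf, GNU
# stat/ldd as on Red Hat, and sftp-server under /usr/libexec/openssh.

# rssh_user_services 'user=convict:077:00010:/alcatraz'   -> "sftp"
rssh_user_services() {
    bits=$(printf '%s' "${1#user=}" | cut -d: -f3)
    out="" i=1
    for name in rsync rdist cvs sftp scp; do
        [ "$(printf '%s' "$bits" | cut -c"$i")" = 1 ] && out="$out $name"
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# audit_jail /alcatraz [/usr/libexec/openssh/sftp-server]
# Prints one finding per line and returns the number of findings:
#  - the jail root must be owned by root and not group/world writable
#  - dev/null must exist inside the jail (a known "Connection closed" cause)
#  - every library ldd lists for sftp-server must be present in the jail
audit_jail() {
    jail=$1 helper=${2:-/usr/libexec/openssh/sftp-server} n=0
    [ "$(stat -c %U "$jail" 2>/dev/null)" = root ] ||
        { echo "jail root $jail is not owned by root"; n=$((n + 1)); }
    case $(stat -c %a "$jail" 2>/dev/null) in   # last two octal digits = group/other
        *[2367]?|*[2367]) echo "jail root $jail is group/world writable"
                          n=$((n + 1)) ;;
    esac
    [ -c "$jail/dev/null" ] ||
        { echo "dev/null missing in jail (mknod -m 666 $jail/dev/null c 1 3)"; n=$((n + 1)); }
    if command -v ldd >/dev/null 2>&1 && [ -x "$helper" ]; then
        # Only the libraries ldd resolves to absolute paths are checked.
        for lib in $(ldd "$helper" 2>/dev/null |
                     awk '$2 == "=>" && $3 ~ /^\// { print $3 }; $1 ~ /^\// { print $1 }'); do
            [ -e "$jail$lib" ] || { echo "library $lib missing in jail"; n=$((n + 1)); }
        done
    fi
    return "$n"
}
```

Run audit_jail /alcatraz as root after mkchroot.sh; an empty report means the jail root is locked down and every library the sftp helper loads is already inside the jail, so nothing beyond that needs copying.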


Your chroot jail is ready and you are ready to let the convict in ;-).

******* I was running into a "Connection closed" problem when I tried to connect in.


$ sftp convict@mysftpserver
Connecting to mysftpserver...
convict@mysftpserver's password:
Connection closed

On googling this problem, I saw a few different issues/solutions. Copying all of /lib into the jail seems to fix it.
[root]# cp /lib/* /alcatraz/lib

3 comments:

Nikh Nath said...

Another scenario of "Connection closed" needed the following solution :

mkdir /your/chroot/dir/dev
mknod -m 666 /your/chroot/dir/dev/null c 1 3

FROM :
http://gentoo-wiki.com/HOWTO_SFTP_Server_(chrooted,_without_shell)#Solution_to_.22connection_closed.22

lwoodtri said...

Hi,

I got through the entire tutorial and it all works, however when I use Filezilla... the user is not chrooted... they can browse and see all the other directories other than just their home folder? How can I limit them only to their home folder?

Nikh Nath said...

You will be able to see the directories under the chroot jail (in the example: /alcatraz), including the other users' home directories. However, if the permissions are set right (based on the tutorial), you should not be able to cd into the other users' home directories.

The purpose of this program is to confine the users under the CHROOT JAIL.

I have seen other paid programs that confine to the home directory. This does not. However, the security downside is little since the user CANNOT
1) get out of the chroot jail
2) browse the home directories of other users.

One concern I can see is that the userids of other users are exposed via the home directory names. My suggestion around that would be to use generic userids like "sftpuser8346".

Hope this helps.... NN
