Showing posts with label linux. Show all posts

Saturday, November 10, 2007

Setting up an SFTP chroot jail using rssh

Setting up a chroot jail for SFTP has been a convoluted task without rssh. Typically, you were required to recompile SSH (ugh!).
With rssh ( http://www.pizzashack.org/rssh/ ), the setup is non-intrusive and fairly painless. However, there are still a few quirks that need to be addressed before it will work. I will describe the steps to set up a chroot jail on Red Hat ES4.

Download, compile and install the rssh source from http://www.pizzashack.org/rssh/ .

1) Make it easy on yourself and select /usr as the install prefix. Other tools in the distribution (which you will use further on) are hard-coded to /usr as the install prefix.
./configure --prefix=/usr
make
make install

2) Set up the chroot jail. The mkchroot.sh tool makes this quite easy. The concepts behind the tool are described in great detail in the documentation (same directory as the source).

./mkchroot.sh /my/chroot/jail

I used:
[root]# /opt/SWINSTALL/rrsh/rssh-2.3.2/mkchroot.sh /alcatraz
NOT changing owner of root jail.
NOT changing perms of root jail.
setting up /alcatraz/usr/bin
setting up /alcatraz/usr/libexec/openssh
setting up /alcatraz/usr/libexec
Copying libraries for /usr/bin/scp.
/lib/libcrypto.so.4
/lib/libutil.so.1
/usr/lib/libz.so.1
/lib/libnsl.so.1
................
................
................
lib/libnss1_files-2.3.4.so
lib/libnss1_files.so.1
Setting up /etc in the chroot jail
cp: omitting directory `/etc/ld.so.conf.d'
Chroot jail configuration completed.

NOTE: if you are not using the passwd file for authentication,
you may need to copy some of the /lib/libnss_* files into the jail.

NOTE: you must MANUALLY edit your syslog rc script to start syslogd
with appropriate options to log to /alcatraz/dev/log. In most cases,
you will need to start syslog as:

/sbin/syslogd -a /alcatraz/dev/log

NOTE: we make no guarantee that ANY of this will work for you... if it
doesn't, you're on your own. Sorry!


3) It is recommended that a dedicated group be created for all the users that will be jailed, so we will create the group and add a new user to it. It is also recommended that the user's home be created under the chroot jail you just created.

[root]# mkdir /alcatraz/home
[root]# groupadd jailedgroup
[root]# adduser -c 'User is in chroot jail' -d /alcatraz/home/convict -g jailedgroup -s /usr/bin/rssh convict
[root]# passwd convict

4) Configure the rssh options (/usr/etc/rssh.conf). To understand all the available options, see man rssh.conf.
I am interested in only allowing sftp for my user "convict". The relevant lines:

allowsftp
chrootpath = /alcatraz
user=convict:077:00010:/alcatraz

The access bits 00010 indicate that the user is allowed sftp access only (refer to the man pages).
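Reading the user line by hand is error-prone once you have more than one jailed account, so here is an added example (it is not part of the original post or of the rssh project) that parses rssh.conf user lines and decodes the five access bits the man page documents (rsync, rdist, cvs, sftp, scp, in that order). It flags any user who is allowed more than sftp, has no service enabled, or is not chrooted either per user or via the global chrootpath. The configuration text is constructed for this example; only the "convict" line is the post's own.

```python
"""Audit rssh.conf user lines: decode access bits and check for a chroot.
Added example, not from the original post or the rssh project."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Order of the five binary digits in the access bits field (man rssh.conf).
SERVICES: Tuple[str, ...] = ("rsync", "rdist", "cvs", "sftp", "scp")

# Constructed sample: the post's "convict" line plus two invented users.
SAMPLE_CONF = """\
# constructed rssh.conf sample
allowsftp
chrootpath = /alcatraz
user=convict:077:00010:/alcatraz
user=courier:022:00011:/alcatraz
user=warden:022:00010:
"""

# user=<name>:<umask>:<5 access bits>:<chroot path>, optionally double-quoted.
USER_RE = re.compile(r'^user\s*=\s*"?([^:"]+):([0-7]{3,4}):([01]{5}):([^"]*)"?$')


@dataclass
class RsshUser:
    name: str
    umask: str
    access: str            # five binary digits, e.g. "00010"
    chroot: Optional[str]  # per-user jail path, None if the field was empty

    def allowed(self) -> List[str]:
        """Names of the services whose access bit is 1."""
        return [svc for svc, bit in zip(SERVICES, self.access) if bit == "1"]


def parse_rssh_conf(text: str) -> Tuple[Dict[str, str], Dict[str, RsshUser]]:
    """Return (global keywords, users by name). Comments and blanks are skipped.
    Globals map keyword -> value; bare flags such as allowsftp map to ""."""
    globals_: Dict[str, str] = {}
    users: Dict[str, RsshUser] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = USER_RE.match(line)
        if m:
            name, umask, access, chroot = m.groups()
            users[name] = RsshUser(name, umask, access, chroot or None)
            continue
        key, _, value = line.partition("=")
        globals_[key.strip()] = value.strip()
    return globals_, users


def audit(text: str, expected: Tuple[str, ...] = ("sftp",)) -> Dict[str, List[str]]:
    """Map user name -> findings; users with nothing to report are omitted."""
    globals_, users = parse_rssh_conf(text)
    findings: Dict[str, List[str]] = {}
    for u in users.values():
        problems: List[str] = []
        allowed = u.allowed()
        extra = [s for s in allowed if s not in expected]
        if extra:
            problems.append("allows more than %s: %s" % (", ".join(expected), ", ".join(extra)))
        if not allowed:
            problems.append("no service enabled")
        if u.chroot is None and not globals_.get("chrootpath"):
            problems.append("not chrooted: no per-user path and no global chrootpath")
        if problems:
            findings[u.name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_CONF).items():
        for p in problems:
            print("%s: %s" % (name, p))
```

Point it at a real file with `audit(open("/usr/etc/rssh.conf").read())`; on the constructed sample only "courier" is reported, because its 00011 bits also grant scp.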


Your chroot jail is ready and you are ready to let the convict in ;-).

*******I was running into a "Connection closed" problem when I tried to connect.


$ sftp convict@mysftpserver
Connecting to mysftpserver...
convict@mysftpserver's password:
Connection closed

Googling this problem, I saw a few different issues and solutions. Copying all of /lib into the jail seems to fix it.
[root]# cp /lib/* /alcatraz/lib
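To see which libraries the jail is actually missing before reaching for the blanket copy, here is an added example (not from the original post or from rssh's mkchroot.sh): it parses ldd(1) output for a program that runs inside the jail and reports the shared objects not yet present under the jail root. The ldd output below is constructed for this example (its paths echo the ones mkchroot.sh printed above); the /alcatraz path and the sftp-server location are the post's.

```python
"""List shared libraries a jailed binary needs that are absent from the jail.
Added example, not from the original post or from rssh."""
import os
import subprocess
import sys
from typing import List

# Constructed ldd output for a dynamically linked sftp-server.
SAMPLE_LDD = """\
\tlinux-gate.so.1 =>  (0x00b7e000)
\tlibcrypto.so.4 => /lib/libcrypto.so.4 (0x00c35000)
\tlibutil.so.1 => /lib/libutil.so.1 (0x00a3c000)
\tlibz.so.1 => /usr/lib/libz.so.1 (0x00a0e000)
\tlibnsl.so.1 => /lib/libnsl.so.1 (0x00d7a000)
\tlibc.so.6 => /lib/tls/libc.so.6 (0x0083f000)
\t/lib/ld-linux.so.2 (0x00826000)
"""


def parse_ldd_output(text: str) -> List[str]:
    """Return the absolute paths ldd resolved. Entries without a path (the
    kernel vDSO such as linux-gate.so.1, or 'not found') are skipped; the
    dynamic loader line, which has no '=>', is kept."""
    paths: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "statically linked":
            continue
        target = line.split("=>", 1)[1].strip() if "=>" in line else line
        path = target.split(" (", 1)[0].strip()  # drop the load address
        if path.startswith("/"):
            paths.append(path)
    return paths


def missing_in_jail(libs: List[str], jail: str) -> List[str]:
    """Libraries whose copy does not yet exist at the same path under the jail."""
    return [p for p in libs if not os.path.exists(os.path.join(jail, p.lstrip("/")))]


def libs_for(binary: str) -> List[str]:
    """Run ldd(1) on a real binary and parse its output."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    return parse_ldd_output(out)


if __name__ == "__main__":
    # Usage: python check_jail_libs.py [JAIL] [BINARY...]
    jail = sys.argv[1] if len(sys.argv) > 1 else "/alcatraz"
    binaries = sys.argv[2:] or ["/usr/libexec/openssh/sftp-server"]
    for binary in binaries:
        for lib in missing_in_jail(libs_for(binary), jail):
            print("%s needs %s, missing under %s" % (binary, lib, jail))
```

The jail keeps the same directory layout as the host, so each reported path can be copied to the same location under the jail root; the list is usually far shorter than all of /lib.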

Saturday, September 22, 2007

Record your command line session

The commands you execute on the command line and their output are very helpful when debugging problems. You might even want to record your sessions as part of an audit policy.

Linux and Unix systems make this very easy with the script command:

script [-a] [-c COMMAND] [-f] [-q] [-t] [file]

DESCRIPTION
Script makes a typescript of everything printed on your terminal. It is useful for students who need a hardcopy record of an interactive session as proof of an assignment, as the typescript file can be printed out later with lpr(1).

If the argument file is given, script saves all dialogue in file. If no file name is given, the typescript is saved in the file typescript.

Options:

-a Append the output to file or typescript, retaining the prior contents.

-c COMMAND
Run the COMMAND rather than an interactive shell. This makes it easy for a script to capture the output of a program that behaves differently when its stdout is not a tty.

-f Flush output after each write. This is nice for telecooperation: One person does 'mkfifo foo; script -f foo' and another can supervise real-time what is being done using 'cat foo'.

-q Be quiet.

-t Output timing data to standard error. This data contains two fields, separated by a space. The first field indicates how much time elapsed since the previous output. The second field indicates how many characters were output this time. This information can be used to replay typescripts with realistic typing and output delays.
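The -t timing format is simple enough to replay yourself. Below is an added example (not part of the original post) of a minimal replayer for it: each timing line is "seconds since the previous burst" followed by "bytes written", and the replayer slices the typescript into those bursts, checks that the timing data actually covers the typescript, and writes the bursts back out with their delays (divided by a speed-up factor, like scriptreplay's divisor argument). The typescript and timing data are constructed, not captured output; a real typescript begins with a "Script started on ..." header line and ends with a "Script done on ..." line, neither of which the timing data covers, so the replayer skips the header and ignores any trailing bytes.

```python
"""Replay a typescript using the timing data from `script -t`.
Added example, not from the original post."""
import sys
import time
from typing import Callable, List, Tuple

# Constructed typescript: header line, then what the terminal showed.
TYPESCRIPT = (
    b"Script started on Sat 22 Sep 2007 10:00:00 AM PDT\n"
    b"$ id\n"
    b"uid=500(convict) gid=500(jailedgroup)\n"
    b"$ exit\n"
)
# Constructed timing data: delay before each burst, then its length in bytes.
TIMING = "0.000000 5\n1.250000 38\n0.750000 7\n"


def parse_timing(text: str) -> List[Tuple[float, int]]:
    """Parse `script -t` timing lines into (delay_seconds, byte_count) pairs."""
    pairs: List[Tuple[float, int]] = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError("timing line %d: expected 2 fields, got %r" % (n, line))
        pairs.append((float(fields[0]), int(fields[1])))
    return pairs


def split_bursts(typescript: bytes, timing: str) -> List[Tuple[float, bytes]]:
    """Pair each timing entry with the bytes it describes.
    The first typescript line (the 'Script started' header) is skipped; a
    typescript shorter than the timing data claims is reported as truncated."""
    header, sep, body = typescript.partition(b"\n")
    if not sep or not header.startswith(b"Script started"):
        raise ValueError("typescript does not start with a 'Script started' header")
    bursts: List[Tuple[float, bytes]] = []
    pos = 0
    for delay, count in parse_timing(timing):
        chunk = body[pos:pos + count]
        if len(chunk) != count:
            raise ValueError("typescript truncated: needed %d bytes at offset %d" % (count, pos))
        bursts.append((delay, chunk))
        pos += count
    return bursts


def _stdout_write(data: bytes) -> None:
    sys.stdout.buffer.write(data)
    sys.stdout.flush()


def replay(typescript: bytes, timing: str, divisor: float = 1.0,
           sleep: Callable[[float], None] = time.sleep,
           write: Callable[[bytes], None] = _stdout_write) -> float:
    """Write each burst after its recorded delay / divisor; return total seconds slept."""
    total = 0.0
    for delay, chunk in split_bursts(typescript, timing):
        pause = delay / divisor
        sleep(pause)
        total += pause
        write(chunk)
    return total


if __name__ == "__main__":
    # Usage: python replay.py TIMINGFILE TYPESCRIPT [DIVISOR]; defaults to the sample.
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as tf, open(sys.argv[2], "rb") as ts:
            timing, typescript = tf.read(), ts.read()
        divisor = float(sys.argv[3]) if len(sys.argv) > 3 else 1.0
    else:
        timing, typescript, divisor = TIMING, TYPESCRIPT, 1.0
    replay(typescript, timing, divisor)
```

The byte-count check is what makes the timing data useful for audit purposes as well as replay: if someone has edited the typescript after the fact, the counts stop lining up and split_bursts raises instead of silently drifting.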

Saturday, August 25, 2007

How to use the "screen" utility to keep commands running even when you log out

# screen
# <command that should keep running>
CTRL-a D D (detach the session and log out)

To reattach to an existing detached session:
# screen -R
