Creating a chrooted sftp server without giving shell

Unofficial documentation for various parts of Gentoo Linux. Note: This is not a support forum.
81 posts, page 1 of 4
OmniVector
n00b
Posts: 37
Joined: Mon Oct 21, 2002 4:21 am
Location: Rochester, NY

Post by OmniVector » Tue Aug 12, 2003 12:26 am

I found little documentation on this subject, and I'm sure it would be of interest to many people trying to create a secure ftp solution, so this is what I came up with.

First you'll need to emerge the restricted rssh shell:

Code:

emerge rssh

To configure it, you'll need to add /usr/bin/rssh to the list of accepted shells:

Code:

echo /usr/bin/rssh >> /etc/shells

And you'll want to modify the rssh config and make some minor changes to enable chrooting, scp, and sftp.

/etc/rssh.conf:

Code:

logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath="/home"

If you wish to disable scp or sftp independently, just remove the line or comment it out with a #.

Next, we need to build a chroot environment for rssh to work. This involves copying a few files to our chrooted folder (/home).

Code:

cd /home

mkdir -p usr/bin
cp /usr/bin/scp usr/bin
cp /usr/bin/rssh usr/bin

mkdir -p usr/libexec
cp /usr/libexec/rssh_chroot_helper usr/libexec

mkdir -p usr/lib/misc
cp /usr/lib/misc/sftp-server usr/lib/misc

We're not quite done copying files yet. Now we need to copy the dependencies of those files; ldd will tell us what files are needed:

Code:

ldd /usr/bin/scp
        libutil.so.1 => /lib/libutil.so.1 (0x4001c000)
        libz.so.1 => /usr/lib/libz.so.1 (0x4001f000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4002d000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40042000)
        libc.so.6 => /lib/libc.so.6 (0x40106000)
        libdl.so.2 => /lib/libdl.so.2 (0x40235000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

So now we need to make the necessary folders and copy the libs needed for scp:

Code:

cd /home

mkdir lib
cp /lib/libutil.so.1 lib
cp /lib/libnsl.so.1 lib
cp /lib/libc.so.6 lib
cp /lib/libdl.so.2 lib
cp /lib/ld-linux.so.2 lib

mkdir -p usr/lib
cp /usr/lib/libz.so.1 usr/lib
cp /usr/lib/libcrypto.so.0.9.6 usr/lib

Now run ldd on the other files we copied into our chroot environment:

Code:

ldd /usr/bin/rssh
ldd /usr/libexec/rssh_chroot_helper
ldd /usr/lib/misc/sftp-server

Copy the libraries associated with those files if there are any we didn't already get from scp. Note: for me, there were no other dependencies; copying all the dependencies for scp was enough. This should be the case for you as well unless your configuration is very different.

The only thing left to do now is create a user and change their shell to /usr/bin/rssh. There are a couple of ways to do this. You could run superadduser:

Code:

emerge superadduser
superadduser

Login name for new user []: testuser

User ID ('UID') [ defaults to next available ]:

Initial group [ users ]:

Additional groups (comma separated) []:

Home directory [ /home/testuser ]
- Warning: '/home/testuser' already exists !
  Do you wish to change the home directory path? (Y/n)  n

Shell [ /bin/bash ] /usr/bin/rssh

Expiry date (YYYY-MM-DD) []:

Or simply modify an existing user account:

Code:

usermod -s /usr/bin/rssh testuser

Finally make sure sshd is running:

Code:

/etc/init.d/sshd status
 * status:  started

If not, run /etc/init.d/sshd start and try connecting:

Code:

sftp testuser@yourip.com
Connecting to yourip.com...
testuser@yourip.com's password:
sftp> ls
.
..
.bash_profile
.bashrc
.qmail
sftp> pwd
Remote working directory: /testuser
sftp> exit
ssh testuser@yourip.com
testuser@yourip.com's password:

This account is restricted to scp or sftp.

If you believe this is in error, please contact your system administrator.

Connection to yourip.com closed.

Voilà! sftp with chrooting, and no shell allowed!
-Tristan
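The procedure in the post above, collected into a script as an added example (this is not OmniVector's code, nor rssh's): it copies each named host binary and every shared object ldd resolves for it into the jail at the same path it has on the host, and it can re-check the jail copies against the host after an upgrade of openssh or glibc. The jail root and the binary list are arguments, so nothing here assumes the /home layout or the library versions shown in the ldd listing. Two caveats worth knowing when automating this: ldd may run the dynamic loader on the file it inspects, so point it only at trusted, installed binaries; and ldd lists link-time dependencies only, so anything glibc dlopen()s at run time (the libnss_*.so.2 modules used for user lookups) never appears in its output and has to be added by hand. Also note that with chrootpath="/home" every rssh user lands in a jail containing every other user's home directory; the chroot does nothing to separate them, so that is left to directory permissions (mode 700 homes).

```shell
#!/bin/bash
# Added example, not from the original post: populate an rssh jail from a list
# of host binaries, copying each one plus every shared object ldd resolves for
# it, at the same path under the jail root that it has on the host.
#
# Caveats: ldd may execute the dynamic loader on the file it inspects, so only
# point it at trusted, installed binaries. It also lists link-time dependencies
# only; modules glibc dlopen()s at run time (e.g. libnss_*.so.2 for user
# lookups) never appear in its output and must be added separately.
set -eu

# Read ldd output on stdin and print one absolute library path per line.
# Handles both "libc.so.6 => /lib/libc.so.6 (0x...)" lines and a bare
# interpreter line "/lib/ld-linux.so.2 (0x...)". Exits 1 if any dependency
# is reported as "not found", so a half-populated jail is never produced.
parse_ldd() {
    awk '
        /not found/              { missing = 1 }
        $2 == "=>" && $3 ~ /^\// { print $3 }
        $2 != "=>" && $1 ~ /^\// { print $1 }
        END                      { exit missing }
    '
}

# Copy one absolute host path to the same location under the jail.
# -L dereferences symlinks (e.g. /lib/libc.so.6 -> libc-2.x.so) so the jail
# holds a real file, not a link that dangles inside the chroot.
install_into_jail() {
    local jail="$1" src="$2"
    mkdir -p "$jail$(dirname "$src")"
    cp -L "$src" "$jail$src"
    # jail directories must not be writable by the sftp users
    chmod 755 "$jail$(dirname "$src")"
}

# Copy each binary and its resolved dependencies into the jail.
# Aborts (via set -e) if parse_ldd reports an unresolved dependency.
build_jail() {
    local jail="$1"; shift
    local bin lib deps
    for bin in "$@"; do
        install_into_jail "$jail" "$bin"
        deps=$(ldd "$bin" | parse_ldd)
        for lib in $deps; do
            install_into_jail "$jail" "$lib"
        done
    done
}

# Compare the jail copies of the given host paths with the originals; prints
# each path whose copy is missing or differs (stale after an upgrade) and
# returns 1 if any did, 0 if the jail is current.
check_jail() {
    local jail="$1" p stale=0; shift
    for p in "$@"; do
        if ! cmp -s "$p" "$jail$p"; then
            echo "needs refresh: $p"
            stale=1
        fi
    done
    return "$stale"
}

# Usage (as root): build_jail.sh /home /usr/bin/scp /usr/bin/rssh \
#     /usr/libexec/rssh_chroot_helper /usr/lib/misc/sftp-server
if [ "$#" -ge 2 ]; then
    build_jail "$@"
fi
```

Run it as root with the jail root first and the binaries after it; to audit an existing jail, call check_jail with the same jail root followed by the binaries and the paths parse_ldd printed for them, and rebuild whenever it reports a mismatch.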
carambola5
Apprentice
Posts: 214
Joined: Wed Jul 10, 2002 8:53 pm

Post by carambola5 » Tue Aug 12, 2003 1:01 am

I don't claim to be a genius in the field of the Linux virtual filesystem or chrooting, but wouldn't it make more sense to link those files rather than copy them? I believe softlinking won't work because of the chroot jail, but shouldn't hardlinking take care of this? That way, whenever you update a shared library that had been copied into your chroot, it will automatically update in the chroot jail.

Then again, I could be completely wrong.
PowerFactor
Veteran
Posts: 1693
Joined: Thu Jan 30, 2003 7:45 pm
Location: out of it

Post by PowerFactor » Tue Aug 12, 2003 1:23 am

Well, the problem with hardlinking libs in a chroot to the real libs is that if someone manages to muck them up in the chroot they got the real ones too. Kinda defeats at least one purpose of the chroot.
carambola5
Apprentice
Posts: 214
Joined: Wed Jul 10, 2002 8:53 pm

Post by carambola5 » Tue Aug 12, 2003 5:17 am

PowerFactor wrote: Well, the problem with hardlinking libs in a chroot to the real libs is that if someone manages to muck them up in the chroot they got the real ones too. Kinda defeats at least one purpose of the chroot.

Code:

chown root:root *.so
chmod 644 *.so

Once again, I claim ignorance. For all I know, this could set the permissions on the original versions too.
thyrihad
n00b
Posts: 45
Joined: Tue Jun 17, 2003 11:45 am

Post by thyrihad » Tue Aug 12, 2003 7:19 am

PowerFactor wrote: Well, the problem with hardlinking libs in a chroot to the real libs is that if someone manages to muck them up in the chroot they got the real ones too. Kinda defeats at least one purpose of the chroot.

Also, you can't hard link across partitions, and any sensible secure ftp setup would have /home on a different partition to /usr.
PowerFactor
Veteran
Posts: 1693
Joined: Thu Jan 30, 2003 7:45 pm
Location: out of it

Post by PowerFactor » Tue Aug 12, 2003 8:13 pm

carambola5 wrote:

Code:

chown root:root *.so
chmod 644 *.so

Once again, I claim ignorance. For all I know, this could set the permissions on the original versions too.

Well, I would hope you would set permissions sensibly anyway. ;) But what happens in the extreme case where someone manages to find a hole and get a root shell? As I understand it that is one of the main purposes of a chroot, to contain such an exploit. But I'm no expert on such things either.
sschlueter
Guru
Posts: 578
Joined: Fri Jul 26, 2002 1:11 am
Location: Dortmund, Germany

Post by sschlueter » Mon Sep 01, 2003 5:40 pm

I think I have set up the chroot environment just as you said and sftp seems to be working fine but scp doesn't. It says "unknown user" followed by the uid of the user that I'm trying to log on as.

I have even created etc/passwd and etc/shadow (each containing a single line for that user) inside the chroot but this doesn't help.

Any ideas what I'm doing wrong here?
s0da
n00b
Posts: 11
Joined: Thu Jul 31, 2003 11:27 pm

how about with a shell?

Post by s0da » Sun Sep 07, 2003 5:58 am

Hey guys... this topic was very helpful to me... thanks! I would like to know how to configure the stuff with shell access included... actually I would like to provide "shell only" access. Currently, I'm not interested in providing "scp" and "sftp" access. Sorry for my ignorance, I'm a complete newbie... I would appreciate any suggestion or help anyone can give. Thanks :lol:
love after all is being vulnerable...
mstamat
Tux's lil' helper
Posts: 130
Joined: Thu May 09, 2002 12:12 pm
Location: Greece

script to make things easier

Post by mstamat » Wed Sep 10, 2003 1:42 pm

Hi guys,
I just set up rssh for my box. I wanted to use the chroot feature, but I also wanted the rssh user to run with the latest installed libs. So I made a little script to make things easier.

Here it is. The script uses ldd to find the runtime dependencies of each of the files listed on the third line of the script. The default files seem to work for Gentoo, though I haven't tested it extensively. The script also includes a list file in the tarball.

Code:

#!/bin/bash
#by mstamat: http://forums.gentoo.org/profile.php?mode=viewprofile&u=1205
#binaries the chrooted rssh needs; their shared-library dependencies are
#discovered with ldd and bundled into the tarball together with them
files="/usr/bin/scp /usr/lib/misc/sftp-server /usr/libexec/rssh_chroot_helper"
tarball="chroot_tarball.tar"
tarball_listfile=".chroot_tarball_list"

#check if files exist
for i in $files; do
        if ! [ -f "$i" ]; then
                missing="$i $missing"
        fi
done

if ! [ "$missing" = "" ]; then
        printf "Cannot continue. The following files are missing: %s\n" "$missing"
        exit 1
fi

#check each file for deps
for i in $files; do
        printf "Getting dependencies for %s...\n" "$i"

        #fail early if the dynamic linker cannot resolve something
        if ldd "$i" | grep -q "not found"; then
                printf "Unresolved dependencies for %s. " "$i"
                printf "Run: 'ldd %s' to see the details.\n" "$i"
                exit 1
        fi

        #take the resolved path from "libfoo.so => /lib/libfoo.so (0x...)" lines
        #and the interpreter from a bare "/lib/ld-linux.so.2 (0x...)" line
        newdeps=$(ldd "$i" | awk '$2 == "=>" && $3 ~ /^\// {print $3} $2 != "=>" && $1 ~ /^\// {print $1}')
        alldeps="$newdeps $alldeps"
done

printf "\nAll needed dependencies found... Creating tarball...\n"

for i in $alldeps $files; do
        echo "$i"
done | sort -u > "$tarball_listfile"

#create tarball; -h dereferences symlinks such as /lib/libc.so.6 so the
#jail gets real files rather than links pointing outside it
tar cvhf "$tarball" $(cat "$tarball_listfile")

#remove leading slashes from list file and append it to tarball
sed -i 's/^\///'  "$tarball_listfile"
tar rvf "$tarball" "$tarball_listfile"

#remove list file
rm -f "$tarball_listfile"

When you first configure rssh, run the script and extract the created tarball in the directory where rssh chroots.

After an update that affects rssh (rssh itself, openssh, libc etc.), follow these steps to update the files used by the chrooted rssh:
  • cd /my/chroot/dir
  • rm -rf $(cat .chroot_tarball_list)
  • tar xvf /path/to/new/tarball/chroot_tarball.tar
And you are done :)
Manolis
dmck
n00b
Posts: 43
Joined: Wed Jan 22, 2003 12:08 am
Location: Rochester, NY

Post by dmck » Wed Oct 01, 2003 1:47 am

I followed exactly what you said to do, and it won't authenticate me via sftp, or ssh...

if i do an sftp testuser@localhost...
it asks me for a password 3 times and then asks for testuser@localhosts's password, and then fails...

any ideas?

-dave
dmck
n00b
Posts: 43
Joined: Wed Jan 22, 2003 12:08 am
Location: Rochester, NY

Post by dmck » Wed Oct 01, 2003 4:10 am

N/M... I'm just an idiot, and forgot to allow the new user and group in my sshd.conf.

:oops:

- dave
Steffen
Apprentice
Posts: 159
Joined: Sun Jul 14, 2002 12:37 am

Post by Steffen » Sat Oct 25, 2003 6:58 pm

Just a quick note for people trying to follow this nice tutorial. I had to copy /lib/ld-linux.so.2 to the chroot, because it is used by rssh!

Code:

# ldd /usr/bin/rssh
libc.so.6 => /lib/libc.so.6 (0x4002b000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
Cicero
Apprentice
Posts: 220
Joined: Mon Jul 21, 2003 3:52 pm

Post by Cicero » Sun Oct 26, 2003 5:23 am

sschlueter wrote:I think I have set up the chroot environment just as you said and sftp seems to be working fine but scp doesn't. It says "unknown user" followed by the uid of the user that I'm trying to log on as.

I have even created etc/passwd and etc/shadow (each containing a single line for that user) inside the chroot but this doesn't help.

Any ideas what I'm doing wrong here?
I'm having the same problem, but have yet to figure it out. A bit of help, anyone?
Steffen
Apprentice
Posts: 159
Joined: Sun Jul 14, 2002 12:37 am

Post by Steffen » Sun Oct 26, 2003 9:54 am

Cicero wrote:
sschlueter wrote:I think I have set up the chroot environment just as you said and sftp seems to be working fine but scp doesn't. It says "unknown user" followed by the uid of the user that I'm trying to log on as.

I have even created etc/passwd and etc/shadow (each containing a single line for that user) inside the chroot but this doesn't help.

Any ideas what I'm doing wrong here?
I'm having the same problem, but have yet to figure it out. A bit of help, anyone?
The same thing happens for me, too. I didn't even notice it, because I'm mainly interested in SFTP.
Cicero
Apprentice
Posts: 220
Joined: Mon Jul 21, 2003 3:52 pm

Post by Cicero » Sun Oct 26, 2003 8:46 pm

I want to use CVS over it, so I suppose I need scp.
Steffen
Apprentice
Posts: 159
Joined: Sun Jul 14, 2002 12:37 am

Post by Steffen » Sun Oct 26, 2003 11:28 pm

I'm sorry, but I'm not an expert and unfortunately do not know a solution. :(
rojaro
l33t
Posts: 732
Joined: Mon May 06, 2002 4:56 pm

Post by rojaro » Mon Oct 27, 2003 1:41 pm

Like Scotty said on StarTrek (i think it was in "The Final Frontier"): "How often do i have to tell you people - Always use the right tool for the right Job!"

This is also pretty much true for this case. scponly (net-misc/scponly) does IMHO a much better job in providing this kind of scp service. It provides chroot support out of the box, has rsync support, is compatible with all kinds of sftp clients (such as gFTP, the Windows Commander SCP plug-in and also WinSCP), provides a pretty nice logging facility, and it doesn't need much memory. I use it to give selected people access to my CVS server as well as to provide an anonymous SFTP service.
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)
Cicero
Apprentice
Posts: 220
Joined: Mon Jul 21, 2003 3:52 pm

Post by Cicero » Mon Oct 27, 2003 5:00 pm

It doesn't seem to come with chroot functionality in portage.
rojaro
l33t
Posts: 732
Joined: Mon May 06, 2002 4:56 pm

Post by rojaro » Mon Oct 27, 2003 9:37 pm

Right, the "--enable-chrooted-binary" configure flag is missing, plus the "make jail"... but that's fairly easy to enable: just edit the ebuild, emerge, and it should work with chroot support.
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)
Steffen
Apprentice
Posts: 159
Joined: Sun Jul 14, 2002 12:37 am

Post by Steffen » Mon Oct 27, 2003 11:07 pm

I think I've found the solution for the "SCP does not work with RSSH" problem! :)

The file CHROOT that comes with RSSH states:
You may need to copy additional libraries, if your system depends upon them for authentication. For example, in my testing, I needed to copy /lib/libnss_files.so.? into the chroot jail. Without it, the scp command failed, complaining that my user ID was an unknown user. If you use LDAP authentication on the server, you will probably need to also copy libnss_ldap.so.? into your chroot jail.

So I tried it with all /lib/libnss_* files and finally found out that on my Gentoo system (and probably yours) you have to copy /lib/libnss_compat.so.2 into your chroot jail to make SCP work with RSSH!

Edit: I forgot to say that I had to copy my /etc/passwd file into the chroot, too. I don't know, but this makes SCP a bit less attractive for me than SFTP...
leon_73
Guru
Posts: 505
Joined: Thu Mar 13, 2003 2:08 pm
Location: Milano

Re: Creating a chrooted sftp server without giving shell

Post by leon_73 » Tue Oct 28, 2003 1:00 pm

Hi,
first of all, thanks for the very well done guide! :D
Second, just a silly question...
What is the rssh_chroot_helper???
OmniVector wrote: ldd /usr/libexec/rssh_chroot_helper
I don't have it! 8O
Leo
Steffen
Apprentice
Posts: 159
Joined: Sun Jul 14, 2002 12:37 am

Post by Steffen » Tue Oct 28, 2003 1:17 pm

It's in /usr/lib/misc/ on my system.
leon_73
Guru
Posts: 505
Joined: Thu Mar 13, 2003 2:08 pm
Location: Milano

Post by leon_73 » Tue Oct 28, 2003 1:34 pm

Steffen wrote: It's in /usr/lib/misc/ on my system.

Found! But what is it for???
Does it have no man page or anything?

Leo
Cicero
Apprentice
Posts: 220
Joined: Mon Jul 21, 2003 3:52 pm

Post by Cicero » Tue Oct 28, 2003 11:49 pm

rojaro wrote: Right, the "--enable-chrooted-binary" configure flag is missing, plus the "make jail"... but that's fairly easy to enable: just edit the ebuild, emerge, and it should work with chroot support.

Great, why don't you file a bug report? And why wasn't this already done? I thought Gentoo people liked chrooting.
Cicero
Apprentice
Apprentice
Posts: 220
Joined: Mon Jul 21, 2003 3:52 pm

  • Quote

Post by Cicero » Wed Oct 29, 2003 12:58 am

Well, I got rssh working with scp, but cvs gives the "this account is restricted to scp or sftp" message. I thought cvs used scp, so why is it acting like it's trying to get a shell? How can I get this to work?
© 2001–2026 Gentoo Foundation, Inc.