Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Creating a chrooted sftp server without giving shell
View unanswered posts
View posts from last 24 hours

Goto page 1, 2, 3, 4  Next  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
OmniVector
n00b
n00b


Joined: 21 Oct 2002
Posts: 37
Location: Rochester, NY

PostPosted: Tue Aug 12, 2003 12:26 am    Post subject: Creating a chrooted sftp server without giving shell Reply with quote

I found little documentation on this subject, and I'm sure if would be of interest to many people trying to create a secure ftp solution, and this is what I came up with.


Firstly you'll need to emerge the restricted rssh shell
Code:

emerge rssh


To configure it, you'll need add /usr/bin/rssh to the list of accepted shells:
Code:

echo /usr/bin/rssh >> /etc/shells

and you'll want to modify the rssh config and make some minor changes to enable chrooting, scp, and sftp.

/etc/rssh.conf:
Code:

logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath="/home"

If you wish to disable scp, or sftp independently, just remove the line or comment it out with a #.

Next, we need to build a chroot environment for rssh to work.
This involves copying a few files to our chrooted folder (/home).
Code:

cd /home

mkdir -p usr/bin
cp /usr/bin/scp usr/bin
cp /usr/bin/rssh usr/bin

mkdir -p usr/libexec
cp /usr/libexec/rssh_chroot_helper usr/libexec

mkdir -p usr/lib/misc
cp /usr/lib/misc/sftp-server usr/lib/misc

though we're not quite done copying files yet. now we need to copy the dependencies of those files. ldd will tell us what files are needed
Code:

ldd /usr/bin/scp
        libutil.so.1 => /lib/libutil.so.1 (0x4001c000)
        libz.so.1 => /usr/lib/libz.so.1 (0x4001f000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4002d000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40042000)
        libc.so.6 => /lib/libc.so.6 (0x40106000)
        libdl.so.2 => /lib/libdl.so.2 (0x40235000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

so now we need to make the necessary folders, and copy the libs needed for scp
Code:

cd /home

mkdir lib
cp /lib/libutil.so.1 lib
cp /lib/libnsl.so.1 lib
cp /lib/libc.so.6 lib
cp /lib/libdl.so.2 lib
cp /lib/ld-linux.so.2 lib

mkdir -p usr/lib
cp /usr/lib/libz.so.1 usr/lib
cp /usr/lib/libcrypto.so.0.9.6 usr/lib

now run ldd on the other files we copied into our chroot environment
Code:

ldd /usr/bin/rssh
ldd /usr/libexec/rssh_chroot_helper
ldd /usr/lib/misc/sftp-server

copy the libraries associated with those files if there are any we didn't already get from scp. note: for me, there were no other dependencies. copying all the dependencies for scp was enough for me. this should be the case for you as well unless your configuration is very different.

the only thing left to do now is create a user and change their shell to /usr/bin/rssh. there are a couple of ways to do this. you could run superadduser
Code:

emerge superadduser
superadduser

Login name for new user []: testuser

User ID ('UID') [ defaults to next available ]:

Initial group [ users ]:

Additional groups (comma separated) []:

Home directory [ /home/testuser ]
- Warning: '/home/testuser' already exists !
  Do you wish to change the home directory path? (Y/n)  n

Shell [ /bin/bash ] /usr/bin/rssh

Expiry date (YYYY-MM-DD) []:

or simply modify an existing user account
Code:

usermod -s /usr/bin/rssh testuser




finally make sure sshd is running
Code:

/etc/init.d/sshd status
 * status:  started

if not run /etc/init.d/sshd start
and try connecting:
Code:

sftp testuser@yourip.com
Connecting to yourip.com...
testuser@yourip.com's password:
sftp> ls
.
..
.bash_profile
.bashrc
.qmail
sftp> pwd
Remote working directory: /testuser
sftp> exit
ssh testuser@yourip.com
testuser@yourip.com's password:

This account is restricted to scp or sftp.

If you believe this is in error, please contact your system administrator.

Connection to yourip.com closed.



Viola! sftp with chrooting, and no shell allowed!
_________________
-Tristan
Back to top
View user's profile Send private message
carambola5
Apprentice
Apprentice


Joined: 10 Jul 2002
Posts: 214

PostPosted: Tue Aug 12, 2003 1:01 am    Post subject: Reply with quote

I don't claim to be a genius in the field of the Linux virtual filesystem or chrooting, but wouldn't it make more sense to link those files rather than copy them? I believe softlinking won't work because of the chroot jail, but shouldn't hardlinking take care of this? That way, whenever you update a shared library that had been copied into your chroot, it will automatically update in the chroot jail.

Then again, I could be completely wrong.
Back to top
View user's profile Send private message
PowerFactor
Veteran
Veteran


Joined: 30 Jan 2003
Posts: 1693
Location: out of it

PostPosted: Tue Aug 12, 2003 1:23 am    Post subject: Reply with quote

Well, the problem with hardlinking libs in a chroot to the real libs is that if someone manages to muck them up in the chroot they got the real ones too. Kinda defeats at least one purpose of the chroot.
Back to top
View user's profile Send private message
carambola5
Apprentice
Apprentice


Joined: 10 Jul 2002
Posts: 214

PostPosted: Tue Aug 12, 2003 5:17 am    Post subject: Reply with quote

PowerFactor wrote:
Well, the problem with hardlinking libs in a chroot to the real libs is that if someone manages to muck them up in the chroot they got the real ones too. Kinda defeats at least one purpose of the chroot.


Code:
chown root:root *.so
chmod 644 *.so


Once again, I claim ignorance. For all I know, this could set the permissions on the original versions too.
Back to top
View user's profile Send private message
thyrihad
n00b
n00b


Joined: 17 Jun 2003
Posts: 45

PostPosted: Tue Aug 12, 2003 7:19 am    Post subject: Reply with quote

Quote:
Well, the problem with hardlinking libs in a chroot to the real libs is that if someone manages to muck them up in the chroot they got the real ones too. Kinda defeats at least one purpose of the chroot.


Also, you can't hard link accross partitions, and any sensible secure ftp setup would have /home on a different partition to /usr
Back to top
View user's profile Send private message
PowerFactor
Veteran
Veteran


Joined: 30 Jan 2003
Posts: 1693
Location: out of it

PostPosted: Tue Aug 12, 2003 8:13 pm    Post subject: Reply with quote

carambola5 wrote:
[
Code:
chown root:root *.so
chmod 644 *.so


Once again, I claim ignorance. For all I know, this could set the permissions on the original versions too.

Well, I would hope you would set permissions sensibly anyway. ;) But what happens in the extreme case where someone manages find a hole and get a root shell. As I understand it that is one of the main purposes of a chroot, to contain such an exploit. But I'm no expert on such things either.
Back to top
View user's profile Send private message
sschlueter
Guru
Guru


Joined: 26 Jul 2002
Posts: 578
Location: Dortmund, Germany

PostPosted: Mon Sep 01, 2003 5:40 pm    Post subject: Reply with quote

I think I have set up the chroot environment just as you said and sftp seems to be working fine but scp doesn't. It says "unknown user" followed by the uid of the user that I'm trying to log on as.

I have even created etc/passwd and etc/shadow (each containing a single line for that user) inside the chroot but this doesn't help.

Any ideas what I'm doing wrong here?
Back to top
View user's profile Send private message
s0da
n00b
n00b


Joined: 31 Jul 2003
Posts: 11

PostPosted: Sun Sep 07, 2003 5:58 am    Post subject: how about with a shell? Reply with quote

ey guys... this topic was very helpful to me... thanks! i would to know how to configure the stuff with shell access included... actually i would like to provide "shell only" access. currentyl, i'm not interested in providing "scp" and "sftp" access. sorry for my ignorance i'm a complete newbie... i would appreciate any suggestion or help anyone can give. Thanks :lol:
_________________
love after all is being vulnerable...
Back to top
View user's profile Send private message
mstamat
Tux's lil' helper
Tux's lil' helper


Joined: 09 May 2002
Posts: 130
Location: Greece

PostPosted: Wed Sep 10, 2003 1:42 pm    Post subject: script to make things easier Reply with quote

Hi guys,
I just setup rssh for my box. I wanted to use the chroot feature, but I also wanted rssh user to run with the latest installed libs. So I made a little script to make things easier.

Here it is. The script uses ldd to find the runtime dependencies of each of the files listed on the third line of the scripts. The default files seem to work for gentoo, though I didn't tested it extensively. The script also includes a list file in the tarball.

Code:

#!/bin/bash
#by mstamat: http://forums.gentoo.org/profile.php?mode=viewprofile&u=1205
files="/usr/bin/scp /usr/lib/misc/sftp-server /usr/libexec/rssh_chroot_helper"
tarball="chroot_tarball.tar"
tarball_listfile=".chroot_tarball_list"

#check if files exist
for i in $files; do
        if ! [ -f "$i" ]; then
                if [ "$missing" = "" ]; then
                        missing="$i"
                else
                        missing="$i $missing"
                fi
        fi
done

if ! [ "$missing" = "" ]; then
        printf "Cannot continue. The following files are missing: %s\n" "$missing"
        exit 1
fi

#check each file for deps
for i in $files; do
        printf "Getting dependencies for %s...\n" "$i"

        newdeps=$(ldd "$i" | gawk -F' |=>|\t' '{print $5}')
        if echo $newdeps | grep -q " not " ; then
                printf "Unresolved dependencies for %s. " "$i"
                printf "Run: 'ldd %s' to see the details.\n" "$i"
                exit 1;
        fi

        if [ "$alldeps" = "" ]; then
                alldeps="$newdeps"
        else
                alldeps="$newdeps $alldeps"
        fi
done

printf "\nAll needed dependencies found... Creating tarball...\n"

for i in $alldeps $files; do
        echo "$i"
done | sort | uniq > "$tarball_listfile"

#create tarball
tar cvhf "$tarball" $(cat "$tarball_listfile")

#remove slashes from list file and append it to tarball
sed -i 's/^\///'  "$tarball_listfile"
tar rvf "$tarball" "$tarball_listfile"

#remove list file
rm -f "$tarball_listfile"



When you first time configure rssh, you run the script and extract the created tarball in the directory where rssh chroots.

After an update that affects rssh (rssh itself, openssh, libc etc), you follow these steps to update the files used from chrooted rssh:

  • cd /my/chroot/dir
  • rm -rf $(cat .chroot_tarball_list)
  • tar xvf /path/to/new/tarball/chroot_tarball.tar


And you are done :)
_________________
Manolis
Back to top
View user's profile Send private message
dmck
n00b
n00b


Joined: 22 Jan 2003
Posts: 43
Location: Rochester, NY

PostPosted: Wed Oct 01, 2003 1:47 am    Post subject: Reply with quote

I followed exactly what you said to do, and it won't authenticate me via sftp, or ssh...

if i do an sftp testuser@localhost...
it asks me for a password 3 times and then asks for testuser@localhosts's password, and then fails...

any ideas?

-dave
Back to top
View user's profile Send private message
dmck
n00b
n00b


Joined: 22 Jan 2003
Posts: 43
Location: Rochester, NY

PostPosted: Wed Oct 01, 2003 4:10 am    Post subject: Reply with quote

N/M...i'm just an idiot, and forgot to allow the new user and group in my sshd.conf..




:oops:

- dave
Back to top
View user's profile Send private message
Steffen
Apprentice
Apprentice


Joined: 14 Jul 2002
Posts: 159

PostPosted: Sat Oct 25, 2003 6:58 pm    Post subject: Reply with quote

Just a quick note for people trying to follow this nice tutorial. I had to copy /lib/ld-linux.so.2 to the chroot, because it it used by rssh!
Code:
# ldd /usr/bin/rssh
libc.so.6 => /lib/libc.so.6 (0x4002b000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
Back to top
View user's profile Send private message
Cicero
Apprentice
Apprentice


Joined: 21 Jul 2003
Posts: 220

PostPosted: Sun Oct 26, 2003 5:23 am    Post subject: Reply with quote

sschlueter wrote:
I think I have set up the chroot environment just as you said and sftp seems to be working fine but scp doesn't. It says "unknown user" followed by the uid of the user that I'm trying to log on as.

I have even created etc/passwd and etc/shadow (each containing a single line for that user) inside the chroot but this doesn't help.

Any ideas what I'm doing wrong here?


I'm having the same problem, but have yet to figure it out. A bit of help, anyone?
Back to top
View user's profile Send private message
Steffen
Apprentice
Apprentice


Joined: 14 Jul 2002
Posts: 159

PostPosted: Sun Oct 26, 2003 9:54 am    Post subject: Reply with quote

Cicero wrote:
sschlueter wrote:
I think I have set up the chroot environment just as you said and sftp seems to be working fine but scp doesn't. It says "unknown user" followed by the uid of the user that I'm trying to log on as.

I have even created etc/passwd and etc/shadow (each containing a single line for that user) inside the chroot but this doesn't help.

Any ideas what I'm doing wrong here?


I'm having the same problem, but have yet to figure it out. A bit of help, anyone?
The same thing happens for me, too. I didn't even notice it, because I'm mainly interested in SFTP.
Back to top
View user's profile Send private message
Cicero
Apprentice
Apprentice


Joined: 21 Jul 2003
Posts: 220

PostPosted: Sun Oct 26, 2003 8:46 pm    Post subject: Reply with quote

I want to use CVS over it, so I suppose I need scp.
Back to top
View user's profile Send private message
Steffen
Apprentice
Apprentice


Joined: 14 Jul 2002
Posts: 159

PostPosted: Sun Oct 26, 2003 11:28 pm    Post subject: Reply with quote

I'm sorry, but I'm not an expert and unfortunately do not know a solution. :(
Back to top
View user's profile Send private message
rojaro
l33t
l33t


Joined: 06 May 2002
Posts: 732

PostPosted: Mon Oct 27, 2003 1:41 pm    Post subject: Reply with quote

Like Scotty said on StarTrek (i think it was in "The Final Frontier"): "How often do i have to tell you people - Always use the right tool for the right Job!"

This is also pretty much true for this case. scponly (net-misc/scponly) does IMHO a much better job in providing this kind of scp service. It provides chroot support out of the box, it has rsync support and is compatible to kind of sftp clients (such as gFTP, the Windows Commander SCP plug-in and also WinSCP), provides a pretty nice logging facility and it doesnt need much memory. I use it pretty much to give selected people access to my CVS server as well as providing an anonymous SFTP service.
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)
Back to top
View user's profile Send private message
Cicero
Apprentice
Apprentice


Joined: 21 Jul 2003
Posts: 220

PostPosted: Mon Oct 27, 2003 5:00 pm    Post subject: Reply with quote

It doesn't seem to come with chroot functionality in portage.
Back to top
View user's profile Send private message
rojaro
l33t
l33t


Joined: 06 May 2002
Posts: 732

PostPosted: Mon Oct 27, 2003 9:37 pm    Post subject: Reply with quote

right, the "--enable-chrooted-binary" configure flag is missing plus the "make jail" ... but thats fairly easy to enable - just edit the ebuild, emerge and it should work with chroot support.
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)
Back to top
View user's profile Send private message
Steffen
Apprentice
Apprentice


Joined: 14 Jul 2002
Posts: 159

PostPosted: Mon Oct 27, 2003 11:07 pm    Post subject: Reply with quote

I think I've found the solution for the "SCP does not work with RSSH" problem! :)

The file CHROOT that comes with RSSH states:
[quote]You may need to copy additional libraries, if your system depends upon them for authentication. For example, in my testing, I needed to copy /lib/libnss_files.so.? into the chroot jail. Without it, the scp command failed, complaining that my user ID was an unknown user. If you use LDAP authentication on the server, you will probably need to also copy libnss_ldap.so.? into your chroot jail.[/code]

So I tried it with all /lib/libnss_* files and finally found out that on my Gentoo system (and probably yours) you have to copy /lib/libnss_compat.so.2 into your chroot jail to make SCP work with RSSH!

Edit: I forgot to say that I had to copy my /etc/passwd file into the chroot, too. I don't know, but this makes SCP a bit less attractive for me than SFTP...
Back to top
View user's profile Send private message
leon_73
Guru
Guru


Joined: 13 Mar 2003
Posts: 505
Location: Milano

PostPosted: Tue Oct 28, 2003 1:00 pm    Post subject: Re: Creating a chrooted sftp server without giving shell Reply with quote

Hi,
first of all, thank foe the very well done guide! :D
Second, just a silly question...
What is the rssh_chroot_helper???
OmniVector wrote:
ldd /usr/libexec/rssh_chroot_helper

I don't have it! 8O
Leo
Back to top
View user's profile Send private message
Steffen
Apprentice
Apprentice


Joined: 14 Jul 2002
Posts: 159

PostPosted: Tue Oct 28, 2003 1:17 pm    Post subject: Reply with quote

It's in /usr/lib/misc/ on my system.
Back to top
View user's profile Send private message
leon_73
Guru
Guru


Joined: 13 Mar 2003
Posts: 505
Location: Milano

PostPosted: Tue Oct 28, 2003 1:34 pm    Post subject: Reply with quote

Steffen wrote:
It's in /usr/lib/misc/ on my system.

Found! but what it is for???
It has no man or something else?

Leo
Back to top
View user's profile Send private message
Cicero
Apprentice
Apprentice


Joined: 21 Jul 2003
Posts: 220

PostPosted: Tue Oct 28, 2003 11:49 pm    Post subject: Reply with quote

rojaro wrote:
right, the "--enable-chrooted-binary" configure flag is missing plus the "make jail" ... but thats fairly easy to enable - just edit the ebuild, emerge and it should work with chroot support.


Great, why don't you file a bug report? And why wasn't this already done? I thought gentoo people liked chrooting.
Back to top
View user's profile Send private message
Cicero
Apprentice
Apprentice


Joined: 21 Jul 2003
Posts: 220

PostPosted: Wed Oct 29, 2003 12:58 am    Post subject: Reply with quote

Well, I got rssh working with scp, but cvs gives the "this account restricted to scp and sftp" message. I thought cvs used scp, so why is is acting like it's trying to get a shell? How can I get this to work?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page 1, 2, 3, 4  Next
Page 1 of 4

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum