OmniVector n00b
Joined: 21 Oct 2002 Posts: 37 Location: Rochester, NY
Posted: Tue Aug 12, 2003 12:26 am Post subject: Creating a chrooted sftp server without giving shell
I found little documentation on this subject, and I'm sure it would be of interest to many people trying to create a secure ftp solution, so this is what I came up with.
Firstly you'll need to emerge the restricted rssh shell.
To configure it, you'll need to add /usr/bin/rssh to the list of accepted shells:
Code:
echo /usr/bin/rssh >> /etc/shells
and you'll want to modify the rssh config and make some minor changes to enable chrooting, scp, and sftp.
/etc/rssh.conf:
Code:
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath="/home"
If you wish to disable scp, or sftp independently, just remove the line or comment it out with a #.
Next, we need to build a chroot environment for rssh to work.
This involves copying a few files to our chrooted folder (/home).
Code:
cd /home
mkdir -p usr/bin
cp /usr/bin/scp usr/bin
cp /usr/bin/rssh usr/bin
mkdir -p usr/libexec
cp /usr/libexec/rssh_chroot_helper usr/libexec
mkdir -p usr/lib/misc
cp /usr/lib/misc/sftp-server usr/lib/misc
Though we're not quite done copying files yet: now we need to copy the dependencies of those files. ldd will tell us what files are needed:
Code:
ldd /usr/bin/scp
libutil.so.1 => /lib/libutil.so.1 (0x4001c000)
libz.so.1 => /usr/lib/libz.so.1 (0x4001f000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4002d000)
libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40042000)
libc.so.6 => /lib/libc.so.6 (0x40106000)
libdl.so.2 => /lib/libdl.so.2 (0x40235000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
So now we need to make the necessary folders and copy the libs needed for scp:
Code:
cd /home
mkdir lib
cp /lib/libutil.so.1 lib
cp /lib/libnsl.so.1 lib
cp /lib/libc.so.6 lib
cp /lib/libdl.so.2 lib
cp /lib/ld-linux.so.2 lib
mkdir -p usr/lib
cp /usr/lib/libz.so.1 usr/lib
cp /usr/lib/libcrypto.so.0.9.6 usr/lib
Now run ldd on the other files we copied into our chroot environment:
Code:
ldd /usr/bin/rssh
ldd /usr/libexec/rssh_chroot_helper
ldd /usr/lib/misc/sftp-server
Copy the libraries associated with those files if there are any we didn't already get from scp. Note: for me, there were no other dependencies; copying all the dependencies for scp was enough. This should be the case for you as well unless your configuration is very different.
The only thing left to do now is create a user and change their shell to /usr/bin/rssh. There are a couple of ways to do this. You could run superadduser:
Code:
emerge superadduser
superadduser
Login name for new user []: testuser
User ID ('UID') [ defaults to next available ]:
Initial group [ users ]:
Additional groups (comma separated) []:
Home directory [ /home/testuser ]
- Warning: '/home/testuser' already exists !
Do you wish to change the home directory path? (Y/n) n
Shell [ /bin/bash ] /usr/bin/rssh
Expiry date (YYYY-MM-DD) []:
Or simply modify an existing user account:
Code:
usermod -s /usr/bin/rssh testuser
Finally, make sure sshd is running:
Code:
/etc/init.d/sshd status
* status: started
If not, run /etc/init.d/sshd start
and try connecting:
Code:
sftp testuser@yourip.com
Connecting to yourip.com...
testuser@yourip.com's password:
sftp> ls
.
..
.bash_profile
.bashrc
.qmail
sftp> pwd
Remote working directory: /testuser
sftp> exit
ssh testuser@yourip.com
testuser@yourip.com's password:
This account is restricted to scp or sftp.
If you believe this is in error, please contact your system administrator.
Connection to yourip.com closed.
Voilà! sftp with chrooting, and no shell allowed!
-Tristan

carambola5 Apprentice
Joined: 10 Jul 2002 Posts: 214
Posted: Tue Aug 12, 2003 1:01 am
I don't claim to be a genius in the field of the Linux virtual filesystem or chrooting, but wouldn't it make more sense to link those files rather than copy them? I believe softlinking won't work because of the chroot jail, but shouldn't hardlinking take care of this? That way, whenever you update a shared library that had been copied into your chroot, it will automatically update in the chroot jail.
Then again, I could be completely wrong.

PowerFactor Veteran
Joined: 30 Jan 2003 Posts: 1693 Location: out of it
Posted: Tue Aug 12, 2003 1:23 am
Well, the problem with hardlinking libs in a chroot to the real libs is that if someone manages to muck them up in the chroot they got the real ones too. Kinda defeats at least one purpose of the chroot.

carambola5 Apprentice
Joined: 10 Jul 2002 Posts: 214
Posted: Tue Aug 12, 2003 5:17 am
PowerFactor wrote:
Well, the problem with hardlinking libs in a chroot to the real libs is that if someone manages to muck them up in the chroot they got the real ones too. Kinda defeats at least one purpose of the chroot.
Code:
chown root:root *.so
chmod 644 *.so
Once again, I claim ignorance. For all I know, this could set the permissions on the original versions too.

thyrihad n00b
Joined: 17 Jun 2003 Posts: 45
Posted: Tue Aug 12, 2003 7:19 am
Quote:
Well, the problem with hardlinking libs in a chroot to the real libs is that if someone manages to muck them up in the chroot they got the real ones too. Kinda defeats at least one purpose of the chroot.
Also, you can't hard link across partitions, and any sensible secure ftp setup would have /home on a different partition to /usr.

PowerFactor Veteran
Joined: 30 Jan 2003 Posts: 1693 Location: out of it
Posted: Tue Aug 12, 2003 8:13 pm
carambola5 wrote:
Code:
chown root:root *.so
chmod 644 *.so
Once again, I claim ignorance. For all I know, this could set the permissions on the original versions too.
Well, I would hope you would set permissions sensibly anyway. But what happens in the extreme case where someone manages to find a hole and get a root shell? As I understand it, that is one of the main purposes of a chroot, to contain such an exploit. But I'm no expert on such things either.

sschlueter Guru
Joined: 26 Jul 2002 Posts: 578 Location: Dortmund, Germany
Posted: Mon Sep 01, 2003 5:40 pm
I think I have set up the chroot environment just as you said and sftp seems to be working fine but scp doesn't. It says "unknown user" followed by the uid of the user that I'm trying to log on as.
I have even created etc/passwd and etc/shadow (each containing a single line for that user) inside the chroot but this doesn't help.
Any ideas what I'm doing wrong here?

s0da n00b
Joined: 31 Jul 2003 Posts: 11
Posted: Sun Sep 07, 2003 5:58 am Post subject: how about with a shell?
ey guys... this topic was very helpful to me... thanks! i would like to know how to configure the stuff with shell access included... actually i would like to provide "shell only" access. currently, i'm not interested in providing "scp" and "sftp" access. sorry for my ignorance, i'm a complete newbie... i would appreciate any suggestion or help anyone can give. Thanks
love after all is being vulnerable...

mstamat Tux's lil' helper
Joined: 09 May 2002 Posts: 130 Location: Greece
Posted: Wed Sep 10, 2003 1:42 pm Post subject: script to make things easier
Hi guys,
I just set up rssh for my box. I wanted to use the chroot feature, but I also wanted the rssh user to run with the latest installed libs. So I made a little script to make things easier.
Here it is. The script uses ldd to find the runtime dependencies of each of the files listed on the third line of the script. The default files seem to work for gentoo, though I didn't test it extensively. The script also includes a list file in the tarball.
Code:
#!/bin/bash
#by mstamat: http://forums.gentoo.org/profile.php?mode=viewprofile&u=1205
#binaries the chrooted rssh session needs; their shared libs are found with ldd
files="/usr/bin/scp /usr/lib/misc/sftp-server /usr/libexec/rssh_chroot_helper"
tarball="chroot_tarball.tar"
tarball_listfile=".chroot_tarball_list"
missing=""
alldeps=""
#check if files exist
for i in $files; do
    if ! [ -f "$i" ]; then
        if [ "$missing" = "" ]; then
            missing="$i"
        else
            missing="$i $missing"
        fi
    fi
done
if ! [ "$missing" = "" ]; then
    printf "Cannot continue. The following files are missing: %s\n" "$missing"
    exit 1
fi
#check each file for deps
for i in $files; do
    printf "Getting dependencies for %s...\n" "$i"
    #field 5 is the resolved path in "libfoo.so => /lib/libfoo.so (0x...)" lines
    newdeps=$(ldd "$i" | gawk -F' |=>|\t' '{print $5}')
    #ldd prints "=> not found" for an unresolved lib; $newdeps is left unquoted
    #on purpose so the words are joined by spaces and " not " can be matched
    if echo $newdeps | grep -q " not " ; then
        printf "Unresolved dependencies for %s. " "$i"
        printf "Run: 'ldd %s' to see the details.\n" "$i"
        exit 1
    fi
    if [ "$alldeps" = "" ]; then
        alldeps="$newdeps"
    else
        alldeps="$newdeps $alldeps"
    fi
done
printf "\nAll needed dependencies found... Creating tarball...\n"
for i in $alldeps $files; do
    echo "$i"
done | sort | uniq > "$tarball_listfile"
#create tarball (-h follows symlinks so the jail gets real files, not dangling links)
tar cvhf "$tarball" $(cat "$tarball_listfile")
#remove slashes from list file and append it to tarball
sed -i 's/^\///' "$tarball_listfile"
tar rvf "$tarball" "$tarball_listfile"
#remove list file
rm -f "$tarball_listfile"
When you first configure rssh, you run the script and extract the created tarball in the directory where rssh chroots.
After an update that affects rssh (rssh itself, openssh, libc etc.), you follow these steps to update the files used by chrooted rssh:
- cd /my/chroot/dir
- rm -rf $(cat .chroot_tarball_list)
- tar xvf /path/to/new/tarball/chroot_tarball.tar
And you are done.
Manolis
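Both the hand-copied procedure in the first post and mstamat's script depend on reading ldd output, and ldd prints its lines in three shapes: a library resolved through the search path ("libz.so.1 => /usr/lib/libz.so.1 (0x...)"), an absolute path with no arrow (the dynamic loader on newer systems), and "=> not found" for a library it cannot resolve. The following is an added example, not OmniVector's commands and not mstamat's script: a small parser that handles all three shapes and refuses to build a jail with unresolved dependencies, plus a helper that stages each file under the jail with its original directory. It assumes a glibc-style ldd and GNU cp -L; the sample ldd output is constructed from the first post's listing.

```shell
#!/bin/sh
# Added example: build the dependency list for a chroot from ldd output.
# Not the thread's script; assumes a glibc-style ldd and GNU cp -L.

# Constructed sample of ldd output, modelled on the first post's listing.
# The "linux-gate" line (the kernel vdso) and the arrow-less loader line
# are the shapes a newer system prints.
SAMPLE_LDD='    libutil.so.1 => /lib/libutil.so.1 (0x4001c000)
    libz.so.1 => /usr/lib/libz.so.1 (0x4001f000)
    linux-gate.so.1 => (0xffffe000)
    /lib/ld-linux.so.2 (0x40000000)'

# parse_ldd: read ldd output on stdin, print one absolute library path per line.
# Returns 1 if any dependency is "not found", so the caller never assembles a
# jail that only fails when the user logs in.
parse_ldd() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            *"not found"*) status=1; continue ;;
            *"=>"*) path=${line#*=> }; path=${path%% *} ;;
            *) set -- $line; path=${1:-} ;;
        esac
        # The vdso ("=> (0x...)") and "statically linked" have no file to copy;
        # keep only entries that are a real path.
        case "$path" in
            /*) printf '%s\n' "$path" ;;
        esac
    done
    return "$status"
}

# stage_into_jail JAIL PATH: copy PATH to JAIL/PATH, creating the directories.
# cp -L dereferences symlinks (libc.so.6 is usually one) so the jail holds a
# real file rather than a link pointing outside the jail.
stage_into_jail() {
    jail=$1; path=$2
    mkdir -p "$jail$(dirname "$path")" && cp -L "$path" "$jail$path"
}

# build_jail JAIL BIN...: stage each binary and everything ldd reports for it,
# deduplicated, so shared libraries are copied once.
build_jail() {
    jail=$1; shift
    list=""
    for bin in "$@"; do
        deps=$(ldd "$bin" | parse_ldd) || {
            printf 'unresolved dependencies for %s; run: ldd %s\n' "$bin" "$bin" >&2
            return 1
        }
        list="$list
$bin
$deps"
    done
    for f in $(printf '%s\n' "$list" | sort -u); do
        stage_into_jail "$jail" "$f" || return 1
    done
}

# Typical use for the first post's layout (uncomment to run as root):
# build_jail /home /usr/bin/scp /usr/bin/rssh \
#     /usr/libexec/rssh_chroot_helper /usr/lib/misc/sftp-server
```

Because the list is built from whatever ldd reports on the host, rerunning build_jail after a libc or openssh update refreshes the jail the same way mstamat's tarball does, without keeping the list file around.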

dmck n00b
Joined: 22 Jan 2003 Posts: 43 Location: Rochester, NY
Posted: Wed Oct 01, 2003 1:47 am
I followed exactly what you said to do, and it won't authenticate me via sftp, or ssh...
If I do an sftp testuser@localhost...
it asks me for a password 3 times and then asks for testuser@localhost's password, and then fails...
Any ideas?
-dave

dmck n00b
Joined: 22 Jan 2003 Posts: 43 Location: Rochester, NY
Posted: Wed Oct 01, 2003 4:10 am
N/M... I'm just an idiot, and forgot to allow the new user and group in my sshd.conf..
- dave

Steffen Apprentice
Joined: 14 Jul 2002 Posts: 159
Posted: Sat Oct 25, 2003 6:58 pm
Just a quick note for people trying to follow this nice tutorial. I had to copy /lib/ld-linux.so.2 to the chroot, because it is used by rssh!
Code:
# ldd /usr/bin/rssh
libc.so.6 => /lib/libc.so.6 (0x4002b000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

Cicero Apprentice
Joined: 21 Jul 2003 Posts: 220
Posted: Sun Oct 26, 2003 5:23 am
sschlueter wrote:
I think I have set up the chroot environment just as you said and sftp seems to be working fine but scp doesn't. It says "unknown user" followed by the uid of the user that I'm trying to log on as.
I have even created etc/passwd and etc/shadow (each containing a single line for that user) inside the chroot but this doesn't help.
Any ideas what I'm doing wrong here?
I'm having the same problem, but have yet to figure it out. A bit of help, anyone?

Steffen Apprentice
Joined: 14 Jul 2002 Posts: 159
Posted: Sun Oct 26, 2003 9:54 am
Cicero wrote:
sschlueter wrote:
I think I have set up the chroot environment just as you said and sftp seems to be working fine but scp doesn't. It says "unknown user" followed by the uid of the user that I'm trying to log on as.
I have even created etc/passwd and etc/shadow (each containing a single line for that user) inside the chroot but this doesn't help.
Any ideas what I'm doing wrong here?
I'm having the same problem, but have yet to figure it out. A bit of help, anyone?
The same thing happens for me, too. I didn't even notice it, because I'm mainly interested in SFTP.

Cicero Apprentice
Joined: 21 Jul 2003 Posts: 220
Posted: Sun Oct 26, 2003 8:46 pm
I want to use CVS over it, so I suppose I need scp.

Steffen Apprentice
Joined: 14 Jul 2002 Posts: 159
Posted: Sun Oct 26, 2003 11:28 pm
I'm sorry, but I'm not an expert and unfortunately do not know a solution.

rojaro l33t
Joined: 06 May 2002 Posts: 732
Posted: Mon Oct 27, 2003 1:41 pm
Like Scotty said on Star Trek (I think it was in "The Final Frontier"): "How often do I have to tell you people - Always use the right tool for the right job!"
This is also pretty much true for this case. scponly (net-misc/scponly) does IMHO a much better job in providing this kind of scp service. It provides chroot support out of the box, it has rsync support and is compatible with all kinds of sftp clients (such as gFTP, the Windows Commander SCP plug-in and also WinSCP), provides a pretty nice logging facility and it doesn't need much memory. I use it pretty much to give selected people access to my CVS server as well as providing an anonymous SFTP service.
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)

Cicero Apprentice
Joined: 21 Jul 2003 Posts: 220
Posted: Mon Oct 27, 2003 5:00 pm
It doesn't seem to come with chroot functionality in portage.

rojaro l33t
Joined: 06 May 2002 Posts: 732
Posted: Mon Oct 27, 2003 9:37 pm
Right, the "--enable-chrooted-binary" configure flag is missing plus the "make jail" ... but that's fairly easy to enable - just edit the ebuild, emerge and it should work with chroot support.
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)

Steffen Apprentice
Joined: 14 Jul 2002 Posts: 159
Posted: Mon Oct 27, 2003 11:07 pm
I think I've found the solution for the "SCP does not work with RSSH" problem!
The file CHROOT that comes with RSSH states:
Quote:
You may need to copy additional libraries, if your system depends upon them for authentication. For example, in my testing, I needed to copy /lib/libnss_files.so.? into the chroot jail. Without it, the scp command failed, complaining that my user ID was an unknown user. If you use LDAP authentication on the server, you will probably need to also copy libnss_ldap.so.? into your chroot jail.
So I tried it with all /lib/libnss_* files and finally found out that on my Gentoo system (and probably yours) you have to copy /lib/libnss_compat.so.2 into your chroot jail to make SCP work with RSSH!
Edit: I forgot to say that I had to copy my /etc/passwd file into the chroot, too. I don't know, but this makes SCP a bit less attractive for me than SFTP...
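The "unknown user" failure above is scp inside the jail asking glibc's NSS layer to turn its uid into a name, and NSS in turn loading the module named on the passwd: line of /etc/nsswitch.conf and reading the jail's /etc/passwd. Rather than trying every libnss_* file, the module can be read straight from nsswitch.conf, and the jail's passwd file can be limited to the one jailed account instead of a full copy of the host's /etc/passwd, which addresses the part Steffen found unattractive. The following is an added example, not from the thread or from the rssh CHROOT file; it assumes glibc (the .so.2 suffix is glibc's NSS module ABI version) and constructed sample contents for both files.

```shell
#!/bin/sh
# Added example, not from the thread: derive the NSS module the jailed scp
# needs from nsswitch.conf, and give the jail a passwd file holding only the
# jailed account. Assumes glibc NSS (module files named libnss_<source>.so.2).

# Constructed sample of /etc/nsswitch.conf. "compat" is what Steffen's
# Gentoo box used, so libnss_compat.so.2 falls out of it.
SAMPLE_NSSWITCH='# /etc/nsswitch.conf
passwd:      compat
shadow:      compat
group:       compat
hosts:       files dns'

# Constructed sample of /etc/passwd (not real accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
testuser:x:1001:100::/home/testuser:/usr/bin/rssh
alice:x:1002:100::/home/alice:/bin/bash'

# nss_passwd_modules: read nsswitch.conf on stdin and print the module file
# for each source on the passwd: line, e.g. "files ldap" -> libnss_files.so.2
# and libnss_ldap.so.2. Action specifiers such as [NOTFOUND=return] are skipped.
nss_passwd_modules() {
    line=$(sed -n 's/^passwd:[[:space:]]*//p' | head -n 1)
    (
        set -f   # no pathname expansion while splitting the tokens
        for src in $line; do
            case "$src" in
                \[*) ;;
                *) printf 'libnss_%s.so.2\n' "$src" ;;
            esac
        done
    )
}

# jail_passwd_entry USER: read the host passwd file on stdin and print only
# USER's line, which is all the chrooted scp needs to map its uid to a name.
# Copying the whole /etc/passwd into the jail also exposes every local account
# name to anyone who can read the jail. Returns 1 if USER is not present.
jail_passwd_entry() {
    user=$1
    awk -F: -v u="$user" '$1 == u { print; found = 1 } END { exit found ? 0 : 1 }'
}

# Typical use on the host for the first post's /home jail (uncomment, run as root):
# nss_passwd_modules < /etc/nsswitch.conf | while IFS= read -r m; do
#     mkdir -p /home/lib && cp -L "/lib/$m" /home/lib
# done
# mkdir -p /home/etc
# getent passwd testuser > /home/etc/passwd && chmod 644 /home/etc/passwd
```

The jail needs no etc/shadow at all: authentication happens in sshd outside the jail, and the chrooted scp only resolves uid to name, which the single passwd line provides.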

leon_73 Guru
Joined: 13 Mar 2003 Posts: 505 Location: Milano
Posted: Tue Oct 28, 2003 1:00 pm Post subject: Re: Creating a chrooted sftp server without giving shell
Hi,
first of all, thanks for the very well done guide!
Second, just a silly question...
What is the rssh_chroot_helper???
OmniVector wrote:
ldd /usr/libexec/rssh_chroot_helper
I don't have it!
Leo

Steffen Apprentice
Joined: 14 Jul 2002 Posts: 159
Posted: Tue Oct 28, 2003 1:17 pm
It's in /usr/lib/misc/ on my system.

leon_73 Guru
Joined: 13 Mar 2003 Posts: 505 Location: Milano
Posted: Tue Oct 28, 2003 1:34 pm
Steffen wrote:
It's in /usr/lib/misc/ on my system.
Found! But what is it for???
Does it have no man page or anything else?
Leo

Cicero Apprentice
Joined: 21 Jul 2003 Posts: 220
Posted: Tue Oct 28, 2003 11:49 pm
rojaro wrote:
Right, the "--enable-chrooted-binary" configure flag is missing plus the "make jail" ... but that's fairly easy to enable - just edit the ebuild, emerge and it should work with chroot support.
Great, why don't you file a bug report? And why wasn't this already done? I thought gentoo people liked chrooting.

Cicero Apprentice
Joined: 21 Jul 2003 Posts: 220
Posted: Wed Oct 29, 2003 12:58 am
Well, I got rssh working with scp, but cvs gives the "this account is restricted to scp and sftp" message. I thought cvs used scp, so why is it acting like it's trying to get a shell? How can I get this to work?