Sunday, April 06, 2008

 

Setting up a chroot SFTP only environment.

Options
  1. chroot-ssh by itself
  2. chroot-ssh + normal openssh
  3. default openssh using modified sftp-server (no environment required)
There are other solutions such as rssh, scponly, and OpenSSH versions 4.9+. These three were the most appropriate for the needs I had at the time.



I. chroot-ssh replacing normal openssh

For a source install, follow the directions on the chrootssh SourceForge page.
For building an RPM for CentOS 4.4, see

http://blog.wanderinglost.ca/?p=9

You can use the useradd script listed on that blog or skip it completely, since I cover user creation below. In either case, read through the User and environment setup section to make sure everything is covered.


II - chroot-sshd + normal sshd

If you want to run both a chroot ssh environment and a normal ssh server, do the following; otherwise jump to the next section.
  1. change the normal sshd (/etc/ssh/sshd_config) to listen only on its current interface addresses.
  2. create a new interface and IP address for chroot ssh
  3. download and build chrootssh
wget http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2
tar jxvf openssh-4.5p1-chroot.tar.bz2
cd openssh-4.5p1-chroot
./configure --datarootdir=/opt/depot/$(basename `pwd`) --docdir=/opt/depot/$(basename `pwd`) --prefix=/opt/depot/$(basename `pwd`) --with-md5-passwords

*NOTE* add whatever other options you need, such as those for Kerberos support, and --with-pid-dir=PATH if required.

make
make install

To stop chroot users from getting in via the normal openssh, do the following:

  1. add a group called chroot to /etc/group and add all chroot users to the new group.
  2. add "DenyGroups chroot" to /etc/ssh/sshd_config
  3. send SIGHUP to the normal sshd PID to force a re-read of the config
Now jump to the User and environment setup section below.



III. default openssh + sftp-server binary modifications by minstrel

Download openssh source (http://www.openssh.org/portable.html).
Download sftp-server.c from http://www.minstrel.org.uk/papers/sftp/
Either copy it in, replacing the one from openssh, or manually add the listed changes.
I suggest manually applying the changes unless you are using the exact same version.

Build as needed to have sftp-server with the correct options, e.g.

./configure --with-md5-passwords --without-zlib-version-check --with-tcp-wrappers
make

Rename sftp-server to sftp-serverc so you know this version does chroot.

Now copy it somewhere, such as

/opt/depot/openssh/libexec/sftp-serverc

It needs to be setuid root to do the chroot (the copy made as root is already root-owned):

chmod u+s /opt/depot/openssh/libexec/sftp-serverc

Edit /etc/ssh/sshd_config and change the Subsystem sftp line to point to the new sftp-serverc (the path you copied it to above):

Subsystem sftp /opt/depot/openssh/libexec/sftp-serverc

Send SIGHUP to the sshd PID to force re-read of config.

NOTE: If you are using option 3 (sftp-server source modifications for chroot), you do not need to set up any chroot environment. Just follow the next user setup instructions and you are done. The following will chroot them to their home dir.

User setup

add a user normally, then run

usermod -d /home/USER/./ USER

Set the user's shell

usermod -s /opt/depot/openssh/libexec/sftp-serverc USER

If such a user tries an interactive SSH login, sftp-server will just sit for a minute and then drop the connection. As an alternative you can use minstrel's sftpsh, which is listed on the website above.



User and environment setup for options 1 and 2


NOTE: Either all chroot users can share a common chroot virtual root, or each user can have their own copy of all the needed system files.

The following instructions apply to the former. If you wish to have full separation, change CHROOT_DIR to be the user's home directory, e.g.


CHROOT_DIR=/chroot/bob

Create a user with a home dir like CHROOT_DIR/home/USERNAME, e.g.

useradd -d CHROOT_DIR/home/bob bob


Then set their home dir so the /./ marker shows where the chroot ends

usermod -d CHROOT_DIR/./home/bob bob

If you want to chroot someone to their normal /home/USER dir, then run

usermod -d /home/USER/./ USER

To stop any other users from seeing their files, run

chown USER CHROOT_DIR/home/USER
chmod 700 CHROOT_DIR/home/USER

You may want to remove their .bash files etc.:

find CHROOT_DIR/home/USER -type f -exec rm '{}' \;

If you are using the shared chroot, you can run the following

chmod 711 CHROOT_DIR/home

to make it so users cannot see which other chroot users are on the system. You can even do this to the top-level chroot directory (e.g. /chroot), and users will not be able to see any of the chroot system directories. These actions may alleviate the need for a full duplicate of the chroot environment for each user.

Now run the following script, passing the base chroot directory, e.g.

./mkchroot-env /chroot

or

./mkchroot-env /chroot/bob

#!/bin/sh
# mkchroot-env: populate a chroot directory with the binaries, shared
# libraries and device nodes an SFTP-only user needs.
if [ "$1" = "" ] ; then
    CHROOT_DIR=/chroot
else
    CHROOT_DIR="$1"
fi
REQUIRED_CHROOT_FILES=" /bin/cp \
/bin/ls \
/bin/mkdir \
/bin/mv \
/bin/rm \
/bin/rmdir \
/lib/libnss_files.so.2 \
/lib/ld-linux.so.2 \
/lib/libtermcap.so.2"

# Create CHROOT_DIR
[ ! -d "$CHROOT_DIR" ] && mkdir -p "$CHROOT_DIR"
cd "$CHROOT_DIR" || exit 1

# Copy REQUIRED_CHROOT_FILES and shared library dependencies
# to chroot environment (relative paths land under CHROOT_DIR after the cd)

for FILE in $REQUIRED_CHROOT_FILES
do
    DIR=`dirname $FILE | cut -c2-`
    [ ! -d "$DIR" ] && mkdir -p "$DIR"
    cp "$FILE" `echo $FILE | cut -c2-`
    # Keep only ldd lines of the form "libfoo.so => /path/libfoo.so (0x...)";
    # the vdso (linux-gate.so.1) and loader lines carry no path in field 3.
    for SHARED_LIBRARY in `ldd $FILE | awk '$3 ~ /^\// {print $3}'`
    do
        DIR=`dirname $SHARED_LIBRARY | cut -c2-`
        [ ! -d "$DIR" ] && mkdir -p "$DIR"
        [ ! -s "`echo $SHARED_LIBRARY | cut -c2-`" ] && cp "$SHARED_LIBRARY" `echo $SHARED_LIBRARY | cut -c2-`
    done
done

# Create device files (skipped if present, so the script can be re-run)
mkdir -p "$CHROOT_DIR/dev"
[ -c "$CHROOT_DIR/dev/null" ] || mknod "$CHROOT_DIR/dev/null" c 1 3
[ -c "$CHROOT_DIR/dev/zero" ] || mknod "$CHROOT_DIR/dev/zero" c 1 5

# Create chroot /etc/passwd placeholder
mkdir -p "$CHROOT_DIR/etc"
touch "$CHROOT_DIR/etc/passwd"

Since we do not want the users to get a shell via ssh, we set their shell to the sftp-server binary and make a few more changes. First copy the sftp-server(c) binary into the chroot; adjust the paths based on your install choices earlier. Example for sftp-serverc (minstrel version):

mkdir -pv $CHROOT_DIR/opt/depot/openssh/libexec
cp PATH/TO/sftp-serverc $CHROOT_DIR/opt/depot/openssh/libexec/

Set the user's shell (the path as seen from inside the chroot)

usermod -s /opt/depot/openssh/libexec/sftp-serverc USER

Copy the passwd entry into the chroot (anchored so only that user's line matches)

grep '^USER:' /etc/passwd >> $CHROOT_DIR/etc/passwd
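The steps above (DenyGroups on the normal sshd in section II, the sftp-server shell, the /./ marker, the 700 home dir, the device nodes and the libraries copied by mkchroot-env) are easy to get half right, and a half-built chroot fails in ways that only show up at login time. The following checker is an added example, not code from the original post or from the chrootssh project; the function names are its own, and it assumes the layout used here: CHROOT_DIR containing bin/, dev/, etc/passwd and home/USER, a home field of the form CHROOT_DIR/./home/USER, and the user's shell being the sftp-server binary copied to the same path inside the chroot. Run it as root as `check_chroot /chroot bob` after the setup; the passwd and sshd_config paths can be overridden for testing.

```sh
#!/bin/sh
# check-chroot-env: verification helper added as an example; it is not part
# of the original post or of chrootssh. Assumed layout (as in the post):
# CHROOT_DIR contains bin/, dev/, etc/passwd and home/USER, the user's home
# field in /etc/passwd carries the /./ marker (CHROOT_DIR/./home/USER), and
# the user's shell is the sftp-server binary copied to the same path inside
# the chroot. All function names below are this example's own.

# Field N of USER's entry in PASSWD_FILE (empty if the user is absent).
passwd_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# 0 if USER's home in PASSWD_FILE is CHROOT_DIR/./<path>, else 1.
chroot_home_ok() {
    home=$(passwd_field "$1" "$2" 6)
    case "$home" in
        "$3"/./?*) return 0 ;;
        *)         return 1 ;;
    esac
}

# 0 if DIR grants no permissions to "others" (the chmod 700 / 711 step), else 1.
dir_private() {
    others=$(ls -ld "$1" 2>/dev/null | cut -c8-10)
    [ "$others" = "---" ]
}

# 0 if SSHD_CONFIG has an uncommented DenyGroups line naming GROUP, else 1.
denygroups_ok() {
    awk -v g="$2" '
        tolower($1) == "denygroups" { for (i = 2; i <= NF; i++) if ($i == g) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Every shared library a binary in CHROOT_DIR/bin needs must exist at the same
# relative path inside CHROOT_DIR. Prints each missing library; 0 when none
# are missing (or when ldd is unavailable on this host).
chroot_libs_ok() {
    command -v ldd >/dev/null 2>&1 || return 0
    missing=0
    for bin in "$1"/bin/*; do
        [ -f "$bin" ] || continue
        # keep only "libfoo.so => /path (0x...)" lines; vdso/loader lines have no path in $3
        for lib in $(ldd "$bin" 2>/dev/null | awk '$3 ~ /^\// { print $3 }'); do
            if [ ! -s "$1$lib" ]; then
                echo "missing: $1$lib (needed by $bin)"
                missing=1
            fi
        done
    done
    return $missing
}

# Run every check for USER in CHROOT_DIR; one FAIL line per problem, return 1 if any.
check_chroot() {
    chroot_dir=$1; user=$2
    passwd_file=${3:-/etc/passwd}; sshd_config=${4:-/etc/ssh/sshd_config}
    rc=0
    chroot_home_ok "$passwd_file" "$user" "$chroot_dir" \
        || { echo "FAIL: home of $user lacks the $chroot_dir/./ marker"; rc=1; }
    shell=$(passwd_field "$passwd_file" "$user" 7)
    [ -n "$shell" ] && [ -x "$chroot_dir$shell" ] \
        || { echo "FAIL: shell '$shell' of $user is not an executable inside $chroot_dir"; rc=1; }
    [ -c "$chroot_dir/dev/null" ] \
        || { echo "FAIL: $chroot_dir/dev/null is not a character device"; rc=1; }
    [ -f "$chroot_dir/etc/passwd" ] \
        || { echo "FAIL: $chroot_dir/etc/passwd missing"; rc=1; }
    dir_private "$chroot_dir/home/$user" \
        || { echo "FAIL: $chroot_dir/home/$user is readable by others"; rc=1; }
    denygroups_ok "$sshd_config" chroot \
        || { echo "FAIL: $sshd_config does not deny group chroot"; rc=1; }
    chroot_libs_ok "$chroot_dir" || rc=1
    return $rc
}
```

The library check runs ldd against the copies inside the chroot rather than the host binaries, so it catches a library that mkchroot-env copied from a different location than the one the copied binary will look in. The DenyGroups check only covers the normal sshd from section II; it is irrelevant if you replaced openssh entirely (option 1), in which case that one FAIL line can be ignored.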



REFERENCES

chrootssh project - http://chrootssh.sourceforge.net/
minstrel sftp-server modifications - http://www.minstrel.org.uk/papers/sftp/

OpenSSH + ChRoot RPM for CentOS 4.4
http://blog.wanderinglost.ca/?p=9
chroot sshd/sftp tips and scripts
http://www.brandonhutchinson.com/chroot_ssh.html
SFTP Setup for CentOS 4.5-5.x
http://www.fusionnetwork.us/index.php?option=com_content&task=view&id=13&Itemid=9
SSH Chroot in ISPConfig Centos-4.6
http://www.linuxweblog.com/blogs/sandip/20080228/ssh-chroot-ispconfig-centos-46


Various other howtos, mailing list posts, etc... including
http://www.debian-administration.org/articles/94
http://www.howtoforge.com/chrooted_ssh_howto_debian
http://www.technicalarticles.org/index.php/How_to_Setup_a_Chroot_Jail
http://www.derkeiler.com/Newsgroups/comp.security.ssh/2003-10/0202.html
http://www.bpfh.net/simes/computing/chroot-break.html
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config

Debugging and other issues
http://www.snailbook.com/faq/sftp-corruption.auto.html
http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html

Alternatives that were considered and researched thoroughly but not pursued in full.

Scponly
http://sublimation.org/scponly/wiki/index.php/Main_Page
SFTP Setup for CentOS 4.5-5.x
http://www.fusionnetwork.us/index.php?option=com_content&task=view&id=13&Itemid=9
http://www.freebsdwiki.net/index.php/SSH:_Limiting_to_SCP_or_Rsync_only
http://dag.wieers.com/rpm/packages/scponly/
http://ubuntuforums.org/showthread.php?t=451510
http://lists.freebsd.org/pipermail/freebsd-isp/2003-August/000921.html
http://www.nslu2-linux.org/wiki/Optware/Scponly

Rssh
http://www.pizzashack.org/rssh/
http://dag.wieers.com/rpm/packages/rssh/
http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html
http://ubuntuforums.org/showthread.php?t=195266
http://ubuntuforums.org/showthread.php?t=128206
http://www.mail-archive.com/rssh-discuss@lists.sourceforge.net/msg00064.html





I did not feel like finishing the formatting as I wrote all of this out in plain text originally while documenting what I was doing. I'll come back later and clean things up.
