OpenSSH Chroot

Can virt/web-min use a "chroot" for ssh? As my users can log in with SSH on their own virtual server, I want them to be jailed in their own home directory.

Is it possible to do/implement that?

Regards, SaouLLaBiT

Status: Closed (fixed)

Comments

Currently, no - the trouble with chrooting SSH is that you need a full copy of /etc, /bin, /usr and so on in the chroot directory. So even though openssh does support this, in practice it is troublesome to set up.

Maybe by modifying /etc/passwd, changing:

ducamp:x:1000:1000:Denis Ducamp,,,:/home/ducamp:/bin/bash

to:

ducamp:x:1000:1000:Denis Ducamp,,,:/home/./ducamp:/bin/bash

In the second case, the sshd server uses the chroot as needed, and /home/ducamp is the top of the "cage".

We need to populate the "cage" with some usable executables.

If we need a shell, we need to copy the shell into the cage, along with the libraries it requires:

ldd /home/ducamp/bin/bash
    libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001c000)
    libdl.so.2 => /lib/libdl.so.2 (0x40020000)
    libc.so.6 => /lib/libc.so.6 (0x40023000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
# Create the cage directories, then copy the shell and the libraries ldd listed
mkdir -p $CAGE/bin $CAGE/lib
cp /bin/bash $CAGE/bin
# Libraries go in $CAGE/lib so the loader finds them at /lib inside the cage
cp /lib/libtermcap.so.2 /lib/libdl.so.2 /lib/libc.so.6 /lib/ld-linux.so.2 $CAGE/lib

Do we really need the /etc and /bin in that kind of configuration? The home drive is usable caged via SSH for the user, but can the web server still work?

Yes, you would need /bin too, so that commands like ls and rm can be run.

Also, /etc would be needed for config files like resolv.conf so that DNS lookups work, /etc/passwd to show usernames in ls -l output and so on.

ok :-] Let's close!
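
The cage-population step discussed in the comments above, as an added example that is not part of the original thread: it parses ldd output, including line forms newer than the ones quoted, and copies a binary plus its libraries into the cage at the same absolute paths. The function names (sample_ldd, ldd_paths, populate_cage) are hypothetical.

```shell
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample: the ldd output quoted in the thread plus two
# modern-style lines (a vdso entry with no file, a loader with no "=>").
sample_ldd() {
cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd0a5f2000)
    libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001c000)
    libdl.so.2 => /lib/libdl.so.2 (0x40020000)
    libc.so.6 => /lib/libc.so.6 (0x40023000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1c2a400000)
EOF
}

# Read ldd output on stdin and print each absolute library path once.
# Exits non-zero if any dependency is "not found", because the caged
# binary would fail to start without it.
ldd_paths() {
    awk '
        /=> not found/ { print "missing: " $1 > "/dev/stderr"; bad = 1; next }
        $2 == "=>" && $3 ~ /^\// { p = $3 }   # name => /path (addr)
        $2 != "=>" && $1 ~ /^\// { p = $1 }   # /path (addr), e.g. the loader
        p != "" && !seen[p]++ { print p }
        { p = "" }
        END { exit bad }
    '
}

# Copy BIN and the libraries ldd reports into CAGE, keeping the same
# absolute paths so the dynamic loader resolves them after chroot.
# Assumes library paths contain no whitespace.
populate_cage() {
    cage=$1 bin=$2
    libs=$(ldd "$bin" | ldd_paths) || return 1
    for f in "$bin" $libs; do
        mkdir -p "$cage$(dirname "$f")" || return 1
        cp -L "$f" "$cage$f" || return 1      # -L: copy the file, not a symlink
    done
}
```

Only what is copied exists inside the cage, so each additional command or config file the user needs has to be added the same way.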