chroot to homedir for SSH user

#1 Thu, 05/02/2013 - 06:34
remibruggeman

Hello,

I read http://www.virtualmin.com/node/14537 to allow SSH access. This works great, except for the tiny problem that the user has access to the whole server. Would it be possible to chroot him to the homedir?

Thu, 05/02/2013 - 07:19
remibruggeman

I tried to add the following to /etc/ssh/ssh_config:

Match Group dev
        ChrootDirectory /home/cavaria

This did not work.
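
sshd_config(5) documents ChrootDirectory as a server-side keyword, and sshd refuses the chroot unless every component of the path is a root-owned directory that is not writable by group or others. The check below is an added example, not part of the original posts: it reads ChrootDirectory lines from sshd_config-style text and tests each path component against that rule. The function names and the sample text are constructed here, and only literal paths are handled (tokens such as %h are not expanded).

```python
import os
import stat as st

# Constructed sample: the Match block from the post, as sshd_config content.
SAMPLE_CONFIG = "Match Group dev\n        ChrootDirectory /home/cavaria\n"

def chroot_directives(config_text):
    """Return (match_condition, path) for every ChrootDirectory line."""
    found, match = [], "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()              # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match = value                   # later directives belong to this block
        elif key == "chrootdirectory" and value.lower() != "none":
            found.append((match, value))
    return found

def component_paths(path):
    """'/home/cavaria' -> ['/', '/home', '/home/cavaria']"""
    out, cur = ["/"], ""
    for part in path.strip("/").split("/"):
        if part:
            cur += "/" + part
            out.append(cur)
    return out

def check_chroot_path(path, stat_fn=os.stat):
    """List every path component that breaks sshd's ownership/mode rule."""
    problems = []
    for comp in component_paths(path):
        try:
            info = stat_fn(comp)
        except OSError:
            problems.append(f"{comp}: missing")
            continue
        if not st.S_ISDIR(info.st_mode):
            problems.append(f"{comp}: not a directory")
        if info.st_uid != 0:
            problems.append(f"{comp}: owned by uid {info.st_uid}, not root")
        if info.st_mode & 0o022:
            problems.append(f"{comp}: group/other writable")
    return problems

if __name__ == "__main__":
    for match, path in chroot_directives(SAMPLE_CONFIG):
        for result in check_chroot_path(path) or ["ok"]:
            print(f"[{match}] {path} -> {result}")
```

An ordinary home directory owned by its user fails this check, so a jail rooted there needs a root-owned top level with a user-writable subdirectory inside it.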

Fri, 09/20/2013 - 11:41 (Reply to #2)
steen

Hello !

This thread is a bit aged, but I had the same problem. What I did was to use chroot, ssh_chroot, sftp and some things; also LDAP and bind mounts were used for logfiles.

I made a bunch of scripts to get it to work in Virtualmin without any hands-on work, besides basic configuration of Virtualmin and Webmin.

It took a long time to make the scripts. I am not a programmer, so it was hundreds of trials and errors to get all the logic in place, trying to use Virtualmin commands and Webmin commands, and the pre/post scripts and their environment variables, as much as possible to secure for future updates.

And I am not fully there yet: some features are lacking, and some bugs remain, but I got it 95% working as I wanted it.

Now afterwards, a Cloudmin setup with better rack servers which have support for KVM would spare me some headache. But I have time, not money :-)

I can share the scripts and how I did it if someone is interested; the scripts and ways of doing things could be improved by someone with more skills than I have. But I am not ready to publish the scripts for the public yet.

All scripts and stuff Centos 6.x on Intel, and AIX/RedHat on Power.

Thu, 05/02/2013 - 07:32
remibruggeman

I read this: http://www.cyberciti.biz/faq/restrict-linux-users-to-their-home-director...

This 'trick' advises you to create a new bin: rbash (cp /bin/bash /bin/rbash). This will actually disable the cd command. But testing this: I can still read the whole server, list other directories and vim config files.

Still no solution

Thu, 05/02/2013 - 10:03
andreychek

Howdy,

There's not a simple fix, unfortunately.

Take a look at the second question here, titled "How can I prevent other types of users from browsing the entire filesystem":

http://virtualmin.com/documentation/security/faq

Sat, 09/21/2013 - 09:10
jimdunn

Regarding "chroot" with SSH, I was never able to truly jail the user, so, I moved to Encrypted FTP instead.

I am able to keep them "chrooted" and they only need to change FTP to FTPS in their client config.

See: http://www.virtualmin.com/node/29262

Sun, 11/24/2013 - 17:02
Lucrian

I also searched for a solution for this, but it seems that there is no integrated solution in Virtualmin / Webmin. Until now I've used (and it seems that I will continue to use) Jailkit. It uses chroot and is not so hard to use. You can find it at http://olivier.sessink.nl/jailkit/. Use tutorials to install it and configure it.