
#1 2009-02-04 23:42:54

void.pointer
Member
From: Dallas, TX
Registered: 2008-07-30
Posts: 239

SSH Jails

Hi,

I have a user that I want to give access to my server but only for a certain set of directories. For example, their home directory (/home/newuser) and a mounted drive (/mnt/somedrive). I want to use SSH/SCP only, no FTP protocol if possible.

Any idea how I can do this? I read online that a "Jail" of some sort must be setup but I'm not sure how this works or even if it is appropriate.


#2 2009-02-05 00:24:24

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: SSH Jails

OpenSSH 5.0 (maybe since 4.8, I can't remember) has chroot functionality built in (ChrootDirectory), for SFTP.
You should be able to find a tutorial on the web for it, or you could read the manpage with great detail if you are so inclined.

edit: quick Google result: http://www.debian-administration.org/articles/590

Last edited by cactus (2009-02-05 00:25:54)


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#3 2009-02-05 01:42:48

void.pointer
Member
From: Dallas, TX
Registered: 2008-07-30
Posts: 239

Re: SSH Jails

I'm really going to need a lot more help than that. I've done tons of searching on Google and I just can't find the answers I'm looking for, which is surprising since what I want to do seems simple.

I want to allow a remote user to only use SCP in a specific directory or set of directories. It would be convenient to create a fake root and have only the folders I designate them access to be in this root. So for example, if a particular user only has access to the following directories on my real root system:

/var/log
/home/userfoo

Then their fake root would look like this:

/log
/userfoo

The root "/" would be their home directory when they log into SSH and they would only have access to those directories (log and userfoo). Is this not possible? If not, at the very least I could use symlinks in their home directory to get the same effect right?


#4 2009-02-05 02:00:35

toxygen
Member
Registered: 2008-08-22
Posts: 713

Re: SSH Jails

void.pointer wrote:

The root "/" would be their home directory when they log into SSH and they would only have access to those directories (log and userfoo). Is this not possible? If not, at the very least I could use symlinks in their home directory to get the same effect right?

Off the top of my head, so I'm not thinking too clearly:
SSH logs you into your home dir, so maybe create the folder on the drive with group permissions set to "sshuser" or something, and have your users be part of that group. Then make a link in their home folder to that drive, so they log in through SSH:
~ (their home)
~/link_to_drive (the drive with group permissions allowing users to read/write)

would that work?


"I know what you're thinking, 'cause right now I'm thinking the same thing. Actually, I've been thinking it ever since I got here:
Why oh why didn't I take the BLUE pill?"


#5 2009-02-05 02:06:18

void.pointer
Member
From: Dallas, TX
Registered: 2008-07-30
Posts: 239

Re: SSH Jails

This website seems to discuss the new ChrootDirectory feature which looks like what I want. However, it seems to me this only works for SFTP. Is this the case? I would expect this to work with SSH and SCP as well. Does anyone know specifically what I must do to get ChrootDirectory working with SSH/SCP? I could really care less about SFTP... it's a bit more complicated to use in scripts for automated file transfers.

Last edited by void.pointer (2009-02-05 02:30:30)


#6 2009-02-05 02:34:06

void.pointer
Member
From: Dallas, TX
Registered: 2008-07-30
Posts: 239

Re: SSH Jails

Okay I followed the instructions on the website I linked earlier (here it is again) and now I can connect to my SFTP server. My chroot directory's permissions are 0700. By having permissions like this, WinSCP reports:

Permission denied.
Error code: 3
Error message from server: Permission denied
Request code: 11

When I set the chroot directory to 0744 I get:

Server returned empty listing for directory '/'.

I actually have a text file in my chroot directory called "testing" so it should work...


#7 2009-02-05 02:39:32

void.pointer
Member
From: Dallas, TX
Registered: 2008-07-30
Posts: 239

Re: SSH Jails

Some more updates:

I found that setting the user of my chroot directory to 'root' and the group to 'sftp' it works. Note that the user given permission to enter the chroot directory is added to the 'sftp' group. I set the directory permissions of my chroot directory to 0750 and I am able to connect and see files and directories, however I cannot create directories or files. If I set permissions to 0770 it will not let me log into the account via SFTP.

Last edited by void.pointer (2009-02-05 02:41:09)
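The ownership puzzle in the last two posts comes from a rule sshd enforces before entering the jail: the ChrootDirectory itself and every directory above it must be owned by root and must not be group- or world-writable, so 0770 is rejected while 0750 is accepted but leaves the user unable to write at the top level. The script below is an added example (not from the thread or the linked wiki) that checks that rule for a path and prints the matching sshd_config fragment; it assumes GNU coreutils `stat -c`, a group named `sftp` and a jail root of `/srv/jail`.

```shell
#!/bin/sh
# Added example: verify a directory tree against OpenSSH's ChrootDirectory
# ownership rule. Assumes GNU coreutils (stat -c); group "sftp" and the
# /srv/jail layout are assumptions, not values from the thread.

# Return 0 if one directory is root-owned and not group/world-writable.
chroot_dir_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1    # e.g. 755 or 1777
    [ "$uid" -eq 0 ] || return 1
    grp=$(( mode / 10 % 10 ))                  # group permission digit
    oth=$(( mode % 10 ))                       # other permission digit
    [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ]
}

# Return 0 if the path and every parent up to / pass chroot_dir_ok,
# which is what sshd checks before chrooting an SFTP session.
chroot_path_ok() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while :; do
        chroot_dir_ok "$p" || {
            echo "bad ownership or modes for chroot component: $p" >&2
            return 1
        }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# sshd_config fragment for the assumed layout: the jail root stays
# root:root 0755 and the user gets a writable subdirectory inside it.
sshd_sftp_jail_config() {
    cat <<'EOF'
Match Group sftp
    ChrootDirectory /srv/jail/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Layout commands (run as root). Inside the jail, use a bind mount rather
# than a symlink to expose an outside directory such as /var/log.
#   install -d -o root -g root -m 755 /srv/jail/userfoo
#   install -d -o userfoo -g sftp -m 770 /srv/jail/userfoo/upload
#   mount --bind /var/log /srv/jail/userfoo/log
```

Running `chroot_path_ok /srv/jail/userfoo` reports the first offending component, which is the same check that produces the "bad ownership or modes" refusal in the sshd log.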


#8 2009-02-05 11:18:26

alessandro_ufms
Member
From: Campo Grande, MS - Brazil
Registered: 2008-06-25
Posts: 153

Re: SSH Jails

You can use rssh (http://www.archlinux.org/packages/extra/i686/rssh/) or mysecureshell (http://aur.archlinux.org/packages.php?ID=22573).

Last edited by alessandro_ufms (2009-02-05 11:25:15)


#9 2009-02-05 13:33:22

aglarond
Member
From: Texas, USA
Registered: 2008-11-20
Posts: 129

Re: SSH Jails

This page got me up and running. I'm going to write it up into the wiki when I get a chance.

http://www.minstrel.org.uk/papers/sftp/builtin/

Edit: It's now in the wiki at http://wiki.archlinux.org/index.php/SFTP-chroot

It's my first wiki entry, so hopefully it's easy to follow.

-mS

Last edited by aglarond (2009-02-05 14:18:22)


#10 2009-02-05 21:27:39

jordz
Member
Registered: 2006-02-01
Posts: 248

Re: SSH Jails

Thanks for the wiki, I was just looking for this.


#11 2009-02-06 17:18:48

void.pointer
Member
From: Dallas, TX
Registered: 2008-07-30
Posts: 239

Re: SSH Jails

Are there any articles on how to set up writable chroots using rssh?
