
#1 2009-09-18 19:58:50

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595

new to chroot - security question

I'd like to add a user that will have the sole purpose of serving as a way I can come into my Arch box via ssh and grab a document when I need to do so.  What is the best way to chroot the user so it can't leave its own home directory, at least when logging in via ssh?



#2 2009-09-18 20:00:53

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 4,092

Re: new to chroot - security question

You can use a restricted shell to lock the user in.
E.g. there is rssh, which you can set to only allow scp and/or sftp access.

Last edited by Mr.Elendig (2009-09-18 20:02:21)



#3 2009-09-18 20:12:33

bender02
Member
From: UK
Registered: 2007-02-04
Posts: 1,328

Re: new to chroot - security question

man sshd_config wrote:

ChrootDirectory
    Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group.

    The path may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.

    The ChrootDirectory must contain the necessary files and directories to support the users' session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file transfer sessions using ``sftp'', no additional configuration of the environment is necessary if the in-process sftp server is used (see Subsystem for details).

    The default is not to chroot(2).


#4 2010-04-01 21:49:55

tcp
Member
Registered: 2010-04-01
Posts: 14

Re: new to chroot - security question

Create sftp only access on OpenSSH v5.4:

Add a group for limited users.

groupadd sshlim

Using /home/%u as the chrooted directory doesn't seem to work as expected. Instead, create a universal chrooted directory (jail).
Set permissions so that traversing into subdirectories is allowed but the directory is not viewable itself.
It should already be owned by root. /home/public will become / for jailed users, but they will not be able to navigate to / and view others' directories.

mkdir /home/public
chmod 611 /home/public

After regular SSH access is setup (as per the Arch Wiki), edit /etc/ssh/sshd_config and make the following changes.

Subsystem       sftp    internal-sftp

Match Group sshlim
    ChrootDirectory /home/public
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Have an existing user or add a user as normal.
A default home directory will be created, but it is not usable and can be deleted later.
Change the user's default group or just add the user to the limited group:

gpasswd -a myuser sshlim

Add the user's jailed home directory and give him exclusive permissions.

mkdir /home/public/mydir
chown myuser /home/public/mydir
chmod 700 /home/public/mydir   # a directory needs the owner's execute bit to be entered; 600 would let the user list names but not open files

Change their home directory (relative to the chrooted directory) and disable their shell (although they wouldn't have access to it anyway).

usermod -d /mydir -s /bin/false myuser

The user now has SFTP only access. If he tries to log in to the shell, it will inform him of such.

In the future, you may be able to experiment with no ForceCommand and allow limited shell access, but that requires a full environment be set up in the jail. I have not tried yet.

Last edited by tcp (2010-04-04 20:23:22)

