#1 2004-08-23 23:46:54

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

SSH user accounts in a jail.

I am looking to have ssh users be able to login, but have limited access to things.
This is specifically for web hosting users.
Basically, they login, and are in a chrooted jail. They only have a few shell commands (manually copied into their chroot), and cannot leave their user dir.

Any ideas? I know it has been/can be done. I just don't know how...not having much experience with chrooting and jails.
I have read some literature on using a special jail shell, and chrooting that..but I really don't have the foggiest on this one..


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#2 2004-11-09 02:45:18

Father
Member
From: Australia
Registered: 2004-06-01
Posts: 209

Re: SSH user accounts in a jail.

yeah.. I'm trying to do the same at the moment, but for sftp via rssh

I've gotten rssh to chroot specific users to a directory, but I haven't put any executables in there yet so it just quits.
the main problem is, sftp needs sftp-server?
it's mentioned in the `sftp' man and also in the rssh `chroot maker' script and help file... but I can't find it on my system anywhere...

but sftp works when I don't use chroot! so all of the required binaries are on my system.... I'm just not sure which ones I need to copy!

anyway help would be great
thanks

Offline

#3 2004-11-09 03:01:31

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: SSH user accounts in a jail.

/usr/bin/sftp
/usr/lib/ssh/sftp-server



Offline

#4 2004-11-09 03:26:39

Father
Member
From: Australia
Registered: 2004-06-01
Posts: 209

Re: SSH user accounts in a jail.

heh crap.. thanks!!!
i tried whereis but not locate..

Offline

#5 2004-11-09 03:27:53

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: SSH user accounts in a jail.

;)



Offline

#6 2004-11-28 16:48:42

Florin
Member
From: Verona, Italy.
Registered: 2004-11-21
Posts: 17

Re: SSH user accounts in a jail.

To me it sounds like this is what you are looking for: http://lids.org/

Offline

#7 2004-11-28 18:36:27

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: SSH user accounts in a jail.

no, I am looking for chroot jailed ssh accounts, not a MAC layer over DAC. If I wanted that, I would use SELinux instead of LIDS anyway.

Basically, I was looking for a way to have it so that when a user logged in, they were in a jail...all the files they could see would be their home directory, and they would have their own copies of some useful utilities (ls, mkdir, etc.). This was primarily for webhosting issues and using ssh for that...



Offline

#8 2004-12-02 15:31:07

Winkie
Member
Registered: 2004-09-30
Posts: 59

Re: SSH user accounts in a jail.

http://chrootssh.sourceforge.net/index.php?node=docs

That should do you just fine if you're using SSH.. All that needs to happen is before control is delegated to the user, chroot needs to be run.

Offline

#9 2004-12-02 17:15:56

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: SSH user accounts in a jail.

hmm...thanks. 8)
something to think about.

also found this: http://olivier.sessink.nl/jailkit/index.html
it looks interesting too.



Offline

#10 2004-12-03 17:41:28

Winkie
Member
Registered: 2004-09-30
Posts: 59

Re: SSH user accounts in a jail.

cactus wrote:

also found this: http://olivier.sessink.nl/jailkit/index.html
it looks interesting too.

Yes, it does, so I packaged it.
http://bbs.archlinux.org/viewtopic.php?p=55372

Offline

#11 2004-12-03 21:53:10

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: SSH user accounts in a jail.

lol..
yay!



Offline

#12 2004-12-04 10:04:55

Dreameen
Member
From: Poland
Registered: 2004-09-06
Posts: 252

Re: SSH user accounts in a jail.

Has anyone tried building a chroot jail with this howto??

It seems quite simple, but the problem is in the part where it says to copy certain libraries to /usr/chroot/usr/lib/:  ld.so.1, libc.so.1, libdl.so.1, libgen.so.1, libmp.so.2, libnsl.so.1, libsocket.so.1.

Some of these are not to be found in arch e.g. libgen.so.1, libsocket.so.1.

1. Are they necessary to build this jail??

Offline
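
The question of which files to copy into the jail, raised in posts #2 and #12, can be answered per system by asking `ldd` instead of following a fixed library list from a howto. The script below is an added example, not code from any poster in this thread; the function names and the jail path in the usage comment are hypothetical, and the `ldd` sample is constructed.

```shell
#!/bin/sh
# Added example: work out which shared libraries a chroot jail needs.
# Run ldd only on trusted system binaries.

# Constructed sample of `ldd` output, so the parser can be checked offline.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc1a5f2000)
    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f3b2c400000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f3b2c200000)
    libmissing.so.1 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f3b2c9d0000)'

# Read ldd output on stdin; print the absolute paths that must exist in the jail.
jail_lib_paths() {
    awk '
        /=> not found/            { next }            # reported by jail_missing_libs
        $1 ~ /^\//                { print $1; next }  # dynamic loader, listed by path
        $2 == "=>" && $3 ~ /^\//  { print $3 }        # library resolved to a file
    ' | LC_ALL=C sort -u
}

# Read ldd output on stdin; print the names of libraries ldd could not resolve.
jail_missing_libs() {
    awk '/=> not found/ { print $1 }' | LC_ALL=C sort -u
}

# populate_jail JAIL BINARY...  copy each binary and its libraries under JAIL,
# keeping the same absolute paths so the loader finds them after chroot.
populate_jail() {
    jail=$1; shift
    for bin in "$@"; do
        # ldd exits non-zero for static binaries and unreadable files.
        deps=$(ldd "$bin") || { echo "ldd failed for $bin" >&2; return 1; }
        missing=$(printf '%s\n' "$deps" | jail_missing_libs)
        [ -z "$missing" ] || { echo "$bin: unresolved: $missing" >&2; return 1; }
        for f in "$bin" $(printf '%s\n' "$deps" | jail_lib_paths); do
            mkdir -p "$jail$(dirname "$f")"
            cp -p "$f" "$jail$f"   # cp follows symlinks, so the real file is copied
        done
    done
}

# Usage (as root; /home/jail is a hypothetical jail root):
#   populate_jail /home/jail /bin/ls /usr/lib/ssh/sftp-server
```
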

#13 2004-12-07 06:00:17

colnago
Member
From: Victoria, BC
Registered: 2004-03-25
Posts: 438

Re: SSH user accounts in a jail.

UML was touted as one of the great features of the 2.6.x kernels.  This can be used instead of chroot.  One of the guys in the local LUG has this going and loves it, as he gives each user a virtual machine and none of them know they are sharing a computer. 

Arch has 'uml_utilities', so it must be possible.

Offline

#14 2004-12-07 07:26:56

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615
Website

Re: SSH user accounts in a jail.

while indeed uml has nice stuff to offer, the overhead involved is considerable when comparing with a jailed ssh shell, or a chroot'ed daemon.
Nothing like trying to use a hammer for a screwdriver.  ;)



Offline
