SFTP chroot

From WBITT's Cooker!

[root@lnxlan215 ~]# tail /etc/ssh/sshd_config 
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

Match Group webmasters 
	ChrootDirectory %h
[root@lnxlan215 ~]# 

service sshd restart


[root@bilaltest ~]# ssh web1@192.168.122.1
web1@192.168.122.1's password: 
Read from remote host 192.168.122.1: Connection reset by peer
Connection to 192.168.122.1 closed.
[root@bilaltest ~]# 



[root@lnxlan215 ~]# tail -f /var/log/secure
May 21 11:20:54 lnxlan215 sshd[23458]: pam_unix(sshd:session): session opened for user kamran by (uid=0)
May 21 11:20:58 lnxlan215 sshd[23458]: pam_unix(sshd:session): session closed for user kamran
May 21 11:21:09 lnxlan215 sshd[23502]: Accepted password for web1 from 192.168.122.119 port 40135 ssh2
May 21 11:21:09 lnxlan215 sshd[23502]: pam_unix(sshd:session): session opened for user web1 by (uid=0)
May 21 11:21:09 lnxlan215 sshd[23511]: fatal: bad ownership or modes for chroot directory "/home/web1"
May 21 11:21:09 lnxlan215 sshd[23502]: pam_unix(sshd:session): session closed for user web1
May 21 11:21:39 lnxlan215 sshd[23554]: Accepted password for web1 from 192.168.122.119 port 40136 ssh2
May 21 11:21:39 lnxlan215 sshd[23554]: pam_unix(sshd:session): session opened for user web1 by (uid=0)
May 21 11:21:39 lnxlan215 sshd[23562]: fatal: bad ownership or modes for chroot directory "/home/web1"
May 21 11:21:39 lnxlan215 sshd[23554]: pam_unix(sshd:session): session closed for user web1
^C
[root@lnxlan215 ~]# 



---------

Right, this is on purpose. We ban this because allowing a user write
access to a chroot target is dangerously similar to equivalence with
allowing write access to the root of a filesystem.

If you want the default directory that users start in to be writable
then you must create their home directory under the chroot. After
sshd(8) has chrooted to the ChrootDirectory, it will chdir to the
home directory as normal. So, for a passwd line like:

djm:*:1000:1000:Damien Miller:/home/djm:/bin/ksh

Create a home directory "/chroot/djm/home/djm". Make the terminal "djm"
directory user-owned and writable (everything else must be root-owned).
Set "ChrootDirectory /chroot" in /etc/config.

The directory specified for "ChrootDirectory" and all its parents up to / should be:
# owned by root
# not group or other writable

A variant of this that yields less deep directory trees would be to set
the passwd file up as:

djm:*:1000:1000:Damien Miller:/upload:/bin/ksh

Create "/chroot/djm/upload", with "upload" the only user-owned and writable
component. 

------------



[root@lnxlan215 ~]# mkdir /ssh-chroot/home/web1 -p


man 5 sshd_config

     ChrootDirectory
             Specifies the pathname of a directory to chroot(2) to after authentication.  All components of the pathname must be root-owned directories
             that are not writable by any other user or group.  After the chroot, sshd(8) changes the working directory to the user's home directory.

             The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced
             by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.

             The ChrootDirectory must contain the necessary files and directories to support the user's session.  For an interactive session this
             requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and
             tty(4) devices.  For file transfer sessions using “sftp”, no additional configuration of the environment is necessary if the in-process sftp
             server is used, though sessions which use logging do require /dev/log inside the chroot directory (see sftp-server(8) for details).

             The default is not to chroot(2).

----------

http://www.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229
-----------

Notice that if any of the following is missing the users will not be able to log on to the chroot:

* The /proc filesystem needs to be mounted in the users' chroot.

* The necessary /dev/pts/ devices need to exist. If the files are generated by your running kernel automatically then you have to manually create them on the chroot's /dev/.

* The user's home directory has to exist in the chroot, otherwise the ssh daemon will not continue.



