gentoo.LinuxHowtos.org
edit this article
Teaser
:
Content
:
==Create a chrooted ssh user==This tutorial explains how to install and configure a chroot enviroment for an ssh user. This setup enables you to give out ssh accounts without having to fear that this user can see all files on the system.
===Installing ssh===First you need to have a patched version of the sshd server. Luckily these patches can be enabled with the use flag "chroot" in the sshd use flags.
#echo "net-misc/openssh chroot" >> /etc/portage/package.use #emerge openssh
====creating the chroot enviroment====We will create our chroot enviroment in /home/chroot.
To make the chroot work, run the following commands to make the needed directories and devices for the chrooted user.
mkdir /home/chroot/ mkdir /home/chroot/home/ cd /home/chroot mkdir etc mkdir bin mkdir lib mkdir usr mkdir usr/bin mkdir dev mknod dev/null c 1 3 mknod dev/zero c 1 5
Now we need to populate the directories with some binaries.
copy the following script into a file. If you need more apps, add them
to the APPS line.
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors" for prog in $APPS; do cp $prog ./$prog # obtain a list of related libraries ldd $prog > /dev/null if [ "$?" = 0 ] ; then LIBS=`ldd $prog | awk '{ print $3 }'` for l in $LIBS; do mkdir ./`dirname $l` > /dev/null 2>&1 cp $l ./$l done fi done
After you have run the script, your chroot enviroment is almost done.
run
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/ echo '#!/bin/bash' > usr/bin/groups echo "id -Gn" >> usr/bin/groups touch etc/passwd grep /etc/passwd -e "^root" > etc/passwd to copy some libraries and user information into the chroot.
You should also copy the line of the group in which you will create new users from /etc/group to /home/chroot/etc/group. In this tutorial we will create users in the group users, so we do this:
grep /etc/group -e "^root" -e "^users" > etc/group
and restart SSH:
/etc/init.d/ssh restart
====Creating chrooted users====ssh decides which user should be chrooted and which not by the "home directory" entry in the /etc/passwd.
Example for a non-chrooted user:
user_a:x:2002:100:User A:/home/user_a:/bin/bash
This user will be chrooted:
user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash
Now lets add a testuser to the chrooted user list:
useradd -s /bin/bash -m -d /home/chroot/./home/testuser -c "testuser" -g users testuser
Then we give testuser a password:
passwd testuser
Finally, we have to copy the line for testuser in /etc/passwd to /home/chroot/etc/passwd:
grep /etc/passwd -e "^testuser" >> /home/chroot/etc/passwd
Now log in as testuser and see if everything worked.
Have fun
Note: The changes you made will be manually reviewed for spam before appearing online. This might take a while.
rate this article:
current rating: average rating: 1.2 (48 votes) (1=very good 6=terrible)
Your rating:
Very good (1)
Good (2)
ok (3)
average (4)
bad (5)
terrible (6)
back