Create a chrooted ssh user

This tutorial explains how to install and configure a chroot environment for an ssh user. The setup lets you hand out ssh accounts without the account holder being able to see the rest of the file system. Keep in mind what a chroot does and does not do: it hides the file system outside the chroot directory, but it does not restrict network access, and it is no barrier to a user who manages to become root inside it. So keep the chroot free of setuid-root binaries and make sure only root can write to the chroot root.
Installing ssh

First you need a patched version of the sshd server; the unpatched daemon of this era has no chroot support of its own. On Gentoo the patch is applied by enabling the "chroot" USE flag for openssh and rebuilding (as root):

echo "net-misc/openssh chroot" >> /etc/portage/package.use
emerge openssh

Caveat: OpenSSH 4.8 and later ship a native ChrootDirectory option in sshd_config, and the Gentoo USE flag has since been dropped. If your openssh no longer offers the flag, use ChrootDirectory instead of this patch; the directory layout built below still applies.
Creating the chroot environment

We will create the chroot environment in /home/chroot. Run the following commands (as root) to make the directories and device nodes the chrooted user needs:

mkdir -p /home/chroot/home
cd /home/chroot
mkdir etc bin lib usr usr/bin dev
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 666 dev/null dev/zero

The chmod is needed because mknod creates the nodes with the root umask applied (typically mode 644), and a user who cannot write to /dev/null will have every "> /dev/null" redirection fail. Leave /home/chroot itself owned by root with mode 755; the user must not be able to write to the chroot root.

Now the directories need some binaries. Copy the following script into a file and run it from /home/chroot. If you need more programs, add them to the APPS line.
#!/bin/bash
# Run this from /home/chroot. Copies each program and the shared libraries
# ldd reports for it to the same path below the chroot.
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /usr/bin/dircolors"
for prog in $APPS; do
    mkdir -p ./`dirname $prog`
    cp $prog ./$prog
    # obtain a list of related libraries: take the first absolute path on each
    # ldd line. This also catches the dynamic loader (/lib/ld-linux.so.2) on
    # ldd versions that print it without a "=>", where field 3 is empty, and
    # skips the vdso line (linux-gate.so.1), which has no file to copy.
    if ldd $prog > /dev/null 2>&1; then
        LIBS=`ldd $prog | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'`
        for l in $LIBS; do
            mkdir -p ./`dirname $l`
            cp $l ./$l
        done
    fi
done

/bin/ping from the original list is left out on purpose: it only works as a setuid-root binary, plain cp drops the setuid bit anyway, and a setuid-root program inside the chroot is the classic way to break out of it. Do not chmod u+s anything below /home/chroot.
After you have run the script, the chroot environment is almost done. Run the following from /home/chroot to copy a few more libraries and the user information into the chroot:

cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
chmod 755 usr/bin/groups
grep /etc/passwd -e "^root" > etc/passwd

The NSS libraries have to be copied by hand because glibc loads them with dlopen() at run time, so ldd never lists them; without them id and ls show bare numeric uids and gids. The chmod makes the small groups wrapper executable, which the two echo lines alone do not. Do not copy /etc/shadow into the chroot: sshd authenticates the user before it chroots, so the password hashes are not needed inside and must not be readable there.

You should also copy the line of the group in which you will create new users from /etc/group to /home/chroot/etc/group. In this tutorial we create users in the group users, so:

grep /etc/group -e "^root" -e "^users" > etc/group

Then restart sshd (the Gentoo init script is called sshd, not ssh):

/etc/init.d/sshd restart
Creating chrooted users

The patched sshd decides which users are chrooted by looking at the home directory field in /etc/passwd: a "/./" in the path marks the boundary, everything before it becomes the chroot root and everything after it the home directory seen from inside. Example of a non-chrooted user:

user_a:x:2002:100:User A:/home/user_a:/bin/bash

This user will be chrooted into /home/chroot, with /home/user_b as the home directory inside it:

user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash

Now let's add a test user to the chrooted user list:

useradd -s /bin/bash -m -d /home/chroot/./home/testuser -c "testuser" -g users testuser

Then give testuser a password:

passwd testuser

Finally, copy the line for testuser from /etc/passwd to /home/chroot/etc/passwd, so that id and ls can resolve the name inside the chroot (the shadow entry stays outside):

grep /etc/passwd -e "^testuser" >> /home/chroot/etc/passwd

Now log in as testuser and check that everything worked: ls / should show only the directories created above, pwd should print /home/testuser rather than /home/chroot/home/testuser, and id should print the user and group names rather than numbers.
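The following script is an added example, not part of the original tutorial. It packages the two steps above that are easiest to get wrong, extracting library paths from ldd output (including the dynamic loader, which reading field 3 misses on ldd versions that print the loader without a "=>") and reading the "/./" marker out of a passwd entry, and adds a check of the finished chroot. It assumes the layout described above; the function names, the SAMPLE_LDD text (constructed, not captured from a real system) and the list of checks are my own.

```bash
#!/bin/bash
# Added example, not from the original tutorial. Helper functions for the
# chroot layout described above (/home/chroot, '/./' marker in the passwd
# home field). Function names and the sample data are assumptions.

# Print the absolute paths of the shared objects named in ldd output read
# from stdin, one per line, sorted. Taking the first absolute path on each
# line handles "libc.so.6 => /lib/libc.so.6 (0x..)", the old loader line
# "/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x..)", the current loader
# line "/lib/ld-linux.so.2 (0x..)", and skips "linux-gate.so.1 => (0x..)",
# the vdso, which has no file on disk.
ldd_libs() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' \
        | LC_ALL=C sort -u
}

# Copy a program and the libraries it needs below chroot root $1, keeping
# the directory layout. Plain cp (no -p) drops setuid bits on purpose: a
# setuid-root binary inside a chroot is the classic way out of it.
install_into_chroot() {
    local root=$1 prog=$2 lib
    mkdir -p "$root$(dirname "$prog")"
    cp "$prog" "$root$prog"
    ldd "$prog" 2>/dev/null | ldd_libs | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp "$lib" "$root$lib"
    done
}

# Given one passwd line, print "<chroot root> <home seen inside the chroot>"
# if the home field carries the '/./' marker; return 1 for a normal user.
chroot_split() {
    local home
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    case $home in
        */./*) printf '%s /%s\n' "${home%%/./*}" "${home#*/./}" ;;
        *)     return 1 ;;
    esac
}

# Check the chroot at $1 for user $2, printing one line per problem found.
# Returns 0 only when nothing is wrong.
check_chroot() {
    local root=$1 user=$2 rc=0
    [ -x "$root/bin/bash" ] || { echo "missing $root/bin/bash"; rc=1; }
    [ -c "$root/dev/null" ] || { echo "missing $root/dev/null"; rc=1; }
    grep -q "^$user:" "$root/etc/passwd" 2>/dev/null \
        || { echo "$user not in $root/etc/passwd"; rc=1; }
    # Password hashes are checked by sshd before the chroot happens and
    # must not be readable from inside.
    [ ! -e "$root/etc/shadow" ] || { echo "$root/etc/shadow must not exist"; rc=1; }
    # The user must not be able to write to the chroot root itself.
    [ -z "$(find "$root" -maxdepth 0 -perm /022)" ] \
        || { echo "$root is group or world writable"; rc=1; }
    return $rc
}

# Constructed ldd output (not captured from a real system) covering both
# loader line formats and the vdso, for exercising ldd_libs offline.
SAMPLE_LDD='	linux-gate.so.1 =>  (0xb7fe3000)
	libc.so.6 => /lib/libc.so.6 (0xb7e9e000)
	libdl.so.2 => /lib/libdl.so.2 (0xb7e9a000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0xb7fe4000)
	/lib/ld-linux.so.2 (0xb7fe4000)'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LDD" | ldd_libs
chroot_split 'user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash'
```

To use it on a real chroot, source the file and run install_into_chroot /home/chroot /bin/bash (and so on for each program), then check_chroot /home/chroot testuser once the passwd entry is in place; the check has to be run as root, since only root can read the permissions and device nodes reliably.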