Dear Thomas,
doing a google search I found your post
http://archives.neohapsis.com/archives/linux/suse/2004-q1/0393.html
Because I'm interested in setting up a chroot ssh login, I'd like to know how you did it.
Thank you in advance!
Best regards,
Martin
No probs... I hope you don't mind, but I'm also sending it to the list which you found on Google. To those on the list who helped me get this set up - thanks!!

As it happens, I've now moved away from the chroot login, but it did work very well (as far as I could tell). Here's what I had:

I installed the "compart" (or was it "compartment"?) package from Yast.

/etc/passwd contained:

    update:x:5000:65534:Update User:/home/update:/bin/compart.jail

I used /home/update/JAIL not /home/update as /home/update/.ssh/authorised_keys contained the stuff to enable a passwordless login.

/bin/compart.jail contained:

    #!/bin/bash
    sudo /usr/sbin/compartment --user update --group nogroup --chroot /home/update/JAIL /bin/bash "$@"

/etc/sudoers contained:

    update ALL= NOPASSWD: /usr/sbin/compartment --user update --group nogroup --chroot /home/update/JAIL /bin/bash*

The directory /home/update/JAIL ($JAIL) contained the full set of files that the update user required. `ldd` gave me the libraries that the programs all required, thus:

    .:
    total 1
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 .
    0 drwxr-xr-x 4 root root 160 2004-01-29 16:03 ..
    0 drwxr-xr-x 2 root root 192 2004-01-26 09:57 bin
    0 drwxr-xr-x 2 root root 96 2004-01-23 14:08 dev
    0 drwxr-xr-x 2 root root 128 2004-01-27 11:23 etc
    1 drwxr-xr-x 3 root root 664 2004-01-26 09:55 lib
    0 drwxr-xr-x 4 root root 112 2004-01-22 09:33 upload
    0 drwxr-xr-x 4 root root 96 2004-01-22 14:50 usr

    ./bin:
    total 645
    0 drwxr-xr-x 2 root root 192 2004-01-26 09:57 .
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 ..
    469 -rwxr-xr-x 1 root root 477132 2004-01-20 15:02 bash
    68 -rwxr-xr-x 1 root root 68460 2004-01-20 15:02 ls
    20 -rwxr-xr-x 1 root root 18928 2004-01-20 15:02 mkdir
    52 -rwxr-xr-x 1 root root 52184 2004-01-20 15:02 mv
    8 -rwxr-xr-x 1 root root 6096 2004-01-20 15:02 pwd
    28 -rwxr-xr-x 1 root root 26656 2004-01-20 15:02 rm

    ./dev:
    total 0
    0 drwxr-xr-x 2 root root 96 2004-01-23 14:08 .
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 ..
    0 crw-rw-rw- 1 root root 5, 0 2004-01-22 14:39 tty
    0 crw-r--r-- 1 root root 1, 9 2004-01-20 16:00 urandom

    ./etc:
    total 12
    0 drwxr-xr-x 2 root root 128 2004-01-27 11:23 .
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 ..
    4 -r-------- 1 root root 27 2004-01-22 16:11 group
    4 -rw-r--r-- 1 root root 1722 2004-01-21 09:08 ld.so.cache
    4 -r-------- 1 root root 65 2004-01-22 16:12 passwd

    ./lib:
    total 1789
    1 drwxr-xr-x 3 root root 664 2004-01-26 09:55 .
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 ..
    0 drwxr-xr-x 2 root root 112 2004-01-23 14:08 i686
    92 -rwxr-xr-x 1 root root 91085 2004-01-22 14:47 ld-linux.so.2
    28 -rwxr-xr-x 1 root root 25416 2004-01-20 15:02 libacl.so.1
    16 -rwxr-xr-x 1 root root 13974 2004-01-20 15:02 libattr.so.1
    8 -rwxr-xr-x 1 root root 7518 2004-01-22 16:05 libcom_err.so.2
    44 -rwxr-xr-x 1 root root 43395 2004-01-22 14:47 libcrypt.so.1
    12 -rwxr-xr-x 1 root root 11856 2004-01-20 15:02 libdl.so.2
    104 -rwxr-xr-x 1 root root 104452 2004-01-22 16:05 libext2fs.so.2
    124 -rwxr-xr-x 1 root root 122891 2004-01-20 15:02 libhistory.so.4
    304 -rwxr-xr-x 1 root root 307598 2004-01-20 15:02 libncurses.so.5
    88 -rwxr-xr-x 1 root root 87717 2004-01-22 14:47 libnsl.so.1
    52 -rwxr-xr-x 1 root root 50541 2004-01-21 09:11 libnss_compat.so.2
    44 -rwxr-xr-x 1 root root 44639 2004-01-21 09:13 libnss_files.so.2
    637 -rwxr-xr-x 1 root root 650278 2004-01-20 15:02 libreadline.so.4
    72 -rwxr-xr-x 1 root root 70056 2004-01-22 14:47 libresolv.so.2
    36 -rwxr-xr-x 1 root root 34085 2004-01-20 15:02 librt.so.1
    12 -rwxr-xr-x 1 root root 10600 2004-01-22 14:47 libutil.so.1
    52 -rwxr-xr-x 1 root root 52751 2004-01-21 11:35 libxcrypt.so.1
    64 -rwxr-xr-x 1 root root 61850 2004-01-22 14:47 libz.so.1

    ./lib/i686:
    total 1390
    0 drwxr-xr-x 2 root root 112 2004-01-23 14:08 .
    1 drwxr-xr-x 3 root root 664 2004-01-26 09:55 ..
    1289 -rwxr-xr-x 1 root root 1315242 2004-01-20 15:02 libc.so.6
    100 -rwxr-xr-x 1 root root 98628 2004-01-20 15:02 libpthread.so.0

    ./usr:
    total 0
    0 drwxr-xr-x 4 root root 96 2004-01-22 14:50 .
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 ..
    0 drwxr-xr-x 2 root root 192 2004-01-26 09:56 bin
    0 drwxr-xr-x 2 root root 280 2004-01-23 14:08 lib

    ./usr/bin:
    total 504
    0 drwxr-xr-x 2 root root 192 2004-01-26 09:56 .
    0 drwxr-xr-x 4 root root 96 2004-01-22 14:50 ..
    8 -rwxr-xr-x 1 root root 6056 2004-01-22 16:03 env
    4 -rw-r--r-- 1 root root 19 2004-01-20 15:00 groups
    12 -rwxr-xr-x 1 root root 9400 2004-01-20 15:02 id
    192 -rwxr-xr-x 1 root root 196256 2004-01-20 15:02 rsync
    32 -rwxr-xr-x 1 root root 28772 2004-01-22 14:33 scp
    256 -rwxr-xr-x 1 root root 260976 2004-01-20 15:02 ssh

    ./usr/lib:
    total 2221
    0 drwxr-xr-x 2 root root 280 2004-01-23 14:08 .
    0 drwxr-xr-x 4 root root 96 2004-01-22 14:50 ..
    148 -rwxr-xr-x 1 root root 147873 2004-01-22 14:48 libasn1.so.5
    8 -rwxr-xr-x 1 root root 7801 2004-01-22 14:48 libcom_err.so.1
    941 -r-xr-xr-x 1 root root 961852 2004-01-22 14:47 libcrypto.so.0.9.6
    729 -rwxr-xr-x 1 root root 744626 2004-01-22 14:48 libdb-4.0.so
    52 -rwxr-xr-x 1 root root 53230 2004-01-22 14:48 libgssapi.so.1
    260 -rwxr-xr-x 1 root root 263374 2004-01-22 14:48 libkrb5.so.17
    84 -rwxr-xr-x 1 root root 84253 2004-01-22 14:48 libroken.so.9

    upload/:
    total 0
    0 drwxr-xr-x 4 root root 112 2004-01-22 09:33 .
    0 drwxr-xr-x 8 root root 192 2004-01-27 09:54 ..
    0 drwxr-xr-x 7 update nogroup 256 2004-02-09 23:04 catalogue
    0 drwxrwxrwx 2 update nogroup 48 2004-01-30 08:35 publicsite

$JAIL/etc/passwd contained:

    root:x:0:0:root:/root:/bin/bash
    update:x:5000:65534::/:/bin/bash

$JAIL/etc/group contained:

    root:x:0:
    nogroup:x:65534:

I think my biggest problem was tweaking the sudoers and the compart.jail files to work properly together.

Possible improvements and other security thoughts:

1. I think to make it more secure I'd put it in a separate partition, with appropriate security options set. The only problem is that given that this user would be allowed to upload files (to $JAIL/upload/catalogue and $JAIL/upload/publicsite), I wouldn't be able to make it readonly.

2. PAM was to be used to limit upload's logon times to certain times of day, and to only allow root@other_host to login as update. This would mean that the other machine would have to be root-compromised to let an unauthorised user log in to the chroot jail.

3. A cron job that performs and compares checksums on files in $JAIL, replacing them if required (and reporting if this happens).

4. The files uploaded by the update user are copied out of the jail, undergo a set of sanity checks and are _then_ put in place of the current website and catalogue.

5. I thought about using `chattr` to make files really difficult to modify, but I find out much about it before I discovered that it's not so available for ReiserFS.

The reason I'm not using this system now is that I couldn't get rsync to work, and if I'm reduced to having all files uploaded I may as well use sftp and have no direct shell access whatsoever. Hell, it's only bandwidth!

Tom.
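
Added example, not part of Tom's message: one way to implement improvement 3 above (checksum the files in $JAIL from cron, replace changed ones and report). The function names, the manifest file and the root-owned pristine copy kept outside the jail are assumptions; upload/ is skipped because the update user is meant to write there.

```shell
#!/bin/sh
# Added example (not from the post). Function names, the manifest file and
# the pristine copy kept outside the jail are assumptions. Needs GNU
# sha256sum; file names with newlines or backslashes are not handled.

# Regular files in the jail, skipping upload/ where the jailed user writes.
jail_files() {
    ( cd "$1" && find . -path ./upload -prune -o -type f -print | sort )
}

# Baseline: one "sha256  ./path" line per static file.
jail_manifest() {
    jail_files "$1" |
        ( cd "$1" && while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# Re-hash every baselined file; restore changed or missing ones from the
# pristine copy and list files that are not in the baseline. Prints one
# line per finding and returns 1 if there were any.
jail_verify() {
    jail=$1 manifest=$2 pristine=$3
    report=$(
        while read -r want path; do
            have=$(cd "$jail" && sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
            [ "$have" = "$want" ] && continue
            mkdir -p "$(dirname "$jail/$path")"
            if cp -p "$pristine/$path" "$jail/$path"; then
                echo "RESTORED $path"
            else
                echo "FAILED $path"
            fi
        done < "$manifest"
        # The path starts at column 67: 64 hex digits plus two spaces.
        jail_files "$jail" | while IFS= read -r path; do
            cut -c67- "$manifest" | grep -qxF -- "$path" ||
                echo "UNEXPECTED $path"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Cron entry point: "init JAIL MANIFEST" or "verify JAIL MANIFEST PRISTINE".
# cron mails any output to the job owner, which covers the reporting.
case "${1:-}" in
    init)   jail_manifest "$2" "$3" ;;
    verify) jail_verify "$2" "$3" "$4" ;;
esac
```

Only regular files are baselined, so device nodes such as $JAIL/dev/tty and directory permissions need a separate check.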