Security Webmaster OKDesign oHG wrote:
Does anyone know how to do a chroot for users logging in via SSH ? You know, like the chroot that can automatically be done when ftp'ing onto the server.
Search for the Virtual Services How-To by Brian Ackermann (brian@nycrc.net). It includes some examples (which, however, have to be adapted to work with Linux) how to "virtualize" all daemons and services. In principle it uses getsockname() to determine which IP is being accessed, then reads the virtual info from a configuration file to chroot() to the defined directory and hand over the connection to the service. In conjunction with inetd, virtuald can virtualize any service (with more or less changes). I tried pop3, telnet, ssh, ftp and some more, and it was hard (impossible?) to discover that you are connected only on a virtual server, not a stand-alone-machine. Even "virtual root" on a virtual machine cannot escape the chroot (must be fun to watch the virtual r00t on a compromised machine ;-) ). This means, that you have to have IP-aliases up and running and need to copy some directory trees (/bin, /usr/bin, /etc (don't use your main /etc!) ...) into the virtual machines to give your users a full working environment. A "naked" virtual machine here took up about 50MB, not too much regarding the average size of HDDs nowadays... ;-). I recommend a profound knowledge of what you are doing and how the whole thing works. virtuald is great as a security concept, but it's easy to mess things up. regards, Alexander Wolf