Hi,
H D Moore wrote:
Secured file and directory permissions are good, but I would love to
restrict my users to a 'jail' virtual root. Create a new root directory
at /jail and move all of thier home directories there as well as copies
of system binaries. Then you could symlink the orignal directories back
to the chrooted ones and maybe even symlink the jail bin directory to
symlinking is not enough, you must hardlink them
the system one. Hence you get full functionality is a chrooted
environment, the problem is HOW DO YOU DO THIS WITH SSH (outside of
patching the code, which is probably trivial).
the following is not tested, but may work:
create a user (here uid 1123) with a login shell "/bin/jailshell",
jailshell.c could look like this:
#include
main(argc, argv)
int argc;
char** argv;
{
chroot("/jail");
setuid(1123);
system("/bin/bash");
}
compile it (gcc -o jailshell jailshell.c)
chown root jailshell
chmod 4555 jailshell
disallow .shosts/.rhosts and password authentication, only allow
RSA-Authentication:
put into /etc/sshd_config:
IgnoreRhosts yes
RhostsAuthentication no
PasswordAuthentication no
KerberosAuthentication no
RSAAuthentication yes
create a key (ssh-keygen) on the host where the user comes from
restrict the commands users with certain keys can execute to jailshell:
put the public key in .ssh/authorized_keys
command="/bin/jailshell",no-port-forwarding the_public_key....
see 'man sshd', especially the section 'AUTHORIZED_KEYS FILE FORMAT'
Ciao,
Robert
--
Robert Hoffmann Robert.Hoffmann@consol.de
ConSol* Software GmbH http://www.consol.de
Franziskanerstr. 38 Tel: +49-89-45841-294
81669 Muenchen Fax: +49-89-45841-111
Tel. (BMW): +49-89-382-45889