Mailinglist Archive: opensuse-security (320 mails)

< Previous Next >
RE: [suse-security] SSH and CHROOT alternatives...
  • From: "Dirk Schreiner" <dirk.schreiner@xxxxxxx>
  • Date: Thu, 22 May 2003 19:03:10 +0200
  • Message-id: <000e01c32084$0612e7a0$6901060a@xxxxxxx>
Hi,

i guess there are 2 Ways to do the job:

1:] using Pub/Pirv. - Key Authenticating, with the chroot Command
included in the public-Key of the user in known_hosts on the server.

2:] giving the user the chroot-command as default-Shell
(witch might fail)

For both:
You need a {chroot}/dev/random in the chroot-jail
(use mknod)
and you need the commands the user should be able to use
in {chroot}/bin
(you might visit http://www.busybox.net/ )

For the /home/user use a _hardlink_ created by 1:] or 2:]

this should work.
(Did something similar 1 Year ago.)

Greetings
Dirk



> -----Original Message-----
> From: jonathanneto@xxxxxxxxxxx [mailto:jonathanneto@xxxxxxxxxxx]
> Sent: Thursday, May 22, 2003 5:54 PM
> To: suse-security@xxxxxxxx
> Subject: Re: [suse-security] SSH and CHROOT alternatives...
>
>
> Hi,
>
> I never did what you mean but here is what I have in mind.
> The problem with chroot with ssh (if it really can be run
> this way), seems
> to be that the users could not access /bin /usr/bin,etc
> so they can not even list files using ls. Of course you can copy this
> directories to the chrooted directory.
> To access the home you could use a workaround
> mounting the homes with nfs and using iptables to allow only
> localhost to
> use nfs at all.
>
> I think the easiest way is to get another machine just for
> ssh, and mount
> the home using nfs as soon as user logs in.
> You can also replace nfs for another network file system like samba.
>
> You can also forget about chroot and treat with the filesystem
> permission, puttin 700 mode on the directories you dont want users to
> access. Eg. you can let users access /usr, but not /var.
> In this case care must be taken on directories like /etc.
>
> Hope it helps
>
> Regards
> Jonathan
>
> > Howdoo all,
> >
> > I've been looking at trying to secure SSH sessions so that specified
> users
> > can
> > only browse their home diretories.
> >
> > I've found a couple of bodges that can be made to do the
> trick, but none of
> > them seem particulalry ideal.
> >
> > Has anyone got any suggestions on how I could secure SSH in this
> fashion,
> > whether using CHROOT or something else entirely I don't mind.
> >
> > Cheers.
> >
> >
> >
> > ----~~~~==oOo==~~~~----
> > Duncan Carter
> > ----~~~~==oOo==~~~~----
> >
> > --
> > Check the headers for your unsubscription address
> > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > Security-related bug reports go to security@xxxxxxx, not here
> >
> >
>
>
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>



< Previous Next >
References