Hi,
Is anyone chrooting users that connect through SSH?
I looked for it on Google and I basically saw several methods: - OpenSSH 5 supports ChrootDirectory (FC9 apparently has RPMs that probably could be rebuilt under CentOS 5) - There seem to be several patches for OpenSSH 4.x to do the chroot, the most popular seems to be http://chrootssh.sf.net/ - There appears to be a pam_chroot - There are solutions based on setting the user's shell to a script/binary that does the chroot
By quickly looking at yum list, it doesn't seem like neither RHEL nor CentOS directly support any of those, at least I didn't find any RPMs for any of those.
If anyone is doing it, I would like to know what were your experiences and if you would recommend doing it or not.
I'm specially interested in anything that doesn't involve replacing the OpenSSH that comes with CentOS, after all, that's what CentOS is all about, if you start replacing the pieces, what's the point...
Thanks a lot! Filipe
Filipe Brandenburger wrote:
Hi,
Is anyone chrooting users that connect through SSH?
Just the other week sshd 4.9 enabled chroot for the first time I think. Fairly new stuff. You'll have to roll your own rpm for CentOS as it will be unlikely that they roll it - probably not even for 5.2 either.
* Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory". Please refer to sshd_config(5) for details, and please use this feature carefully. (bz#177 bz#1352)
pam_chroot might get deprecated.
-eric
On Sat, Jun 7, 2008 at 12:18 AM, Eric Wood eric@interplas.com wrote:
Just the other week sshd 4.9 enabled chroot for the first time I think. Fairly new stuff. You'll have to roll your own rpm for CentOS as it will be unlikely that they roll it - probably not even for 5.2 either.
Yeah, I was considering rebuilding FC9 RPM of OpenSSH 5.0 which would include the feature. However, I would rather avoid using an SSH server other than the one provided by CentOS, since the whole point of RHEL/CentOS is to have a certified platform, if you start replacing packages you might break that.
pam_chroot might get deprecated.
I was digging into the issue and I realised pam_chroot is actually installed in CentOS 5 by default:
$ rpm -ql pam.x86_64 | grep chroot /etc/security/chroot.conf /lib64/security/pam_chroot.so /usr/share/doc/pam-0.99.6.2/txts/README.pam_chroot
I googled around but I didn't find any howto's on how to enable it and set it up. Is anyone using it successfully? Does it integrate seamlessly with OpenSSH? How should I set it up?
Thanks! Filipe
easy way to get sshd ver.5 installed on centos5 http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/SRPMS/ rpmbuild --rebuild openssh-5.0p1-1.el5.hrb.src.rpm worked for me .. but honestly, has excited has I was, I do not find chroot to be that useful .. if I remember correctly, the chroot directory has to be owned by root and was not possible with my setup.
alternative "scponly" from from the EPEL Repositories (http://download.fedora.redhat.com/pub/epel/5/x86_64/) will give your users secure file transfers access without a terminal
my favorite "rssh" rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.
hope this help alain
Filipe Brandenburger wrote:
Hi,
Is anyone chrooting users that connect through SSH?
I looked for it on Google and I basically saw several methods:
- OpenSSH 5 supports ChrootDirectory (FC9 apparently has RPMs that
probably could be rebuilt under CentOS 5)
- There seem to be several patches for OpenSSH 4.x to do the chroot,
the most popular seems to be http://chrootssh.sf.net/
- There appears to be a pam_chroot
- There are solutions based on setting the user's shell to a
script/binary that does the chroot
By quickly looking at yum list, it doesn't seem like neither RHEL nor CentOS directly support any of those, at least I didn't find any RPMs for any of those.
If anyone is doing it, I would like to know what were your experiences and if you would recommend doing it or not.
I'm specially interested in anything that doesn't involve replacing the OpenSSH that comes with CentOS, after all, that's what CentOS is all about, if you start replacing the pieces, what's the point...
Thanks a lot! Filipe _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
-
Alain Terriault -
Eric Wood -
Filipe Brandenburger