List,
I am putting together an sftp server and would like to use a restrictive shell with a chroot jail. I was wondering what members of the list thought about rssh as opposed to scponly.
Greg Ennis
On 27.03.2011 at 21:53, Gregory P. Ennis wrote:
List,
I am putting together an sftp server and would like to use a restrictive shell with a chroot jail. I was wondering what members of the list thought about rssh as opposed to scponly.
If you use sftp, it can be chroot'ed by default (see man-page). (In reasonably recent version of sshd)
That is certainly the best - scponly chroot is a hack IMO.
Rainer
On 03/27/11 1:03 PM, Rainer Duffner wrote:
If you use sftp, it can be chroot'ed by default (see man-page). (In reasonably recent version of sshd)
I gather that's an sshd somewhat newer than the one included in CentOS 5? The only mention of chroot in man sshd is the /var/empty/sshd dir used during preauthorization.
I'd be very cautious on setting this up, or you could easily lose access to ssh shell sessions since ssh/scp/sftp are all so tightly coupled.
On 27.03.2011 at 22:57, John R Pierce wrote:
On 03/27/11 1:03 PM, Rainer Duffner wrote:
If you use sftp, it can be chroot'ed by default (see man-page). (In reasonably recent version of sshd)
I gather that's an sshd somewhat newer than the one included in CentOS 5?
I don't know. ;-) I only used it in FreeBSD - but it's included there since at least 7.2. That was released in May 2009. OpenSSH 5.1p1
Looking, sshd in my latest CentOS shows v 4.6p2
Oh-dear.
-----------------------------------------------------------
Rainer,
I am running Centos 5.5. which has OpenSSH_4.3p2. I guess this means I am back to using rssh or scponlyc. So far I have not been able to get either of these to work properly with chroot.
Any suggestions ?
Greg
On 28.03.2011 at 00:20, Gregory P. Ennis wrote:
I am running Centos 5.5. which has OpenSSH_4.3p2. I guess this means I am back to using rssh or scponlyc. So far I have not been able to get either of these to work properly with chroot.
Any suggestions ?
I haven't been using scponly for a long time. There are instructions on the scponly wiki on how to get the chroot working. They should work. (Basically, they involve setting-up a complete chroot-environment with /dev etc.)
I suggest you consult their sourceforge resources for specific question or problems with the setup.
-------------------------------------
Thanks for your help
Greg
2011/3/28 Rainer Duffner rainer@ultra-secure.de:
On 27.03.2011 at 22:57, John R Pierce wrote:
On 03/27/11 1:03 PM, Rainer Duffner wrote:
If you use sftp, it can be chroot'ed by default (see man-page). (In reasonably recent version of sshd)
I gather that's an sshd somewhat newer than the one included in CentOS 5?
I don't know. ;-) I only used it in FreeBSD - but it's included there since at least 7.2. That was released in May 2009. OpenSSH 5.1p1
Looking, sshd in my latest CentOS shows v 4.6p2
rhel / centos contains openssh with backported chroot:
rpm -q --changelog openssh-server | grep chroot
- minimize chroot patch to be compatible with upstream (#522141)
- tiny change in chroot sftp capability into openssh-server solve ls speed problem (#440240)
- add chroot sftp capability into openssh-server (#440240)
- enable the subprocess in chroot to send messages to system log
-- Eero
-----------------------------
Eero,
That is very interesting. I found the same on my OpenSSH_4.3p2 system. I tried to use it, but could not make it work. Are you aware of any documentation or others that have made this work.
Greg
On Sun, Mar 27, 2011 at 10:12 PM, Gregory P. Ennis PoMec@pomec.net wrote:
On 27.03.2011 at 22:57, John R Pierce wrote:
On 03/27/11 1:03 PM, Rainer Duffner wrote:
If you use sftp, it can be chroot'ed by default (see man-page). (In reasonably recent version of sshd)
I gather that's an sshd somewhat newer than the one included in CentOS 5?
I don't know. ;-) I only used it in FreeBSD - but it's included there since at least 7.2. That was released in May 2009. OpenSSH 5.1p1
Looking, sshd in my latest CentOS shows v 4.6p2
rhel / centos contains openssh with backported chroot:
rpm -q --changelog openssh-server | grep chroot
- minimize chroot patch to be compatible with upstream (#522141)
- tiny change in chroot sftp capability into openssh-server solve ls
speed problem (#440240)
- add chroot sftp capability into openssh-server (#440240)
- enable the subprocess in chroot to send messages to system log
Only by recompiling and backporting OpenSSH 5.x from RHEL 6, or by getting "Centrify" and their tools from www.centrify.com. Centrify also includes good tools for integration with Active Directory based authentication, very useful in a mixed environment where you don't have the political pull to get the AD administrators in the same room to discuss how LDAP and Kerberos actually work and why Linux can cooperate with it. Being able to wave that magic "commercially supported" wand seems to help with those meetings, and it's actually a pretty good toolkit.
The above appears to be wrong wrt chrooting sftp on C5.
According to https://bugzilla.redhat.com/show_bug.cgi?id=440240 and http://rhn.redhat.com/errata/RHSA-2009-1287.html the ability to chroot was backported into rhel/centos 5 back in 2009-09-02.
In addition sshd_config(5) says the following:
Subsystem Configures an external subsystem (e.g., file transfer daemon). Arguments should be a subsystem name and a command (with optional arguments) to execute upon subsystem request.
The command sftp-server(8) implements the sftp file transfer subsystem. Alternately the name internal-sftp implements an in-process sftp server. This may simplify configurations using ChrootDirectory to force a different filesystem root on clients.
By default no subsystems are defined. Note that this option applies to protocol version 2 only.
http://undeadly.org/cgi?action=article&sid=20080220110039 might be useful in setting this up.
Of course I could be wrong since I have not tried this yet but it is on my short list for this week.
Regards,
On 28.3.2011 05:53, Tom Diehl wrote:
According to https://bugzilla.redhat.com/show_bug.cgi?id=440240 and http://rhn.redhat.com/errata/RHSA-2009-1287.html the ability to chroot was backported into rhel/centos 5 back in 2009-09-02.
In addition sshd_config(5) says the following:
Subsystem Configures an external subsystem (e.g., file transfer daemon). Arguments should be a subsystem name and a command (with optional arguments) to execute upon subsystem request.
The command sftp-server(8) implements the sftp file transfer subsystem. Alternately the name internal-sftp implements an in-process sftp server. This may simplify configurations using ChrootDirectory to force a different filesystem root on clients. By default no subsystems are defined. Note that this option applies to protocol version 2 only.
http://undeadly.org/cgi?action=article&sid=20080220110039 might be useful in setting this up.
Yes, it is possible to chroot with stock OpenSSH in recent CentOS!
1. Unfortunately the Match directive is not backported, so the only possibility is to chroot all users, including root.
2. The chroot is not restricted to sftp; ssh is chrooted also.
3. All users are chrooted, including root.
I am aware of 2 possible methods to work around these limitations:
Configure 2 ssh daemons, one chrooted for sftp and one default. The chrooted sshd has to listen on another IP or port.
Or, alternatively (only one sshd needed) ChrootDirectory %h and change home for root to / (sounds nasty and it is ;-)
However you do it, the directory given to ChrootDirectory has to be read-only for normal users. If it were writable the user could manipulate the content of the chroot. Write access has to be restricted to a subdirectory of ChrootDirectory.
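As an added example (not code from the thread or from OpenSSH), a small POSIX shell helper covering two points raised above: Tom's quote of sshd_config(5) on internal-sftp with ChrootDirectory, and Markus's rule that the chroot directory itself must not be writable by the confined user. The function names, the sftponly group and the /srv/sftp path are assumptions; the Match-based fragment needs OpenSSH 5.x or newer, not the CentOS 5 backport, and belongs in /etc/ssh/sshd_config, not in a user's ~/.ssh/config.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for a chrooted-sftp setup:
#  - a permission check mirroring the rule sshd enforces on ChrootDirectory
#    (every path component root-owned and not group/other-writable), and
#  - a generator for a Match-based sshd_config fragment (OpenSSH 5.x+).
# Names, the "sftponly" group and /srv/sftp are assumptions for illustration.

# chroot_component_ok UID MODE -> 0 if root-owned and not group/other-writable.
# MODE is the symbolic form printed by `stat -c %A`, e.g. drwxr-xr-x.
chroot_component_ok() {
    [ "$1" = 0 ] || return 1
    case "$2" in
        ?????w*|????????w*) return 1 ;;   # group write (pos 6) or other write (pos 9)
    esac
    return 0
}

# check_chroot_path DIR -> 0 only if DIR and every parent pass the check above.
# Uses GNU stat (CentOS/RHEL); prints the first offending component on stderr.
check_chroot_path() {
    d=$1
    while :; do
        out=$(stat -c '%u %A' "$d" 2>/dev/null) || return 1
        set -- $out
        if ! chroot_component_ok "$1" "$2"; then
            echo "unsafe chroot component: $d ($2, uid $1)" >&2
            return 1
        fi
        [ "$d" = / ] && return 0
        d=${d%/*}; [ -n "$d" ] || d=/
    done
}

# sftp_chroot_fragment GROUP CHROOT -> sshd_config lines confining members of
# GROUP to CHROOT with the in-process sftp server. CHROOT stays root-owned and
# read-only; give users a writable subdirectory inside it for uploads.
sftp_chroot_fragment() {
    cat <<EOF
Subsystem sftp internal-sftp
Match Group $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Demo (constructed values): validate a candidate directory, then emit config.
if check_chroot_path /srv/sftp 2>/dev/null; then
    echo "/srv/sftp is acceptable as ChrootDirectory"
fi
sftp_chroot_fragment sftponly /srv/sftp
```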
-------------------------------------------------------------------
Markus,
Thanks for taking the time to respond. I was hoping I could chroot for just one user without running two sshds. Being able to restrict one user sure is needed. Do you know if CentOS 5.6 or 6.0 will allow this?
I have not been able to get rssh or scponlyc to work yet, but have not stopped trying.
Greg
If you use sftp, it can be chroot'ed by default (see man-page). (In reasonably recent version of sshd)
I gather that's an sshd somewhat newer than the one included in CentOS 5? The only mention of chroot in man sshd is the /var/empty/sshd dir used during preauthorization.
I'd be very cautious on setting this up, or you could easily lose access to ssh shell sessions since ssh/scp/sftp are all so tightly coupled.
_______________________________________________
Thank you for your post. I have sure not been able to find the appropriate references in the man pages. I am running CentOS 5.5.
I did try putting a copy of /etc/ssh/ssh_config as /home/user/.ssh/config with the addition of:
Subsystem sftp internal-sftp
Match User ftp
    ForceCommand internal-sftp
    ChrootDirectory /home/user
But this did not work.
Any suggestions ???
Greg
On Sun, Mar 27, 2011 at 4:57 PM, John R Pierce pierce@hogranch.com wrote:
On 03/27/11 1:03 PM, Rainer Duffner wrote:
If you use sftp, it can be chroot'ed by default (see man-page). (In reasonably recent version of sshd)
I gather that's an sshd somewhat newer than the one included in CentOS 5? The only mention of chroot in man sshd is the /var/empty/sshd dir used during preauthorization.
Yeah, it's not supported until OpenSSH version 5.x. That upgrade will cause other surprises. Some colleagues ran headlong into it no longer reading ".bashrc" unless it's an actual login session, and became quite concerned when their local host-specific aliases were no longer available to their remote "ssh" commands.
I'd be very cautious on setting this up, or you could easily lose access to ssh shell sessions since ssh/scp/sftp are all so tightly coupled.
Yeah, I used to publish chroot cage tools for ssh-1, ssh-2, and OpenSSH years ago.