We have a requirement to allow ssh access to a server in order to provide a secure link to one of our legacy systems. I would like to chroot these accounts.
I have this working except for one small detail, the user's prompt in the ssh session. Each user has their shell set to /bin/bash in /etc/passwd. However, instead of getting the prompt defined in their .bash_profiles we see this:
-bash-4.1$
when we are expecting this:
[username@hostname dir]$
So, before I go messing around moving files I would like some information from you as to what I have overlooked. Do I need to move something like /etc/passwd and /etc/group into the chroot/etc?
TIA
James B. Byrne wrote:
We have a requirement to allow ssh access to a server in order to provide a secure link to one of our legacy systems. I would like to chroot these accounts.
I have this working except for one small detail, the user's prompt in the ssh session. Each user has their shell set to /bin/bash in /etc/passwd. However, instead of getting the prompt defined in their .bash_profiles we see this:
-bash-4.1$
when we are expecting this:
[username@hostname dir]$
So, before I go messing around moving files I would like some information from you as to what I have overlooked. Do I need to move something like /etc/passwd and /etc/group into the chroot/etc?
When ssh'ing into the chrooted directories, where's their /home/<user>? I'd set the prompt in ~/.bash_profile.
mark
James B. Byrne wrote:
So, before I go messing around moving files I would like some information from you as to what I have overlooked. Do I need to move something like /etc/passwd and /etc/group into the chroot/etc?
You haven't said anything about the process you used, so it's hard to say what you've overlooked.
The basic thing to remember is that the chroot is expected to be a complete system. If you need name resolution, then /etc/passwd and /etc/group need to be present in the chroot. If you need DNS resolution, /etc/resolv.conf, too. If your system uses sssd, the chroot won't have access to it. The shell and all of the commands and all of the associated libraries must be in the chroot. Finally, the user's home directory has to exist within and relative to the chroot directory.
So, if the user's home directory is /home/user and you want to chroot them there, you would expect to have something like:
/home/user/bin/bash
/home/user/etc/bash_profile
/home/user/home/user/.bash_profile
You could symlink /home/user/home/user to /, as well.
On Jul 6, 2015, at 2:49 PM, James B. Byrne byrnejb@harte-lyne.ca wrote:
However, instead of getting the prompt defined in their .bash_profiles we see this:
-bash-4.1$
when we are expecting this:
[username@hostname dir]$
So, before I go messing around moving files I would like some information from you as to what I have overlooked. Do I need to move something like /etc/passwd and /etc/group into the chroot/etc?
This just means that your users don't have a ~/.bashrc that sources /etc/bashrc (either/both are missing), where the traditional $PS1 is set.
-- Jonathan Billings billings@negate.org
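Pulling together the two replies above (the "complete system" layout, and the .bash_profile -> .bashrc -> /etc/bashrc chain that sets $PS1), here is an added example that is not from any poster on this thread: a POSIX shell script that builds the skeleton for one chrooted account and checks that every piece the replies name is present. The chroot path, the account name `legacy`, and the UID/GID are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a minimal chroot for one
# sshd ChrootDirectory account; root path, user name, uid/gid are assumed.
set -eu

# mk_chroot_skel ROOT USER UID GID
mk_chroot_skel() {
    root=$1; user=$2; uid=$3; gid=$4
    mkdir -p "$root/bin" "$root/etc" "$root/home/$user"

    # Name resolution inside the chroot: only the chrooted accounts go in,
    # never a copy of the host's passwd/group.
    printf 'root:x:0:0:root:/:/bin/bash\n' > "$root/etc/passwd"
    printf '%s:x:%s:%s::/home/%s:/bin/bash\n' "$user" "$uid" "$gid" "$user" >> "$root/etc/passwd"
    printf 'root:x:0:\n%s:x:%s:\n' "$user" "$gid" > "$root/etc/group"

    # System-wide prompt, as /etc/bashrc sets it on a stock CentOS box.
    printf 'PS1="[\\u@\\h \\W]\\$ "\n' > "$root/etc/bashrc"

    # Login shell reads .bash_profile, which must pull in .bashrc, which
    # sources /etc/bashrc; break the chain and PS1 stays unset, so bash
    # falls back to its built-in "-bash-4.1$" prompt.
    printf '[ -f ~/.bashrc ] && . ~/.bashrc\n' > "$root/home/$user/.bash_profile"
    printf '[ -f /etc/bashrc ] && . /etc/bashrc\n' > "$root/home/$user/.bashrc"

    # The shell and every library it links against must live in the chroot.
    if [ -x /bin/bash ]; then
        cp /bin/bash "$root/bin/bash"
        if command -v ldd >/dev/null 2>&1; then
            ldd /bin/bash | awk '/=> \//{print $3} /^[[:space:]]*\//{print $1}' |
            while read -r lib; do
                mkdir -p "$root$(dirname "$lib")"
                cp "$lib" "$root$lib"
            done
        fi
    fi
}

# check_chroot ROOT USER: list anything from the replies' checklist that is
# missing; returns 1 if the chroot is incomplete.
check_chroot() {
    root=$1; user=$2; missing=0
    for f in bin/bash etc/passwd etc/group etc/bashrc \
             "home/$user/.bash_profile" "home/$user/.bashrc"; do
        [ -e "$root/$f" ] || { echo "missing: $root/$f"; missing=1; }
    done
    grep -q "^$user:" "$root/etc/passwd" 2>/dev/null \
        || { echo "no passwd entry for $user in chroot"; missing=1; }
    return $missing
}
```

sshd also refuses a ChrootDirectory that is not owned by root or is writable by group or others, so chown/chmod the resulting tree before pointing sshd at it.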