Dear all
I'm looking for instructions on how to set up a jailed chroot directory for a user who needs to upload via scp to the server. In particular, I am missing clear instructions about what needs to be available in the jailed directory, like binaries, libraries, etc. Without the jail I get it to work, but I want to prevent the user from downloading, for example, the /etc folder from the server.
Does anybody have a link or list valid for CentOS 7?
Thanks
Regards
Adrian
On 20.10.2017 at 15:58, Adrian Jenzer a.jenzer@herzogdemeuron.com wrote:
Can’t you use SFTP?
AFAIK, sftp automatically chroots a user with no valid shell (provided the home directory is owned by root and not writeable by the user and you use Subsystem internal-sftp).
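The ownership condition mentioned in this reply can be checked before sshd is pointed at a directory. This is an added example, not part of the thread: it assumes a ChrootDirectory configured for a hypothetical account "upload" (shown in the comment) and GNU stat. sshd applies the root-owned, not group- or world-writable rule to every component of the chroot path, so the check walks up to /.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed sshd_config for a hypothetical
# account "upload" confined to /srv/sftp/upload:
#   Subsystem sftp internal-sftp
#   Match User upload
#       ChrootDirectory /srv/sftp/%u
#       ForceCommand internal-sftp

# dir_is_safe DIR [UID]: DIR is a real directory owned by UID (default 0,
# i.e. root) with no group or other write bit set.
dir_is_safe() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "${2:-0}" ] || return 1
    [ $(( 0$(stat -c '%a' "$1") & 022 )) -eq 0 ]
}

# check_chroot_path DIR [UID]: apply dir_is_safe to DIR and every parent up
# to /, printing the first component that fails.
check_chroot_path() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || { echo "missing: $1"; return 1; }
    while :; do
        dir_is_safe "$p" "${2:-0}" || { echo "unsafe: $p"; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Usage: check_chroot_path /srv/sftp/upload && echo "ok for ChrootDirectory"
```

The optional UID argument exists only so the functions can be exercised without root; for a real ChrootDirectory leave it at the default.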
-----"CentOS" centos-bounces@centos.org wrote: -----To: CentOS mailing list centos@centos.org From: Rainer Duffner Sent by: "CentOS" Date: 10/20/2017 08:00PM Subject: Re: [CentOS] scp setup jailed chroot on Centos7
_______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
-----Original Message----- From: CentOS [mailto:centos-bounces@centos.org] On Behalf Of tbuchanan@vinu.edu Sent: Saturday, 21 October 2017 02:14 To: CentOS mailing list Subject: Re: [CentOS] scp setup jailed chroot on Centos7
https://github.com/mysecureshell/mysecureshell
Thanks for this. Didn't know about it. And setup is pretty straightforward. The repo for CentOS 6 works with 7 too.
[mysecureshell]
name=MySecureShell
baseurl=http://mysecureshell.free.fr/repository/index.php/centos/6.4/
enabled=1
gpgcheck=0
Regards
Adrian
-----Original Message----- From: CentOS [mailto:centos-bounces@centos.org] On Behalf Of Rainer Duffner Sent: Saturday, 21 October 2017 00:41 To: CentOS mailing list Subject: Re: [CentOS] scp setup jailed chroot on Centos7
Hi Rainer I would if I could but external offers only FTP and SCP...
Regards Adrian
On 2017-10-24 12:19, Adrian Jenzer wrote:
AFAIK, for scp you need a proper shell.
I've done that exactly once (chrooted ssh) and it was such a pain that I vowed to never do it again.
The problem is that inside the chroot, you need:
- name resolution
- a minimal passwd/shadow/group file (or ldap)
- maybe for scp, you can get away with a rather minimal device-tree - but for actual SSH access, I needed a fairly complete device tree inside the chroot (ttys ...).
- that was with FreeBSD 10, I never tried it with anything else (due to its history with jails, creating functional, limited chroot-environments is somewhat in its genes, so to speak)
Somebody sent me the link to these scripts:
https://github.com/codelibre-net/schroot
Maybe you can use those scripts - I've never tried them.
Also, there's scp-only: https://github.com/scponly/scponly/wiki
Haven't used that in years, either. Concern over that one seemed to be that it's "another" shell and nobody had apparently done a thorough audit of it.
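The pieces asked about at the start of the thread and listed in this reply (binaries with their libraries, minimal passwd/group files, device nodes) can be staged with a few shell functions. This is an added example, not part of the thread: it assumes a glibc Linux system with ldd and getent, and the jail path /srv/jail and the account "upload" are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): stage a minimal scp jail.
# The jail path and account name in the usage lines are hypothetical.

# sample_ldd: constructed ldd output in the glibc format, for testing only.
sample_ldd() {
    printf '\t%s\n' \
        'linux-vdso.so.1 =>  (0x00007ffd1a5f2000)' \
        'libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3c1c2a0000)' \
        'libc.so.6 => /lib64/libc.so.6 (0x00007f3c1bed0000)' \
        '/lib64/ld-linux-x86-64.so.2 (0x00007f3c1c8f0000)'
}

# ldd_paths: read ldd output on stdin, print each absolute library path once.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
        LC_ALL=C sort -u
}

# stage_binary BIN JAIL: copy BIN and every library ldd reports into JAIL,
# keeping the same absolute paths so the dynamic loader finds them.
stage_binary() {
    { printf '%s\n' "$1"; ldd "$1" | ldd_paths; } | while IFS= read -r f; do
        mkdir -p "$2$(dirname "$f")" && cp -L "$f" "$2$f" || return 1
    done
}

# stage_account USER JAIL: passwd and group files holding only root and USER.
stage_account() {
    mkdir -p "$2/etc" &&
        getent passwd root "$1" > "$2/etc/passwd" &&
        getent group root "$(id -gn "$1")" > "$2/etc/group"
}

# Usage (as root). scp is started through the account's login shell, so the
# shell is staged too. libnss_files.so.2 is loaded with dlopen and is not
# listed by ldd; copy it as well if lookups against etc/passwd must work.
#   stage_binary /usr/bin/scp /srv/jail && stage_binary /bin/sh /srv/jail
#   stage_account upload /srv/jail
#   mkdir -p /srv/jail/dev && mknod -m 666 /srv/jail/dev/null c 1 3
```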
That's correct, forgot to mention it. We ended up using SFTP (or at least offering it to external).
-----Original Message----- From: CentOS [mailto:centos-bounces@centos.org] On Behalf Of rainer@ultra-secure.de Sent: Tuesday, 24 October 2017 15:24 To: CentOS mailing list Subject: Re: [CentOS] scp setup jailed chroot on Centos7
[Sorry about "top posting": my OT question arises from the subject..]
Could someone elaborate on the "jail" under CentOS? I'm used to FreeBSD jails, and as I have run CentOS and some other Linuxes for quite some time, I was under the impression that there is no such thing as a jail under Linux [at least those flavors I run]. Under Linux I did use chrooted environments in a variety of places, but that only separates stuff on the filesystem level (and other things such as devices and others accessed via the filesystem). There is no other resource separation (which I'm used to having control over in the case of a FreeBSD jail).
Am I wrong, and what am I wrong about?
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On 10/24/2017 7:40 AM, Valeri Galtsev wrote:
While I've never used them, my understanding is, lxcontainers are at the level of a jail, network isolation as well as file system.