[CentOS] Jailing SSH users
Maciej Żenczykowski
maze at cela.pl
Sun Jun 4 00:13:05 UTC 2006
On Sun, 4 Jun 2006, Maciej Żenczykowski wrote:
> I think the classic solution is to patch ssh (trivial patch, search around on
> the internet...) with the chroot on /./ in home directory patch, then make a
> users home directory /home/user/./home/user copying (linking) all needed libs
> and binaries into /home/user/{bin,lib,usr,...}
>
> Not the best solution but it works...
In case you're interested I just tried this out with the CentOS4 sshd and
the resulting rpms are available at
http://tcs.ii.uj.edu.pl/~buildcentos/chrootssh/
This is a clean (hopefully) rebuild of the openssh from CentOS4.3 with the
extra couple line chroot on ssh patch added in.
All you need to do is make a users home dir contain /./ and he'll be
chrooted to that spot after password verification. Please note - if there
is insufficient stuff in there to run his default shell then it'll bomb
and log back out immediately...
Here's a list of files which I copied and managed to start up a bash
shell:
The files needed to start up bash (ie ldd `which bash`):
/bin
/bin/bash
/lib
/lib/libdl-2.3.4.so
/lib/ld-2.3.4.so
/lib/libtermcap.so.2.0.8
/lib/tls
/lib/tls/libc.so.6
/lib/tls/libc-2.3.4.so
/lib/ld-linux.so.2
/lib/libtermcap.so.2
/lib/libdl.so.2
And, seemingly needed by sshd (sad that it can't use the normal
/etc/passwd)
/etc
/etc/passwd - just the line with the logging in user needed
Possibly also useful, though not strictly needed:
/dev
/dev/zero
/dev/null
/dev/console
/dev/tty
Cheers,
MaZe.
More information about the CentOS
mailing list