[CentOS] Jailing SSH users

Sun Jun 4 00:13:05 UTC 2006
Maciej Żenczykowski <maze at cela.pl>

On Sun, 4 Jun 2006, Maciej Żenczykowski wrote:

> I think the classic solution is to patch ssh (trivial patch, search around on 
> the internet...) with the chroot on /./ in home directory patch, then make a 
> user's home directory /home/user/./home/user, copying (linking) all needed libs 
> and binaries into /home/user/{bin,lib,usr,...}
>
> Not the best solution but it works...

In case you're interested I just tried this out with the CentOS4 sshd and 
the resulting rpms are available at
http://tcs.ii.uj.edu.pl/~buildcentos/chrootssh/

This is a clean (hopefully) rebuild of the openssh from CentOS4.3 with the 
extra couple-line chroot-on-ssh patch added in.

All you need to do is make a user's home dir contain /./ and he'll be 
chrooted to that spot after password verification.  Please note - if there 
is insufficient stuff in there to run his default shell then it'll bomb 
and log back out immediately...

Here's a list of the files I copied, with which I managed to start up a bash 
shell:

The files needed to start up bash (i.e. ldd `which bash`):

/bin
/bin/bash
/lib
/lib/libdl-2.3.4.so
/lib/ld-2.3.4.so
/lib/libtermcap.so.2.0.8
/lib/tls
/lib/tls/libc.so.6
/lib/tls/libc-2.3.4.so
/lib/ld-linux.so.2
/lib/libtermcap.so.2
/lib/libdl.so.2

And, seemingly needed by sshd (sad that it can't use the normal 
/etc/passwd)

/etc
/etc/passwd - just the line with the logging in user needed

Possibly also useful, though not strictly needed:
/dev
/dev/zero
/dev/null
/dev/console
/dev/tty

Cheers,
MaZe.
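A shell script, added here as an example rather than anything from this thread or the CentOS package, that automates the steps MaZe describes: it splits a /./-style home path into the jail root and the path inside the jail (the post's convention; assumed here to mean chroot to the part before /./), copies the user's login shell together with the shared libraries that ldd reports for it, writes the one-line /etc/passwd the patched sshd wants, and creates the listed device nodes when run as root. The function names, the jailuser account and the passwd line in the usage comment are made up for the example.

```sh
#!/bin/sh
# Added example (not code from the original post): helpers that build the
# chroot skeleton described in the thread -- the login shell plus the shared
# libraries ldd reports for it, a one-line /etc/passwd, and a few device
# nodes. Assumes a glibc/musl-style ldd and the post's convention that the
# part of the home path before "/./" is the jail root.
set -eu

# jail_home_split HOMEDIR
# Split a home such as /home/user/./home/user into the jail root (/home/user)
# and the directory the user lands in inside the jail (/home/user). Prints
# both space separated; fails if the path carries no "/./" marker.
jail_home_split() {
    case $1 in
        */./*) ;;
        *) echo "jail_home_split: no /./ marker in $1" >&2; return 1 ;;
    esac
    root=${1%%/./*}
    inner=${1#*/./}
    printf '%s /%s\n' "$root" "${inner#/}"
}

# copy_with_deps JAIL BINARY
# Copy BINARY to the same path under JAIL together with every absolute path
# ldd prints for it (both "libc.so.6 => /lib/.../libc.so.6 (0x...)" and the
# bare "/lib64/ld-linux-x86-64.so.2 (0x...)" loader line). Symlinks are
# dereferenced so the jail holds real files under the names the loader opens.
copy_with_deps() {
    jail=$1 bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -L "$bin" "$jail$bin"
    command -v ldd >/dev/null 2>&1 || {
        echo "copy_with_deps: ldd not found, copied $bin only" >&2; return 0; }
    ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        [ -e "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"
    done
}

# write_jail_passwd JAIL PASSWD_LINE
# Add the single passwd line sshd needs inside the jail (replacing an earlier
# line for the same user) and leave the real /etc/passwd untouched.
write_jail_passwd() {
    jail=$1 line=$2
    user=${line%%:*}
    mkdir -p "$jail/etc"
    if [ -f "$jail/etc/passwd" ]; then
        grep -v "^$user:" "$jail/etc/passwd" > "$jail/etc/passwd.tmp" || true
        mv "$jail/etc/passwd.tmp" "$jail/etc/passwd"
    fi
    printf '%s\n' "$line" >> "$jail/etc/passwd"
    chmod 644 "$jail/etc/passwd"
}

# make_jail_devs JAIL
# Create the device nodes the post lists as useful. mknod needs root, so this
# is skipped (with a note on stderr) when run unprivileged.
make_jail_devs() {
    jail=$1
    mkdir -p "$jail/dev"
    if [ "$(id -u)" -ne 0 ]; then
        echo "make_jail_devs: not root, skipping device nodes" >&2
        return 0
    fi
    [ -e "$jail/dev/null" ]    || mknod -m 666 "$jail/dev/null"    c 1 3
    [ -e "$jail/dev/zero" ]    || mknod -m 666 "$jail/dev/zero"    c 1 5
    [ -e "$jail/dev/tty" ]     || mknod -m 666 "$jail/dev/tty"     c 5 0
    [ -e "$jail/dev/console" ] || mknod -m 600 "$jail/dev/console" c 5 1
}

# build_jail PASSWD_LINE
# Put it together from one passwd line whose home field carries the /./
# marker: the shell named in the line is copied with its libraries under the
# jail root, the line is written into the jail's /etc/passwd, and the root
# path is printed.
build_jail() {
    line=$1
    home=$(printf '%s' "$line" | cut -d: -f6)
    shell=$(printf '%s' "$line" | cut -d: -f7)
    split=$(jail_home_split "$home")
    root=${split%% *} inner=${split#* }
    mkdir -p "$root$inner"
    copy_with_deps "$root" "$shell"
    write_jail_passwd "$root" "$line"
    make_jail_devs "$root"
    echo "$root"
}

# Usage (made-up account): sh jail.sh 'jailuser:x:1001:1001::/home/jailuser/./:/bin/bash'
if [ $# -ge 1 ]; then
    build_jail "$1"
fi
```

The jail's passwd line is written exactly as given; the post does not say whether the patched sshd expects the /./ form or the stripped path inside the jail, so adjust the home field to whatever the patch you built against wants. Note also that the copied loader and libc end up under the user's home: the jail root and its bin, lib and etc directories should be owned by root and not writable by the jailed user, otherwise the user can swap out the copied libraries.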