[CentOS] RE: chroot over ssh
Maciej Zenczykowski
maze at cela.pl
Thu Nov 16 03:14:50 UTC 2006
> > I have a file server that has ssh on a public IP. We've been using
> > SCP/FTPS over ssh to get to the server, but since it's sshd the users
> > can see the entire file system.
I have a yum repository at http://tcs.uj.edu.pl/~buildcentos/ which
includes the CentOS ssh rebuilt with a tiny patch which makes sshd chroot
on login if it sees a /./ in the user's home directory.
i.e. setting a user's home directory to /home/user/./home/user
makes the sshd chroot into /home/user for the session.
For this to be usable the /home/user chroot directory requires some basic
libs, a shell, possibly /etc/passwd and /etc/shells, and maybe some others.
As an example I have:
[root at gaia ~]# cat /etc/passwd | grep jail
jail:x:1000:1000:Jail SSH Port Forwarding Receiver:/home/jail/./:/sbin/nologin
[root at gaia ~]# ls -laR /home/jail
/home/jail:
total 56
drwx------ 6 jail jail 4096 Jul 4 23:55 .
drwxr-xr-x 8 root root 4096 Jul 25 00:22 ..
drwxr-xr-x 2 jail jail 4096 Jun 5 00:52 etc
drwxr-xr-x 3 jail jail 4096 Jun 5 00:47 lib
-rw-r--r-- 1 jail jail 319 Jul 4 23:55 nologin.c
drwxr-xr-x 2 jail jail 4096 Jul 4 23:55 sbin
drwx------ 2 jail jail 4096 Jun 5 01:27 .ssh
/home/jail/etc:
total 24
drwxr-xr-x 2 jail jail 4096 Jun 5 00:52 .
drwx------ 6 jail jail 4096 Jul 4 23:55 ..
-rw-r--r-- 1 jail jail 55 Jun 5 00:53 passwd
/home/jail/lib:
total 140
drwxr-xr-x 3 jail jail 4096 Jun 5 00:47 .
drwx------ 6 jail jail 4096 Jul 4 23:55 ..
-rwxr-xr-x 1 jail jail 106397 Mar 8 2006 ld-2.3.4.so
lrwxrwxrwx 1 jail jail 11 Jun 5 00:47 ld-linux.so.2 -> ld-2.3.4.so
drwxr-xr-x 2 jail jail 4096 Jun 5 00:48 tls
/home/jail/lib/tls:
total 1452
drwxr-xr-x 2 jail jail 4096 Jun 5 00:48 .
drwxr-xr-x 3 jail jail 4096 Jun 5 00:47 ..
-rwxr-xr-x 1 jail jail 1454546 Mar 8 2006 libc-2.3.4.so
lrwxrwxrwx 1 jail jail 13 Jun 5 00:48 libc.so.6 -> libc-2.3.4.so
/home/jail/sbin:
total 28
drwxr-xr-x 2 jail jail 4096 Jul 4 23:55 .
drwx------ 6 jail jail 4096 Jul 4 23:55 ..
-rwxr-xr-x 1 jail jail 4957 Jul 4 23:55 nologin
/home/jail/.ssh:
total 24
drwx------ 2 jail jail 4096 Jun 5 01:27 .
drwx------ 6 jail jail 4096 Jul 4 23:55 ..
-rw-r--r-- 1 jail jail 2828 Jul 24 03:34 authorized_keys
[root at gaia ~]# cat /home/jail/etc/passwd
jail:x:1000:1000:Jail user:/home/jail/./:/sbin/nologin
[root at gaia ~]# cat /home/jail/.ssh/authorized_keys
command="/sbin/nologin",permitopen="x.x.x.x:22",no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPBOE...7HgvH7w== maze at athena
[root at gaia ~]# cat /home/jail/nologin.c
#include <stdio.h>
#include <time.h>

/* Placeholder "shell" for the jail user: it never runs a command and never
 * exits, so the session exists only to carry the ssh port forwards. */
int main(void)
{
    fprintf(stderr, "Infinite loop shell initialized...\r\n");
    for (;;) {
        struct timespec ts;
        ts.tv_sec = 86400;          /* sleep a day at a time */
        ts.tv_nsec = 0;
        nanosleep(&ts, &ts);        /* if interrupted, resume the remainder */
    }
    return 0;
}
What is perhaps not obvious is that the above allows the 'jail' user to
log in remotely with an ssh key, getting a no-op infinite loop shell, which
only permits port forwarding to the ssh port (which is not used) - but
more importantly allows reverse port forwarding on any port.
I use this to allow dynamic-IP'd clients (laptops and the like) to always
be accessible (for maintenance) at a static port (i.e. like an ssh daemon on
a different port) on my server.
Use as you see fit...
Maciej
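The /./ home-directory convention the post describes, as an added example (not the patch's own code, which is not on this page, and not part of the original message); the function names and buffer sizes are my own choices:

```c
#define _DEFAULT_SOURCE 1   /* for chroot() in <unistd.h> */
#include <string.h>
#include <unistd.h>

/* Split "/home/user/./home/user" into the chroot root ("/home/user") and the
 * directory to chdir() into afterwards ("/home/user"); "/home/jail/./" gives
 * root "/home/jail" and inside "/".  Returns 1 when the "/./" marker is
 * present, 0 when it is absent (ordinary, unchrooted login), -1 for a
 * relative path or an output buffer that is too small. */
int parse_chroot_home(const char *home, char *root, size_t rootsz,
                      char *inside, size_t insz)
{
    const char *mark;
    size_t rootlen;
    if (home == NULL || home[0] != '/')
        return -1;
    mark = strstr(home, "/./");
    if (mark == NULL)
        return 0;
    rootlen = (size_t)(mark - home);      /* 0: marker sits directly under "/" */
    if (rootlen + 2 > rootsz || strlen(mark + 2) + 1 > insz)
        return -1;
    if (rootlen == 0) {
        strcpy(root, "/");
    } else {
        memcpy(root, home, rootlen);
        root[rootlen] = '\0';
    }
    strcpy(inside, mark + 2);             /* keeps the leading '/' */
    return 1;
}

/* The login-time step such a patch performs while still root, before sshd
 * switches to the user's uid: chroot() to the prefix, then chdir() inside it.
 * The chdir() is essential; a chroot() whose working directory stays outside
 * the new root is trivially escaped.  Returns 0 on success, -1 on error. */
int enter_chroot_home(const char *home)
{
    char root[4096], inside[4096];
    int r = parse_chroot_home(home, root, sizeof root, inside, sizeof inside);
    if (r < 0)
        return -1;
    if (r == 0)
        return chdir(home);               /* no marker: plain login */
    if (chroot(root) != 0 || chdir(inside) != 0)
        return -1;
    return 0;
}
```

Only parse_chroot_home can be exercised unprivileged; enter_chroot_home needs root and a populated jail like the listing above.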