[CentOS] RE: chroot over ssh

Thu Nov 16 03:14:50 UTC 2006
Maciej Zenczykowski <maze at cela.pl>

> > I have a file server that has ssh on a public IP. We've been using
> > SCP/FTPS
> > over ssh to get to the server, but since it's sshd the users can see
> > the
> > entire file system.

I have a yum repository at http://tcs.uj.edu.pl/~buildcentos/ which 
includes the CentOS ssh rebuilt with a tiny patch which makes sshd chroot 
on login if it sees a /./ in the user's home directory.

i.e. setting a user's home directory to /home/user/./home/user
makes the sshd chroot into /home/user for the session.
For this to be usable, the /home/user chroot directory requires some basic 
libs, a shell, possibly /etc/passwd and /etc/shells, and maybe some others.

As an example I have:
[root at gaia ~]# cat /etc/passwd | grep jail
jail:x:1000:1000:Jail SSH Port Forwarding Receiver:/home/jail/./:/sbin/nologin
[root at gaia ~]# ls -laR /home/jail
/home/jail:
total 56
drwx------  6 jail jail 4096 Jul  4 23:55 .
drwxr-xr-x  8 root root 4096 Jul 25 00:22 ..
drwxr-xr-x  2 jail jail 4096 Jun  5 00:52 etc
drwxr-xr-x  3 jail jail 4096 Jun  5 00:47 lib
-rw-r--r--  1 jail jail  319 Jul  4 23:55 nologin.c
drwxr-xr-x  2 jail jail 4096 Jul  4 23:55 sbin
drwx------  2 jail jail 4096 Jun  5 01:27 .ssh

/home/jail/etc:
total 24
drwxr-xr-x  2 jail jail 4096 Jun  5 00:52 .
drwx------  6 jail jail 4096 Jul  4 23:55 ..
-rw-r--r--  1 jail jail   55 Jun  5 00:53 passwd

/home/jail/lib:
total 140
drwxr-xr-x  3 jail jail   4096 Jun  5 00:47 .
drwx------  6 jail jail   4096 Jul  4 23:55 ..
-rwxr-xr-x  1 jail jail 106397 Mar  8  2006 ld-2.3.4.so
lrwxrwxrwx  1 jail jail     11 Jun  5 00:47 ld-linux.so.2 -> ld-2.3.4.so
drwxr-xr-x  2 jail jail   4096 Jun  5 00:48 tls

/home/jail/lib/tls:
total 1452
drwxr-xr-x  2 jail jail    4096 Jun  5 00:48 .
drwxr-xr-x  3 jail jail    4096 Jun  5 00:47 ..
-rwxr-xr-x  1 jail jail 1454546 Mar  8  2006 libc-2.3.4.so
lrwxrwxrwx  1 jail jail      13 Jun  5 00:48 libc.so.6 -> libc-2.3.4.so

/home/jail/sbin:
total 28
drwxr-xr-x  2 jail jail 4096 Jul  4 23:55 .
drwx------  6 jail jail 4096 Jul  4 23:55 ..
-rwxr-xr-x  1 jail jail 4957 Jul  4 23:55 nologin

/home/jail/.ssh:
total 24
drwx------  2 jail jail 4096 Jun  5 01:27 .
drwx------  6 jail jail 4096 Jul  4 23:55 ..
-rw-r--r--  1 jail jail 2828 Jul 24 03:34 authorized_keys
[root at gaia ~]# cat /home/jail/etc/passwd 
jail:x:1000:1000:Jail user:/home/jail/./:/sbin/nologin
[root at gaia ~]# cat /home/jail/.ssh/authorized_keys 
command="/sbin/nologin",permitopen="x.x.x.x:22",no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPBOE...7HgvH7w== maze at athena
[root at gaia ~]# cat /home/jail/nologin.c 
#define _POSIX_C_SOURCE 200112L  /* declare nanosleep() under strict compilers */
#include <stdio.h>
#include <time.h>

/* No-op "shell": announce itself, then sleep forever. It never reads
   input, so the forced command only keeps the session open for port
   forwarding. */
int main (void) {
  fprintf(stderr, "Infinite loop shell initialized...\r\n");
  for (;;) {
    struct timespec ts;
    ts.tv_sec = 86400;   /* one day per sleep; an interrupted sleep just loops again */
    ts.tv_nsec = 0;
    nanosleep(&ts, NULL);
  }
  return 0;
}

What is perhaps not obvious is that the above allows the 'jail' user to 
log in remotely with an ssh key, getting a no-op infinite-loop shell, which 
only permits port forwarding to the ssh port (which is not used) - but 
more importantly allows reverse port forwarding on any port.

I use this to allow dynamic-IP clients (laptops and the like) to always 
be accessible (for maintenance) at a static port (i.e. like an ssh daemon on 
a different port) on my server.

Use as you see fit...

Maciej
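As an added example (not from the post or from the patch), a small Python audit of the option prefix on an authorized_keys line that makes the point above explicit: permitopen constrains only local (-L) forwarding, so reverse (-R) forwarding stays open unless no-port-forwarding, restrict or permitlisten (OpenSSH 7.8 and later) is set. The sample line, key blob and comment are constructed.

```python
import re

# Constructed sample modelled on the post's key line; key blob and comment are placeholders.
JAIL_KEY = ('command="/sbin/nologin",permitopen="x.x.x.x:22",no-X11-forwarding,'
            'no-agent-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAAAAEXAMPLE== jail@example')
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")  # subset

def parse_options(line):
    """Option prefix -> {name: [values]} (bare flags map to []).  Quoted values
    may hold commas and \\" escapes, so a plain split(',') would mis-parse."""
    line = line.strip()
    if not line or line.split(None, 1)[0] in KEY_TYPES:
        return {}, line                          # no option prefix at all
    opts, i, n = {}, 0, len(line)
    while i < n and not line[i].isspace():
        m = re.match(r"[A-Za-z0-9-]+", line[i:])
        if not m: raise ValueError("bad option at offset %d" % i)
        name, i, value = m.group().lower(), i + m.end(), None
        if i < n and line[i] == "=":
            i += 1
            if i < n and line[i] == '"':         # quoted value
                i, buf = i + 1, []
                while i < n and line[i] != '"':
                    if line[i] == "\\" and line[i + 1:i + 2] == '"':
                        i += 1                   # unescape \"
                    buf.append(line[i])
                    i += 1
                if i >= n: raise ValueError("unterminated quote")
                i, value = i + 1, "".join(buf)
            else:                                # bare value up to ',' or space
                m = re.match(r"[^,\s]*", line[i:])
                value, i = m.group(), i + m.end()
        opts.setdefault(name, []).extend([] if value is None else [value])
        if i < n and line[i] == ",":
            i += 1
    return opts, line[i:].strip()

def audit(line):
    """What a key line still allows.  permitopen limits -L targets only; -R is
    limited only by no-port-forwarding, restrict (7.2+) or permitlisten (7.8+)."""
    opts, _ = parse_options(line)
    r = "restrict" in opts
    no_fwd = "no-port-forwarding" in opts or (r and "port-forwarding" not in opts)
    return {
        "forced_command": (opts.get("command") or [None])[0],
        "pty": not ("no-pty" in opts or (r and "pty" not in opts)),
        "local_forward": "denied" if no_fwd else (opts.get("permitopen") or "any"),
        "remote_forward": "denied" if no_fwd else (opts.get("permitlisten") or "any"),
    }
```

Running audit(JAIL_KEY) reports a forced command, no pty, local forwards limited to x.x.x.x:22 and remote forwards "any", which is exactly the behaviour the post relies on.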