[CentOS] Prompt for chrooted users

Tue Jul 7 20:30:50 UTC 2015
James B. Byrne <byrnejb at harte-lyne.ca>

Well, I seem to have resolved most of this.  In the end I had to
create a separate logical link for the chrooted users' home
directories that pointed back to their actual directory.  It sounds
confusing because it is.

I first tried this in sshd_conf

    ChrootDirectory %h

and in ~/%h I had created the following mount points:

bin dev etc lib lib64 tmp usr

Upon which I had hung mounts to directories containing the chroot
reduced functionality.

mount --bind /path/to/chroot/bin bin


However, that did not work.  I next tried this:
    ChrootDirectory /path/to/chroot

And that did not work either. By not work I really mean did not
execute the user's bash_profile script at login, which is why the
prompt was screwed up.  Of course that was simply the most immediately
visible problem.

What did work, eventually, was this combination:

In sshd_conf
    ChrootDirectory /path/to/chroot

plus:

cd /path/to/chroot

mkdir -p path/to/chroot

cd /path/to/chroot//path/to/chroot

ln -s ../../user_home_dir  user_home_dir

I infer from the documentation that sshd first switches to the chroot
and then to the user's home directory from within the chroot.  Which
makes sense but the implications for correct implementation are not
exactly obvious.  The result of not recreating the home directory path
under chroot was that the programs in chroot/bin were not found and
did not execute while the user stayed in chroot.

This is also why using %h in sshd_conf did not work.  For that to
succeed I need to recreate the user's entire home directory tree
inside each user's home directory.  Since using a common root and
logical links is less burdensome from a maintenance point of view I
choose the later.  I was also too lazy to return to the first approach
once I got the second working.

So, that mystery is cleared up. I have others, and of course SELinux
is in there, but this one is put to bed.


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3