rssh chroot jail per user

weslowsk
Posts: 51
Joined: 2008/04/09 04:45:34
Location: Canada

Post by weslowsk » 2008/04/20 04:08:00

Hi,

I tried to restrict the sftp access to my CentOS 4 box so that the user logging in gets their home directory and it appears to be the filesystem root. So, I tried using rssh and I followed the instructions here:

http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html
http://www.cyberciti.biz/tips/linux-unix-restrict-shell-access-with-rssh.html
http://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
http://www.cyberciti.biz/tips/linux-unix-configuration-for-rssh.html

And it all seems to work until the last step (where I want a separate chroot jail per user) and I don't know if I'm interpreting the capabilities incorrectly or if I've got something configured incorrectly. Maybe someone can offer their opinion?

Referring to the links above, I set up my "global" chroot jail at /home instead of /users. sftp works for "myuser" in this scenario.
Then, as the last step, I tried to add a "user" line to my rssh.conf file that specifies my user and its own chroot jail:

user=myuser:011:00010:/home/myuser

When I try to sftp now, it fails. Should it, or have I misconfigured something? I'm getting the feeling that if I want a chroot jail at /home/myuser, I need to reconfigure the whole thing again, but with /home/myuser as the chroot jail path instead of /home...and the reason it doesn't work is that I don't have all the binaries copied into that "virtual root" space...is that it?

Also, should this post be in the security forum instead of the server forum?

Here's the log snip before I add the "user" line in rssh.conf:

Apr 19 22:02:34 localhost sshd(pam_unix)[5955]: session opened for user myuser by (uid=0)
Apr 19 22:02:34 localhost rssh[5958]: setting log facility to LOG_USER
Apr 19 22:02:34 localhost rssh[5958]: allowing sftp to all users
Apr 19 22:02:34 localhost rssh[5958]: setting umask to 022
Apr 19 22:02:34 localhost rssh[5958]: chrooting all users to /home
Apr 19 22:02:34 localhost rssh[5958]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"
Apr 20 04:02:34 localhost rssh_chroot_helper[5958]: new session for myuser, UID=500
Apr 20 04:02:34 localhost rssh_chroot_helper[5958]: user's home dir is /home/myuser
Apr 20 04:02:34 localhost rssh_chroot_helper[5958]: chrooted to /home
Apr 20 04:02:34 localhost rssh_chroot_helper[5958]: changing working directory to /myuser (inside jail)

Here's after I add the "user" line:

Apr 19 22:04:02 localhost sshd(pam_unix)[5978]: session opened for user myuser by (uid=0)
Apr 19 22:04:02 localhost rssh[5981]: setting log facility to LOG_USER
Apr 19 22:04:02 localhost rssh[5981]: allowing sftp to all users
Apr 19 22:04:02 localhost rssh[5981]: setting umask to 022
Apr 19 22:04:02 localhost rssh[5981]: chrooting all users to /home
Apr 19 22:04:02 localhost rssh[5981]: line 31: configuring user myuser
Apr 19 22:04:02 localhost rssh[5981]: setting myuser's umask to 011
Apr 19 22:04:02 localhost rssh[5981]: allowing sftp to user myuser
Apr 19 22:04:02 localhost rssh[5981]: chrooting myuser to /home/myuser
Apr 19 22:04:02 localhost rssh[5981]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"
Apr 19 22:04:02 localhost sshd(pam_unix)[5978]: session closed for user myuser

Thanks in advance...

Kevin
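As an added example (not part of the post above, and not rssh's own code): a small checker that parses rssh.conf "user=" lines in the format the post uses and then looks inside the per-user jail for the files rssh_chroot_helper needs before it can exec the sftp-server command seen in the log. The access-bit order follows rssh.conf(5); the required-file list and the constructed sample tree are assumptions for the example.

```python
import os
import re
import tempfile

# Access bits in an rssh.conf "user=" line, in the order rssh documents them:
# 00010 therefore means "sftp only", matching "allowing sftp to user myuser" in the log.
ACCESS_NAMES = ("rsync", "rdist", "cvs", "sftp", "scp")

# Files the chroot helper needs inside a jail to exec the sftp command from the log.
# An assumed minimal set for this example; the real set also includes what ldd reports.
REQUIRED_IN_JAIL = ("usr/libexec/openssh/sftp-server", "etc/passwd", "dev/null")

_USER_LINE = re.compile(r"^user=([^:\s]+):([0-7]{3}):([01]{5}):(\S+)$")

def parse_user_line(line):
    """Parse 'user=name:umask:access bits:chroot path'; return None for any other line."""
    m = _USER_LINE.match(line.strip())
    if not m:
        return None
    name, umask, bits, jail = m.groups()
    allowed = {svc for svc, bit in zip(ACCESS_NAMES, bits) if bit == "1"}
    return {"user": name, "umask": int(umask, 8), "allowed": allowed, "jail": jail}

def check_jail(entry, home_dir, root="/"):
    """List what would stop rssh_chroot_helper in this jail; empty list means it looks usable.
    `root` lets the check run against a constructed tree instead of the live filesystem."""
    jail = entry["jail"]
    on_disk = os.path.join(root, jail.lstrip("/"))
    if not os.path.isdir(on_disk):
        return ["jail %s does not exist" % jail]
    problems = ["missing /%s inside jail %s" % (rel, jail)
                for rel in REQUIRED_IN_JAIL
                if not os.path.exists(os.path.join(on_disk, rel))]
    # The helper chdirs to the home directory as seen from inside the jail,
    # so the home must lie at or under the jail path.
    if not (home_dir + "/").startswith(jail.rstrip("/") + "/"):
        problems.append("home %s is outside jail %s" % (home_dir, jail))
    return problems

def build_sample_tree():
    """Constructed layout from the post: populated global jail at /home, bare /home/myuser."""
    root = tempfile.mkdtemp()
    for rel in REQUIRED_IN_JAIL:
        path = os.path.join(root, "home", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    os.makedirs(os.path.join(root, "home", "myuser"))
    return root
```

Run against the constructed tree, the global jail at /home passes while the per-user jail at /home/myuser reports every required file as missing, which is the situation the second log excerpt describes.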
