
Setup and Configuration for OpenSSH

Step 1 – Configure your client SSH configuration file

Using your favorite editor, open the ssh_config file. This is usually found in
/etc/ssh/ssh_config. In most cases, this file can be left at its default; however, you can
change it to affect every user's client sessions on this machine.

Step 2 – Configure your server SSH configuration file

1. Using your favorite editor, open the sshd_config file. This is usually found in
/etc/ssh/sshd_config.
2. Only a handful of settings need to change to enhance security. Make sure the
Authentication section of the file has the following values set:

# Authentication:
LoginGraceTime 1m      # one minute is enough time to log in
PermitRootLogin no     # do not allow root login
#StrictModes yes       # default is yes - this should stay
MaxAuthTries 3         # set max tries to 3 (default is 6)

3. All other settings are okay for the SFTP environment.
4. Start your SSH service and set it to run by default. This will differ from flavor to
flavor; I use Gentoo, where the init script starts the service and rc-update adds it to
the default runlevel:

/etc/init.d/sshd start        # this will start your ssh service
rc-update add sshd default    # start it on every boot (Gentoo)

5. Now, let's test your sftp connection by logging in as a user of the system. If you
do not have a user created on the system other than root, create one now.

$ sftp joeblow@localhost
RSA key fingerprint is ***********************.
Are you sure you want to continue connecting (yes/no)?

Say "yes" only after you have compared the fingerprint with the one on the server
itself (ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub); accepting an unverified key
defeats the protection SSH offers against a man-in-the-middle.
6. After you have said "yes" to the above, your sftp connection will be established,
and you will have the following prompt waiting:

sftp>

7. As with FTP, you can use the get and put commands; we will not be interacting
at the command line with the SFTP server, but you can.

Step 3 – Build a restricted shell for users using RSSH

1. Install RSSH. If you are using Gentoo, you can emerge the rssh package.
2. After installation, add rssh to the list of allowed shells (as root):

$ echo /usr/bin/rssh >> /etc/shells

3. Edit the /etc/rssh.conf file to allow chrooting and sftp:

logfacility = LOG_USER
allowsftp
umask = 022
chrootpath="/home"

4. Build a chroot environment for rssh. Copy the needed binaries into the /home
directory, at the same relative paths they have on the real system:

$ cd /home
$ mkdir -p usr/bin
$ cp /usr/bin/sftp usr/bin
$ cp /usr/bin/rssh usr/bin
$ mkdir -p usr/libexec
$ cp /usr/libexec/rssh_chroot_helper usr/libexec
$ mkdir -p usr/lib/misc
$ cp /usr/lib/misc/sftp-server usr/lib/misc

5. Copy the dependencies of the above files as well. Use the ldd command to list the
shared libraries each binary needs:

$ ldd /usr/bin/sftp
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7fc5000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7ece000)
        libutil.so.1 => /lib/libutil.so.1 (0xb7eca000)
        libz.so.1 => /lib/libz.so.1 (0xb7eba000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7ea5000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e78000)
        libc.so.6 => /lib/libc.so.6 (0xb7d68000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7d64000)
        /lib/ld-linux.so.2 (0xb7feb000)

6. Make the directories for the above dependencies and copy each library to the same
path under the chroot (note that the loader, /lib/ld-linux.so.2, is listed without a
"=>" but is needed just the same):

$ mkdir lib
$ cp /lib/<dependency> lib
$ mkdir -p usr/lib
$ cp /usr/lib/<dependency> usr/lib

7. Repeat the above for each of the other binaries:

$ ldd /usr/bin/rssh
$ ldd /usr/libexec/rssh_chroot_helper
$ ldd /usr/lib/misc/sftp-server

8. Everything you copied into the jail must be owned by root and not writable by the
users who will be confined to it; a user who can replace a library or binary in the
jail can run code of his own choosing.
9. Once finished, you can add a user or modify a user. You must make sure that
when you add or modify, you set the user's shell to /usr/bin/rssh.

Step 4 - Implementing an interface for your SFTP server

Having non-technical individuals interface with your SFTP server via the command line
isn't the best way. You will want to use a third-party tool. There are two main ways
you can work with your SFTP server from the client side:

WinSCP
This is a free Windows-based sftp client. It is a great tool because it works the
same as most FTP clients.
A Web-based interface
Using a Web-based interface is by far the best way to allow interaction with your
SFTP server. The downside to this is that it is not free. If you choose this route, I
would recommend looking at JScape's SFTP applet.

Problems with the system


As with implementing any type of technology, there are always limits. The limit of SFTP
is that the users cannot be virtual users as they were with FTP: each user that interacts
with the system must have her own account on the server. (Don't worry; this is why you
create the restricted shell and only give them access to the sftp command.)

If you choose to implement the client side using a Web-based client, you should consider
having the client interface with a user database for authentication. The reason for this is
that Web-based SFTP clients such as JScape offer the ability to further restrict
individuals to a specified directory. In essence, you could have a table that contains the
username, password, and user's home directory. When the user logs in using the Web
client, the table is queried and the user is logged in based on her record in the database.
This is more work on your part, but it gives the users the feeling of a well-integrated
system. Keep in mind that a directory restriction enforced by the Web client is only a
convenience: the server-side chroot is what actually stops a user from reaching other
directories, so do not relax it on the strength of the client's configuration.

Conclusion
SFTP and OpenSSH are great solutions for providing a secured file transfer system. The
system takes time to implement, but the return on investment is very apparent: no
eavesdropping and no hacked FTP.

Installing and Configuring rssh
You'll need to emerge the restricted rssh shell, and then add it to the list of accepted
shells:

# emerge rssh
# echo /usr/bin/rssh >> /etc/shells

and you'll want to modify the rssh config and make some minor changes to enable
chrooting, scp, and sftp.

File: /etc/rssh.conf
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath="/home"

If you wish to disable scp, or sftp independently, just remove the line or comment it out
with a #.

What is scp/sftp?


FTP transmits data in "cleartext," meaning anyone between your computer and the host
server you're connected to can potentially intercept critical information such as
passwords. Fortunately, there are several file transfer protocols (scp and sftp, for
example) that are similar in function to FTP but use Secure Shell encryption to protect
your information in transit. If you use a Unix-based server, you should be able to invoke
either sftp or scp from the command line. GL cluster servers have scp installed on them.

Building the Chrooted Environment


• Next, we need to build a chroot environment for rssh to work.

This involves copying a few files to our chrooted folder (/home).

Code: copying essential files into chroot


# cd /home/
# mkdir -p usr/bin
# cp /usr/bin/scp usr/bin
# cp /usr/bin/rssh usr/bin
# mkdir -p usr/libexec
# mkdir -p usr/lib/misc
# cp /usr/lib/misc/rssh_chroot_helper usr/lib/misc
# cp /usr/lib/misc/sftp-server usr/lib/misc
We're not quite done copying files yet, though: now we need to copy the dependencies of
those files. ldd will tell us what files are needed.

Code: Finding dependent libraries


# ldd /usr/bin/scp
libutil.so.1 => /lib/libutil.so.1 (0x4001c000)
libz.so.1 => /usr/lib/libz.so.1 (0x4001f000)
libnsl.so.1 => /lib/libnsl.so.1 (0x4002d000)
libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40042000)
libc.so.6 => /lib/libc.so.6 (0x40106000)
libdl.so.2 => /lib/libdl.so.2 (0x40235000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

So now we need to make the necessary folders, and copy the libs needed for scp.

Code: copying libraries


# cd /home
# mkdir lib
# cp /lib/libutil.so.1 lib
# cp /lib/libnsl.so.1 lib
# cp /lib/libc.so.6 lib
# cp /lib/libdl.so.2 lib
# cp /lib/ld-linux.so.2 lib
# mkdir -p usr/lib
# cp /usr/lib/libz.so.1 usr/lib
# cp /usr/lib/libcrypto.so.0.9.6 usr/lib

Now run ldd on the other files we copied into our chroot environment.

Code: Finding other essential libraries


# ldd /usr/bin/rssh
# ldd /usr/lib/misc/rssh_chroot_helper
# ldd /usr/lib/misc/sftp-server

Copy the libraries associated with those files if there are any we didn't already get from
scp. Note: for me, there were no other dependencies. copying all the dependencies for scp
was enough for me. This should be the case for you as well unless your configuration is
very different.

Or you can run the following, which finds those dependencies and copies them into your
chroot for you:

Code: Script to find and install other essential libraries


# chroot=`sed -ne's/^chrootpath[^=]*=[^"/]*\(\|"\)\([^"]*\).*/\2/p' /etc/rssh.conf`
# for f in `ldd /usr/bin/rssh /usr/lib/misc/rssh_chroot_helper /usr/lib/misc/sftp-server /usr/bin/scp | sed -ne's/.*=> \([^ ]*\).*/\1/p' | sort -u | grep -v "^$"`; do echo "Copying $f to ${chroot}${f}"; cp $f ${chroot}${f}; done

Note: You must have the destination directories set up beforehand.
Finally, add the ld-linux.so.2 and libcrypt.so.1 libraries to the jail as well (the script
only picks up ldd entries that contain a "=>", so it misses the loader; without them
sftp/scp won't work).

Code: copying ld-linux.so.2


# cp /lib/ld-linux.so.2 lib
# cp /lib/libcrypt.so.1 lib
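The following POSIX shell helper is an added example written for this page, not the page's own script: it does what the one-liner above does but creates the destination directories itself, follows symlinks so the jail receives real files, picks up the loader line that ldd prints without a "=>", and makes each copy non-writable. It serves both the Step 3 procedure earlier on the page and the script above, and its jail_missing function is a troubleshooting aid for the "connection closed" symptom discussed further down. It assumes GNU/Linux-style ldd output; the function names are my own.

```sh
#!/bin/sh
# Added example for this page (not the page's own script): populate an rssh
# chroot with a binary and the shared libraries ldd reports for it, creating
# the destination directories as it goes. Assumes GNU/Linux-style ldd output
# and must be run as root when filling a real jail.

# Read ldd output on stdin and print one absolute library path per line.
# Handles both "libc.so.6 => /lib/libc.so.6 (0x...)" lines and the loader
# line "/lib/ld-linux.so.2 (0x...)" that has no "=>". Pseudo-libraries such
# as linux-gate.so.1 carry no path and are skipped. LC_ALL=C keeps the
# order of the list stable whatever the locale.
ldd_paths() {
    sed -n -e 's|^[[:space:]]*[^ ]* => \(/[^ ]*\) (0x.*$|\1|p' \
           -e 's|^[[:space:]]*\(/[^ ]*\) (0x.*$|\1|p' | LC_ALL=C sort -u
}

# Copy one file to the same path under the jail. -L follows symlinks so the
# jail gets the real object rather than a link pointing outside it; the copy
# is made non-writable because a jailed user who can replace a library can
# run arbitrary code (inside the jail, but still).
jail_copy() {
    jail=$1
    src=$2
    dest="$jail$src"
    mkdir -p "$(dirname "$dest")"
    cp -L "$src" "$dest"
    chmod go-w "$dest"
}

# Copy a binary plus every library ldd lists for it.
jail_binary() {
    jail=$1
    bin=$2
    jail_copy "$jail" "$bin"
    for lib in $(ldd "$bin" | ldd_paths); do
        jail_copy "$jail" "$lib"
    done
}

# Troubleshooting aid for the "connection closed" symptom: read ldd output
# on stdin and print the libraries that are not yet present in the jail.
jail_missing() {
    jail=$1
    ldd_paths | while IFS= read -r lib; do
        [ -e "$jail$lib" ] || echo "$lib"
    done
}

# Usage (as root):
#   jail=/home
#   for b in /usr/bin/sftp /usr/lib/misc/sftp-server; do jail_binary "$jail" "$b"; done
#   ldd /usr/lib/misc/sftp-server | jail_missing "$jail"   # should print nothing
```

After populating the jail, chown its lib and usr trees to root; the helper only strips write permission, it does not change ownership.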

Note: If you are using /dev/log, don't forget to mkdir dev in your chroot and edit
/etc/syslog-ng/syslog-ng.conf accordingly.

rssh_chroot_helper & suid

You have to check the installed rssh_chroot_helper (the copy rssh executes, e.g.
/usr/lib/misc/rssh_chroot_helper) to ensure it is owned by root and has the SUID bit set;
a setuid bit on a file owned by anyone else gains nothing, since chroot() requires root:

Code: Setting Suid in rssh_chroot_helper


# chmod u+s rssh_chroot_helper
# ls -alh rssh_chroot_helper
-rwsr-xr-x 1 root root 19K 2007-02-16 05:39 rssh_chroot_helper

If SUID is not set, the chroot() call will not work and you will see this in
/var/log/messages :

Code: chroot() call fails if not suid


Sep 27 09:17:14 server2 rssh_chroot_helper[26106]: chroot() failed, 2:
Operation not permitted

Note for AMD64 Users

AMD64 users need to have libraries in /lib64 and /usr/lib64. I made this work by:

Code: Adding AMD64 links


# ln -s lib lib64
# cd usr; ln -s lib lib64; cd ..

Defining Users


• The only thing left to do now is create a user and change their shell to
/usr/bin/rssh. There are a couple of ways to do this. You could run
superadduser:

Code:
# emerge superadduser
...
# superadduser
Login name for new user []: testuser
User ID ('UID') [ defaults to next available ]:
Initial group [ users ]:
Additional groups (comma separated) []:
Home directory [ /home/testuser ]
- Warning: '/home/testuser' already exists !
Do you wish to change the home directory path? (Y/n) n
Shell [ /bin/bash ] /usr/bin/rssh
Expiry date (YYYY-MM-DD) []:

or simply modify an existing user account


# usermod -s /usr/bin/rssh testuser

Starting the Daemon and Testing


• Finally make sure sshd is running

Code: checking sshd


# /etc/init.d/sshd status
 * status: started

If not, run /etc/init.d/sshd start and try connecting:

Code: testing your connection


# sftp testuser@yourip.com
Connecting to yourip.com...
testuser@yourip.com's password:
sftp> ls
.
..
.bash_profile
.bashrc
.qmail
sftp> pwd
Remote working directory: /testuser
sftp> exit
# ssh testuser@yourip.com
testuser@yourip.com's password:

This account is restricted to scp or sftp.


If you believe this is in error, please contact your system
administrator.
Connection to yourip.com closed.

Voilà! sftp with chrooting, and no shell allowed!

Possible problems: a user can create .ssh (unless it already exists) and put LD_PRELOAD
settings in .ssh/environment, resulting in arbitrary code execution (within the chroot).
sshd only reads ~/.ssh/environment when PermitUserEnvironment yes is set in sshd_config
(the default is no), so make sure that option is not enabled. Also, tools like
courier-maildrop might cause problems, because .mailfilter may contain shell commands.

See Also


Original Forum Post

Getting scp to work

To get scp working I have learned you must copy these files too:

cd /home
cp /lib/libnss_compat.so.2 lib

mkdir etc
cp /etc/passwd etc
### Be sure to edit the copied etc/passwd afterwards!
### Leave only the user(s) needed to log in, and never copy /etc/shadow into the jail.

Easier passwd example


cd /home/(user)
mkdir etc
cd etc
getent passwd (user) > passwd

Solution to "connection closed"

If you get "connection closed" when trying to log on via sftp, try:

mkdir /your/chroot/dir/dev
mknod -m 666 /your/chroot/dir/dev/null c 1 3

Sometimes one of /lib/libnss_* files may be required. In my case it was


/lib/libnss_compat.so.2

cp /lib/libnss_compat.so.2 /your/chroot/dir/lib/

If you are using one chroot per user, wrong permissions in the user= line in rssh.conf
can also cause "connection closed":

user=adam:077:00010:/home/rssh_chroot/adam

in my case mis-typing 077 as 0077 or 00010 as 0010 or 000010


Any idea how to have one chroot per user?

This is done by creating separate chroot directories for each user. Let's take our user
Adam as an example.

First, make a parent chroot dir. Nothing will actually chroot to this, it's just a tidy way to
do this. You can use regular home dirs if you want, it really doesn't matter. I do it this
way so I know at a glance that these users are rssh chroot'ed users.

1. mkdir /home/rssh_chroot

Now create Adam's dir:

1. mkdir -p /home/rssh_chroot/adam
2. chown adam:adam /home/rssh_chroot/adam
3. chmod 770 /home/rssh_chroot/adam

Now, follow the above instructions for creating a chroot WITHIN the adam directory,
replacing "/home" with "/home/rssh_chroot/adam" in the procedures. Add the following
line, edited as you want, to /etc/rssh.conf (the fields are user, umask, access bits and
chroot path; the five access bits enable rsync, rdist, cvs, sftp and scp in that order,
so 00010 allows sftp only):

user=adam:077:00010:/home/rssh_chroot/adam

Once the files necessary for a chroot are in place:

1. cd /home/rssh_chroot
2. chown -R root:root adam/lib
3. chmod -R 755 adam/lib
4. chown -R root:root adam/usr
5. chmod -R 755 adam/usr
6. chown adam:adam /home/rssh_chroot/adam
7. chmod 770 /home/rssh_chroot/adam

You can now repeat this for any other user. Each will have a separate copy of the
necessary libraries, but this is the only way to accomplish this. I would start by copying
the entire adam dir to a new name, and simply chown-ing the dir to the new user:

1. cp -Rp adam betty


2. chown betty:betty betty

Then add the right line to /etc/rssh.conf:

user=betty:077:00010:/home/rssh_chroot/betty

Rinse. Repeat.
Additional tips and tricks

There were a few other things I had to do to get this working. I was having a problem that
appears to be common: you get a "connection closed" with no other hint of what's going
wrong and you are positive that your shared libs are set up correctly. Well, I figured it
out!

First, you definitely want to set things up so that you can see the log messages that
rssh_chroot_helper will log while executing in the jail. This was the key to solving the
problem. For syslog-ng, this is easy; look for the source src section in the
/etc/syslog-ng/syslog-ng.conf file and add unix-stream("/chroot/jail/dev/log"); just
after the unix-stream("/dev/log"); line. Be sure to restart syslog-ng.

Once I did this, I started seeing log messages from rssh_chroot_helper in
/var/log/messages, and in fact saw this nasty one: sftp-server[4589]: fatal: No
user found for uid xxxx. This indicated that I was missing an /etc/passwd file in the
chroot jail. I copied a minimal version of my system /etc/passwd to
/chroot/jail/etc/passwd, and also a minimal /etc/group to /chroot/jail/etc/group and,
wonder of wonders, it all worked perfectly.

A few additional things I noticed after getting the basic configuration working:

• Your jailed /etc/passwd can be mostly fake; apparently the only thing that sftp-
server really cares about are the usernames, uids, and gids. I used /dev/null as the
homedir and /bin/false as the shell even though I didn't have /bin/false in the jail.
Didn't seem to matter.
• Your jailed /etc/group is mostly fake too. Again, it only cares about group names
and gids. Specifically group membership is taken from the system's /etc/group not
/chroot/jail/etc/group
• You only need a very minimal set of executables in your jail. I narrowed it down
to /chroot/jail/usr/bin/sftp and /chroot/jail/usr/lib/misc/sftp-server. Specifically
you don't need rssh or rssh_chroot_helper in the jail. Note that I'm only allowing
sftp so if you allow other rssh programs (e.g. scp) you'll have to put them up there
too.
• You do need a /chroot/jail/dev/null as described above. You don't need to
create /chroot/jail/dev/log as syslog-ng will create it correctly.
• The minimal set of shared libs I needed to copy were:
o lib/ld-linux.so.2
o lib/libc.so.6
o lib/libcrypt.so.1
o lib/libdl.so.2
o lib/libncurses.so.5
o lib/libnsl.so.1
o lib/libnss_compat.so.2
o lib/libresolv.so.2
o lib/libutil.so.1
o lib/libz.so.1
o usr/lib/libcrypto.so.0.9.8
o usr/lib/libssl.so.0.9.8

And that's it! Hope that helps. pumpichank on gentoo forums

Alternative (Simpler) Solution

I used a similar method to the above for a long time, but got tired of having to update
libraries within the chroot'd jail every time I updated OpenSSL, OpenSSH and a variety
of other bits and pieces. Also, the users themselves had a habit of breaking things, as they
had access to the library directories, which only confused them!

In the end, I cobbled a better solution together from a variety of papers out there on the
'net, and came up with a chroot'd SFTP solution (no SCP, unfortunately) that requires no
messing about with libraries and so forth.

I've written this up: http://www.minstrel.org.uk/papers/sftp/

Note: my system runs Solaris, but I've had feedback from others that have successfully
followed the instructions on a variety of Linux-based systems. The page has recently
been updated to include detailed instructions for OpenBSD, and I have had reports of
successful builds on SuSE (with minor tweaks), RedHat and, of course, Gentoo!

Hope this helps.

Yet Another (Simpler) Alternative Solution

Building a simplified chroot jail with static builds of rssh and openssh.

The hardest (most time-consuming) part about the setup discussed above is chasing dynamic
libraries around with ldd and getting them into the chroot jail. This is especially messy
if you have a separate jail for each user. To get around this we compile rssh and
sftp-server as static binaries. Download openssh and rssh. Configure them as:

CC='gcc -static' ./configure your-args-here && make

Then copy (or hardlink) and setuid rssh_chroot_helper

mkdir -p /chroot/user/usr/libexec/openssh
ln sftp-server /chroot/user/usr/libexec/openssh/
ln rssh_chroot_helper /chroot/user/usr/libexec/
chmod 4755 /chroot/user/usr/libexec/rssh_chroot_helper
I recommend that you use your distro version of openssh and rssh for everything except
the files which need to be in the jail. There is no need to 'make install' as we don't wish to
install openssh or rssh over our existing distro copies. Just copy the ones out of the static-
build tree and use 'em in the chroot jail!

Sure enough, sftp-server and rssh_chroot_helper are static:

[root@backup1 testuser]# find usr/ -type f -print -exec ldd {} \;


usr/libexec/openssh/sftp-server
not a dynamic executable
usr/libexec/rssh_chroot_helper
not a dynamic executable

Since sftp-server calls getpwnam(), glibc still dynamically links in the libnss code for
doing password file lookups. For this reason, you will still need all the libraries
referenced by libnss_files.so.X, in addition to libnss_files.so.X itself:

[root@backup1 testuser]# ldd /lib64/libnss_files.so.2


libc.so.6 => /lib64/libc.so.6 (0x00002aaaaacc6000)
/lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000)

These files you will need to copy to your /chroot/user/lib(64) directory or sftp-server will
complain in a hard-to-troubleshoot way:

sftp-server[2361]: fatal: No user found for uid 501

We also added "-a /chroot/user/dev/log" to syslogd's command line so that jailed users
can still log to syslog. Your syslog may be configured differently here.

Below are all of the files in our jail, most of which can be hard-linked. etc/passwd must
contain at least the line(s) of the user(s) logging into jail.

[root@backup1 testuser]# find dev/ etc/ lib64/ usr/ -not -type d


dev/log
dev/null
etc/passwd
lib64/libnss_files.so.2
lib64/ld-linux-x86-64.so.2
lib64/libc.so.6
usr/libexec/openssh/sftp-server
usr/libexec/rssh_chroot_helper

Our (simple) /etc/rssh.conf:

[root@backup1 testuser]# cat /etc/rssh.conf | grep -v \# | grep .


logfacility = LOG_USER
allowsftp
umask = 022
user=testuser:077:00010:/chroot/user/testuser
That's it! I hope this helps simplify the task of chrooting SFTP!

The Simplest Solution of Them All

Apparently the newest OpenSSH CVS already contains support for chrooting SFTP users
(ChrootDirectory directive):

http://undeadly.org/cgi?action=article&sid=20080220110039

There is only support for SFTP though (no SCP). This appeared in OpenSSH 4.9 and
higher. Combined with ForceCommand internal-sftp, the chroot needs no binaries or
libraries at all; the one rule to observe is that the chroot directory and every
directory above it must be owned by root and not writable by group or others, or sshd
refuses the login.
