Using your favorite editor, open the ssh_config file. This is usually found in
/etc/ssh_conf. In most cases, this file can be left as its default; however, you can
change it to affect each user's session.
1. Using your favorite editor, open the sshd_config file. This is usually found in /etc/sshd_conf.
2. There is only one change that needs to be made to this file to enhance security. You must make sure that the Authentication section of the file has the following values set:

    # Authentication:
    LoginGraceTime 1m       # only need 1 minute to allow login time
    PermitRootLogin no      # do not allow root login
    #StrictModes yes        # default is yes – this should stay
    MaxAuthTries 3          # set max tries to 3 (default is 6)
11. Now, let's test your sftp connection by logging in as a user of the system. If you do not have a user created on the system other than root, create one now.

    $ sftp joeblow@localhost
    RSA key fingerprint is ***********************.
    Are you sure you want to continue connecting (yes/no)?

17. After you have said "yes" to the above, your sftp connection will be established, and you will have the following prompt waiting:

    sftp>

19. As with FTP, you can use the get and put commands; we will not be interacting at the command line with the SFTP server, but you can.
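As an added example (not part of the original article), a small POSIX shell audit of the three Authentication values set above. It follows sshd's own parsing rules rather than grepping: keywords are case-insensitive, the first occurrence of a keyword wins, and directives below a Match line apply only to that block. It assumes only awk and a readable config file; values are compared as the literal strings used above.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the Authentication values recommended
# above. Two sshd parsing rules matter for a correct check: keywords are
# case-insensitive and the FIRST occurrence of a keyword wins (a hardened line
# appended below a permissive one is silently ignored), and directives after a
# "Match" line apply only to that block, so the global scan stops there.

# effective_value FILE KEYWORD
# Print the global value sshd would use for KEYWORD, or UNSET if the keyword is
# absent from the global section (sshd's compiled-in default then applies).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                        # drop leading indentation
        $0 == "" || $0 ~ /^#/ { next }                # comments and blank lines
        { split($0, f, "[ \t=]+") }                   # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }             # Match block: global scan ends
        tolower(f[1]) == key { print f[2]; found = 1; exit }
        END { if (!found) print "UNSET" }
    ' "$1"
}

# audit_sshd_config FILE
# Print one line per recommended directive with its effective value and an
# OK/FAIL verdict; return non-zero if any directive is not set as recommended.
# Values are compared as the literal strings from the text ("60" would also be
# one minute for LoginGraceTime, but is reported as FAIL here).
audit_sshd_config() {
    rc=0
    for pair in PermitRootLogin=no MaxAuthTries=3 LoginGraceTime=1m; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(effective_value "$1" "$key")
        if [ "$have" = "$want" ]; then verdict=OK; else verdict=FAIL; rc=1; fi
        printf '%-16s effective=%-6s recommended=%-4s %s\n' \
            "$key" "$have" "$want" "$verdict"
    done
    return $rc
}

# Usage, with the path given in the text: audit_sshd_config /etc/sshd_conf
```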
Step 3 – Build a restricted shell for users using RSSH
1. Install RSSH. If you are using Gentoo, you can emerge the rssh package.
2. After installation, you need to add rssh to the list of allowed shells:

    $ echo /usr/bin/rssh >> /etc/shells

4. You'll need to edit the /etc/rssh.conf file to allow chrooting and sftp:

    logfacility = LOG_USER
    allowsftp
    umask = 022
    chrootpath="/home"

9. You must build a chroot environment for rssh. You'll have to copy some files to the /home directory to make it work properly:

    $ cd /home
    $ mkdir -p usr/bin
    $ cp /usr/bin/sftp usr/bin
    $ cp /usr/bin/rssh usr/bin
    $ mkdir -p usr/libexec
    $ cp /usr/libexec/rssh_chroot_helper usr/libexec
    $ mkdir -p usr/lib/misc
    $ cp /usr/lib/misc/sftp-server usr/lib/misc

18. You'll need to copy the dependencies of the above files. To do this properly, you'll need to use the ldd command to list the dependencies needed:

    $ ldd /usr/bin/sftp
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7fc5000)
        libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7ece000)
        libutil.so.1 => /lib/libutil.so.1 (0xb7eca000)
        libz.so.1 => /lib/libz.so.1 (0xb7eba000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7ea5000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7e78000)
        libc.so.6 => /lib/libc.so.6 (0xb7d68000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7d64000)
        /lib/ld-linux.so.2 (0xb7feb000)

30. You'll need to make directories for the above dependencies and copy the libs needed for SFTP (repeat the cp for each library ldd listed):

    $ mkdir lib
    $ cp /lib/<dependency> lib
    $ mkdir -p usr/lib
    $ cp /usr/lib/<dependency> usr/lib
39. Once finished, you can add a user or modify a user. You must make sure that
when you add or modify, you set the user's shell to /usr/bin/rssh.
Having non-technical individuals interface with your SFTP server via the command line isn't the best way. You will want to use a third-party tool. There are two main ways you can work with your SFTP server from the client side:
WinSCP
This is a free Windows-based sftp client. It is a great tool because it works the
same as most FTP clients.
A Web-based interface
Using a Web-based interface is by far the best way to allow interaction with your
SFTP server. The downside to this is that it is not free. If you choose this route, I
would recommend looking at JScape's SFTP applet.
If you choose to implement the client side using a Web-based client, you should consider
having the client interface with a user database for authentication. The reason for this is
that Web-based SFTP clients such as JScape offer the ability to further restrict
individuals to a specified directory. In essence, you could have a table that contains the
username, password, and user's home directory. When the user logs in using the Web
client, the table is queried and the user is logged in based on her record in the database.
This is more work on your part, but it gives the users the feeling of a well-integrated
system.
Conclusion
SFTP and OpenSSH are great solutions for providing a secured file transfer system. The system takes time to implement, but the return on investment is very apparent: no eavesdropping and no hacked FTP.
Installing and Configuring rssh
You'll need to emerge the restricted rssh shell, and then add it to the list of accepted
shells:
# emerge rssh
# echo /usr/bin/rssh >> /etc/shells
You'll also want to modify the rssh config and make some minor changes to enable chrooting, scp, and sftp.
File: /etc/rssh.conf
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath="/home"
If you wish to disable scp, or sftp independently, just remove the line or comment it out
with a #.
So now we need to make the necessary folders, and copy the libs needed for scp.
Now run ldd on the other files we copied into our chroot environment.
Copy the libraries associated with those files if there are any we didn't already get from scp. Note: for me, there were no other dependencies; copying all the dependencies for scp was enough for me. This should be the case for you as well unless your configuration is very different.
Or you can run the following to copy these dependency files to your chroot for you. Note: you must have the destination directories set up beforehand.
Finally, add the also-required ld-linux.so.2 and libcrypt.so.1 libraries to the jail (otherwise sftp/scp won't work).
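The ldd-and-copy procedure from Step 3 and the dependency-copying helper this section refers to, written out as one POSIX shell script. This is an added example, not the wiki's or the rssh project's code; it assumes the layout used in the text (jail root /home, binaries at /usr/bin/sftp, /usr/bin/rssh and /usr/lib/misc/sftp-server) and must run as root.

```shell
#!/bin/sh
# Added example: automate the ldd-and-copy step. For each binary that lives in
# the jail, read the shared libraries ldd reports and copy each one into the
# chroot at the same path, creating the directory first (so "you must have the
# destination directories set up beforehand" no longer applies). Paths follow
# the text: jail root /home, sftp-server under /usr/lib/misc. Run as root.
#
# Caveat noted in the text: ldd lists only link-time dependencies. Modules that
# glibc loads at runtime for passwd lookups (libnss_compat.so.2,
# libnss_files.so.X) do not appear and must still be copied by hand.

# ldd_paths: read ldd output on stdin and print only the library paths.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib/ld-linux.so.2 (0x...)"; skips linux-vdso and "=> not found" entries.
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# copy_deps JAIL BINARY...
# Copy every library each BINARY needs into JAIL, preserving the library's own
# path (/lib/libc.so.6 lands at JAIL/lib/libc.so.6). Example:
#   copy_deps /home /usr/bin/sftp /usr/bin/rssh /usr/lib/misc/sftp-server
copy_deps() {
    jail=$1; shift
    for bin in "$@"; do
        ldd "$bin" | ldd_paths | while IFS= read -r lib; do
            dest="$jail$lib"
            [ -e "$dest" ] && continue          # already in the jail
            mkdir -p "$(dirname "$dest")"
            cp "$lib" "$dest"                   # cp follows the symlink, so the
            echo "copied $lib -> $dest"         # name the loader asks for lands
        done
    done
}
```

Afterwards, chown the jail's lib and usr trees to root and chmod them 755 as in the per-user section below, so users cannot replace what the loader picks up.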
Note: if you are using /dev/log, don't forget to mkdir dev in your chroot and edit /etc/syslog-ng/syslog-ng.conf accordingly.
If SUID is not set, the chroot() call will not work and you will see this in /var/log/messages:
AMD64 users need to have libraries in /lib64 and /usr/lib64. I made this work by:
Code:
# emerge superadduser
...
# superadduser
Login name for new user []: testuser
User ID ('UID') [ defaults to next available ]:
Initial group [ users ]:
Additional groups (comma separated) []:
Home directory [ /home/testuser ]
- Warning: '/home/testuser' already exists !
Do you wish to change the home directory path? (Y/n) n
Shell [ /bin/bash ] /usr/bin/rssh
Expiry date (YYYY-MM-DD) []:
Possible problems: a user can create .ssh unless it already exists and add some LD_PRELOAD stuff to .ssh/environment, resulting in arbitrary code execution (within the chroot). Also, tools like courier-maildrop might induce problems, because .mailfilter may contain shell commands.
To get scp working, I have learned you must copy these files too:
cd /home
cp /lib/libnss_compat.so.2 lib
mkdir etc
cp /etc/passwd etc
### Be sure to edit the password after copying!
### Leave only the user needed to login with.
If you get "connection closed" when trying to log on via sftp, try:
mkdir /your/chroot/dir/dev
mknod -m 666 /your/chroot/dir/dev/null c 1 3
cp /lib/libnss_compat.so.2 /your/chroot/dir/lib/
If you are using one chroot per user, wrong permissions in rssh.conf can also cause "connection closed":
user=adam:077:00010:/home/rssh_chroot/adam
This is done by creating separate chroot directories for each user. Let's take our user
Adam as an example.
First, make a parent chroot dir. Nothing will actually chroot to this, it's just a tidy way to
do this. You can use regular home dirs if you want, it really doesn't matter. I do it this
way so I know at a glance that these users are rssh chroot'ed users.
1. mkdir /home/rssh_chroot
2. mkdir -p /home/rssh_chroot/adam
3. chown adam:adam /home/rssh_chroot/adam
4. chmod 770 /home/rssh_chroot/adam
Now, follow the above instructions for creating a chroot WITHIN the adam directory,
replacing "/home" with "/home/rssh_chroot/adam" in the procedures. Add the following
line, edited as you want, to /etc/rssh.conf:
user=adam:077:00010:/home/rssh_chroot/adam
1. cd /home/rssh_chroot
2. chown -R root:root adam/lib
3. chmod -R 755 adam/lib
4. chown -R root:root adam/usr
5. chmod -R 755 adam/usr
6. chown adam:adam /home/rssh_chroot/adam
7. chmod 770 /home/rssh_chroot/adam
You can now repeat this for any other user. Each will have a separate copy of the
necessary libraries, but this is the only way to accomplish this. I would start by copying
the entire adam dir to a new name, and simply chown-ing the dir to the new user:
user=betty:077:00010:/home/rssh_chroot/betty
Rinse. Repeat.
Additional tips and tricks
There were a few other things I had to do to get this working. I was having a problem that
appears to be common: you get a "connection closed" with no other hint of what's going
wrong and you are positive that your shared libs are set up correctly. Well, I figured it
out!
First, you definitely want to set things up so that you can see the log messages that
rssh_chroot_helper will log while executing in the jail. This was the key to solving the
problem. For syslog-ng, this is easy; look for the source src section in the /etc/syslog-ng/syslog-ng.conf file and add unix-string("/chroot/jail/dev/log"); just after the unix-string("/dev/log"); line. Be sure to restart syslog-ng.
A few additional things I noticed after getting the basic configuration working:
• Your jailed /etc/passwd can be mostly fake; apparently the only things that sftp-server really cares about are the usernames, uids, and gids. I used /dev/null as the homedir and /bin/false as the shell even though I didn't have /bin/false in the jail. Didn't seem to matter.
• Your jailed /etc/group is mostly fake too. Again, it only cares about group names and gids. Specifically, group membership is taken from the system's /etc/group, not /chroot/jail/etc/group.
• You only need a very minimal set of executables in your jail. I narrowed it down to /chroot/jail/usr/bin/sftp and /chroot/jail/usr/lib/misc/sftp-server. Specifically, you don't need rssh or rssh_chroot_helper in the jail. Note that I'm only allowing sftp, so if you allow other rssh programs (e.g. scp) you'll have to put them up there too.
• You do need a /chroot/jail/dev/null as described above. You don't need to create /chroot/jail/dev/log, as syslog-ng will create it correctly.
• The minimal set of shared libs I needed to copy were:
  o lib/ld-linux.so.2
  o lib/libc.so.6
  o lib/libcrypt.so.1
  o lib/libdl.so.2
  o lib/libncurses.so.5
  o lib/libnsl.so.1
  o lib/libnss_compat.so.2
  o lib/libresolv.so.2
  o lib/libutil.so.1
  o lib/libz.so.1
  o usr/lib/libcrypto.so.0.9.8
  o usr/lib/libssl.so.0.9.8
I used a similar method to the above for a long time, but got tired of having to update
libraries within the chroot'd jail every time I updated OpenSSL, OpenSSH and a variety
of other bits and pieces. Also, the users themselves had a habit of breaking things, as they
had access to the library directories, which only confused them!
In the end, I cobbled a better solution together from a variety of papers out there on the
'net, and came up with a chroot'd SFTP solution (no SCP, unfortunately) that requires no
messing about with libraries and so forth.
Note: my system runs Solaris, but I've had feedback from others that have successfully
followed the instructions on a variety of Linux-based systems. The page has recently
been updated to include detailed instructions for OpenBSD, and I have had reports of
successful builds on SuSE (with minor tweaks), RedHat and, of course, Gentoo!
Building a simplified chroot jail with static builds of rssh and openssh
The hardest (most time-consuming) part about the setup discussed above is chasing dynamic libraries around with ldd and getting them into the chroot jail. This is especially messy if you have a separate jail for each user. To get around this, we compile rssh and sftp-server as static binaries. Download openssh and rssh. Configure them as:
mkdir -p /chroot/user/usr/libexec/openssh
ln sftp-server /chroot/user/usr/libexec/openssh/
ln rssh_chroot_helper /chroot/user/usr/libexec/
chmod 4755 /chroot/user/usr/libexec/rssh_chroot_helper
I recommend that you use your distro version of openssh and rssh for everything except
the files which need to be in the jail. There is no need to 'make install' as we don't wish to
install openssh or rssh over our existing distro copies. Just copy the ones out of the static-
build tree and use 'em in the chroot jail!
Since sftp-server calls getpwnam(), glibc still dynamically links in the libnss code for doing password file lookups. For this reason, you will still need all the libraries referenced by libnss_files.so.X, in addition to libnss_files.so.X itself:
These files you will need to copy to your /chroot/user/lib(64) directory or sftp-server will
complain in a hard-to-troubleshoot way:
We also added "-a /chroot/user/dev/log" to syslogd's command line so that jailed users
can still log to syslog. Your syslog may be configured differently here.
Below are all of the files in our jail, most of which can be hard-linked. etc/passwd must
contain at least the line(s) of the user(s) logging into jail.
Apparently the newest OpenSSH CVS already contains support for chrooting SFTP users (ChrootDirectory directive):
http://undeadly.org/cgi?action=article&sid=20080220110039
There is only support for SFTP though (no SCP). This appeared in OpenSSH 4.9 and higher.