Below is reference of how I have setup chroot SSH jail for users in CentOS-4.6 with ISPConfig installed replacing the openssh rpm with the one from chrootssh.sourceforge.net .
It's easy on ISPConfig as support for chroot SSH is now built in with the control panel, you simply need to get chrootSSH installed and then enable the ssh option located in the config file at "/home/admispconfig/ispconfig/
$go_info["server"][& quot;ssh_chroot"] = 1;
If you need for the ssh chroot to access additional application, the file "/root/ispconfig/scripts/shell
-
Install latest zlib:
chrootSSH will complain when we try to compile if the latest version of zlib is not installed.
wget http://www.zlib.net/zlib-1.2.3 .tar.gz
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3
make clean
./configure --shared
make
make install
wget http://chrootssh.sourceforge.n et/download/openssh-4.5p1-chro ot.tar.bz2
tar jxvf openssh-4.5p1-chroot.tar.bz2r />vi openssh-4.5p1-chroot/contrib/r edhat/openssh.spec
Change %define no_x11_askpass 0 to a 1, as well as %define no_gnome_askpass 0 to 1.
Clean up some of the extra directories:
rm -rf openssh-4.5p1-chroot/contrib/a ix/
rm -rf openssh-4.5p1-chroot/contrib/h pux/
rm -rf openssh-4.5p1-chroot/contrib/c aldera/
rm -rf openssh-4.5p1-chroot/contrib/s use/
rm -rf openssh-4.5p1-chroot/contrib/c ygwin/
rm -rf openssh-4.5p1-chroot/contrib/s olaris/
Install openssl-devel and pam-devel packages. Then rename the folder, and compile it with rpmbuild.
yum -y install openssl-devel pam-devel
mv openssh-4.5p1-chroot openssh-4.5p1
tar czvf openssh-4.5p1.tar.gz openssh-4.5p1
rpmbuild -tb --clean openssh-4.5p1.tar.gz
rpm -Uvh /usr/src/redhat/RPMS/i386/open ssh-4.5p1-1.i386.rpm
rpm -Uvh /usr/src/redhat/RPMS/i386/open ssh-server-4.5p1-1.i386.rpm
/>rpm -Uvh /usr/src/redhat/RPMS/i386/open ssh-clients-4.5p1-1.i386.rpm
Create The Chroot Environment:
NOTE: This step is not necessary on ISPConfig, as it is now built in into the control panel. Simply edit the config file located at "/home/admispconfig/ispconfig/
$go_info["server"][& quot;ssh_chroot"] = 1;
The chroot environment can be created via running the script that comes with ispconfig:
/root/ispconfig/scripts/shell/ create_chroot_env.sh <username>
If you need for the ssh chroot to access additional application, the file "/root/ispconfig/scripts/shell
The script is as below:
#!/bin/bash
#
# Usage: ./create_chroot_env username
#
# Here specify the apps you want into the environment
APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors /bin/vi /usr/bin/sftp /usr/libexec/openssh/sftp-serv er /usr/bin/mysqldump /usr/bin/mysql /usr/bin/unzip /usr/bin/zip /bin/tar /bin/gzip /bin/gunzip /usr/bin/wget /usr/bin/svn"
# Sanity check
if [ "$1" = "" ] ; then
&nbs p; echo " Usage: ./create_chroot_env username"
&nbs p; exit
fi
# Obtain username and HomeDir
CHROOT_USERNAME=$1
HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME"& nbsp; | cut -d':' -f 6`
cd $HOMEDIR
# Create Directories no one will do it for you
mkdir -p usr/lib/openssh
mkdir etc
mkdir etc/pam.d/
mkdir bin
mkdir lib
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 666 dev/null
chmod 666 dev/zero
# Create short version to /usr/bin/groups
# On some system it requires /bin/sh, which is generally unnessesary in a chroot cage
echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
# Add some users to ./etc/paswd
grep /etc/passwd -e "^root" -e "^$CHROOT_USERNAME" > etc/passwd
grep /etc/group -e "^root" -e "^$CHROOT_USERNAME" > etc/group
if [ -x ${HOMEDIR}/ldlist ]; then
mv ${HOMEDIR}/ldlist ${HOMEDIR}/ldlist.bak
fi
if [ -x ${HOMEDIR}/lddlist2 ]; then
mv ${HOMEDIR}/lddlist2 ${HOMEDIR}/lddlist2.bak
fi
for app in $APPS; do
# First of all, check that this application exists
if [ -x $app ]; then
# Check that the directory exists; create it if not.
app_path=`echo $app | sed -e 's#\(.\+\)/[^/]\+#\1# 9;`
if ! [ -d .$app_path ]; then
&nbs p; mkdir -p .$app_path
fi
# If the files in the chroot are on the same file system as the
# original files you should be able to use hard links instead of
# copying the files, too. Symbolic links cannot be used, because the
# original files are outside the chroot.
cp -p $app .$app
# get list of necessary libraries
ldd $app >> ${HOMEDIR}/ldlist
fi
done
# Clear out any old temporary file before we start
if [ -e ${HOMEDIR}/ldlist2 ]; then
rm ${HOMEDIR}/ldlist2
fi
for libs in `cat ${HOMEDIR}/ldlist`; do
frst_char="`echo $libs | cut -c1`"
if [ "$frst_char" = "/" ]; then
echo "$libs" >> ${HOMEDIR}/ldlist2
fi
done
for lib in `cat ${HOMEDIR}/ldlist2`; do
mkdir -p .`dirname $lib` > /dev/null 2>&1
# If the files in the chroot are on the same file system as the original
# files you should be able to use hard links instead of copying the files,
# too. Symbolic links cannot be used, because the original files are
# outside the chroot.
cp $lib .$lib
done
#
# Now, cleanup the 2 files we created for the library list
#
/bin/rm -f ${HOMEDIR}/ldlist
/bin/rm -f ${HOMEDIR}/ldlist2
# From some strange reason these 3 libraries are not in the ldd output, but without them
# some stuff will not work, like usr/bin/groups
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ./lib/
cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/
cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
cp /usr/lib/libkrb5.so.3 usr/lib/
cp /usr/lib/libk5crypto.so.3 usr/lib/
cp /lib/libcom_err.so.2 lib/
cp /usr/lib/libkrb5support.so.0 usr/lib/
# mysql needs the socket in the chrooted environment
mkdir -p ${HOMEDIR}/var/lib/mysql
ln /var/lib/mysql/mysql.sock ${HOMEDIR}/var/lib/mysql/mysql .sock
The chrootSSH looks up the user who is trying to login in /etc/passwd. If the user's home directory in "/etc/passwd" has a . in it, then the user will be chrooted.
webx_user:x:10000:10000:Name:/ var/www/webx/./:/bin/bash
The process of creating such users is automated via the ISPConfig control panel when enabling ssh option for users.
- sandip's blog
- Login or register to post comments
Comments
Hi,
I am using centos 5.2 and have ispconfig installed. I have also installed chroot for ssh/sftp but sftp is not working. Would any one know why?? I get the following error
File transfer server could not be started or it exited unexpectedly. Exit value 0 was returned. Most likely the sftp-server is not in the path of the user on the server-side.
The user was created through ISPCONFIG.
Thanks
joe
Check and make sure that "/usr/libexec/openssh/sftp-ser ver" has been copied over and can be found in the chroot environment.
I copied the sftp-server to /usr/lib/openssh/ under the ispconfig chroot env. still not working. What am I missing?? any permission or some other setup. Please help
Thanks
You would have to run:
ldd /usr/libexec/openssh/sftp-serv er
and copy over the missing libraries as well.
Instead, did you try putting "/usr/libexec/openssh/sftp-ser ver" in the "create_chroot_env.sh" file in the APPS variable?
You will need to recreate the user after editing the "create_chroot_env.sh" file, or just run the file manually via:
/root/ispconfig/scripts/shell/ create_chroot_env.sh <username>
Did you follow through with the exact instructions as laid out above?
Hi,
Thank you for replying...Here is what is happenning
I followed your steps above to install chroot ssh/sftp I did get failed dependencies error on rpm -Uvh /usr/src/redhat/RPMS/i386/open ssh-4.5p1-1.i386.rpm and then I saw your comment on install all at once and I tried the following command rpm -Uvh openssh*.rpm still got the same dependencies error. I like to fix this issue by reinstalling but I do not know how to. I got all installed by ignoring the dependencies.
Now from your last post I did make change to the ispconfig .sh script and added this path for sftp-server "/usr/libexec/openssh/sftp-ser ver" and created user through ispconfig. I am able to ssh and sftp but when I SSH and then try to sftp using command line I get the following error "PRNG is not seeded Couldn't read packet: Connection reset by peer" Also when I use SFTP untility to move files to the server I do get some permission set error during the move. Any ideas what is going on. What I did wrong and how I can fix it.
Thank you for your help
Joe
what path and directory of chrooted env should it be in?
Thanks you
Thanks again for this great guide and super fast help!!, installing them all at once did the trick :)
edit: oops this should have been a reply :P
Hello, thanks for this guide, but I am not sure why I get this failed dependencies error :
[root@server zlib-1.2.3]# rpm -Uvh /usr/src/redhat/RPMS/x86_64/op enssh-4.5p1-1.x86_64.rpm p; openssh = 4.3p2-26.el5 is needed by (installed) openssh-clients-4.3p2-26.el5.x 86_64 p; openssh = 4.3p2-26.el5 is needed by (installed) openssh-server-4.3p2-26.el5.x8 6_64
error: Failed dependencies:
&nbs
&nbs
I am kinda new to this, zlib-1.2.3 is located in /tmp/ , is that correct?
You can try to install all the rpms at once if it is giving you failed dependencies:
rpm -Uvh openssh*.rpm
Below are notes from the zlib Makefile:
# To install /usr/local/lib/libz.* and /usr/local/include/zlib.h, type:
# make install
# To install in $HOME instead of /usr/local, use:
# make install prefix=$HOME