SSH Chroot in ISPConfig Centos-4.6

Below is reference of how I have setup chroot SSH jail for users in CentOS-4.6 with ISPConfig installed replacing the openssh rpm with the one from chrootssh.sourceforge.net .

It's easy on ISPConfig as support for chroot SSH is now built in with the control panel, you simply need to get chrootSSH installed and then enable the ssh option located in the config file at "/home/admispconfig/ispconfig/lib/config.inc.php":

$go_info["server"]["ssh_chroot"] = 1;

If you need for the ssh chroot to access additional application, the file "/root/ispconfig/scripts/shell/create_chroot_env.sh" which builds the chroot needs to be edited. Also, check and edit the location of mysql socket file.

  1. Install latest zlib:

    chrootSSH will complain when we try to compile if the latest version of zlib is not installed.

    wget http://www.zlib.net/zlib-1.2.3.tar.gz
    tar xvfz zlib-1.2.3.tar.gz
    cd zlib-1.2.3
    make clean
    ./configure --shared
    make
    make install

  2. Install chrootSSH:

    wget http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2
    tar jxvf openssh-4.5p1-chroot.tar.bz2r />vi openssh-4.5p1-chroot/contrib/redhat/openssh.spec

    Change %define no_x11_askpass 0 to a 1, as well as %define no_gnome_askpass 0 to 1.

    Clean up some of the extra directories:

    rm -rf openssh-4.5p1-chroot/contrib/aix/
    rm -rf openssh-4.5p1-chroot/contrib/hpux/
    rm -rf openssh-4.5p1-chroot/contrib/caldera/
    rm -rf openssh-4.5p1-chroot/contrib/suse/
    rm -rf openssh-4.5p1-chroot/contrib/cygwin/
    rm -rf openssh-4.5p1-chroot/contrib/solaris/

    Install openssl-devel and pam-devel packages. Then rename the folder, and compile it with rpmbuild.

    yum -y install openssl-devel pam-devel
    mv openssh-4.5p1-chroot openssh-4.5p1
    tar czvf openssh-4.5p1.tar.gz openssh-4.5p1
    rpmbuild -tb --clean openssh-4.5p1.tar.gz
    rpm -Uvh /usr/src/redhat/RPMS/i386/openssh-4.5p1-1.i386.rpm
    rpm -Uvh /usr/src/redhat/RPMS/i386/openssh-server-4.5p1-1.i386.rpm />rpm -Uvh /usr/src/redhat/RPMS/i386/openssh-clients-4.5p1-1.i386.rpm

  3. Edit /etc/yum.conf and add “exclude=openssh*” so that it will not try and update openssh.
  4. Create The Chroot Environment:

    NOTE: This step is not necessary on ISPConfig, as it is now built in into the control panel. Simply edit the config file located at "/home/admispconfig/ispconfig/lib/config.inc.php" and enable ssh chroot option:

    $go_info["server"]["ssh_chroot"] = 1;

    The chroot environment can be created via running the script that comes with ispconfig:

    /root/ispconfig/scripts/shell/create_chroot_env.sh <username>

    If you need for the ssh chroot to access additional application, the file "/root/ispconfig/scripts/shell/create_chroot_env.sh" which builds the chroot needs to be edited. Also, check and edit the location of mysql socket file.

    The script is as below:

    #!/bin/bash

    #
    # Usage: ./create_chroot_env username
    #

    # Here specify the apps you want into the environment
    APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors /bin/vi /usr/bin/sftp /usr/libexec/openssh/sftp-server /usr/bin/mysqldump /usr/bin/mysql /usr/bin/unzip /usr/bin/zip /bin/tar /bin/gzip /bin/gunzip /usr/bin/wget /usr/bin/svn"

    # Sanity check

    if [ "$1" = "" ] ; then
        &nbsp;   echo "    Usage: ./create_chroot_env username"
        &nbsp;   exit
    fi

    # Obtain username and HomeDir
    CHROOT_USERNAME=$1
    HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME"&nbsp; | cut -d':' -f 6`
    cd $HOMEDIR

    # Create Directories no one will do it for you
    mkdir -p usr/lib/openssh
    mkdir etc
    mkdir etc/pam.d/
    mkdir bin
    mkdir lib
    mkdir usr/bin
    mkdir dev
    mknod dev/null c 1 3
    mknod dev/zero c 1 5
    chmod 666 dev/null
    chmod 666 dev/zero
    # Create short version to /usr/bin/groups
    # On some system it requires /bin/sh, which is generally unnessesary in a chroot cage

    echo "#!/bin/bash" > usr/bin/groups
    echo "id -Gn" >> usr/bin/groups

    # Add some users to ./etc/paswd

    grep /etc/passwd -e "^root" -e "^$CHROOT_USERNAME" > etc/passwd
    grep /etc/group -e "^root" -e "^$CHROOT_USERNAME" > etc/group

    if [ -x ${HOMEDIR}/ldlist ]; then
      mv ${HOMEDIR}/ldlist ${HOMEDIR}/ldlist.bak
    fi

    if [ -x ${HOMEDIR}/lddlist2 ]; then
      mv ${HOMEDIR}/lddlist2 ${HOMEDIR}/lddlist2.bak
    fi

    for app in $APPS;  do
      # First of all, check that this application exists
      if [ -x $app ]; then
        # Check that the directory exists; create it if not.
        app_path=`echo $app | sed -e 's#\(.\+\)/[^/]\+#\1#9;`
        if ! [ -d .$app_path ]; then
        &nbsp; mkdir -p .$app_path
        fi

        # If the files in the chroot are on the same file system as the
        # original files you should be able to use hard links instead of
        # copying the files, too. Symbolic links cannot be used, because the
        # original files are outside the chroot.
        cp -p $app .$app
        # get list of necessary libraries
        ldd $app >> ${HOMEDIR}/ldlist
      fi
    done

    # Clear out any old temporary file before we start
    if [ -e ${HOMEDIR}/ldlist2 ]; then
      rm ${HOMEDIR}/ldlist2
    fi
    for libs in `cat ${HOMEDIR}/ldlist`; do
      frst_char="`echo $libs | cut -c1`"
      if [ "$frst_char" = "/" ]; then
        echo "$libs" >> ${HOMEDIR}/ldlist2
      fi
    done

    for lib in `cat ${HOMEDIR}/ldlist2`; do
      mkdir -p .`dirname $lib` > /dev/null 2>&1
      # If the files in the chroot are on the same file system as the original
      # files you should be able to use hard links instead of copying the files,
      # too. Symbolic links cannot be used, because the original files are
      # outside the chroot.
      cp $lib .$lib
    done

    #
    # Now, cleanup the 2 files we created for the library list
    #
    /bin/rm -f ${HOMEDIR}/ldlist
    /bin/rm -f ${HOMEDIR}/ldlist2

    # From some strange reason these 3 libraries are not in the ldd output, but without them
    # some stuff will not work, like usr/bin/groups
    cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ./lib/
    cp /etc/hosts etc/
    cp /etc/resolv.conf etc/
    cp /etc/pam.d/* etc/pam.d/
    cp -r /lib/security lib/
    cp -r /etc/security etc/
    cp /etc/login.defs etc/
    cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
    cp /usr/lib/libkrb5.so.3 usr/lib/
    cp /usr/lib/libk5crypto.so.3 usr/lib/
    cp /lib/libcom_err.so.2 lib/
    cp /usr/lib/libkrb5support.so.0 usr/lib/

    # mysql needs the socket in the chrooted environment
    mkdir -p ${HOMEDIR}/var/lib/mysql
    ln /var/lib/mysql/mysql.sock ${HOMEDIR}/var/lib/mysql/mysql.sock

  5. Create chrooted user:

    The chrootSSH looks up the user who is trying to login in /etc/passwd. If the user's home directory in "/etc/passwd" has a . in it, then the user will be chrooted.

    webx_user:x:10000:10000:Name:/var/www/webx/./:/bin/bash

    The process of creating such users is automated via the ISPConfig control panel when enabling ssh option for users.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
chroot ssh works but not sftp

Hi,

I am using centos 5.2 and have ispconfig installed. I have also installed chroot for ssh/sftp but sftp is not working. Would any one know why?? I get the following error
File transfer server could not be started or it exited unexpectedly. Exit value 0 was returned. Most likely the sftp-server is not in the path of the user on the server-side.

The user was created through ISPCONFIG.

Thanks
joe

sftp-server

Check and make sure that "/usr/libexec/openssh/sftp-server" has been copied over and can be found in the chroot environment.

chroot sftp and ispconfig

I copied the sftp-server to /usr/lib/openssh/ under the ispconfig chroot env. still not working. What am I missing?? any permission or some other setup. Please help

Thanks

chroot sftp

You would have to run:

ldd /usr/libexec/openssh/sftp-server

and copy over the missing libraries as well.

Instead, did you try putting "/usr/libexec/openssh/sftp-server" in the "create_chroot_env.sh" file in the APPS variable?

You will need to recreate the user after editing the "create_chroot_env.sh" file, or just run the file manually via:

/root/ispconfig/scripts/shell/create_chroot_env.sh <username>

Did you follow through with the exact instructions as laid out above?

chroot sftp

Hi,

Thank you for replying...Here is what is happenning

I followed your steps above to install chroot ssh/sftp I did get failed dependencies error on rpm -Uvh /usr/src/redhat/RPMS/i386/openssh-4.5p1-1.i386.rpm and then I saw your comment on install all at once and I tried the following command rpm -Uvh openssh*.rpm still got the same dependencies error. I like to fix this issue by reinstalling but I do not know how to. I got all installed by ignoring the dependencies.

Now from your last post I did make change to the ispconfig .sh script and added this path for sftp-server "/usr/libexec/openssh/sftp-server" and created user through ispconfig. I am able to ssh and sftp but when I SSH and then try to sftp using command line I get the following error "PRNG is not seeded Couldn't read packet: Connection reset by peer" Also when I use SFTP untility to move files to the server I do get some permission set error during the move. Any ideas what is going on. What I did wrong and how I can fix it.

Thank you for your help
Joe

path and directory of chrooted env using ispconfig

what path and directory of chrooted env should it be in?

Thanks you

Thanks!!

Thanks again for this great guide and super fast help!!, installing them all at once did the trick :)

edit: oops this should have been a reply :P

Hello, thanks for this

Hello, thanks for this guide, but I am not sure why I get this failed dependencies error :

[root@server zlib-1.2.3]# rpm -Uvh /usr/src/redhat/RPMS/x86_64/openssh-4.5p1-1.x86_64.rpm
error: Failed dependencies:
    &nbsp;   openssh = 4.3p2-26.el5 is needed by (installed) openssh-clients-4.3p2-26.el5.x86_64
    &nbsp;   openssh = 4.3p2-26.el5 is needed by (installed) openssh-server-4.3p2-26.el5.x86_64

I am kinda new to this, zlib-1.2.3 is located in /tmp/ , is that correct?

Install all rpms at once to avoid dependency errors

You can try to install all the rpms at once if it is giving you failed dependencies:

rpm -Uvh openssh*.rpm

Below are notes from the zlib Makefile:

# To install /usr/local/lib/libz.* and /usr/local/include/zlib.h, type:
#    make install
# To install in $HOME instead of /usr/local, use:
#    make install prefix=$HOME

Comment