Chrooted SSH/SFTP On Fedora 7 - Page 2

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Submitted by o.meyer (Contact Author) (Forums) on Mon, 2007-10-22 16:16. ::

2. Second Method (By Script)

A script, called make_chroot_jail.sh, that automates setting up SSH/SFTP chroot jails is available at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/. It works proper on Fedora 7 - maybe ld-ldb.so.3 and/or libxcrypt.so.1 can not be found on your system (you'll see a notice while executing the script), but it works fine without them.

 

2.1 The Script

Before we proceed, we have to install a needed package:

yum install sudo

Afterwards we download the script and change the rights:

cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 make_chroot_jail.sh

 

2.2 Use The Script

You can create a chrooted user via:

make_chroot_jail.sh %username% [%path_to_chrootshell% [%path_to_chroot%]]

e.g.:

make_chroot_jail.sh testuser /bin/chroot-shell /home/chroot

If the user is already existing, he will be updated - if not, he will be created. %path_to_chrootshell% and %path_to_chroot% are optional - if you don't specify them, the default values /bin/chroot-shell and /home/jail will be used.

To update the files and libraries in the chroot jail, run:

make_chroot_jail.sh update [%path_to_chrootshell% [%path_to_chroot%]]

e.g.:

make_chroot_jail.sh update /bin/chroot-shell /home/chroot

%path_to_chrootshell% and %path_to_chroot% are optional again - depending on how you created the user.

 

2.3 ProFTPd

If you use ProFTPd, you should take a look at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/.

As mentioned there, you should not add bin/chroot-shell to /etc/shells because that would allow chrooted users to break out of their jail. This is a problem for ProFTPd, because with the standard configuration, only users with a shell listed in /etc/shells are able to use ProFTPd. So chrooted users that use /bin/chrooted-shell will not be able to use ProFTPd.

To change this, we have to customize the proftpd.conf:

vi /etc/proftpd/proftpd.conf

add the following line:

RequireValidShell	off

Afterwards restart ProFTPd:

/etc/init.d/proftpd restart

Now all users, regardless of which shell they are using, are able to use ProFTPd. This might be something you don't want - the best solution would be to drop the usage of FTP and simply use SFTP.

 

3 Links

up

Copyright © 2007 Oliver Meyer
All Rights Reserved.
add comment | view as pdf view as pdf | print: this | all page(s) |
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
CHROOT script update
Submitted by Anonymous (not registered) on Sun, 2010-01-24 23:11.

Oustanding little Howto - just a point of interest; You mention the default values for the script are; 
/bin/chroot-shell
/home/jail

- However, in your example you change it to;
/bin/chroot-shell
/home/chroot


reply | view as pdf view as pdf
Sponsored Links: Turn your desk phone and mobile phone into one with Sprint Mobile Integration.
www.seamlessenterprise.com

One number. One voicemail. Seize the lead. Sprint Mobile Integration.
www.seamlessenterprise.com

One Number. One Voicemail.
Make it easier for clients to reach you. Turn your desk phone and mobile phone into one with Sprint Mobile Integration.
www.seamlessenterprise.com

One number. One voicemail. Sprint Mobile Integration.
www.seamlessenterprise.com

AT&T Synaptic Compute as a Service. Boost your power on demand.

Trial: IBM Cognos Express Reporting, Analysis & Planning

Learn benefits of Simpana software.
View the Gartner Video