Chrooted SSH/SFTP On Fedora 7 - Page 2

 
Submitted by o.meyer on Mon, 2007-10-22 16:16.

2. Second Method (By Script)

A script called make_chroot_jail.sh, which automates setting up SSH/SFTP chroot jails, is available at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/. It works properly on Fedora 7. You may see a notice while running the script that ld-ldb.so.3 and/or libxcrypt.so.1 cannot be found on your system, but the jail works fine without them.

 

2.1 The Script

Before we proceed, we have to install a needed package:

yum install sudo

Afterwards we download the script and change the rights:

cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 make_chroot_jail.sh

 

2.2 Use The Script

You can create a chrooted user via:

make_chroot_jail.sh %username% [%path_to_chrootshell% [%path_to_chroot%]]

e.g.:

make_chroot_jail.sh testuser /bin/chroot-shell /home/chroot

If the user already exists, the account is updated; otherwise it is created. %path_to_chrootshell% and %path_to_chroot% are optional; if you don't specify them, the default values /bin/chroot-shell and /home/jail are used.

To update the files and libraries in the chroot jail, run:

make_chroot_jail.sh update [%path_to_chrootshell% [%path_to_chroot%]]

e.g.:

make_chroot_jail.sh update /bin/chroot-shell /home/chroot

%path_to_chrootshell% and %path_to_chroot% are optional here as well, but they must match the values you used when you created the user.

 

2.3 ProFTPd

If you use ProFTPd, you should take a look at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/.

As mentioned there, you should not add /bin/chroot-shell to /etc/shells, because that would allow chrooted users to break out of their jail. This is a problem for ProFTPd: with the standard configuration, only users whose login shell is listed in /etc/shells can use ProFTPd, so chrooted users that use /bin/chroot-shell will not be able to log in to ProFTPd.

To change this, we have to customize the proftpd.conf:

vi /etc/proftpd/proftpd.conf

add the following line:

RequireValidShell	off

Afterwards restart ProFTPd:

/etc/init.d/proftpd restart

Now all users, regardless of which shell they use, are able to use ProFTPd. This may be more than you want to allow; the best solution is to drop FTP altogether and simply use SFTP.
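An audit helper for the three points sections 2.2 and 2.3 make, added here as an example; it is not part of the HowTo or of make_chroot_jail.sh. The function names, the sample files and the assumption that jailed accounts get a home directory below the jail root are mine, not the script's documented behaviour.

```shell
#!/bin/sh
# Added audit helper (not part of the HowTo or of make_chroot_jail.sh).
# Every function takes the file to inspect as an argument, so it can be run
# against constructed copies as well as the live /etc files.

# 0 if SHELL is absent from SHELLS_FILE (as the page requires), 1 if listed.
chroot_shell_not_listed() {
    shells_file=$1; shell=$2
    if grep -qx "$shell" "$shells_file"; then return 1; fi
    return 0
}

# Print every account in PASSWD_FILE whose login shell is SHELL but whose home
# does not start with JAIL; returns 1 if any such account exists.
# Assumption: jailed accounts get their home below the jail root.
jailed_users_outside_jail() {
    passwd_file=$1; shell=$2; jail=$3
    awk -F: -v s="$shell" -v j="$jail" \
        'BEGIN { bad = 0 }
         $7 == s && index($6, j "/") != 1 { print $1; bad = 1 }
         END { exit bad }' "$passwd_file"
}

# 0 if CONF leaves RequireValidShell at its default (on), 1 if it turns it
# off, which the page notes lets every account use ProFTPd.
require_valid_shell_kept() {
    conf=$1
    if grep -Eiq '^[[:space:]]*RequireValidShell[[:space:]]+off' "$conf"; then return 1; fi
    return 0
}

# Demo on constructed files (not real system data); each WARN is expected.
demo_audit() {
    d=$(mktemp -d)
    printf '/bin/sh\n/bin/bash\n/bin/chroot-shell\n' > "$d/shells"
    printf 'root:x:0:0::/root:/bin/bash\n' > "$d/passwd"
    printf 'testuser:x:1001:1001::/home/chroot/./home/testuser:/bin/chroot-shell\n' >> "$d/passwd"
    printf 'leaky:x:1002:1002::/home/leaky:/bin/chroot-shell\n' >> "$d/passwd"
    printf 'ServerName "ProFTPD"\nRequireValidShell\toff\n' > "$d/proftpd.conf"
    chroot_shell_not_listed "$d/shells" /bin/chroot-shell \
        || echo "WARN: chroot shell is listed in /etc/shells"
    jailed_users_outside_jail "$d/passwd" /bin/chroot-shell /home/chroot \
        || echo "WARN: account(s) above use the chroot shell but live outside the jail"
    require_valid_shell_kept "$d/proftpd.conf" \
        || echo "WARN: RequireValidShell off lets every account use ProFTPd"
    rm -rf "$d"
}
demo_audit
```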

 

3 Links


Submitted by Anonymous (not registered) on Sun, 2010-01-24 23:11.

Outstanding little Howto - just a point of interest; You mention the default values for the script are:
/bin/chroot-shell
/home/jail

- However, in your example you change it to:
/bin/chroot-shell
/home/chroot