chrooted SSH + Debian Etch
LeoLinux
12th August 2007, 14:34
Hi,
Does anybody have an idea how to chroot SSH in Debian Etch 4.0?
I know this howto here: http://howtoforge.com/chrooted_ssh_howto_debian
but it's sadly only for Debian Sarge ... and the scripts won't work for Etch ;-/
Thanks
Leander
thanis
12th August 2007, 15:18
Hi, were you able to install all necessary packages with apt-get (the newer ssl is openssl-0.9.8, I believe)? And if so, did you get any error output when running the script?
Except for Falko's "incredimail" script, all the rest are basic Linux/shell commands.
Kind regards,
Thanis
LeoLinux
13th August 2007, 13:18
????? What are you talking about??? Do you mean whether I got openssl-0.9.8 ready for a jailed user?
I am not even able to jail anybody, because Falko's script is only for Sarge users.
But I found something ....
http://howtoforge.com/forums/attachment.php?attachmentid=402&d=1175003548
BUT I don't really understand how to use it .... I don't know if I still have to install software as Falko's howto describes ... like 1 Install The Newest Zlib Version, or 2 Install The Chrooted SSH and so on ...
It would be helpful if somebody can give me some ideas how to go on.
Thank you very much!
Leander
:-)
falko
13th August 2007, 20:11
I haven't tried this on Etch, but I'll try to write a tutorial about it. :)
thanis
16th August 2007, 21:31
The tutorial is fine actually, it only needs a VERY small bit of tweaking for it to work on Debian Etch:
1. Don't do the zlib install!
2. apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.8 libssl-dev ssh zlib1g zlib1g-dev zlibc build-essential
3. then just follow the tutorial (the script is not actually important). But what falko forgot to mention, is that you need to copy the "script" contents to a file (e.g.: /home/chroot/chroot.sh) and then run that script:
chmod +x /home/chroot/chroot.sh
/home/chroot/chroot.sh
Then follow the rest of the tutorial.
Like I said, it's just a question of updating your apt packages to Etch level!
GRtz,
Thanis
LeoLinux
17th August 2007, 03:19
Hi,
thank you for your helpful response - but I seem too stupid for it ;-)
just step by step:
1. Don't install the zlib
2. Install The Chrooted SSH? What about that? Should I do this step?
3. Create The Chroot Environment? What about that? Should I do this step exactly as it's described in the howto?
What about the part with the script? Should I skip executing his script?
What about the steps written under the script part ... like cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
Should I go on from there until step 4?
And _what_ script are you talking about ... the script I linked up in this thread or the one from Falko's howto?
Sorry for those stupid questions .. - I just want to make sure before I kill my installation again ;-)
Regards,
Leander
thanis
17th August 2007, 09:39
Well ... all answers are positive to your questions.
Yes, install the chrooted SSH (download from sourceforge).
Yes, execute the script (use the one you mentioned, it's better than in the tutorial :) )
Yes, copy the files.
Yes, keep following the tutorial until the end.
No, never use root as your chrooted user :p
Grtz,
Thanis
LeoLinux
17th August 2007, 19:26
hmm thanks .... but the script which I mentioned didn't work ;-( nearly every command ended in a mess ... and those mysql paths aren't there ...
and I'm still not sure if I should do step 3 Create The Chroot Environment
mkdir /home/chroot/
mkdir /home/chroot/home/
cd /home/chroot
mkdir etc
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5
before I execute either of those two scripts, or not?!
Thank you very much
;-)
Leander
LeoLinux
19th August 2007, 11:24
Hi,
Does nobody have an idea, or any good howto?
How far is Falko with his new howto for Etch? ;-)
Leander
falko
20th August 2007, 19:20
How far is Falko with his new howto for Etch? ;-)
I haven't started yet - so many other things to do... But it's on my list. :)
LeoLinux
22nd August 2007, 02:34
I don't want to push you Falko ;-) but when do you guess you're able to publish a howto? I'm kind of lost without that ;-/
Thank you very much
Leander
lauer
22nd August 2007, 12:51
Hello
I have just followed the guide on a Debian Etch AMD64, and the only problem I had was an error about /bin/bash not being found.
A quick search on Google gave me the result that a lib file was missing.
`ldd /bin/bash`
shows what files the program needs. And the guide didn't say anything about
/lib64/ld-linux-x86-64.so.2
After adding this to the chroot, it works without problems.
LeoLinux
22nd August 2007, 15:13
Hi,
Thanks for your response. Can you tell me where you found this tutorial, or do you have a link?
Leander
lauer
22nd August 2007, 16:21
I use the same tutorial as you.
I only have some problems with sftp, where the connection is closed after the password is supplied. But ssh to the chroot works fine.
LeoLinux
23rd August 2007, 21:31
Hi again ...
ok ... , I did it .. and it seems to work ... the users are jailed ... BUT .. if I type as root
ssh -l user 10.1.10.1
the following error appears:
/etc/ssh/ssh_config line 45: Unsupported option "GSSAPIAuthentication"
/etc/ssh/ssh_config line 46: Unsupported option "GSSAPIDelegateCredentials"
but the connection goes on ... it seems as if I could ignore it ... but why does that show up?? Should I have compiled those options with the ssh chroot patch before?? Or should I just comment those lines out ;-) ?
Leander
8c2gon
24th August 2007, 17:59
Thanks for all of the tips on this folks - I have also just managed to get to the stage that LeoLinux is at.
I can't figure out how to get sFTP working though - I know it's not a "real" protocol, I have tried copying over a few things but am getting the message..
sftp testuser@127.0.0.1
Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer.
Can anyone tell me what I need to do?
Thanks in advance..
falko
24th August 2007, 23:23
Thanks for all of the tips on this folks - I have also just managed to get to the stage that LeoLinux is at.
I can't figure out how to get sFTP working though - I know it's not a "real" protocol, I have tried copying over a few things but am getting the message..
sftp testuser@127.0.0.1
Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer.
Can anyone tell me what I need to do?
Thanks in advance..
Any errors in your logs?
8c2gon
27th August 2007, 11:14
Thanks for reply Falko,
I don't seem to have a log file for SSH - I don't have a file /var/log/secure - should this have been set up automatically or is it something that I should have done? I'm a noob at this stuff, please excuse my ignorance.
I can log in fine with a user that is not jailed, so at a guess I need to add something else to the chroot environment, just not too sure.
falko
28th August 2007, 19:51
Take a look at /var/log/auth.log.
8c2gon
28th August 2007, 22:10
Thanks Falko again for the response. The auth log wasn't showing me anything; it was showing all the authentications as accepted. I actually managed to find this out today; if anyone is interested, this is what I had to do.
Replace this line in the sshd_config file:
Subsystem sftp /usr/lib/openssh/sftp-server
With this line:
Subsystem sftp /usr/lib/sftp-server
that got rid of the subsystem error. And I got connected okay.
Thanks to one and all!
8c2
thanis
29th August 2007, 22:07
Hi all, it seems like someone did all the hard work and created the perfect setup script for a chroot jail :)
http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/
Just used it on Debian Sarge, Etch & CentOS ... works like a charm!
falko
30th August 2007, 22:49
I get a 404 error when I try to download the script.
jxself
1st September 2007, 19:40
I get a 404 error
Seems that it's been fixed, as http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh worked for me. The script did work, although I get a complaint of "No directory, logging in with HOME=/" when logging in, although the user is chrooted into the correct area.
falko
7th September 2007, 01:48
I've published my chroot-SSH tutorial for Debian Etch: http://www.howtoforge.com/chroot_ssh_sftp_debian_etch :)
daveb
7th September 2007, 03:54
falko,
I have a question about using chroot when using with ispconfig.
I have followed your tutorial for Debian Etch but still had problems with sftp. I then decided to fix up the chroot script that ISPConfig executes to reflect the tutorial, and all works. So my question is, is this what I should do to get it to work with ISPConfig users?
here is what I have done.
/root/ispconfig/scripts/shell/create_chroot_env.sh
#!/bin/bash
#
# Usage: ./create_chroot_env username
#
# Here specify the apps you want in the environment
APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors /usr/bin/vi /usr/bin/sftp /usr/lib/openssh/sftp-server /usr/bin/unzip /usr/bin/mysqldump /usr/bin/mysql /usr/bin/zip /bin/tar"
# Sanity check
if [ "$1" = "" ] ; then
    echo " Usage: ./create_chroot_env username"
    exit 1
fi
# Obtain username and HomeDir (the trailing ":" makes sure "dave" does not also match "daveb")
CHROOT_USERNAME=$1
HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME:" | cut -d':' -f 6`
if [ -z "$HOMEDIR" ] || [ ! -d "$HOMEDIR" ]; then
    echo "No home directory found for user $CHROOT_USERNAME"
    exit 1
fi
cd "$HOMEDIR" || exit 1
# Create Directories no one will do it for you
mkdir -p usr/lib/openssh
mkdir -p etc/pam.d
mkdir -p bin
mkdir -p lib
mkdir -p usr/bin
mkdir -p dev
# Device nodes; skip them if the script is run a second time
[ -e dev/null ] || mknod dev/null c 1 3
[ -e dev/zero ] || mknod dev/zero c 1 5
chmod 666 dev/null
chmod 666 dev/zero
# Create short version to /usr/bin/groups
# On some systems it requires /bin/sh, which is generally unnecessary in a chroot cage
echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
chmod 755 usr/bin/groups
# Add only root and the chrooted user to ./etc/passwd and ./etc/group
grep /etc/passwd -e "^root:" -e "^$CHROOT_USERNAME:" > etc/passwd
grep /etc/group -e "^root:" -e "^$CHROOT_USERNAME:" > etc/group
# Move library lists left over from an earlier run out of the way
# (they are plain files, so test with -e, not -x)
if [ -e ${HOMEDIR}/ldlist ]; then
    mv ${HOMEDIR}/ldlist ${HOMEDIR}/ldlist.bak
fi
if [ -e ${HOMEDIR}/ldlist2 ]; then
    mv ${HOMEDIR}/ldlist2 ${HOMEDIR}/ldlist2.bak
fi
for app in $APPS; do
    # First of all, check that this application exists
    if [ -x $app ]; then
        # Check that the directory exists; create it if not.
        app_path=`dirname $app`
        if ! [ -d .$app_path ]; then
            mkdir -p .$app_path
        fi
        # If the files in the chroot are on the same file system as the
        # original files you should be able to use hard links instead of
        # copying the files, too. Symbolic links cannot be used, because the
        # original files are outside the chroot.
        cp -p $app .$app
        # get list of necessary libraries
        ldd $app >> ${HOMEDIR}/ldlist
    else
        echo "Warning: $app not found or not executable, skipping"
    fi
done
# Clear out any old temporary file before we start
if [ -e ${HOMEDIR}/ldlist2 ]; then
    rm ${HOMEDIR}/ldlist2
fi
# Keep only the absolute paths from the ldd output. This also catches the
# dynamic loader line (e.g. /lib64/ld-linux-x86-64.so.2), which has no "=>"
for libs in `cat ${HOMEDIR}/ldlist`; do
    frst_char="`echo $libs | cut -c1`"
    if [ "$frst_char" = "/" ]; then
        echo "$libs" >> ${HOMEDIR}/ldlist2
    fi
done
for lib in `cat ${HOMEDIR}/ldlist2`; do
    mkdir -p .`dirname $lib` > /dev/null 2>&1
    # Same note as above: hard links would work on the same file system,
    # symbolic links would not, because the targets are outside the chroot.
    cp $lib .$lib
done
#
# Now, cleanup the 2 files we created for the library list
#
/bin/rm -f ${HOMEDIR}/ldlist
/bin/rm -f ${HOMEDIR}/ldlist2
# These libraries are not in the ldd output (NSS modules are loaded at run time,
# not linked in), but without them some stuff will not work, like usr/bin/groups
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ./lib/
cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/
cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
cp /usr/lib/libkrb5.so.3 usr/lib/
cp /usr/lib/libk5crypto.so.3 usr/lib/
cp /lib/libcom_err.so.2 lib/
cp /usr/lib/libkrb5support.so.0 usr/lib/
# mysql needs the socket in the chrooted environment
# (a hard link, so /var/run and the home directory must be on the same file system)
mkdir -p ${HOMEDIR}/var/run/mysqld
ln /var/run/mysqld/mysqld.sock ${HOMEDIR}/var/run/mysqld/mysqld.sock
is this correct?
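As an added example (not from this thread, Falko's tutorial or ISPConfig), a small POSIX shell helper that does what lauer's ldd check and the ldlist loop in the script above do by hand: it parses ldd output, keeps both the "=> /path" entries and the bare loader line (such as /lib64/ld-linux-x86-64.so.2 on AMD64, which the guide missed), skips the kernel-provided vdso, and can copy the result into a jail root. The ldd output used as input is constructed, and the function names are mine.

```sh
#!/bin/sh
# Added example, not part of the thread: collect the shared libraries a
# binary needs from ldd output so they can be copied into a chroot jail.

# parse_ldd reads ldd-style output on stdin and prints one absolute path
# per line, sorted and de-duplicated. Lines look like one of:
#   libc.so.6 => /lib/libc.so.6 (0x...)      -> keep /lib/libc.so.6
#   /lib64/ld-linux-x86-64.so.2 (0x...)      -> keep the loader path
#   linux-vdso.so.1 =>  (0x...)              -> provided by the kernel, skip
#   statically linked / not a dynamic executable -> nothing to copy
parse_ldd() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    ' | sort -u
}

# copy_deps copies every library listed on stdin into the jail root $1,
# preserving the directory layout (hard-coded copy, never a symlink, since
# the original files are outside the jail).
copy_deps() {
    jail="$1"
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Constructed sample of `ldd /bin/bash` output on a 64-bit Etch box
# (addresses are made up); this is what lauer's check would have shown.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff5a5fe000)
    libncurses.so.5 => /lib/libncurses.so.5 (0x00002b7c29a3d000)
    libdl.so.2 => /lib/libdl.so.2 (0x00002b7c29c7a000)
    libc.so.6 => /lib/libc.so.6 (0x00002b7c29e7e000)
    /lib64/ld-linux-x86-64.so.2 (0x00002b7c29820000)'

# deps_of_sample returns the library list for the constructed sample.
deps_of_sample() {
    printf '%s\n' "$SAMPLE_LDD" | parse_ldd
}

# Real use, once per binary you put in the jail:
#   ldd /bin/bash | parse_ldd | copy_deps /home/chroot
```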
falko
7th September 2007, 17:06
Looks good. Have you tried it?
daveb
7th September 2007, 21:55
yes I tried it and it seems to work fine so far; if I have any problems this is the first place I shall report :)
Jcorrea920
11th September 2007, 02:30
6th September 2007 17:54
daveb said:
falko,
I have a question about using chroot when using with ispconfig.
I have followed your tutorial for Debian Etch but still had problems with sftp. I then decided to fix up the chroot script that ispconfig executes to reflect the tutorial and all works. so my question is, is this what I should do to get it to work with ispconfig users?
here is what I have done.
/root/ispconfig/scripts/shell/create_chroot_env.sh
...
Daveb thanks for all your work modifying the ISPConfig file. But how exactly do I deviate from the How To Tutorial to make this function with ISPConfig?
Do I still do this?:
2.1 Install The Chrooted OpenSSH
First we install some prerequisites:
cd /tmp
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh build-essential bzip2
Then we download the patched OpenSSH sources, and we configure them with /usr as directory for the SSH executable files, with /etc/ssh as the directory where the chrooted SSH will look for configuration files, and we also allow PAM authentication:
wget http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2
tar xvfj openssh-4.5p1-chroot.tar.bz2
cd openssh-4.5p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install
The reason I ask is because on the Perfect Setup Tutorials I have already installed ssh and openssh-server packages. Do I remove them or run these commands on top of this install?
When creating the chrooted environment can I use the existing one located in /var/www ? Or do I have to create another one?
Will I be modifying this file like Falko suggests in the tutorial?
vi /usr/local/sbin/create_chroot_env
Or will your file allow ISPConfig do all the work when granting users shell access on the Control Panel?
I have also read somewhere that there is a config file in ISPConfig that activates chrooted ssh. Do I have to activate that or is it done by default? Will I have to activate this after every upgrade? Sorry for all the questions I am quite the noob. Thank you in advance...
JCorrea920
ISPConfig 2.2.12
Ubuntu 6.06
ISPConfig 2.2.13
Fedora Core 6
daveb
11th September 2007, 19:53
Well Jcorrea920, I followed the section "2.1 Install The Chrooted OpenSSH" of the How To Tutorial. Then I modified the script that is within ISPConfig as my earlier post describes. You must also make sure that you change this, if you haven't already:
/home/admispconfig/ispconfig/lib/config.inc.php
$go_info["server"]["ssh_chroot"] = 0;
to
$go_info["server"]["ssh_chroot"] = 1;
I then restarted ssh and the ispconfig_server. Logged in to control panel then granted the web shell rights and then granted the user of the web shell rights also.
I also saved a copy of the script in a safe place in case it's rewritten during the next ISPConfig upgrade, for replacement.
What I did doesn't chroot any system user just the users within ISPConfig granted shell access.
bplgonzo
23rd September 2008, 11:39
I've published my chroot-SSH tutorial for Debian Etch: http://www.howtoforge.com/chroot_ssh_sftp_debian_etch :)
Falco, I tried this tutorial and first steps and download and .config went well, but when I get to MAKE and MAKE INSTALL I get this message:
make: *** Keine Targets angegeben und keine „make“-Steuerdatei gefunden. Schluss.
(my server is in Germany with preinstalled Debian which I upgraded to Etch, so most of my error messages are in German, but I don't understand them)
bplgonzo
23rd September 2008, 11:54
Falco, I tried this tutorial and first steps and download and .config went well, but when I get to MAKE and MAKE INSTALL I get this message:
make: *** Keine Targets angegeben und keine „make“-Steuerdatei gefunden. Schluss.
(my server is in Germany with preinstalled Debian which I upgraded to Etch, so most of my error messages are in German, but I don't understand them)
sorry, a not-updated apt-get was the problem. Now it is all OK.
bplgonzo
23rd September 2008, 12:27
But Falco, why Shell Access for user from ISPConfig does not jail that user?
I created 'web24_admin' and gave him Shell Access from ISPConfig, but he can get out from his 'web24' directory and go all the way up to root.
I followed your "Chrooted SSH/SFTP Tutorial (Debian Etch)", but how do I apply it to existing ISPConfig users? And will it jail them into their website root folders?
LeoLinux
23rd September 2008, 18:30
Root and every other user worked fine for me to break out.
You might want to double check if the command su is even accessible, or sth. like that ... did you double check your script given by Falko's How2?
Regards,
Leander
P.S. Btw. if you read that Falko ... I still don't understand why you didn't include that into the ISPConfig installation script ... ? A quick check if it's Debian Linux, or Ubuntu ... and a quick message dialog if you want it or not ... (because I think most of your ISPConfig testers are running either Ubuntu or Debian)
falko
24th September 2008, 18:29
P.S. Btw. if you read that Falko ... I still don't understand why you didn't include that into the ISPConfig installation script ... ? A quick check if it's Debian Linux, or Ubuntu ... and a quick message dialog if you want it or not ... (because I think most of your ISPConfig testers are running either Ubuntu or Debian)
I've added it to our bugtracker.