24th December 2005, 12:39
falko

I installed a chrooted SSH yesterday on Debian Sarge; it will go into a small howto in the next few days, but basically this is how I did it:

Let's say your chroot will be in /home/chroot, and you have a user admin (whom we want to give chrooted SSH access) in /etc/passwd like that:

Code:
admin:x:1000:1000:admin,,,:/home/admin:/bin/bash

Change that line to

Code:
admin:x:1000:1000:admin,,,:/home/chroot/./home/admin:/bin/bash

The dot in /home/chroot/./home/admin is important so that OpenSSH knows that this user should be chrooted.

Now we install a new OpenSSH with chroot capabilities:

Code:
cd /tmp
wget http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3
make clean
./configure -s
make
make install
cd ..

apt-get install libpam0g-dev
wget http://chrootssh.sourceforge.net/download/openssh-4.2p1-chroot.tar.gz
tar xvfz openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install

Afterwards, we create the chroot environment:

Code:
mkdir /home/chroot/
mkdir -p /home/chroot/home/admin
chown admin:admin /home/chroot/home/admin

cd /home/chroot
mkdir etc
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
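# -m 666 makes the devices world-writable like the real ones, regardless of root's umask
mknod -m 666 dev/null c 1 3
mknod -m 666 dev/zero c 1 5

Then run the following commands on your shell:

Code: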
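APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping"
for prog in $APPS; do
        cp "$prog" "./$prog"

        # obtain a list of related libraries (ldd fails on non-dynamic files)
        if ldd "$prog" > /dev/null 2>&1; then
                # keep every absolute path ldd prints, so the dynamic loader is
                # copied too, whichever column it appears in
                LIBS=$(ldd "$prog" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }')
                for l in $LIBS; do
                        # -p creates nested library directories as needed
                        mkdir -p "./$(dirname "$l")"
                        cp "$l" "./$l"
                done
        fi
done

Finally do this:

Code: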
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
touch etc/passwd
grep /etc/passwd -e "^root" -e "^admin" > etc/passwd
grep /etc/group -e "^root" -e "^admin" > etc/group
#grep admin /etc/passwd >> /home/chroot/etc/passwd
echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
/etc/init.d/ssh restart

Now you can login as admin, and admin should be chrooted.
__________________
Falko
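A check for the setup described in the post, as an added example that is not part of falko's post: it finds passwd entries whose home field carries the /./ marker and reports whether the chroot actually holds that user's home directory, login shell and etc/passwd entry. The function names are hypothetical, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the post): audit passwd entries that use the
# "/./" chroot marker. Function names are hypothetical; paths are assumed
# to contain no spaces.

# Split a home field at the first "/./".
# Prints "<chroot root> <home inside chroot>"; returns 1 if the marker is
# absent, which means the user is not chrooted.
split_chroot_home() {
    case "$1" in
        */./*) printf '%s %s\n' "${1%%/./*}" "/${1#*/./}" ;;
        *) return 1 ;;
    esac
}

# For every chrooted user in the passwd file $1, print
# "<user> <chroot root> ok" or the list of pieces the chroot is missing.
audit_chroot_users() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        parts=$(split_chroot_home "$home") || continue
        root=${parts%% *}
        inner=${parts#* }
        problems=""
        # home directory as seen from inside the chroot
        [ -d "$root$inner" ] || problems="$problems no-home"
        # login shell must have been copied into the chroot
        [ -x "$root$shell" ] || problems="$problems no-shell"
        # the chroot's own etc/passwd needs the user for name lookups
        grep -q "^$user:" "$root/etc/passwd" 2>/dev/null \
            || problems="$problems no-passwd-entry"
        echo "$user $root${problems:- ok}"
    done < "$1"
}

# Usage: sh thisfile /etc/passwd
if [ $# -gt 0 ]; then
    audit_chroot_users "$1"
fi
```

A missing shared library does not show up here; running the login shell once through chroot as root is the quickest way to confirm the copied libraries are complete.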