
29th August 2007, 21:07
Member
Hi all, it seems like someone did all the hard work and created the perfect setup script for a chroot jail:
http://www.fuschlberger.net/programs...p-chroot-jail/
Just used it on Debian Sarge, Etch & CentOS ... works like a charm!

30th August 2007, 21:49
Super Moderator
I get a 404 error when I try to download the script.

1st September 2007, 18:40
Junior Member
Quote:
Originally Posted by falko
I get a 404 error
Seems that it's been fixed, as http://www.fuschlberger.net/programs...chroot_jail.sh worked for me. The script did work, although I get a complaint of
Code:
No directory, logging in with HOME=/
when logging in, although the user is chrooted into the correct area.

7th September 2007, 02:54
Senior Member
falko,
I have a question about using chroot with ISPConfig.
I have followed your tutorial for Debian Etch but still had problems with sftp. I then decided to fix up the chroot script that ISPConfig executes to reflect the tutorial, and all works. So my question is: is this what I should do to get it to work with ISPConfig users?
Here is what I have done.
Code:
/root/ispconfig/scripts/shell/create_chroot_env.sh
Code:
#!/bin/bash
#
# Usage: ./create_chroot_env username
#
# Here specify the apps you want in the environment
APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors /usr/bin/vi /usr/bin/sftp /usr/lib/openssh/sftp-server /usr/bin/unzip /usr/bin/mysqldump /usr/bin/mysql /usr/bin/zip /bin/tar"
# Sanity check
if [ "$1" = "" ] ; then
    echo " Usage: ./create_chroot_env username"
    exit 1
fi
# Obtain username and HomeDir; anchor on "name:" so that a name which is
# a prefix of another one (e.g. web1 and web10) matches only its own entry
CHROOT_USERNAME=$1
HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME:" | cut -d':' -f 6`
if [ -z "$HOMEDIR" ]; then
    echo "No passwd entry for $CHROOT_USERNAME"
    exit 1
fi
cd "$HOMEDIR" || exit 1
# Create directories; no one will do it for you (-p makes re-runs harmless)
mkdir -p usr/lib/openssh
mkdir -p etc/pam.d
mkdir -p bin
mkdir -p lib
mkdir -p usr/bin
mkdir -p dev
# Device nodes the jailed tools need; skip mknod if they already exist
[ -c dev/null ] || mknod dev/null c 1 3
[ -c dev/zero ] || mknod dev/zero c 1 5
chmod 666 dev/null
chmod 666 dev/zero
# Create short version of /usr/bin/groups
# On some systems it requires /bin/sh, which is generally unnecessary in a chroot cage
echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
chmod 755 usr/bin/groups
# Add root and the chrooted user to ./etc/passwd and ./etc/group
grep /etc/passwd -e "^root:" -e "^$CHROOT_USERNAME:" > etc/passwd
grep /etc/group -e "^root:" -e "^$CHROOT_USERNAME:" > etc/group
# Move library lists left over from an earlier run out of the way
# (they are plain text files, so test with -e, not -x)
if [ -e ${HOMEDIR}/ldlist ]; then
    mv ${HOMEDIR}/ldlist ${HOMEDIR}/ldlist.bak
fi
if [ -e ${HOMEDIR}/ldlist2 ]; then
    mv ${HOMEDIR}/ldlist2 ${HOMEDIR}/ldlist2.bak
fi
for app in $APPS; do
    # First of all, check that this application exists
    if [ -x $app ]; then
        # Check that the directory exists; create it if not.
        app_path=`dirname $app`
        if ! [ -d .$app_path ]; then
            mkdir -p .$app_path
        fi
        # If the files in the chroot are on the same file system as the
        # original files you should be able to use hard links instead of
        # copying the files, too. Symbolic links cannot be used, because the
        # original files are outside the chroot.
        cp -p $app .$app
        # get list of necessary libraries
        ldd $app >> ${HOMEDIR}/ldlist
    fi
done
# Clear out any old temporary file before we start
if [ -e ${HOMEDIR}/ldlist2 ]; then
    rm ${HOMEDIR}/ldlist2
fi
# Keep only the tokens of the ldd output that are absolute paths
for libs in `cat ${HOMEDIR}/ldlist`; do
    frst_char="`echo $libs | cut -c1`"
    if [ "$frst_char" = "/" ]; then
        echo "$libs" >> ${HOMEDIR}/ldlist2
    fi
done
for lib in `cat ${HOMEDIR}/ldlist2`; do
    mkdir -p .`dirname $lib` > /dev/null 2>&1
    # If the files in the chroot are on the same file system as the original
    # files you should be able to use hard links instead of copying the files,
    # too. Symbolic links cannot be used, because the original files are
    # outside the chroot.
    cp $lib .$lib
done
#
# Now, cleanup the 2 files we created for the library list
#
/bin/rm -f ${HOMEDIR}/ldlist
/bin/rm -f ${HOMEDIR}/ldlist2
# For some strange reason these libraries are not in the ldd output, but without them
# some stuff will not work, like usr/bin/groups
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ./lib/
cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/
cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
cp /usr/lib/libkrb5.so.3 usr/lib/
cp /usr/lib/libk5crypto.so.3 usr/lib/
cp /lib/libcom_err.so.2 lib/
cp /usr/lib/libkrb5support.so.0 usr/lib/
# mysql needs the socket in the chrooted environment
mkdir -p ${HOMEDIR}/var/run/mysqld
ln /var/run/mysqld/mysqld.sock ${HOMEDIR}/var/run/mysqld/mysqld.sock
is this correct?
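A set of checks to run against a jail produced by a create_chroot_env-style script like the one above, added here as an example (not code from the thread or from ISPConfig): it verifies that every library the jailed binaries need was actually copied in, that etc/passwd carries only root and the jailed user, and that nothing setuid or world-writable ended up inside the jail. The jail path and user name in the usage line are assumptions.

```bash
#!/bin/bash
# Added example, not code from the thread or from ISPConfig: checks for a
# jail produced by a create_chroot_env-style script. JAIL is the jail root
# (the user's HOMEDIR in the script above); all paths are assumptions.

# Read ldd output on stdin and print the "/"-prefixed library paths that
# are not present under the jail. Same token rule as the script's
# ldlist/ldlist2 loops, but verifying instead of copying.
missing_libs() {
    tr -s ' \t' '\n\n' | grep '^/' | sort -u | while read -r lib; do
        [ -e "$1$lib" ] || echo "$lib"
    done
}

# Print accounts in the jail's etc/passwd other than root and the jailed
# user. Whole-field matching, so "web1" does not also pass "web10".
extra_passwd_entries() {
    cut -d: -f1 "$1/etc/passwd" | grep -v -x -F -e root -e "$2" || :
}

# The script copies plain tools only, so a setuid/setgid file inside the
# jail is an escalation path that should not exist.
setuid_files() { find "$1" -xdev -type f -perm /6000; }

# World-writable directories (tmp aside) let the jailed user replace the
# etc/, lib/ or usr/ content that the jailed programs trust.
world_writable_dirs() { find "$1" -xdev -type d -perm -0002 ! -name tmp; }

# dev/null and dev/zero must be real character devices, as mknod made them.
dev_nodes_ok() { [ -c "$1/dev/null" ] && [ -c "$1/dev/zero" ]; }

# usage: audit_jail /var/www/web1 web1_user   (returns 1 on any finding)
audit_jail() {
    jail=$1 user=$2 rc=0
    for f in "$jail"/bin/* "$jail"/usr/bin/* "$jail"/usr/lib/openssh/*; do
        [ -f "$f" ] || continue
        m=$(ldd "$f" 2>/dev/null | missing_libs "$jail")
        [ -z "$m" ] || { echo "$f: libraries missing in jail: $m"; rc=1; }
    done
    e=$(extra_passwd_entries "$jail" "$user")
    [ -z "$e" ] || { echo "unexpected accounts in etc/passwd: $e"; rc=1; }
    s=$(setuid_files "$jail")
    [ -z "$s" ] || { echo "setuid/setgid files in jail: $s"; rc=1; }
    w=$(world_writable_dirs "$jail")
    [ -z "$w" ] || { echo "world-writable directories: $w"; rc=1; }
    dev_nodes_ok "$jail" || { echo "dev/null or dev/zero is not a device node"; rc=1; }
    return $rc
}
```

Run it as root after create_chroot_env has finished; a non-zero exit means at least one finding was printed.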

7th September 2007, 16:06
Super Moderator
Looks good. Have you tried it?

7th September 2007, 20:55
Senior Member
Yes, I tried it and it seems to work well so far. If I have any problems, this is the first place I shall report.

11th September 2007, 01:30
Member
Thanks for the tip!
6th September 2007 17:54
daveb said:
Quote:
falko,
I have a question about using chroot when using with ispconfig.
I have followed your tutorial for Debian Etch but still had problems with sftp. I then decided to fix up the chroot script that ispconfig executes to reflect the tutorial and all works. so my question is, is this what I should do to get it to work with ispconfig users?
here is what I have done.
Code:
/root/ispconfig/scripts/shell/create_chroot_env.sh
...
Daveb, thanks for all your work modifying the ISPConfig file. But how exactly do I deviate from the How To Tutorial to make this function with ISPConfig?
Do I still do this?
Quote:
2.1 Install The Chrooted OpenSSH
First we install some prerequisites:
Code:
cd /tmp
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh build-essential bzip2
Then we download the patched OpenSSH sources, and we configure them with /usr as directory for the SSH executable files, with /etc/ssh as the directory where the chrooted SSH will look for configuration files, and we also allow PAM authentication:
Code:
wget http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2
tar xvfj openssh-4.5p1-chroot.tar.bz2
cd openssh-4.5p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install
The reason I ask is because on the Perfect Setup Tutorials I have already installed the ssh and openssh-server packages. Do I remove them or run these commands on top of this install?
When creating the chrooted environment, can I use the existing one located in /var/www? Or do I have to create another one?
Will I be modifying this file like Falko suggests in the tutorial?
Code:
vi /usr/local/sbin/create_chroot_env
Or will your file allow ISPConfig to do all the work when granting users shell access on the Control Panel?
I have also read somewhere that there is a config file in ISPConfig that activates chrooted ssh. Do I have to activate that or is it done by default? Will I have to activate this after every upgrade? Sorry for all the questions, I am quite the noob. Thank you in advance...
JCorrea920
ISPConfig 2.2.12
Ubuntu 6.06
ISPConfig 2.2.13
Fedora Core 6

11th September 2007, 18:53
Senior Member
Well, Jcorrea920, I followed the section "2.1 Install The Chrooted OpenSSH" of the How To Tutorial. Then I modified the script within ISPConfig as my earlier post describes. You must also make sure that you change the following, if you haven't already:
Code:
/home/admispconfig/ispconfig/lib/config.inc.php
$go_info["server"]["ssh_chroot"] = 0;
to
$go_info["server"]["ssh_chroot"] = 1;
I then restarted ssh and the ispconfig_server. Logged in to the control panel, then granted the web shell rights, and then granted the user of the web shell rights also.
I also saved a copy of the script in a safe place in case it is rewritten during the next ISPConfig upgrade, for replacement.
What I did doesn't chroot any system user, just the users within ISPConfig granted shell access.

23rd September 2008, 10:39
Member
Quote:
Originally Posted by falko
Falko, I tried this tutorial, and the first steps, download and .config, went well, but when I get to MAKE and MAKE INSTALL I get this message:
make: *** Keine Targets angegeben und keine »make«-Steuerdatei gefunden. Schluss.
(my server is in Germany with preinstalled Debian which I upgraded to Etch, so most of my error messages are in German, but I don't understand them)