Chrooted SSH/SFTP On Fedora 7 - Page 2

2. Second Method (By Script)

A script, called make_chroot_jail.sh, that automates setting up SSH/SFTP chroot jails is available at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/. It works proper on Fedora 7 - maybe ld-ldb.so.3 and/or libxcrypt.so.1 can not be found on your system (you'll see a notice while executing the script), but it works fine without them.

 

2.1 The Script

Before we proceed, we have to install a needed package:

yum install sudo

Afterwards we download the script and change the rights:

cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 make_chroot_jail.sh

 

2.2 Use The Script

You can create a chrooted user via:

make_chroot_jail.sh %username% [%path_to_chrootshell% [%path_to_chroot%]]

e.g.:

make_chroot_jail.sh testuser /bin/chroot-shell /home/chroot

If the user is already existing, he will be updated - if not, he will be created. %path_to_chrootshell% and %path_to_chroot% are optional - if you don't specify them, the default values /bin/chroot-shell and /home/jail will be used.

To update the files and libraries in the chroot jail, run:

make_chroot_jail.sh update [%path_to_chrootshell% [%path_to_chroot%]]

e.g.:

make_chroot_jail.sh update /bin/chroot-shell /home/chroot

%path_to_chrootshell% and %path_to_chroot% are optional again - depending on how you created the user.

 

2.3 ProFTPd

If you use ProFTPd, you should take a look at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/.

As mentioned there, you should not add bin/chroot-shell to /etc/shells because that would allow chrooted users to break out of their jail. This is a problem for ProFTPd, because with the standard configuration, only users with a shell listed in /etc/shells are able to use ProFTPd. So chrooted users that use /bin/chrooted-shell will not be able to use ProFTPd.

To change this, we have to customize the proftpd.conf:

vi /etc/proftpd/proftpd.conf

add the following line:

RequireValidShell	off

Afterwards restart ProFTPd:

/etc/init.d/proftpd restart

Now all users, regardless of which shell they are using, are able to use ProFTPd. This might be something you don't want - the best solution would be to drop the usage of FTP and simply use SFTP.

 

Share this page:

1 Comment(s)