Chrooted SSH/SFTP On Fedora 7 - Page 2
2. Second Method (By Script)
A script called make_chroot_jail.sh, which automates setting up SSH/SFTP chroot jails, is available at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/. It works properly on Fedora 7; ld-ldb.so.3 and/or libxcrypt.so.1 may not be found on your system (you'll see a notice while the script runs), but it works fine without them.
2.1 The Script
Before we proceed, we have to install a needed package:
yum install sudo
Afterwards we download the script and change the rights:
cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 make_chroot_jail.sh
2.2 Use The Script
You can create a chrooted user via:
make_chroot_jail.sh %username% [%path_to_chrootshell% [%path_to_chroot%]]
e.g.:
make_chroot_jail.sh testuser /bin/chroot-shell /home/chroot
If the user already exists, it will be updated; if not, it will be created. %path_to_chrootshell% and %path_to_chroot% are optional; if you don't specify them, the default values /bin/chroot-shell and /home/jail are used.
To update the files and libraries in the chroot jail, run:
make_chroot_jail.sh update [%path_to_chrootshell% [%path_to_chroot%]]
e.g.:
make_chroot_jail.sh update /bin/chroot-shell /home/chroot
%path_to_chrootshell% and %path_to_chroot% are optional here too; pass the same values you used when creating the user.
2.3 ProFTPd
If you use ProFTPd, you should take a look at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/.
As mentioned there, you should not add /bin/chroot-shell to /etc/shells, because that would allow chrooted users to break out of their jail. This is a problem for ProFTPd because, with the standard configuration, only users whose shell is listed in /etc/shells can log in to ProFTPd. Chrooted users that use /bin/chroot-shell will therefore not be able to use ProFTPd.
To change this, we have to edit proftpd.conf:
vi /etc/proftpd/proftpd.conf
add the following line:
RequireValidShell off
Afterwards restart ProFTPd:
/etc/init.d/proftpd restart
Now all users, regardless of which shell they use, can log in to ProFTPd. This may be more than you want; the best solution is to drop FTP altogether and use SFTP only.
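The two settings this section turns on are easy to get wrong later (someone "fixes" FTP logins by adding the chroot shell to /etc/shells). The following audit script is an added example, not part of the tutorial or of make_chroot_jail.sh; it checks whether a given chroot shell is listed in a shells file and what RequireValidShell value ProFTPd will actually use, taking file paths as arguments so it can be run against /etc/shells and /etc/proftpd/proftpd.conf or against copies. The sample files it creates under mktemp are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the original tutorial or from make_chroot_jail.sh).
# Checks the two settings discussed above:
#   1. the chroot shell must NOT be listed in /etc/shells (jail break-out otherwise)
#   2. the effective RequireValidShell value in proftpd.conf

# shell_listed SHELL SHELLS_FILE
# Exit 0 if SHELL appears as a whole line in SHELLS_FILE (normally /etc/shells).
shell_listed() {
    grep -qx -- "$1" "$2"
}

# require_valid_shell PROFTPD_CONF
# Print the effective RequireValidShell value: the last one set in the file,
# or "on", which is what ProFTPD uses when the directive is absent.
# Directive names are matched case-insensitively, as ProFTPD does.
require_valid_shell() {
    awk 'tolower($1) == "requirevalidshell" { v = tolower($2) }
         END { print (v == "" ? "on" : v) }' "$1"
}

# audit_chroot_shell CHROOT_SHELL SHELLS_FILE PROFTPD_CONF
# Exit 0 when CHROOT_SHELL is not listed in SHELLS_FILE (the state the tutorial
# requires); print a finding and exit 1 otherwise. Also reports whether ProFTPD
# logins with that shell would be refused.
audit_chroot_shell() {
    rc=0
    if shell_listed "$1" "$2"; then
        echo "FINDING: $1 is listed in $2; chrooted users can break out of the jail"
        rc=1
    fi
    if [ "$(require_valid_shell "$3")" = "on" ]; then
        echo "INFO: RequireValidShell is on, so users with $1 cannot use ProFTPD"
    else
        echo "INFO: RequireValidShell is off, so any shell can use ProFTPD"
    fi
    return $rc
}

# --- constructed sample input, so the script runs without touching the real system ---
tmp=$(mktemp -d)
printf '/bin/sh\n/bin/bash\n' > "$tmp/shells.good"
printf '/bin/sh\n/bin/bash\n/bin/chroot-shell\n' > "$tmp/shells.bad"
printf '# constructed proftpd.conf\nServerName "ProFTPD"\nRequireValidShell off\n' > "$tmp/proftpd.conf"

echo "== jail with a clean /etc/shells =="
audit_chroot_shell /bin/chroot-shell "$tmp/shells.good" "$tmp/proftpd.conf" && echo "OK"
echo "== jail whose shell was added to /etc/shells =="
audit_chroot_shell /bin/chroot-shell "$tmp/shells.bad" "$tmp/proftpd.conf" || echo "NOT OK"
rm -rf "$tmp"
```

On a live system run it as audit_chroot_shell /bin/chroot-shell /etc/shells /etc/proftpd/proftpd.conf (after sourcing the file); the non-zero exit status makes it usable from a cron job or a configuration check.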
3 Links
- Chroot Patch For SSH: http://chrootssh.sourceforge.net/index.php
- OpenSSH: http://www.openssh.org
- make_chroot_jail.sh: http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail
- Fedora: http://fedoraproject.org/