Chrooted SSH/SFTP On Fedora 7 - Page 2

2. Second Method (By Script)

A script called make_chroot_jail.sh, which automates setting up SSH/SFTP chroot jails, is available at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/. It works properly on Fedora 7. The script may report that ld-ldb.so.3 and/or libxcrypt.so.1 cannot be found on your system (you'll see a notice while it runs), but the jail works fine without them.


2.1 The Script

Before we proceed, we have to install a needed package:

yum install sudo

Afterwards we download the script and change the rights:

cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 make_chroot_jail.sh


2.2 Use The Script

You can create a chrooted user via:

make_chroot_jail.sh %username% [%path_to_chrootshell% [%path_to_chroot%]]

e.g.:

make_chroot_jail.sh testuser /bin/chroot-shell /home/chroot

If the user already exists, it will be updated; if not, it will be created. %path_to_chrootshell% and %path_to_chroot% are optional; if you don't specify them, the default values /bin/chroot-shell and /home/jail are used.

To update the files and libraries in the chroot jail, run:

make_chroot_jail.sh update [%path_to_chrootshell% [%path_to_chroot%]]

e.g.:

make_chroot_jail.sh update /bin/chroot-shell /home/chroot

Again, %path_to_chrootshell% and %path_to_chroot% are optional; pass the same values you used when you created the user.


2.3 ProFTPd

If you use ProFTPd, you should take a look at http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/.

As mentioned there, you should not add /bin/chroot-shell to /etc/shells, because that would allow chrooted users to break out of their jail. This is a problem for ProFTPd: with the standard configuration, only users whose shell is listed in /etc/shells are able to use ProFTPd. So chrooted users whose shell is /bin/chroot-shell will not be able to use ProFTPd.

To change this, we have to customize the proftpd.conf:

vi /etc/proftpd/proftpd.conf

add the following line:

RequireValidShell	off

Afterwards restart ProFTPd:

/etc/init.d/proftpd restart

Now all users, regardless of which shell they are using, are able to use ProFTPd. This may not be what you want; the best solution is to drop FTP altogether and simply use SFTP.
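The following audit script is an added example; it is not part of this tutorial and not part of make_chroot_jail.sh. It checks, for one user, the conditions that sections 2.2 and 2.3 rely on: the user's login shell is the chroot shell, that shell is not listed in /etc/shells, the jail contains the user's home, and proftpd.conf (if present) has RequireValidShell off. The function names audit_chroot_user and make_fixtures are hypothetical, the jail layout %path_to_chroot%/home/%username% is assumed from the example paths used here, and the fixture files are constructed so the script can be tried offline with --demo before being pointed at the real files with --live.

```shell
#!/bin/sh
# Added audit helper (not part of the tutorial or of make_chroot_jail.sh).
# It verifies the conditions sections 2.2 and 2.3 rely on for one user:
#   1. the user's login shell in passwd is the chroot shell,
#   2. the chroot shell is NOT listed in /etc/shells,
#   3. the jail exists and contains the user's home (JAIL/home/USER, assumed layout),
#   4. proftpd.conf, if given, sets RequireValidShell off.
# File locations are parameters so the checks can run against copies.

# audit_chroot_user USER CHROOT_SHELL JAIL PASSWD_FILE SHELLS_FILE [PROFTPD_CONF]
# Prints one line per check and returns 0 only when every check passes.
audit_chroot_user() {
    user=$1; chroot_shell=$2; jail=$3
    passwd_file=$4; shells_file=$5; proftpd_conf=${6:-}
    rc=0

    # 1. the login shell is the 7th field of the user's passwd entry
    login_shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
    if [ -z "$login_shell" ]; then
        echo "FAIL: $user has no entry in $passwd_file"; rc=1
    elif [ "$login_shell" != "$chroot_shell" ]; then
        echo "FAIL: $user logs in with $login_shell, expected $chroot_shell"; rc=1
    else
        echo "ok:   $user logs in with $chroot_shell"
    fi

    # 2. the chroot shell must stay out of /etc/shells (section 2.3)
    if grep -qxF "$chroot_shell" "$shells_file"; then
        echo "FAIL: $chroot_shell is listed in $shells_file"; rc=1
    else
        echo "ok:   $chroot_shell is not listed in $shells_file"
    fi

    # 3. the jail directory and the user's home inside it
    if [ ! -d "$jail" ]; then
        echo "FAIL: jail directory $jail does not exist"; rc=1
    elif [ ! -d "$jail/home/$user" ]; then
        echo "FAIL: $jail/home/$user not found inside the jail"; rc=1
    else
        echo "ok:   $jail/home/$user exists"
    fi

    # 4. ProFTPd admits a user with an unlisted shell only when RequireValidShell is off
    if [ -n "$proftpd_conf" ] && [ -f "$proftpd_conf" ]; then
        if grep -Eiq '^[[:space:]]*RequireValidShell[[:space:]]+off[[:space:]]*$' "$proftpd_conf"; then
            echo "ok:   RequireValidShell off in $proftpd_conf"
        else
            echo "FAIL: RequireValidShell is not off in $proftpd_conf; FTP logins for $user will be refused"; rc=1
        fi
    fi
    return $rc
}

# make_fixtures: builds CONSTRUCTED copies of passwd, shells and proftpd.conf
# plus a jail tree in a temporary directory and prints its path.
make_fixtures() {
    d=$(mktemp -d)
    mkdir -p "$d/jail/home/testuser"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'testuser:x:1001:1001::/home/chroot/home/testuser:/bin/chroot-shell' \
        'baduser:x:1002:1002::/home/baduser:/bin/bash' > "$d/passwd"
    printf '%s\n' /bin/sh /bin/bash > "$d/shells"
    printf 'RequireValidShell\toff\n' > "$d/proftpd.conf"
    echo "$d"
}

case "${1:-}" in
    --live)  # audit a real user with the tutorial's example paths
        audit_chroot_user "${2:-testuser}" /bin/chroot-shell /home/chroot \
            /etc/passwd /etc/shells /etc/proftpd/proftpd.conf ;;
    --demo)  # audit the constructed fixtures: testuser passes, baduser fails
        d=$(make_fixtures)
        audit_chroot_user testuser /bin/chroot-shell "$d/jail" "$d/passwd" "$d/shells" "$d/proftpd.conf"
        audit_chroot_user baduser  /bin/chroot-shell "$d/jail" "$d/passwd" "$d/shells" "$d/proftpd.conf"
        rm -rf "$d" ;;
esac
```

Run it as `sh audit.sh --demo` to see both a passing and a failing report, or `sh audit.sh --live testuser` after running make_chroot_jail.sh. A FAIL on the /etc/shells check is the one to treat as urgent, since the page notes that listing the chroot shell there lets jailed users escape.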


3 Links




Comments

From: at: 2007-12-22 11:31:30

I tried it dot to dot on Fedora 8, but the user is still able to browse everything.


[geek@amd sbin]$ sftp testuser@amd.slackme.org
Connecting to amd.slackme.org...
testuser@amd.slackme.org's password:
sftp> pwd
Remote working directory: /home/chroot/home/testuser
sftp> cd /
sftp> ls -l
drwxr-xr-x    2 root     root         4096 Dec 21 23:07 bin
drwxr-xr-x    3 root     root         4096 Dec 22 02:40 boot
drwxr-xr-x    6 geek     geek         4096 Dec 22 02:47 data
drwxr-xr-x   13 root     root         4360 Dec 22 16:21 dev
drwxr-xr-x  104 root     root        12288 Dec 22 16:58 etc
drwxr-xr-x    4 root     root         4096 Dec 22 16:19 home
drwxr-xr-x   15 root     root         4096 Dec 21 23:07 lib
drwx------    2 root     root        16384 Dec 22 02:30 lost+found
drwxr-xr-x    5 root     root         4096 Dec 22 16:07 media
drwxr-xr-x    2 root     root            0 Dec 22 15:03 misc
drwxr-xr-x    2 root     root         4096 Aug 13 20:17 mnt
drwxr-xr-x    2 root     root            0 Dec 22 15:03 net
drwxr-xr-x    2 root     root         4096 Aug 13 20:17 opt
dr-xr-xr-x  160 root     root            0 Dec 22 20:33 proc
drwxr-x---   30 root     root         4096 Dec 22 16:07 root
drwxr-xr-x    2 root     root        12288 Dec 21 23:07 sbin
drwxr-xr-x    2 root     root         4096 Dec 22 02:31 selinux
drwxr-xr-x    3 root     root         4096 Dec 22 02:41 srv
drwxr-xr-x   12 root     root            0 Dec 22 20:33 sys
drwxrwxrwt   12 root     root         4096 Dec 22 16:41 tmp
drwxr-xr-x   13 root     root         4096 Dec 22 02:34 usr
drwxr-xr-x   22 root     root         4096 Dec 22 02:43 var
sftp>

From: newgee at: 2009-02-16 07:55:47

I added the script and all this and now it is giving me "access denied" everywhere I go.. why is this?

From: Feras.B at: 2009-06-14 06:58:06

Think this needs to be updated ..

fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/

/Feras

From: Lukas at: 2010-06-17 16:24:51

Thanks for this really helpful tutorial! It's a bit old but also works under newer versions of Fedora.

From: Kurt at: 2011-11-01 16:43:47

http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2

Doesn't exist anymore.

From: Anonymous at: 2010-01-24 22:11:16

Outstanding little Howto - just a point of interest: you mention the default values for the script are:
/bin/chroot-shell
/home/jail

- However, in your example you change them to:
/bin/chroot-shell
/home/chroot