chrooted SSH + Debian Etch

Discussion in 'Installation/Configuration' started by LeoLinux, Aug 12, 2007.

  1. thanis

    thanis New Member

  2. falko

    falko Super Moderator

    I get a 404 error when I try to download the script.
     
  3. jxself

    jxself New Member

  4. falko

    falko Super Moderator

  5. daveb

    daveb Member

    falko,
    I have a question about using chroot when using with ispconfig.
    I have followed your tutorial for Debian Etch but still had problems with sftp. I then decided to fix up the chroot script that ispconfig executes to reflect the tutorial and all works. so my question is, is this what I should do to get it to work with ispconfig users?
    here is what I have done.
    Code:
    /root/ispconfig/scripts/shell/create_chroot_env.sh
    Code:
    #!/bin/bash
    
    #
    # Usage: ./create_chroot_env username
    #
    
    # Here specify the apps you want into the enviroment
    APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors /usr/bin/vi /usr/bin/sftp /usr/lib/openssh/sftp-server /usr/bin/unzip /usr/bin/mysqldump /usr/bin/mysql /usr/bin/zip /bin/tar"
    
    # Sanity check
    
    if [ "$1" = "" ] ; then
            echo "    Usage: ./create_chroot_env username"
            exit
    fi
    
    # Obtain username and HomeDir
    CHROOT_USERNAME=$1
    HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME"  | cut -d':' -f 6`
    cd $HOMEDIR
    
    # Create Directories no one will do it for you
    mkdir -p usr/lib/openssh
    mkdir etc
    mkdir etc/pam.d/
    mkdir bin
    mkdir lib
    mkdir usr/bin
    mkdir dev
    mknod dev/null c 1 3
    mknod dev/zero c 1 5
    chmod 666 dev/null
    chmod 666 dev/zero
    
    # Create short version to /usr/bin/groups
    # On some system it requires /bin/sh, which is generally unnessesary in a chroot cage
    
    echo "#!/bin/bash" > usr/bin/groups
    echo "id -Gn" >> usr/bin/groups
    
    # Add some users to ./etc/paswd
    
    grep /etc/passwd -e "^root" -e "^$CHROOT_USERNAME" > etc/passwd
    grep /etc/group -e "^root" -e "^$CHROOT_USERNAME" > etc/group
    
    if [ -x ${HOMEDIR}/ldlist ]; then 
      mv ${HOMEDIR}/ldlist ${HOMEDIR}/ldlist.bak
    fi
    
    if [ -x ${HOMEDIR}/lddlist2 ]; then 
      mv ${HOMEDIR}/lddlist2 ${HOMEDIR}/lddlist2.bak
    fi
    
    for app in $APPS;  do
      # First of all, check that this application exists
      if [ -x $app ]; then
        # Check that the directory exists; create it if not.
        app_path=`echo $app | sed -e 's#\(.\+\)/[^/]\+#\1#'`
        if ! [ -d .$app_path ]; then
          mkdir -p .$app_path
        fi
    
        # If the files in the chroot are on the same file system as the
        # original files you should be able to use hard links instead of
        # copying the files, too. Symbolic links cannot be used, because the
        # original files are outside the chroot.
        cp -p $app .$app
        # get list of necessary libraries
        ldd $app >> ${HOMEDIR}/ldlist
      fi
    done
    
    # Clear out any old temporary file before we start
    if [ -e ${HOMEDIR}/ldlist2 ]; then
      rm ${HOMEDIR}/ldlist2
    fi
    for libs in `cat ${HOMEDIR}/ldlist`; do
      frst_char="`echo $libs | cut -c1`"
      if [ "$frst_char" = "/" ]; then
        echo "$libs" >> ${HOMEDIR}/ldlist2
      fi
    done
    
    for lib in `cat ${HOMEDIR}/ldlist2`; do
      mkdir -p .`dirname $lib` > /dev/null 2>&1
      # If the files in the chroot are on the same file system as the original
      # files you should be able to use hard links instead of copying the files,
      # too. Symbolic links cannot be used, because the original files are
      # outside the chroot.
      cp $lib .$lib
    done
    
    #
    # Now, cleanup the 2 files we created for the library list
    #
    /bin/rm -f ${HOMEDIR}/ldlist
    /bin/rm -f ${HOMEDIR}/ldlist2
    
    # From some strange reason these 3 libraries are not in the ldd output, but without them
    # some stuff will not work, like usr/bin/groups
    cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ./lib/
    cp /etc/hosts etc/
    cp /etc/resolv.conf etc/
    cp /etc/pam.d/* etc/pam.d/
    cp -r /lib/security lib/
    cp -r /etc/security etc/
    cp /etc/login.defs etc/
    cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
    cp /usr/lib/libkrb5.so.3 usr/lib/
    cp /usr/lib/libk5crypto.so.3 usr/lib/
    cp /lib/libcom_err.so.2 lib/
    cp /usr/lib/libkrb5support.so.0 usr/lib/
    
    # mysql needs the socket in the chrooted environment
    mkdir ${HOMEDIR}/var
    mkdir ${HOMEDIR}/var/run
    mkdir ${HOMEDIR}/var/run/mysqld
    ln /var/run/mysqld/mysqld.sock ${HOMEDIR}/var/run/mysqld/mysqld.sock
    is this correct?
     
  6. falko

    falko Super Moderator

    Looks good. Have you tried it?
     
  7. daveb

    daveb Member

    yes I tried it and seems to work good so far, if I have any problems this is the first place I shall report :)
     
  8. Jcorrea920

    Jcorrea920 New Member

    Thanks for the tip!

    6th September 2007 17:54
    daveb said:
    Daveb thanks for all your work modifying the ISPConfig file. But how exactly do I deviate from the How To Tutorial to make this function with ISPConfig?

    Do I still do this?:

    The reason I ask is because on the Perfect Setup Tutorials I have already installed ssh and openssh-server packages. Do I remove them or run these commands on top of this install?

    When creating the chrooted environment can I use the existing one located in /var/www ? Or do I have to create another one?

    Will I be modifying this file like Falko suggests in the tutorial?

    Code:
    vi /usr/local/sbin/create_chroot_env
    Or will your file allow ISPConfig do all the work when granting users shell access on the Control Panel?

    I have also read somewhere that there is a config file in ISPConfig that activates chrooted ssh. Do I have to activate that or is it done by default? Will I have to activate this after every upgrade? Sorry for all the questions I am quite the noob. Thank you in advance...

    JCorrea920

    ISPConfig 2.2.12
    Ubuntu 6.06

    ISPConfig 2.2.13
    Fedora Core 6
     
  9. daveb

    daveb Member

    Well Jcorrea920 I followed the section "2.1 Install The Chrooted OpenSSH" of the How To Tutorial. Then I modified the script that is within ISPConfig as my earlier post describes. You must also make sure that you change if you havnt already.
    Code:
    /home/admispconfig/ispconfig/lib/config.inc.php
    $go_info["server"]["ssh_chroot"] = 0;
    to
    $go_info["server"]["ssh_chroot"] = 1;
    I then restarted ssh and the ispconfig_server. Logged in to control panel then granted the web shell rights and then granted the user of the web shell rights also.

    I also saved a copy of the script in a safe place in case its rewrote during next ISPconfig Upgrade for replacement.

    What I did doesn't chroot any system user just the users within ISPConfig granted shell access.
     
  10. bplgonzo

    bplgonzo New Member

    Falco, I tried this tutorial and first steps and download and .config went well, but when I get to MAKE and MAKE INSTALL I get this message:

    make: *** Keine Targets angegeben und keine »make«-Steuerdatei gefunden. Schluss.

    (my server is in Germany with preinstalled Debian which I upgraded to Etch, so most of my error messages are on german, but I don't understand them)
     
  11. bplgonzo

    bplgonzo New Member


    sorry, not updated APT-GET was a problem. Now it is all OK.
     
  12. bplgonzo

    bplgonzo New Member

    But Falco, why Shell Access for user from ISPConfig does not jail that user?
    I created 'web24_admin' and gave him Shell Access from ISPConfig, but he can get out from his 'web24' directory and go all the way up to root.

    I followed your "Chrooted SSH/SFTP Tutorial (Debian Etch)", but how do I apply it to existing ISPConfig users? And will it jail them into their website root folders?
     
  13. LeoLinux

    LeoLinux New Member

    Root and every other user worked fine for me to break out.
    You might want to double check if the command su even is accessable, or sth. like that ... did you double check your script given by Falkos How2?


    Regards,

    Leander


    P.S. Btw. if you read that Falko ... I still don't understand why you didn't include that into the ISPconfig installation script ... ? A quick check if it's Debian Linux, or Ubuntu ... and quick messagedialog if you want it or not ... (because I think most of your ISPconfig testers are running ether Ubuntu or Debian)
     
  14. falko

    falko Super Moderator

    I've added it to our bugtracker.
     
  15. immux

    immux New Member

    falko, i run your script from ubuntu. and i got these error message.
    Code:
    Adding User kmel to jail
    Copying necessary library-files to jail (may take some time)
    mv: missing destination file operand after `.bak'
    Try `mv --help' for more information.
    mv: missing destination file operand after `.bak'
    Try `mv --help' for more information.
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    /usr/local/sbin/make_chroot_jail.sh: 428: cannot create : Directory nonexistent
    what should i do with this?
     
  16. falko

    falko Super Moderator

    Which method did you use? What's your Ubuntu version?
     
  17. immux

    immux New Member

    i try following the instruction at
    and after run the command
    Code:
    make_chroot_jail.sh falko /bin/bash /home
    the error message displayed. i use ubuntu 9.10
    sorry for my bad english
     
  18. falko

    falko Super Moderator

    I found a modified script for Ubuntu 8.04 here (the original script is for Debian): http://www.7bf.de/?p=27
    Please try that one.
     

Share This Page