-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 31 Jul 2003 13:39:31 +0300 (IDT), Chaim Keren Tzion <[EMAIL PROTECTED]> wrote:
> 
> I am intending that sftp will be used for the file transfer. The problem
> is that once I create the account that will use sftp it automatically has
> the ability to log in with ssh and wander around the system. I would like
> to limit the user's ability to travel outside of the home directory and to
> execute commands. I have tried to define the user with /dev/false as its
> shell but then I can't log in.

I read the answers to this question and I think that they are in the
wrong direction (changing the shell) or are too complicated (chroot
the sshd - which needs a patch and compilation). Both of these solutions
can be quite easily bypassed by port forwarding.

You can force your user to use only one command by changing the
~<user>/.ssh/authorized_keys/2 key line (please read the sshd man page).

I tested the following line:
command="exec /usr/sbin/chroot /ulnx/ehud sftp-server",no-pty,permitopen="dummy:9" <original public key line>
which means:
  1. Run the "/usr/sbin/chroot /ulnx/ehud sftp-server" command,
     ignoring the user's actual command.
  2. Don't allocate a pty.
  3. The only port forwarding allowed is to "dummy" host (which does
     not exist on my system)

I had several problems:
1. The chroot did not run for the user until I changed its permissions
   to +s (chmod +s /usr/sbin/chroot by root). When run in this way
   the specified command is run under the user id.

2. I had the usual chroot problems with dynamically linked programs.
   I had to create lib, lib/i686, usr and usr/lib and copy the
   necessary libraries (do ldd /usr/libexec/openssh/sftp-server to
   check what libraries are needed).

Ehud.


- -- 
 Ehud Karni           Tel: +972-3-7966-561  /"\
 Mivtach - Simon      Fax: +972-3-7966-667  \ /  ASCII Ribbon Campaign
 Insurance agencies   (USA) voice mail and   X   Against   HTML   Mail
 http://www.mvs.co.il  FAX:  1-815-5509341  / \
 mailto:[EMAIL PROTECTED]                  Better  Safe  Than  Sorry
-----BEGIN PGP SIGNATURE-----
Comment: use http://www.keyserver.net/ to get my key (and others)

iD8DBQE/KU9SLFvTvpjqOY0RAtMdAJ4ynT1N63lzWp1XGUn7y4pq/yhtXACeK2PP
NTEbs7E9YEn4+TBmI1boXqY=
=r4oF
-----END PGP SIGNATURE-----
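
An added example, not part of the message above: a small audit that parses authorized_keys lines and reports which of the three restrictions from the message (forced command, no pty, limited port forwarding) a key line lacks. The key material is a constructed placeholder; `restrict` and `no-port-forwarding` are further sshd(8) key options that the message itself does not use.

```python
import re

# Key-type prefixes that mark the start of the key when a line has no options.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# One option: a name, optionally ="value" in which \" escapes a quote.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?')

def parse_line(line):
    """Return (options, key_part) for one authorized_keys line."""
    line, opts, pos = line.strip(), {}, 0
    if line.startswith(KEY_TYPES):
        return opts, line
    while True:
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError("malformed option list at column %d" % pos)
        value = m.group(2)
        opts.setdefault(m.group(1).lower(), []).append(
            True if value is None else value.replace('\\"', '"'))
        pos = m.end()
        nxt = line[pos:pos + 1]
        if nxt == ",":
            pos += 1                      # another option follows
        elif nxt in (" ", "\t"):
            return opts, line[pos:].strip()
        else:                             # e.g. unterminated quote or no key
            raise ValueError("malformed option list at column %d" % pos)

def audit(line):
    """List the restrictions from the message that this key line lacks."""
    opts, _ = parse_line(line)
    restrict = "restrict" in opts         # turns off pty and forwarding at once
    findings = []
    if "command" not in opts:
        findings.append("no forced command")
    if not ("no-pty" in opts or (restrict and "pty" not in opts)):
        findings.append("pty allowed")
    if not (opts.keys() & {"no-port-forwarding", "permitopen"}
            or (restrict and "port-forwarding" not in opts)):
        findings.append("port forwarding unrestricted")
    return findings

# Constructed sample lines; KEY is a placeholder, not a real public key.
KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 ehud@example"
SAMPLE = [
    'command="exec /usr/sbin/chroot /ulnx/ehud sftp-server",no-pty,'
    'permitopen="dummy:9" ' + KEY,        # the line tested in the message
    'command="sftp-server" ' + KEY,       # forced command only
    KEY,                                  # no options at all
]
if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit(entry) or "restricted as in the message", "<-", entry[:44])
```
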
