Re: ssh jail

2008-10-05 Thread Mel
On Thursday 02 October 2008 19:38:21 kalin m wrote:
> hi all...
>
> i have openssh 5. i want to jail the users to their home directories so
> they can go down but not up.
>
> i didn't see a directive that does that in the man or in the sshd_config.

On RELENG_7 (aka -stable, aka 7.1-PRERELEASE), isn't this what you're looking 
for?
 ChrootDirectory
 Specifies a path to chroot(2) to after authentication.  This
 path, and all its components, must be root-owned directories that
 are not writable by any other user or group.

 The path may contain the following tokens that are expanded at
 runtime once the connecting user has been authenticated: %% is
 replaced by a literal '%', %h is replaced by the home directory
 of the user being authenticated, and %u is replaced by the
 username of that user.

 The ChrootDirectory must contain the necessary files and
 directories to support the users' session.  For an interactive
 session this requires at least a shell, typically sh(1), and basic
 /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
 arandom(4) and tty(4) devices.  For file transfer sessions using
 ``sftp'', no additional configuration of the environment is
 necessary if the in-process sftp server is used (see Subsystem for
 details).

 The default is not to chroot(2).

$ ssh -V
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007



-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
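The ownership rule in the ChrootDirectory text above is the one sshd enforces before it chroots, and a directory that breaks it is the usual reason a chrooted login is refused. The following POSIX sh check is an added example, not code from the thread or from OpenSSH: it walks every component of a candidate chroot path and reports any that is not a directory, not owned by root, or writable by group or others. The /home/jails layout in the trailing comment is an assumed placeholder, and the optional owner argument exists only so the logic can be exercised without root.

```shell
#!/bin/sh
# Verify that every component of a ChrootDirectory path meets sshd's rule:
# a directory, owned by root, not writable by group or others.
# Usage: check_chroot_path /path/to/chroot [expected-owner]

check_component() {
    dir=$1 want=$2 bad=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    # ls -ld has the same leading fields on BSD and GNU: mode, links, owner
    set -- $(ls -ld "$dir")
    mode=$1 got=$3
    if [ "$got" != "$want" ]; then
        echo "FAIL: $dir is owned by $got, not $want"; bad=1
    fi
    # character 6 of the mode string is the group write bit,
    # character 9 is the other (world) write bit
    case $mode in ?????w*) echo "FAIL: $dir is group-writable ($mode)"; bad=1 ;; esac
    case $mode in ????????w*) echo "FAIL: $dir is world-writable ($mode)"; bad=1 ;; esac
    return $bad
}

check_chroot_path() {
    path=$1 owner=${2:-root} rc=0 cur=""
    # an absolute path includes "/" itself among the components sshd checks
    case $path in /*) cur=/; check_component / "$owner" || rc=1 ;; esac
    IFS=/; set -- $path; unset IFS
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        case $cur in
            "") cur=$comp ;;
            /)  cur=/$comp ;;
            *)  cur=$cur/$comp ;;
        esac
        check_component "$cur" "$owner" || rc=1
    done
    [ $rc -eq 0 ] && echo "OK: $path is usable as ChrootDirectory"
    return $rc
}

# Assumed sshd_config fragment this check accompanies (placeholder layout,
# not from the thread); %u expands per user, so run the check on each
# expanded directory, e.g. check_chroot_path /home/jails/alice
#   Subsystem sftp internal-sftp
#   Match Group sftponly
#       ChrootDirectory /home/jails/%u
#       ForceCommand internal-sftp
```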


Re: ssh jail

2008-10-02 Thread kalin m



thanks..  i'll look at the patches


Matthew Seaman wrote:

> kalin m wrote:
>
> > hi all...
> >
> > i have openssh 5. i want to jail the users to their home directories
> > so they can go down but not up.
> >
> > i didn't see a directive that does that in the man or in the
> > sshd_config.
> >
> > how do i do that?
>
> You need a specially patched version of OpenSSH.  You can download
> the patches from here:
>
>    http://chrootssh.sourceforge.net/download/
>
> and try patching the system sources.  If you're not an experienced
> developer wise in the ways of patch(1) and diff(1) and make(1) this
> definitely isn't a good idea especially for something as security
> sensitive as OpenSSH.
>
> Realistically, just install the security/openssh-portable port and
> make sure to check the 'OPENSSH_CHROOT' box in the config dialog.
> Note: if you choose to select the 'OVERWRITE_BASE' option, be sure
> to disable building ssh in the base system by making the appropriate
> entries in /etc/src.conf (see src.conf(5)) or otherwise ensure that
> whatever system update mechanism you use won't accidentally blow away
> your specially patched ssh daemon.
>
> If you don't overwrite the base system, then double check that the
> init scripts are starting up the openssh-portable version.  You'll
> need at least this in /etc/rc.conf:
>
> sshd_enable="NO"
> openssh_enable="YES"
>
> Cheers,
>
> Matthew




Re: ssh jail

2008-10-02 Thread Matthew Seaman

kalin m wrote:

> hi all...
>
> i have openssh 5. i want to jail the users to their home directories so
> they can go down but not up.
>
> i didn't see a directive that does that in the man or in the sshd_config.
>
> how do i do that?

You need a specially patched version of OpenSSH.  You can download
the patches from here:

   http://chrootssh.sourceforge.net/download/

and try patching the system sources.  If you're not an experienced
developer wise in the ways of patch(1) and diff(1) and make(1) this
definitely isn't a good idea especially for something as security
sensitive as OpenSSH.

Realistically, just install the security/openssh-portable port and
make sure to check the 'OPENSSH_CHROOT' box in the config dialog.
Note: if you choose to select the 'OVERWRITE_BASE' option, be sure
to disable building ssh in the base system by making the appropriate
entries in /etc/src.conf (see src.conf(5)) or otherwise ensure that
whatever system update mechanism you use won't accidentally blow away
your specially patched ssh daemon.

If you don't overwrite the base system, then double check that the
init scripts are starting up the openssh-portable version.  You'll
need at least this in /etc/rc.conf:

sshd_enable="NO"
openssh_enable="YES"

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey

7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW





ssh jail

2008-10-02 Thread kalin m


hi all...

i have openssh 5. i want to jail the users to their home directories so 
they can go down but not up.


i didn't see a directive that does that in the man or in the sshd_config.

how do i do that?

thanks...


Re: [SOLVED] X11+ssh+jail

2006-08-03 Thread Micah

Micah wrote:

> I'm having problems trying to get X11 to forward from an ezjail created
> jail environment. Here's what happens:
>
> trisha% ssh -X 10.0.0.1
> ...
> test% xclock
> X11 connection rejected because of wrong authentication.
> X connection to test:10.0 broken (explicit kill or server shutdown).
>
> I added "X11UseLocalhost no" to sshd_config as suggested on the lists a
> while back, but it didn't change anything.
>
> Host is:
> trisha# uname -a
> FreeBSD trisha.eidolonworld 6.1-RELEASE-p3 FreeBSD 6.1-RELEASE-p3 #1:
> Sat Jul 15 15:48:17 PDT 2006
> [EMAIL PROTECTED]:/usr/obj/usr/src/sys/TRISHA  i386
>
> Thanks,
> Micah


Okay, it took me half a day to trip over the solution. The other half a 
day was spent trying to figure out what that solution actually was. It 
was a combination of two things (out of the dozen that I tried) that 
weren't set up correctly.


The jailed system must be able to resolve its own name to an IP 
address. Since my home network does not have DNS, that meant adding 
"10.0.0.1  test" to /etc/hosts on the jailed environment. Also, 
"X11UseLocalhost no" must be set in the jailed sshd_config. Unless 
*both* of those are set properly, I get the error as mentioned above.


HTH,
Micah
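The two conditions Micah found, written up as a small POSIX sh diagnostic that is an added example and not from the thread: it reports the effective X11UseLocalhost value the way sshd reads its configuration (keywords are case-insensitive, the first occurrence outside any Match block wins, and the default is yes) and checks that the jail's own name is listed in its hosts file. The jail name and the file paths are parameters, defaulting to /etc/ssh/sshd_config and /etc/hosts, so the checks can also run against constructed copies.

```shell
#!/bin/sh
# Diagnose the two settings the thread needed for X11 forwarding into a jail:
# (1) sshd_config inside the jail sets X11UseLocalhost no, and
# (2) the jail can resolve its own hostname, here via its hosts file.
# Usage: x11_jail_check <jail-hostname> [sshd_config] [hosts]

# Print the effective X11UseLocalhost value. sshd uses the first occurrence
# of a keyword outside Match blocks; the compiled-in default is "yes".
effective_x11uselocalhost() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }
        tolower($1) == "x11uselocalhost" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "${1:-/etc/ssh/sshd_config}"
}

# Return 0 if NAME appears as a hostname or alias on a non-comment line of
# the hosts file, which is what a jail without DNS relies on.
hosts_resolves() {
    awk -v n="$1" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { hit = 1; exit } }
        END { if (hit) exit 0; exit 1 }
    ' "${2:-/etc/hosts}"
}

# Combine both checks; returns 0 only when both hold.
x11_jail_check() {
    name=$1 sshd_conf=$2 hosts=$3 bad=0
    v=$(effective_x11uselocalhost "$sshd_conf")
    if [ "$v" != no ]; then
        echo "FAIL: X11UseLocalhost is '$v'; the jailed sshd needs 'no'"; bad=1
    fi
    if ! hosts_resolves "$name" "$hosts"; then
        echo "FAIL: '$name' not in ${hosts:-/etc/hosts}; add '<jail-ip>  $name'"; bad=1
    fi
    [ $bad -eq 0 ] && echo "OK: $name meets both conditions for forwarded X11"
    return $bad
}
```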


Re: X11+ssh+jail

2006-08-01 Thread Micah

Anish Mistry wrote:

> On Tuesday 01 August 2006 19:44, Micah wrote:
>
> > I'm having problems trying to get X11 to forward from an ezjail
> > created jail environment. Here's what happens:
> >
> > trisha% ssh -X 10.0.0.1
> > ...
> > test% xclock
> > X11 connection rejected because of wrong authentication.
> > X connection to test:10.0 broken (explicit kill or server
> > shutdown).
> >
> > I added "X11UseLocalhost no" to sshd_config as suggested on the
> > lists a while back, but it didn't change anything.
> >
> > Host is:
> > trisha# uname -a
> > FreeBSD trisha.eidolonworld 6.1-RELEASE-p3 FreeBSD 6.1-RELEASE-p3
> > #1: Sat Jul 15 15:48:17 PDT 2006
> > [EMAIL PROTECTED]:/usr/obj/usr/src/sys/TRISHA  i386
>
> Does using "ssh -Y 10.0.0.1" do anything different?



Nope:

trisha% ssh -Y 10.0.0.1
Password:
test% xclock
X11 connection rejected because of wrong authentication.
X connection to test:10.0 broken (explicit kill or server shutdown).
test% exit
logout
Connection to test closed.
trisha% ssh -X 10.0.0.1
Password:
test% xclock
X11 connection rejected because of wrong authentication.
X connection to test:10.0 broken (explicit kill or server shutdown).


Thanks,
Micah


Re: X11+ssh+jail

2006-08-01 Thread Micah

Chad Leigh -- Shire.Net LLC wrote:

> On Aug 1, 2006, at 9:23 PM, Micah wrote:
>
> > Nope I didn't su, I just ssh'd in as a regular user and immediately
> > tried xclock. I also tried ssh'ing in as root to see if it's a perms
> > problem, but root gets the same error. Maybe I've got a configuration
> > error somewhere? ezjail mounts much of the file system ro, maybe
> > that's causing a problem?
>
> Again, I am not an expert, but make sure you have an .Xauthority file in
> the login dir root of the account you are logging in to and that it has
> a creation or modification date at the same time you logged in (to make
> sure that you really are getting it set).
>
> Chad


Thanks for the idea, here's a test run:

test% ll .Xauthority
-rw---  1 bsdmjl  bsdmjl   112B Aug  1 20:51 .Xauthority
test% rm .Xauthority
test% exit
logout
Connection to 10.0.0.1 closed.
trisha% ssh -X 10.0.0.1
Password:
Last login: Tue Aug  1 20:51:33 2006 from 10.0.0.1
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California.  All rights reserved.

FreeBSD 6.1-RELEASE-p3 (TRISHA) #1: Sat Jul 15 15:48:17 PDT 2006

Welcome to FreeBSD!

/usr/X11R6/bin/xauth:  creating new authority file /home/bsdmjl/.Xauthority
test% ll .Xauthority
-rw---  1 bsdmjl  bsdmjl   112B Aug  1 20:51 .Xauthority
test% xclock
X11 connection rejected because of wrong authentication.
X connection to test:10.0 broken (explicit kill or server shutdown).

I'll keep looking

Thanks,
Micah


Re: X11+ssh+jail

2006-08-01 Thread Anish Mistry
On Tuesday 01 August 2006 19:44, Micah wrote:
> I'm having problems trying to get X11 to forward from an ezjail
> created jail environment. Here's what happens:
>
> trisha% ssh -X 10.0.0.1
> ...
> test% xclock
> X11 connection rejected because of wrong authentication.
> X connection to test:10.0 broken (explicit kill or server
> shutdown).
>
> I added "X11UseLocalhost no" to sshd_config as suggested on the
> lists a while back, but it didn't change anything.
>
> Host is:
> trisha# uname -a
> FreeBSD trisha.eidolonworld 6.1-RELEASE-p3 FreeBSD 6.1-RELEASE-p3
> #1: Sat Jul 15 15:48:17 PDT 2006
> [EMAIL PROTECTED]:/usr/obj/usr/src/sys/TRISHA  i386
Does using "ssh -Y 10.0.0.1" do anything different?

-- 
Anish Mistry
[EMAIL PROTECTED]
AM Productions http://am-productions.biz/




Re: X11+ssh+jail

2006-08-01 Thread Chad Leigh -- Shire.Net LLC


On Aug 1, 2006, at 9:23 PM, Micah wrote:

> Nope I didn't su, I just ssh'd in as a regular user and immediately
> tried xclock. I also tried ssh'ing in as root to see if it's a
> perms problem, but root gets the same error. Maybe I've got a
> configuration error somewhere? ezjail mounts much of the file
> system ro, maybe that's causing a problem?

Again, I am not an expert, but make sure you have an .Xauthority file
in the login dir root of the account you are logging in to and that
it has a creation or modification date at the same time you logged in
(to make sure that you really are getting it set).


Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net





Re: X11+ssh+jail

2006-08-01 Thread Micah

Chad Leigh -- Shire.Net LLC wrote:

> On Aug 1, 2006, at 5:44 PM, Micah wrote:
>
> > I'm having problems trying to get X11 to forward from an ezjail
> > created jail environment. Here's what happens:
> >
> > trisha% ssh -X 10.0.0.1
> > ...
> > test% xclock
> > X11 connection rejected because of wrong authentication.
>
> Are you doing an su or something before you run the X program?  I have
> not had problems launching X programs inside a jail over ssh but I did
> get that same error when I did an su first since I was no longer my
> username.  I copied the .Xauthority over from my user into ~root and it
> worked.  (In case anyone asks, I was testing a system management app
> that needs to run as root to access some stuff and I was just testing it
> for someone. I don't normally run X things at all or as root.)
>
> Chad
>
> > X connection to test:10.0 broken (explicit kill or server shutdown).
> >
> > I added "X11UseLocalhost no" to sshd_config as suggested on the lists
> > a while back, but it didn't change anything.
> >
> > Host is:
> > trisha# uname -a
> > FreeBSD trisha.eidolonworld 6.1-RELEASE-p3 FreeBSD 6.1-RELEASE-p3 #1:
> > Sat Jul 15 15:48:17 PDT 2006
> > [EMAIL PROTECTED]:/usr/obj/usr/src/sys/TRISHA  i386
> >
> > Thanks,
> > Micah
>
> ---
> Chad Leigh -- Shire.Net LLC
> Your Web App and Email hosting provider
> chad at shire.net


Nope I didn't su, I just ssh'd in as a regular user and immediately 
tried xclock. I also tried ssh'ing in as root to see if it's a perms 
problem, but root gets the same error. Maybe I've got a configuration 
error somewhere? ezjail mounts much of the file system ro, maybe that's 
causing a problem?


Thanks,
Micah


Re: X11+ssh+jail

2006-08-01 Thread Chad Leigh -- Shire.Net LLC


On Aug 1, 2006, at 5:44 PM, Micah wrote:

> I'm having problems trying to get X11 to forward from an ezjail
> created jail environment. Here's what happens:
>
> trisha% ssh -X 10.0.0.1
> ...
> test% xclock
> X11 connection rejected because of wrong authentication.

Are you doing an su or something before you run the X program?  I
have not had problems launching X programs inside a jail over ssh
but I did get that same error when I did an su first since I was no
longer my username.  I copied the .Xauthority over from my user into
~root and it worked.  (In case anyone asks, I was testing a system
management app that needs to run as root to access some stuff and I
was just testing it for someone. I don't normally run X things at all
or as root.)

Chad

> X connection to test:10.0 broken (explicit kill or server shutdown).
>
> I added "X11UseLocalhost no" to sshd_config as suggested on the
> lists a while back, but it didn't change anything.
>
> Host is:
> trisha# uname -a
> FreeBSD trisha.eidolonworld 6.1-RELEASE-p3 FreeBSD 6.1-RELEASE-p3
> #1: Sat Jul 15 15:48:17 PDT 2006 [EMAIL PROTECTED]:/usr/obj/
> usr/src/sys/TRISHA  i386
>
> Thanks,
> Micah


---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net





X11+ssh+jail

2006-08-01 Thread Micah


I'm having problems trying to get X11 to forward from an ezjail created 
jail environment. Here's what happens:


trisha% ssh -X 10.0.0.1
...
test% xclock
X11 connection rejected because of wrong authentication.
X connection to test:10.0 broken (explicit kill or server shutdown).

I added "X11UseLocalhost no" to sshd_config as suggested on the lists a 
while back, but it didn't change anything.


Host is:
trisha# uname -a
FreeBSD trisha.eidolonworld 6.1-RELEASE-p3 FreeBSD 6.1-RELEASE-p3 #1: 
Sat Jul 15 15:48:17 PDT 2006 
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/TRISHA  i386


Thanks,
Micah


Re: ssh jail

2002-10-23 Thread Juergen Unger
Hi !

On Tue, Oct 22, 2002 at 09:20:05PM -0400, Christopher J. Umina wrote:
> Is there a way to jail user's sessions (telnet/ssh/ssh2) to their home
> directories, but still allow them to use programs installed in the normal
> PATH directories?

no, not this way.  The way I do it sometimes is to have one complete
separate FreeBSD Installation (make installworld DESTDIR=/,
look at jail(8)) which I mount into the users homedir via an
NFS loopback-mount...

bye,
  -Juergen-


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



ssh jail

2002-10-22 Thread Christopher J. Umina
Hi people..

Is there a way to jail user's sessions (telnet/ssh/ssh2) to their home
directories, but still allow them to use programs installed in the normal
PATH directories?

Thanks,
Christopher J. Umina


