Re: OpenSSHd

2010-09-13 Thread Joachim Schipper
On Mon, Sep 13, 2010 at 10:59:56AM +0200, Pete Vickers wrote:
 I'm trying to set up a box such that normal users are chroot'd to their home
 directories, and can only use sftp.

 Any clues what I'm doing wrong ? Google seems to hint that the chroot
 directory might have to be owned by root, but that seems strange,
 since users couldn't then write files in their own home ?

A chroot jail where the new root isn't owned by the root user is
effectively impossible to secure. Set the home directories to
/home/user/files and chroot to /home/user, or somesuch.

Joachim

-- 
TFMotD: autoconf (4/Alpha) - diagnostics from the autoconfiguration code
http://www.joachimschipper.nl/



Re: OpenSSHd

2010-09-13 Thread Andy Bradford
Thus said Pete Vickers on Mon, 13 Sep 2010 10:59:56 +0200:

 Any clues what I'm doing wrong ?  Google seems to hint that the chroot
 directory might  have to  be owned  by root,  but that  seems strange,
 since users couldn't then write files in their own home ?

Maybe start by reading the man page sshd_config(5) instead of relying on
google?  :-) It  seems  to suggest,  as you  indicate,  that the  chroot
directory must  be root owned. But  what I believe is  more important is
that you missed the following:

 ChrootDirectory
 Specifies  a path  to  chroot(2)  to after  authentication.
 This  path,  and all  its  components,  must be  root-owned
 directories  that are  not writable  by any  other user  or
 group.  After  the  chroot,  sshd(8)  changes  the  working
 directory to the user's home directory.

This would seem to indicate to me that you need a structure like:

/chroot/home/pete

And then you would set:

ChrootDirectory /chroot

You might want to read the rest of the section for ChrootDirectory. It's
also possible that I have misinterpreted the man page.

Andy



Re: OpenSSHd

2010-09-13 Thread Pete Vickers
On 13. sep. 2010, at 13.17, Joachim Schipper wrote:

 On Mon, Sep 13, 2010 at 10:59:56AM +0200, Pete Vickers wrote:
 I'm trying to set up a box such that normal users are chroot'd to their home
 directories, and can only use sftp.

 Any clues what I'm doing wrong ? Google seems to hint that the chroot
 directory might have to be owned by root, but that seems strange,
 since users couldn't then write files in their own home ?

 A chroot jail where the new root isn't owned by the root user is
 effectively impossible to secure. Set the home directories to
 /home/user/files and chroot to /home/user, or somesuch.




Hmm. Messy. But even if I set like this:

r...@container ~ tail /etc/ssh/sshd_config
# all non-wheel users should be chrooted to home and sftp only
#
Match Group !wheel
ForceCommand internal-sftp
ChrootDirectory /home
AllowTcpForwarding no
X11Forwarding no


r...@container ~ ls -la /home
total 28
drwxr-xr-x   7 root  wheel   512 Sep 10 12:46 .
drwxr-xr-x  14 root  wheel   512 Jul 25 13:43 ..
drwxr-xr-x   3 fred  fred    512 Sep 10 12:05 fred
...


normal users can still ssh in, and are not chroot'd. What am I doing wrong ?


/Pete



Re: OpenSSHd

2010-09-13 Thread Andy Bradford
Thus said Pete Vickers on Mon, 13 Sep 2010 16:32:08 +0200:

 r...@container ~ tail /etc/ssh/sshd_config
 # all non-wheel users should be chrooted to home and sftp only
 #
 Match Group !wheel
 ForceCommand internal-sftp
 ChrootDirectory /home
 AllowTcpForwarding no
 X11Forwarding no

The  first problem  is your  Match command.  The documentation  seems to
indicate  that the  negation  character `!'  is  only to  be  used in  a
pattern-list which is defined as ``a comma-separated list of patterns.''
I suspect  that your Match pattern  is not working correctly.  Try Match
User pete and see if it succeeds as you expect. Probably what you should
do is create a special chroot group  and add all the users that you want
to impose this upon to that group.

The  second  problem is  that  your  ChrootDirectory is  not  structured
properly. When authentication happens, it  will chroot there and then it
will attempt to  change directory to the users  home directory, however,
you haven't indicated whether or not you created one:

/home/home/pete

Without  this structure,  when  the  chroot happens,  the  user will  be
chroot'ed to /home and  then will have to do his own cd  to pete and all
user directories will be found in /.

Andy
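A check for the ChrootDirectory rule quoted from sshd_config(5) above, added here as an example and not code from anyone in the thread: it walks every component of the chroot path (/, /home, /home/pete, ...) and reports any that is not root-owned or is group/other-writable, which is the condition that makes a user-owned chroot root unsafe. It assumes a POSIX sh with `ls -n`; the function names are my own.

```shell
#!/bin/sh
# Verify that a ChrootDirectory path satisfies the sshd_config(5) rule:
# every component must be a root-owned directory that is not writable by
# group or other. Helper names below are constructed for this example.

# component_ok MODE UID
# MODE is the permission string as printed by ls -l (e.g. drwxr-xr-x),
# UID is the numeric owner. Succeeds only if root-owned and not g/o-writable.
component_ok() {
    case "$1" in
        ?????w*|????????w*) return 1 ;;   # group (pos 6) or other (pos 9) write bit
    esac
    [ "$2" -eq 0 ]
}

# check_one DIR: stat one directory with ls -ldn (numeric ids, POSIX) and
# report it if it violates the rule.
check_one() {
    d=$1
    out=$(ls -ldn "$d" 2>/dev/null) || { echo "missing: $d"; return 1; }
    set -- $out
    component_ok "$1" "$3" || { echo "unsafe: $d (mode $1, uid $3)"; return 1; }
}

# check_chroot_path PATH: check /, then each successive component of PATH.
# Returns 1 if any component fails, so it can gate a config change.
check_chroot_path() {
    rc=0
    dir=""
    oldifs=$IFS; IFS=/
    set -- $1
    IFS=$oldifs
    check_one / || rc=1
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        dir="$dir/$comp"
        check_one "$dir" || rc=1
    done
    return $rc
}

# Example from the thread: check_chroot_path /home
```

Run it as `check_chroot_path /chroot` (or whatever you put in ChrootDirectory) before restarting sshd; a non-zero exit with a printed "unsafe:" line names the component to fix.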



Re: OpenSSHd

2010-09-13 Thread Andy Bradford
Thus said Pete Vickers on Mon, 13 Sep 2010 16:32:08 +0200:

 Match Group !wheel

Forget my last suggestion. :-)  Just make a pattern-list and use:

Match Group *,!wheel

Andy



Re: OpenSSHd

2010-09-13 Thread Pete Vickers
ahh. that works perfectly, thanks !

/Pete



On 13. sep. 2010, at 18.25, Andy Bradford wrote:

 Thus said Pete Vickers on Mon, 13 Sep 2010 16:32:08 +0200:
 
 Match Group !wheel
 
 Forget my last suggestion. :-)  Just make a pattern-list and use:
 
 Match Group *,!wheel
 
 Andy