RE: [Jail-main] Jail-main +apache +sftp and howto (newbie) FIX
From: Michael K. <md_...@te...> - 2004-02-15 00:27:50
Hello again Juan,
Thank you very much for all the time you have put into this for me. Your
solution looks like exactly what I wanted to do. I will implement it on
Monday when I am back at work and I will let you know how it turns out.
Thanks again
md_kelly
-----Original Message-----
From: jai...@li...
[mailto:jai...@li...] On Behalf Of Juan M. Casillas
Sent: February 14, 2004 3:15 PM
To: jai...@li...
Subject: RE: [Jail-main] Jail-main +apache +sftp and howto (newbie) FIX
Hi Michael !
I poked around with your problem and I have a fix for you.
sftp always passes the following to the shell:
-c path/to/sftp-server
The solution was to create a dummy shell that intercepts that
and only calls the sftp-server, so if the user tries to do
an interactive login, he isn't allowed to do it.
At the end of this mail you will find the .c source.
Just compile it, install it in /bin, and use it
as the shell for the user.
My environment:
My chrooted user dir is /home/testd
My chrooted user is /home/testd
I created the chrooted environment from scratch with:
[create the user and modify /etc/passwd]
# mkjailenv /home/testd
[ output removed ]
# addjailsw /home/testd
[ output removed ]
# addjailsw /home/testd -P bash
[ output removed ]
# addjailuser /home/testd /home/testd /bin/bash testd
[ output removed ]
After testing that I can log into the chrooted environment, I
compile ssh-dummy.c and copy it:
# gcc -Wall -o ssh-dummy ssh-dummy.c
# cp ssh-dummy /home/testd/bin
Now, I edit the chrooted passwd and put ssh-dummy as the shell
for the user testd. Now it can do sftp but not ssh.
# vi /home/testd/etc/passwd
Now, copy the sftp-server binary and its libs:
# (strace /usr/lib/sftp-server 2>&1) |grep open
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libutil.so.1", O_RDONLY) = 3
open("/usr/lib/libz.so.1", O_RDONLY) = 3
open("/lib/libnsl.so.1", O_RDONLY) = 3
open("/usr/lib/i686/cmov/libcrypto.so.0.9.7", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/lib/libdl.so.2", O_RDONLY) = 3
Copy all of the libraries into place:
(note that some slight differences can arise here;
fit the files to your system's dependencies)
# cp /lib/libutil.so.1 /home/testd/lib
# cp /usr/lib/libz.so.1 /home/testd/usr/lib
# cp /lib/libnsl.so.1 /home/testd/lib
# mkdir -p /home/testd/usr/lib/i686/cmov/
# cp /usr/lib/i686/cmov/libcrypto.so.0.9.7 /home/testd/usr/lib/i686/cmov/
# cp /lib/libc.so.6 /home/testd/
# cp /lib/libdl.so.2 /home/testd/
Try it with ssh:
$ ssh testd@testbed
testd@testbed's password:
Linux testbed 2.4.19 #1 Wed Sep 18 13:02:44 CEST 2002 i686 GNU/Linux
[...]
Interactive SSH is Not Allowed
Connection to testbed closed.
Try it with sftp:
$ sftp testd@testbed
Connecting to testbed...
testd@testbed's password:
sftp> ls
.
..
.bash_history
sftp>
It works :)
Hope it works for you
Kind Regards,
Juan M. Casillas
http://www.jmcresearch.com
ssh-dummy.c
------------8<-------------------------------------------------------------------
//
////////////////////////////////////////////////////////////////////////
//
// ssh-dummy.c
// invokes the sftp-server only, disallowing ssh interactive access
//
// Juan M. Casillas <jua...@jm...>
//
// configure SFTP_SERVER_PATH to point to the same
// place as the 'Subsystem' entry in sshd_config
// (usually at /etc/ssh)
//
// Compile, and use as the default shell for the user.
// Remember, if you use it inside a jail, to add it
// to /etc/shells (chrooted and non-chrooted)
// and install it inside the chrooted environment.
//
// Compile it with: gcc -Wall -o ssh-dummy ssh-dummy.c
//
//
////////////////////////////////////////////////////////////////////////
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SFTP_ARGUMENT    "-c"
#define SFTP_SERVER_PATH "/usr/lib/sftp-server"

int main(int argc, char *argv[], char *env[]) {
    int r;

    // sshd runs the login shell as "<shell> -c <Subsystem command>";
    // only that exact request is passed through to sftp-server
    if (argc > 2 &&
        strcmp(argv[1], SFTP_ARGUMENT) == 0 &&
        strcmp(argv[2], SFTP_SERVER_PATH) == 0) {
        r = execle(SFTP_SERVER_PATH, SFTP_SERVER_PATH, (char *)0, env);
        // only reached if the exec failed (r == -1); report why and
        // exit non-zero so sshd sees the failure
        fprintf(stderr, "Problems spawning %s (err: %d, %s) !\n",
                SFTP_SERVER_PATH, r, strerror(errno));
        return(1);
    }
    printf("Interactive SSH is Not Allowed\n");
    return(1);
}
------------8<-------------------------------------------------------------------
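A stricter variant of the dummy shell, added here as an example; it is not Juan's ssh-dummy.c above. It accepts only the exact three-argument argv that sshd builds for the sftp subsystem (so an interactive login, "ssh host cmd", scp, and a request carrying extra arguments are all refused), hands sftp-server a fresh allow-listed environment instead of inheriting the caller's (so LD_PRELOAD, LD_LIBRARY_PATH or BASH_ENV never reach it even if a user managed to set them), and reports the reason on stderr with exit status 127 when the exec fails, which is what you see when a library is missing from the jail. The file name sftp-only-shell.c and the allow-list of variables are my choices; SFTP_SERVER_PATH is assumed to match the Subsystem line in sshd_config. The decision and the environment filtering live in their own functions so they can be checked without a running sshd.

```c
/*
 * sftp-only-shell.c (added example, not Juan's ssh-dummy.c)
 *
 * Login shell that lets a user reach the sftp subsystem and nothing else.
 * sshd runs the login shell as  <shell> -c "<Subsystem command>", so for
 * sftp the arguments are exactly { shell, "-c", SFTP_SERVER_PATH }.
 *
 * Assumption: SFTP_SERVER_PATH matches the 'Subsystem sftp' line in
 * sshd_config and the binary is installed at that path inside the jail.
 *
 * Compile with: gcc -Wall -Wextra -o sftp-only-shell sftp-only-shell.c
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SFTP_SERVER_PATH "/usr/lib/sftp-server"

extern char **environ;

/* 1 only for the exact request sshd builds for the sftp subsystem.
 * argc != 3 refuses both an interactive login (argc == 1) and anything
 * carrying extra arguments; the strcmp on argv[2] refuses "ssh host cmd"
 * (-c with the user's command string) and scp ("-c scp -t ..."). */
int sftp_request_allowed(int argc, char *const argv[])
{
    return argc == 3
        && strcmp(argv[1], "-c") == 0
        && strcmp(argv[2], SFTP_SERVER_PATH) == 0;
}

/* Copy only allow-listed variables from in_env to out (NULL-terminated,
 * at most cap entries including the terminator) and return how many were
 * kept. Everything else, including LD_PRELOAD, LD_LIBRARY_PATH and
 * BASH_ENV, is dropped. sshd normally scrubs these already; a
 * forced-command shell should not depend on that. */
size_t build_clean_env(char *const in_env[], char *out[], size_t cap)
{
    static const char *const keep[] = { "HOME=", "USER=", "LOGNAME=", "PATH=", "TZ=" };
    const size_t nkeep = sizeof keep / sizeof keep[0];
    size_t n = 0;

    for (size_t i = 0; in_env[i] != NULL && n + 1 < cap; i++) {
        for (size_t k = 0; k < nkeep; k++) {
            if (strncmp(in_env[i], keep[k], strlen(keep[k])) == 0) {
                out[n++] = in_env[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[])
{
    char *clean_env[16];
    char *const sftp_argv[] = { SFTP_SERVER_PATH, NULL };

    if (!sftp_request_allowed(argc, argv)) {
        fputs("Interactive SSH is Not Allowed\n", stderr);
        return 1;
    }

    build_clean_env(environ, clean_env, sizeof clean_env / sizeof clean_env[0]);
    execve(SFTP_SERVER_PATH, sftp_argv, clean_env);

    /* Only reached if the exec failed (binary or one of its libraries
     * missing from the jail): report why and use the shell's
     * conventional "cannot execute" status. */
    fprintf(stderr, "cannot exec %s: %s\n", SFTP_SERVER_PATH, strerror(errno));
    return 127;
}
```

Install it exactly as the walkthrough above installs ssh-dummy: copy it into the jail's /bin, list it in /etc/shells both inside and outside the jail, and make it the user's shell in the chrooted /etc/passwd. On OpenSSH 4.9 and later the same restriction needs no helper binary at all: a `Match User testd` block with `ChrootDirectory` and `ForceCommand internal-sftp` in sshd_config confines the user and runs the built-in sftp server in-process, which also removes the library-copying step above.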
>Hello again Juan,
>
>-----Original Message-----
>From: jai...@li...
>[mailto:jai...@li...] On Behalf Of
>Juan M. Casillas
>Sent: February 14, 2004 12:21 AM
>To: 'Michael Kelly'
>Cc: jai...@li...
>Subject: RE: [Jail-main] Jail-main +apache +sftp and howto (newbie)
>
>
>>Hello Juan,
>
> Hello Michael
>
>>I have gone ahead and installed Jail-main and so far it is
>>working great. Still have some tweaking to get figured out but
>>other than that it seems to be what I was looking for.
>>
>>Only thing I am looking into now is how much software I need
>>to install to the chroot directory in order to get sftp
>>working. Obviously I will need to do ssh and the sftp-server,
>>but I am unsure of any other requirements.
>
>
> You shouldn't install too much software. From your previous
> mail, I deduce that you want your users (from the outside)
> to be able to put files inside the chrooted environment (the
> secured machine). Note that jail only chroots filesystems,
> not net daemons, and scp & ssh are.
>
>That is exactly what I want, users to be able to upload and
>download files from and to their machine. I do not want them to be
>able to use my machine to perform any other tasks. I do understand
>that ssh and scp are daemons and cannot be chrooted. My main concern,
>other than restricting what they could do, is restricting where
>they can look.
>
> Scp & ssh will work without installing any software, because
> they are outside the chrooted environment (another thing
> is if you want your chrooted users to be able to do scp &
> ssh to other machines, but you don't want that, right?)
>
>No I do not want that (As above)
>
>I will explain a little more. I am setting up a web server for
>our company to host its office websites on. It is an international
>company so most of these websites will be updated remotely and I
>wanted to provide sftp capability for them to do that. The people
>who are connecting are "trusted" users (company employees) but I
>would rather err on the side of caution than allow them free access
>to the machine.
>
>>I'm sure through configuration of the sshd_conf I can restrict
>>user access to an sftp client only.
>
> I was poking with this file yesterday and I don't see anything
> but please, if you can tweak it to do that, send me the
> configuration options back :)
>
>I remember reading in a post on another forum that you could
>set the user's shell as the sftp-server daemon. I have yet to try
>this. I also remember reading a post that you could use sshd_conf
>directives to limit a user to scp or sftpd logins only. I have not
>tried this yet either, but when I do, soon, I will let you know how
>it turns out
>
>>Thanks in advance for any advice regarding other necessary
>>software needed in the chroot directory.
>
> I usually install inside the chrooted environment just the
> minimum:
>
> cd, ls, vi ... The default commands installed by
> addjailsw plus bash.
>
>I will try it with that minimal software set.
>
>Thanks again for your help
>md_kelly
>
>
>Kind Regards,
>Juan M. Casillas
>http://www.jmcresearch.com
>
>>
>>>>> "Juan M. Casillas" <as...@er...> 02/13/04 1:00 PM >>>
>>>Hello all,
>>
>> Hello
>>
>>>
>>>Just happened to stumble across Jail-main in my search for
>>>chroot options for sftp access to my webserver.
>>>Here is what I am doing and what I want to do.
>>>
>>>I am running a webserver, Apache 2.0.48, and am going to be
>>>hosting a variety of different websites via Virtual Name
>>>hosting. What I want to do is be able to give clients
>>>read/write access to only their website directory's top level,
>>>and all folders below, to allow them to update their pages
>>>remotely. I do not want them to be able to access any other
>>>part of the filesystem or be able to execute any commands
>>>other than those necessary for the operation of sftp.
>>
>>>I am very new to secure logins and the idea of chrotting an
>>>ssh session, however, after much reading I am thinking that
>>>Jail-main may be the solution I am looking for.
>>
>>>My biggest question is about installation. Is it possible for
>>>me to only give them access to the sftp server. They will not
>>>be logging in as users of the system in any way, only to upload
>>>and download to their directories
>>
>> I poked around with sftp and ssh, and sftp requires a valid
>> login shell in order to work, so you can't allow sftp without
>> an ssh session. But on the other side, I got ftp working without
>> an ssh account, which maybe fits your needs.
>>
>>>I apologize if this question is off-topic or anything else. I
>>>have just had too many experiences of installing the wrong software
>>
>> it is not offtopic!
>> Your questions are always welcome
>>
>>>Thank you
>>>md_kelly
>>
>>Kind Regards,
>>Juan M. Casillas
>>http://www.jmcresearch.com
>>
>>
>>
>
>
>
>-------------------------------------------------------
>SF.Net is sponsored by: Speed Start Your Linux Apps Now.
>Build and deploy apps & Web services for Linux with
>a free DVD software kit from IBM. Click Now!
>http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
>_______________________________________________
>Jail-main mailing list
>Jai...@li...
>https://lists.sourceforge.net/lists/listinfo/jail-main
>
>
>
>
>