Re: FW: [Jail-main] Jail-main +apache +sftp and howto (newbie) FIX
From: Michael K. <mk...@vi...> - 2004-02-16 18:13:50
Hello again Juan,
Thanks again for the code you wrote, it worked like a charm.
I will add my own configuration details as an update to what you
included.
I followed all steps as you outlined them up until the point of copying
the sftp-server and its binaries.
The first time I tried I followed your directions to the letter, making
changes where required for my platform, but it would not let me in via
sftp. Access was denied via ssh login as well, good thing. I checked over
all directions and copied files, and all existed and were where they were
supposed to be. I had changed the sftp-server configuration line in the
ssh-dummy.c file to match its directory in sshd_config. I had changed the
chrooted user shell to the compiled ssh-dummy executable. Essentially I
had mirrored your setup, but as I stated earlier, sftp would not let me
in.
At that point I blew away the chrooted directory and started over.
Following your directions again, but instead of using strace to locate
the required lib files, I just installed ssh to the chroot environment
with
addjailsw /chroot -P ssh
I then completed the rest of the setup directions and it all works
great.
I have sftp access to the chroot environment, but no interactive ssh
login and no scp. Perfect.
Thanks again for all your help. I will be sure to keep my eyes on the
mailing list to see if I can assist anyone in the same situation.
cheers
md_kelly
>>> "Michael Kelly" <md_...@te...> 15/02/2004 8:07:39 am >>>
-----Original Message-----
From: jai...@li...
[mailto:jai...@li...] On Behalf Of Juan M.
Casillas
Sent: February 14, 2004 3:15 PM
To: jai...@li...
Subject: RE: [Jail-main] Jail-main +apache +sftp and howto (newbie)
FIX
Hi Michael !
I poked around with your problem and I have a fix for you.
Sftp always passes the following to the shell:
-c path/to/sftp-server
The solution was to create a dummy shell that intercepts that
and only calls the sftp-server, so if the user tries to do
an interactive login, he isn't allowed to do it.
At the end of the script you will find the .c source.
Just compile it, install it in /bin, and use it
as the shell for the user.
My environment:
My chrooted user dir is /home/testd
My chrooted user is /home/testd
I create the chroot from scratch with:
[create the user and modify /etc/passwd]
# mkjailenv /home/testd
[ output removed ]
# addjailsw /home/testd
[ output removed ]
# addjailsw /home/testd -P bash
[ output removed ]
# addjailuser /home/testd /home/testd /bin/bash testd
[ output removed ]
After testing that I can log into the chrooted environment, I
compile ssh-dummy.c and copy it:
# gcc -Wall -o ssh-dummy ssh-dummy.c
# cp ssh-dummy /home/testd/bin
Now, I edit the chrooted passwd and put ssh-dummy as the shell
for the user testd. Now it can do sftp but not ssh.
# vi /home/testd/etc/passwd
Now, copy the sftp-server binary and its libs:
# (strace /usr/lib/sftp-server 2>&1) |grep open
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libutil.so.1", O_RDONLY) = 3
open("/usr/lib/libz.so.1", O_RDONLY) = 3
open("/lib/libnsl.so.1", O_RDONLY) = 3
open("/usr/lib/i686/cmov/libcrypto.so.0.9.7", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/lib/libdl.so.2", O_RDONLY) = 3
Copy all of the libraries into place:
(note that some slight differences can arise here;
fit the files to your system's dependencies)
# cp /lib/libutil.so.1 /home/testd/lib
# cp /usr/lib/libz.so.1 /home/testd/usr/lib
# cp /lib/libnsl.so.1 /home/testd/lib
# mkdir -p /home/testd/usr/lib/i686/cmov/
# cp /usr/lib/i686/cmov/libcrypto.so.0.9.7 /home/testd/usr/lib/i686/cmov/
# cp /lib/libc.so.6 /home/testd/lib
# cp /lib/libdl.so.2 /home/testd/lib
Try it with ssh:
$ ssh testd@testbed
testd@testbed's password:
Linux testbed 2.4.19 #1 Wed Sep 18 13:02:44 CEST 2002 i686 GNU/Linux
[...]
Interactive SSH is Not Allowed
Connection to testbed closed.
Try it with sftp:
$ sftp testd@testbed
Connecting to testbed...
testd@testbed's password:
sftp> ls
.
..
.bash_history
sftp>
It works :)
Hope it works for you
Kind Regards,
Juan M. Casillas
http://www.jmcresearch.com
ssh-dummy.c
------------8<-------------------------------------------------------------------
//
////////////////////////////////////////////////////////////////////////
//
// ssh-dummy.c
// invokes the sftp-server only disallowing ssh interactive access
//
// Juan M. Casillas <jua...@jm...>
//
// configure SFTP_SERVER_PATH to point to the same
// place that the 'Subsystem' entry in the sshd_config
// (usually at /etc/ssh)
//
// Compile, and use as default shell for the user.
// remember, if you use it inside jail, to add it
// inside the /etc/shells (chrooted and non chrooted)
// and install it inside the chrooted environment
//
// Compile it with: gcc -Wall -o ssh-dummy ssh-dummy.c
//
//
////////////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SFTP_ARGUMENT "-c"
#define SFTP_SERVER_PATH "/usr/lib/sftp-server"

/* sshd invokes the login shell as:  <shell> -c "<Subsystem command>"
 * Only that exact invocation is allowed through; an interactive login
 * (no arguments) or any other command is refused with a non-zero exit. */
int main(int argc, char *argv[], char *env[]) {
    if (argc > 2 &&
        strcmp(argv[1], SFTP_ARGUMENT) == 0 &&
        strcmp(argv[2], SFTP_SERVER_PATH) == 0) {
        execle(SFTP_SERVER_PATH, SFTP_SERVER_PATH, (char *)0, env);
        /* only reached if the exec failed */
        perror("Problems spawning " SFTP_SERVER_PATH);
        return 1;
    }
    printf("Interactive SSH is Not Allowed\n");
    return 1;
}
------------8<-------------------------------------------------------------------
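The "copy the libraries into place" step of the procedure above is easy to get wrong by hand: every shared object has to land at the same path inside the jail that the dynamic loader will search for it, or sftp-server fails to start and the login is simply refused. The script below is an added example, not Jail's own tooling and not part of the original post: it parses `ldd` output into library paths, stages a binary plus its libraries under a jail root while preserving the host layout, and then checks that each file is present. The function names (`ldd_paths`, `jail_stage`, `jail_check`, `jail_stage_binary`, `demo`), the `SRCROOT` hook and the `ldd_out` text are assumptions for illustration; the demo builds a constructed fake host root (placeholder files, library list taken from the strace output in the post) so it runs offline without root.

```shell
#!/bin/sh
# Stage a binary and its shared-library dependencies into a chroot,
# keeping the host directory layout: /lib/libc.so.6 must land at
# $JAIL/lib/libc.so.6, not at $JAIL/libc.so.6, or the dynamic loader
# inside the jail will not find it.

# ldd_paths: read `ldd BINARY` output on stdin, print one absolute
# library path per line. Handles "libz.so.1 => /usr/lib/libz.so.1 (0x..)"
# and the bare "/lib/ld-linux.so.2 (0x..)" loader line; skips the vDSO
# pseudo-entry, which has no file behind it.
ldd_paths() {
    awk '
        /=>/        { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//  { print $1 }
    '
}

# jail_stage JAIL PATH...: copy each absolute host PATH to JAIL/PATH,
# creating parent directories. SRCROOT (default: empty, i.e. the real
# host root) is an assumed hook so the demo can copy from a fake root.
jail_stage() {
    jail=$1; shift
    for p in "$@"; do
        case $p in
            /*) ;;
            *)  echo "jail_stage: not an absolute path: $p" >&2; return 1 ;;
        esac
        mkdir -p "$jail$(dirname "$p")" || return 1
        cp -p "${SRCROOT-}$p" "$jail$p" || return 1
    done
}

# jail_check JAIL PATH...: succeed only if every PATH exists under JAIL.
jail_check() {
    jail=$1; shift
    for p in "$@"; do
        [ -e "$jail$p" ] || { echo "missing in jail: $p" >&2; return 1; }
    done
}

# jail_stage_binary JAIL BINARY: stage BINARY and everything ldd lists
# for it (paths containing spaces are not handled; system libraries
# never do). Needs a real ldd and write access to JAIL.
jail_stage_binary() {
    jail=$1; bin=$2
    libs=$(ldd "$bin" | ldd_paths) || return 1
    jail_stage "$jail" "$bin" $libs && jail_check "$jail" "$bin" $libs
}

# demo: offline run against a constructed fake host root, using the
# library list from the strace output in the post as constructed ldd
# output. Prints the jail directory it populated.
demo() {
    tmp=$(mktemp -d) || return 1
    fake_host=$tmp/host
    jail=$tmp/jail
    ldd_out='        linux-gate.so.1 =>  (0xffffe000)
        libutil.so.1 => /lib/libutil.so.1 (0x40020000)
        libz.so.1 => /usr/lib/libz.so.1 (0x40024000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40030000)
        libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x40040000)
        libc.so.6 => /lib/libc.so.6 (0x40100000)
        libdl.so.2 => /lib/libdl.so.2 (0x40200000)
        /lib/ld-linux.so.2 (0x40000000)'
    libs=$(printf '%s\n' "$ldd_out" | ldd_paths)
    # placeholder files standing in for the real binary and libraries
    for p in /usr/lib/sftp-server $libs; do
        mkdir -p "$fake_host$(dirname "$p")"
        printf 'placeholder for %s\n' "$p" > "$fake_host$p"
    done
    SRCROOT=$fake_host
    jail_stage "$jail" /usr/lib/sftp-server $libs || return 1
    jail_check "$jail" /usr/lib/sftp-server $libs || return 1
    SRCROOT=
    echo "$jail"
}

demo
```

On a real host the call is `jail_stage_binary /home/testd /usr/lib/sftp-server` as root, after which `jail_check` can be rerun against the jail as a quick sanity test before changing the user's shell. Two caveats: `ldd` only reports libraries linked at build time, so anything loaded at run time with dlopen (NSS modules, for instance, which is why the post's strace approach is also worth keeping) has to be added by hand; and later OpenSSH releases make the copying unnecessary for the sftp-only case, since `ChrootDirectory` together with `Subsystem sftp internal-sftp` runs the SFTP server inside sshd itself, so no binaries or libraries need to exist in the jail at all.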
>Hello again Juan,
>
>-----Original Message-----
>From: jai...@li...
>[mailto:jai...@li...] On Behalf Of
>Juan M. Casillas
>Sent: February 14, 2004 12:21 AM
>To: 'Michael Kelly'
>Cc: jai...@li...
>Subject: RE: [Jail-main] Jail-main +apache +sftp and howto (newbie)
>
>
>>Hello Juan,
>
> Hello Michael
>
>>I have gone ahead and installed Jail-main and so far it is
>>working great. Still have some tweaking to get figured out but
>>other than that it seems to be what I was looking for.
>>
>>Only thing I am looking into now is how much software I need
>>to install to the chroot directory in order to get sftp
>>working. Obviously I will need to do ssh and the sftp-server,
>>but I am unsure of any other requirements.
>
>
> You shouldn't install too much software. From your previous
> mail, I deduce that you want your users (from the outside)
> to be able to put files inside the chrooted environment (the
> secured machine). Note that jail only chroots filesystems,
> not net daemons, and scp & ssh are.
>
>That is exactly what I want, users to be able to upload and download files
>from and to their machine. I do not want them to be able to use my machine
>to perform any other tasks. I do understand that ssh and scp are daemons and
>cannot be chrooted. My main concern, other than restricting what they could
>do, is restricting where they can look.
>
> Scp & ssh will work without installing any software, because
> they are outside the chrooted environment (another thing
> is if you want your chrooted users to be able to do scp &
> ssh to other machines, but you don't want that, right?)
>
>No I do not want that (As above)
>
>I will explain a little more. I am setting up a web server for our company
>to host its office websites on. It is an international company so most of
>these websites will be updated remotely and I wanted to provide sftp
>capability for them to do that. The people who are connecting are "trusted"
>users (company employees) but I would rather err on the side of caution than
>allow them free access to the machine.
>
>>I'm sure through configuration of the sshd_conf I can restrict
>>user access to an sftp client only.
>
> I was poking with this file yesterday and I don't see anything
> but please, if you can tweak it to do that, send me the
> configuration options back :)
>
>I remember reading in a post on another forum that you could set the user's
>shell as the sftp-server daemon. I have yet to try this. I also remember
>reading a post that you could use sshd_conf directives to limit a user to
>scp or sftpd logins only. I have not tried this yet either, but when I do,
>soon, I will let you know how it turns out.
>
>>Thanks in advance for any advice regarding other necessary
>>software need in the chroot directory.
>
> I usually install inside the chrooted environment just the
> minimum:
>
> cd, ls, vi ... The default commands installed by
> addjailsw plus bash.
>
>I will try it with that minimal software set.
>
>Thanks again for your help
>md_kelly
>
>
>Kind Regards,
>Juan M. Casillas
>http://www.jmcresearch.com
>
>>
>>>>> "Juan M. Casillas" <as...@er...> 02/13/04 1:00 PM >>>
>>>Hello all,
>>
>> Hello
>>
>>>
>>>Just happened to stumble across Jail-main in my search for
>>>chroot options for sftp access to my webserver.
>>>Here is what I am doing and what I want to do.
>>>
>>>I am running a webserver, Apache 2.0.48, and am going to be
>>>hosting a variety of different websites via Virtual Name
>>>hosting. What I want to do is be able to give client
>>>read/write access to only their website directories top-level,
>>>and all folders below, to allow them to update their pages
>>>remotely. I do not want them to be able to access any other
>>>part of the filesystem or be able to execute any commands
>>>other than those necessary for the operation of sftp.
>>
>>>I am very new to secure logins and the idea of chrooting an
>>>ssh session, however, after much reading I am thinking that
>>>Jail-main may be the solution I am looking for.
>>
>>>My biggest question is about installation. Is it possible for
>>>me to only give them access to the sftp server. They will not
>>>be logging in as users of the system in anyway, only to upload
>>>and download to their directories
>>
>> I poked around with sftp and ssh, and sftp requires a valid
>> login shell in order to work, so you can't allow sftp without
>> an ssh session. But on the other side, I got ftp working without
>> an ssh account, which maybe fits your needs.
>>
>>>I apologize if this question is off-topic or anything else. I
>>>have just had too many experiences of installing the wrong software
>>
>> It is not off-topic!
>> Your questions are always welcome
>>
>>>Thank you
>>>md_kelly
>>
>>Kind Regards,
>>Juan M. Casillas
>>http://www.jmcresearch.com
>>
>>
>>
>
>
>
>-------------------------------------------------------
>SF.Net is sponsored by: Speed Start Your Linux Apps Now.
>Build and deploy apps & Web services for Linux with
>a free DVD software kit from IBM. Click Now!
>http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
>_______________________________________________
>Jail-main mailing list
>Jai...@li...
>https://lists.sourceforge.net/lists/listinfo/jail-main