Openssh-chroot

From ArchWiki


Update, Aug 21, 2009:

It seems as though the package openssh-chroot is now non-existent.



Introduction

OpenSSH-chroot is based on the standard OpenSSH package and adds the ability to create a chroot jail. This feature has been requested by many people, and most large Linux distributions already offer it as an add-on, which is why we decided to add it to Arch Linux as well. OpenSSH-chroot works just like the ordinary OpenSSH package, with some extra functionality added to it.

Note, this is for SSH (remote) users only. Also, even though it is easy to install for anyone, we only recommend it to intermediate or advanced users because of its underlying complexity.

Once the installation and configuration process is complete, you can add as many users as needed to the chroot environment with ease.

Note, some applications do not behave well inside a chroot jail because of the way they are coded, but we have done the tedious work for you by including 'screen' and 'irssi' in the chroot environment. We will continue to update this package with more hard-to-chroot applications as time allows.

Warning, this is not a 100% secure setup. Very experienced attackers might (with a very slim chance) break out of even this SSH-based chroot jail. To get a bulletproof setup we recommend compiling the kernel with the grsecurity patch.

Installation

This package is available in the community repository. To install it, run

# pacman -S openssh-chroot

Note: openssh-chroot conflicts with the ordinary openssh package, so remove openssh with 'pacman -Rd openssh' before installing openssh-chroot. This is expected and quite alright.

Edit '/usr/sbin/chroot_create' to add or remove the applications that will be available in the chroot jail.

Then run the script to create the actual environment:

# /usr/sbin/chroot_create [<chroot-rootdir>]

If the optional chroot-rootdir is not given on the command line, the script uses the hardcoded default '/chroot' instead.

Configuration

Add the following line to /etc/fstab:

none /<chroot-rootdir>/dev/pts devpts defaults 0 0

Now restart your SSH daemon:

# /etc/rc.d/sshd restart

Adding new chrooted users

  • The automagical way:
# chroot_adduser <username> <chroot-rootdir>
  • OR you can do it the manual way:
# /usr/sbin/groupadd <username>
# /usr/sbin/useradd -d /<chroot-rootdir>/./home/<username> -g <username> -m -s /bin/bash <username>
  • NOTE! The dot ("/./") in the home directory path above is what jails the user.
  • Now we need to add one line to each of /<chroot-rootdir>/etc/passwd and /<chroot-rootdir>/etc/group. First, find the user's line in the host's /etc/passwd:
$ cat /etc/passwd
  • Copy the whole line for <username> from the output and append it to the jail's passwd file:
# echo '<paste here>' >> /<chroot-rootdir>/etc/passwd
  • For example: zaxx:x:1001:1001::/home/chroot/./home/zaxx:/bin/bash. Unfortunately you then have to remove part of the home directory path. Edit /<chroot-rootdir>/etc/passwd and remove characters until the line looks like this: zaxx:x:1001:1001::/home/zaxx:/bin/bash
  • Now do the same for the <username> line in /etc/group:
$ cat /etc/group
# echo '<paste here>' >> /<chroot-rootdir>/etc/group
  • Now set a password for the newly created user:
# /usr/bin/passwd <username>
  • We also want to adjust the ownership and permissions of <username>'s home directory:
# /bin/chmod 700 /<chroot-rootdir>/./home/<username>
# /bin/chown -R <username>:<username> /<chroot-rootdir>/./home/<username>
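The manual steps above are easy to get subtly wrong by hand (pasting the passwd line without trimming the "/./" prefix, adding a user twice, adding the devpts fstab line twice). The following script is an added example, not the openssh-chroot package's own chroot_adduser script; it assumes the layout the article describes (a chroot root such as /chroot containing its own etc/passwd and etc/group, and home directories created as /<chroot-rootdir>/./home/<username>). The host passwd and group files it rewrites in the demo are constructed samples in a temporary directory; the chroot_add_user function wraps the real root-only commands and only runs when you invoke the script with --apply.

```shell
#!/bin/sh
# Added example (not the openssh-chroot package's chroot_adduser): helpers for
# the manual "Adding new chrooted users" steps. Assumes the article's layout:
# a chroot root with its own etc/passwd and etc/group, and home directories
# of the form /<chroot-rootdir>/./home/<username>.

# Rewrite one passwd(5) line for use inside the jail: drop everything in the
# home-directory field up to and including "/./", so
#   zaxx:x:1001:1001::/chroot/./home/zaxx:/bin/bash
# becomes
#   zaxx:x:1001:1001::/home/zaxx:/bin/bash
# Group lines contain no "/./" and pass through unchanged.
jail_entry() {
    printf '%s\n' "$1" | sed 's|[^:]*/\./|/|'
}

# Copy <user>'s line from a host passwd/group file ($2) into the jail's copy
# ($3), rewriting the home directory and never adding the same user twice.
jail_copy_entry() {
    user=$1 src=$2 dst=$3
    entry=$(grep "^$user:" "$src") || {
        echo "jail_copy_entry: no entry for $user in $src" >&2
        return 1
    }
    if grep -q "^$user:" "$dst" 2>/dev/null; then
        return 0    # already present in the jail, nothing to do
    fi
    jail_entry "$entry" >> "$dst"
}

# Add the devpts line from the Configuration section to an fstab ($2, default
# /etc/fstab) unless an entry for the jail's /dev/pts is already there.
ensure_devpts_fstab() {
    root=$1 fstab=${2:-/etc/fstab}
    if grep -q "[[:space:]]$root/dev/pts[[:space:]]" "$fstab" 2>/dev/null; then
        return 0
    fi
    printf 'none %s/dev/pts devpts defaults 0 0\n' "$root" >> "$fstab"
}

# The full manual procedure, to be run as root on the host. It is only run
# when the script is invoked as: ./jail_user.sh --apply <username> [<chroot-rootdir>]
chroot_add_user() {
    user=$1 root=${2:-/chroot}
    groupadd "$user"
    # The "/./" in the home path is what tells the chroot-aware sshd to jail the user.
    useradd -d "$root/./home/$user" -g "$user" -m -s /bin/bash "$user"
    jail_copy_entry "$user" /etc/passwd "$root/etc/passwd"
    jail_copy_entry "$user" /etc/group  "$root/etc/group"
    passwd "$user"
    chmod 700 "$root/./home/$user"
    chown -R "$user:$user" "$root/./home/$user"
}

# Offline demo on a constructed host passwd/group pair in a temporary tree
# (sample data, not taken from a real system).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/host" "$tmp/chroot/etc"
    printf 'root:x:0:0::/root:/bin/bash\nzaxx:x:1001:1001::%s/chroot/./home/zaxx:/bin/bash\n' "$tmp" > "$tmp/host/passwd"
    printf 'root:x:0:\nzaxx:x:1001:\n' > "$tmp/host/group"
    jail_copy_entry zaxx "$tmp/host/passwd" "$tmp/chroot/etc/passwd"
    jail_copy_entry zaxx "$tmp/host/group"  "$tmp/chroot/etc/group"
    ensure_devpts_fstab "$tmp/chroot" "$tmp/fstab"
    cat "$tmp/chroot/etc/passwd" "$tmp/chroot/etc/group" "$tmp/fstab"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--apply" ]; then
    chroot_add_user "$2" "$3"
else
    demo
fi
```

Without arguments the script only runs the demo on its constructed sample files; the real useradd/passwd/chown sequence is reached solely through --apply, so you can read and test the passwd-line rewriting before touching the host's account database.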

Testing your chrootjail

# chroot /<chroot-rootdir>/ /bin/bash

If the above doesn't work, you have done something seriously wrong during the install process. How? We have no idea. Remove the chroot jail ( rm -rf <chroot-rootdir> && userdel -r <username> ) and start over.

$ ssh <username>@localhost

If that works you have a fully working chrootjail. Congrats!

Note! If the first test succeeds but the ssh test does not, there is a strong possibility that your /etc/hosts.allow is misconfigured. Add the following to that file and try the ssh test again:

 ALL: localhost
 sshd: ALL
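To see why those two lines fix the ssh test, it helps to check a hosts.allow file the way the TCP wrapper does. The script below is an added example, not part of the original page or of openssh-chroot: it models only the subset of hosts_access(5) syntax the note uses (a "daemon_list : client_list" per line, exact names or the ALL wildcard) and deliberately ignores hosts.deny, EXCEPT clauses and hostname resolution, so it is a configuration sanity check rather than a reimplementation of libwrap. The hosts.allow contents it examines in the demo are constructed samples.

```shell
#!/bin/sh
# Added example (not the page's or openssh-chroot's code): a minimal check of
# whether a hosts.allow file grants a daemon to a client. Models only
# "daemon_list : client_list" lines with exact names or ALL; ignores
# hosts.deny, EXCEPT and hostname/network matching.

# Return 0 when a comma- or space-separated list ($1) contains $2 or ALL.
list_matches() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$item" = ALL ] || [ "$item" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# Return 0 when some line in the file ($3, default /etc/hosts.allow) allows
# daemon $1 for client $2; print the matching line.
hosts_allow_permits() {
    daemon=$1 client=$2 file=${3:-/etc/hosts.allow}
    [ -r "$file" ] || return 1
    # Strip comments and blank lines, then examine each "daemons : clients" pair.
    hit=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | while IFS= read -r line; do
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}      # drop a trailing ": option" field if present
        if list_matches "$daemons" "$daemon" && list_matches "$clients" "$client"; then
            echo "$line"
            break
        fi
    done)
    [ -n "$hit" ] && echo "$hit"
}

# Demo on constructed hosts.allow contents: one file with the two lines from
# the note above, one with only the localhost rule.
demo() {
    tmp=$(mktemp -d)
    printf '# constructed sample\nALL: localhost\nsshd: ALL\n' > "$tmp/fixed"
    printf 'ALL: localhost\n' > "$tmp/local_only"
    for f in fixed local_only; do
        for client in localhost 10.0.0.5; do
            if hosts_allow_permits sshd "$client" "$tmp/$f" >/dev/null; then
                echo "$f: sshd from $client permitted"
            else
                echo "$f: sshd from $client NOT permitted by hosts.allow"
            fi
        done
    done
    rm -rf "$tmp"
}

demo
```

The demo shows the distinction that matters for the note: with only "ALL: localhost" the loopback ssh test passes but remote clients still depend on whatever hosts.deny says, while "sshd: ALL" explicitly admits sshd from any address, so review it before leaving it in place on an exposed host.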