Openssh-chroot
From ArchWiki
Update Aug 21, 2009:
It seems as though the package openssh-chroot is now non-existent.
Introduction
OpenSSH-chroot is based on the standard OpenSSH package and adds the feature of creating a chroot jail. This feature has been requested by a lot of people, and most large Linux distributions already have it as an add-on. This is why we have decided to add it to Arch Linux as well. OpenSSH-chroot works just like the ordinary OpenSSH package, with some extra functionality added to it.
Note, this is for SSH (remote users) only. Also, even though it is easy to install for all users, we only recommend it to intermediate or advanced users due to its underlying complex nature.
Once the installation/configuration process is complete you can add as many users as wanted/needed to the chroot environment with ease.
Note, some apps do not like to be in a chroot jail because of the way they have been coded/implemented, but we have done the tedious job for you by adding 'screen' and 'irssi' as apps in the chroot environment. We will continue to update this package with more hard-to-implement apps as time allows.
Warning, this is not a 100% secure setup. Very experienced hackers might (very slim chance) break out of even this SSH-based chroot jail. For a bulletproof setup we recommend compiling the kernel with the grsecurity patch.
Installation
This package is available in the community repository. To install it, run
# pacman -S openssh-chroot
Note: openssh-chroot conflicts with the ordinary openssh, so remove openssh with
# pacman -Rd openssh
before installing openssh-chroot. This is quite alright.
Edit '/usr/sbin/chroot_create' to add or remove apps which will be available in the chroot jail.
Then run the script to create the actual environment:
# /usr/sbin/chroot_create [<chroot-rootdir>]
If the optional chroot-rootdir isn't given on the command line, the script uses the hardcoded default '/chroot' instead.
Configuration
Add the following line to /etc/fstab:
none /<chroot-rootdir>/dev/pts devpts defaults 0 0
Now you have to restart your ssh daemon:
# /etc/rc.d/sshd restart
Adding new chrooted users
- The automagical way:
chroot_adduser <username> <chroot-rootdir>
- OR you can do it the manual way:
# /usr/sbin/groupadd <username>
# /usr/sbin/useradd -d /<chroot-rootdir>/./home/<username> -g <username> -m -s /bin/bash <username>
- NOTE! The dot in the useradd line above (the '/./' inside the home directory path) is what jails the user.
- Now we need to add one line to both /<chroot-rootdir>/etc/passwd and /<chroot-rootdir>/etc/group.
$ cat /etc/passwd
- Now copy the whole line with <username> from the output.
echo '<paste here>' >> /<chroot-rootdir>/etc/passwd
- For example:
zaxx:x:1001:1001::/home/chroot/./home/zaxx:/bin/bash
Unfortunately you have to remove part of the path to the user's home directory after this. Edit /<chroot-rootdir>/etc/passwd and remove characters until the line looks like this:
zaxx:x:1001:1001::/home/zaxx:/bin/bash
- Now we need to copy the line with <username> in /etc/group.
$ cat /etc/group
echo '<paste here>' >> /<chroot-rootdir>/etc/group
- Now it's time to set a password for the newly created user.
/usr/bin/passwd <username>
- We also want to modify <username>'s home directory slightly.
/bin/chmod 700 /<chroot-rootdir>/./home/<username>
/bin/chown -R <username>:<username> /<chroot-rootdir>/./home/<username>
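The manual procedure above as an added shell example (this is not the openssh-chroot package's own chroot_adduser script): it creates the user with the '/./' marker in the home path, copies the passwd and group entries into the jail, and rewrites the home directory field automatically instead of editing it by hand. The function names and the jail-root argument are assumptions.

```shell
#!/bin/sh
# Added example, not the package's own chroot_adduser script.
# jail_passwd_line / lookup_entry / jail_copy_user / jail_add_user are assumed names.

# Rewrite a passwd line so the home directory is the path *inside* the
# jail: drop everything up to and including the "/./" marker in field 6.
#   zaxx:x:1001:1001::/home/chroot/./home/zaxx:/bin/bash
#   -> zaxx:x:1001:1001::/home/zaxx:/bin/bash
jail_passwd_line() {
    printf '%s\n' "$1" | awk -F: 'BEGIN { OFS = ":" }
    {
        i = index($6, "/./")          # 1-based position of the marker
        if (i > 0) $6 = substr($6, i + 2)
        print
    }'
}

# Print the entry for $1 from the passwd/group-style file $2 (exact match on
# the name field, so "zaxx" does not also match "zaxx2").
lookup_entry() {
    awk -F: -v n="$1" '$1 == n' "$2"
}

# Copy the host's passwd and group entries for $1 into the jail rooted at $2
# and lock down the home directory. Needs root; safe to re-run.
jail_copy_user() {
    user=$1; root=${2%/}
    pw=$(lookup_entry "$user" /etc/passwd)
    gr=$(lookup_entry "$user" /etc/group)
    [ -n "$pw" ] && [ -n "$gr" ] || { echo "no host entry for $user" >&2; return 1; }
    grep -q "^$user:" "$root/etc/passwd" || jail_passwd_line "$pw" >> "$root/etc/passwd"
    grep -q "^$user:" "$root/etc/group"  || printf '%s\n' "$gr" >> "$root/etc/group"
    chmod 700 "$root/home/$user"                 # same dir as $root/./home/$user
    chown -R "$user:$user" "$root/home/$user"
}

# The full manual procedure: create group and user (the "/./" in the -d
# path is what makes openssh-chroot jail the login), copy the entries,
# then set the password interactively. Usage (as root): jail_add_user zaxx /chroot
jail_add_user() {
    user=$1; root=${2%/}
    /usr/sbin/groupadd "$user" &&
    /usr/sbin/useradd -d "$root/./home/$user" -g "$user" -m -s /bin/bash "$user" &&
    jail_copy_user "$user" "$root" &&
    /usr/bin/passwd "$user"
}
```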
Testing your chrootjail
# chroot /<chroot-rootdir>/ /bin/bash
If the above doesn't work you have done something seriously wrong with the install process. How? We have no idea. Remove the chroot jail and the user:
# rm -rf <chroot-rootdir> && userdel -r <username>
and do it all over.
$ ssh <username>@localhost
If that works you have a fully working chrootjail. Congrats!
Note! If the first test is successful but the ssh test isn't, there is a strong possibility that your /etc/hosts.allow is misconfigured. Add the following two lines to that file and try the ssh test once again:
ALL: localhost
sshd: ALL