[suggest] OpenSSH 4.8p1 or above.

Discussion:

Victor

2010-03-05 05:24:24 UTC

I'd like to see rpmforge look to update OpenSSH to 4.8p1 or later.
Reason is this version (from what I can determine) has the built-in ability
to Jail users to their home directory if you enabled SSH (IE: SFTP).

But in the versions available in centos / rpm / epel they are all at 4.3
something.

Thanks in advance!

--
Victor ('Daworm')
* Melbourne Wireless Node: KDJ & KDT
* Natural Selection 2 Wiki Sysop (http://www.unknownworlds.com/ns2/wiki/)
* AoCWiki Sysop (http://aoc.wikia.com/)
* Twitter: @dawormie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.repoforge.org/pipermail/users/attachments/20100305/3ce3a2f2/attachment.html

Michael Mansour

2010-03-05 05:32:26 UTC

Permalink

Hi,

Post by Victor
I'd like to see rpmforge look to update OpenSSH to 4.8p1 or later.
Reason is this version (from what I can determine) has the built-in ability
to Jail users to their home directory if you enabled SSH (IE: SFTP).
But in the versions available in centos / rpm / epel they are all at
4.3 something.

The last openssh version I have:

openssh-4.3p2-36.el5_4.2.i386

Supports it (from the man page):

ChrootDirectory
Specifies a path to chroot(2) to after authentication. This
path, and all its components, must be root-owned directories that
are not writable by any other user or group.

The path may contain the following tokens that are expanded at
runtime once the connecting user has been authenticated: %% is
replaced by a literal \u2019%\u2019, %h is replaced by the home
directory
of the user being authenticated, and %u is replaced by the user-
name of that user.

The ChrootDirectory must contain the necessary files and directo-
ries to support the users\u2019 session. For an interactive session
this requires at least a shell, typically sh(1), and basic /dev
nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
arandom(4) and tty(4) devices. For file transfer sessions using
\u201csftp\u201d, no additional configuration of the environment
is neces-
sary if the in-process sftp server is used (see
\u201cinternal-sftp\u201d
will force the use of an in-process sftp server that requires no
support files when used with ChrootDirectory. Subsystem for
details).

The default is not to chroot(2).

Regards,

Michael.

Post by Victor
Thanks in advance!
--
Victor ('Daworm')
* Melbourne Wireless Node: KDJ & KDT
* Natural Selection 2 Wiki Sysop
(http://www.unknownworlds.com/ns2/wiki/) * AoCWiki Sysop

------- End of Original Message -------

Victor

2010-03-05 06:38:09 UTC

Permalink

Well, could you (or someone else) point me in the direction of a clear and
well defined guide for centos 5.4 and setting up jailing of chroot users
that won't allow them to path outside of their jailed directories at all?

I know of rssh part of things to restrict commands etc. But I need the
chroot side of things too. So far in those that DO have chroot running,
they've had to build later versions of openssh and I'd rather have a
packaged install from rpm/epel or centos.

Post by Victor
Hi,

Post by Victor
I'd like to see rpmforge look to update OpenSSH to 4.8p1 or later.
Reason is this version (from what I can determine) has the built-in

ability

Post by Victor
to Jail users to their home directory if you enabled SSH (IE: SFTP).
But in the versions available in centos / rpm / epel they are all at
4.3 something.

openssh-4.3p2-36.el5_4.2.i386
ChrootDirectory
Specifies a path to chroot(2) to after authentication. This
path, and all its components, must be root-owned directories that
are not writable by any other user or group.
The path may contain the following tokens that are expanded at
runtime once the connecting user has been authenticated: %% is
replaced by a literal \u2019%\u2019, %h is replaced by the home
directory
of the user being authenticated, and %u is replaced by the user-
name of that user.
The ChrootDirectory must contain the necessary files and directo-
ries to support the users\u2019 session. For an interactive session
this requires at least a shell, typically sh(1), and basic /dev
nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
arandom(4) and tty(4) devices. For file transfer sessions using
\u201csftp\u201d, no additional configuration of the environment
is neces-
sary if the in-process sftp server is used (see
\u201cinternal-sftp\u201d
will force the use of an in-process sftp server that requires no
support files when used with ChrootDirectory. Subsystem for
details).
The default is not to chroot(2).
Regards,
Michael.

Post by Victor
Thanks in advance!
--
Victor ('Daworm')
* Melbourne Wireless Node: KDJ & KDT
* Natural Selection 2 Wiki Sysop
(http://www.unknownworlds.com/ns2/wiki/) * AoCWiki Sysop

------- End of Original Message -------

Michael Mansour

2010-03-05 08:20:53 UTC

Permalink

Hi Victor,

Post by Victor
Well, could you (or someone else) point me in the direction of a
clear and well defined guide for centos 5.4 and setting up jailing
of chroot users that won't allow them to path outside of their
jailed directories at all?

I know how to do it but it's been some years since I had to. In the past I've
done it on RHEL4 and HP-UX 10/11.

Post by Victor
From memory (and someone can correct me if I'm wrong here), the general

process is:

1. decide on scp or sftp

2. depending on 1, use "ldd" to find the shared libraries required for the
binary. Newer openssh versions don't need this step for chroot sftp, only for
chroot scp.

3. enabled the "chrootdirectory" option in sshd_config and set your directory
to chroot

4. assign a subdirectory of that directory as the users home directory (forgot
whether that's something like /chroot/./home/ or similar)

Post by Victor
I know of rssh part of things to restrict commands etc. But I need
the chroot side of things too. So far in those that DO have chroot
running, they've had to build later versions of openssh and I'd
rather have a packaged install from rpm/epel or centos.

I actually don't like the way the developers do the chroot, since they
required that you have a new home directory structure.

When I need this, I personally chroot people using this tool:

# rpm -qi lshell
Name : lshell Relocations: /usr
Version : 0.9.8 Vendor: Ignace Mouzannar
(ghantoos) <mouzannar at gmail.com>
Release : 1 Build Date: Tue 01 Dec 2009
09:50:54 AM EST
Install Date: Mon 14 Dec 2009 12:16:55 PM EST Build Host: g-centos5
Group : System Environment/Shells Source RPM: lshell-0.9.8-1.src.rpm
Size : 127720 License: GPL
Signature : (none)
URL : http://lshell.ghantoos.org
Summary : Limited Shell
Description :
lshell is a shell coded in Python that lets you restrict a user's environment
to limited sets of commands, choose to enable/disable any command over SSH
(e.g. SCP, SFTP, rsync, etc.), log user's commands, implement timing
restrictions, and more.

It allows me to set the commands, their home_path (which is the chroot),
whether they can use scp, sftp, etc.

I've used it for years and it works fine and doesn't require any special
chroot directories trees or libraries like openssh does.

Regards,

Michael.