Re: [CentOS] scp setup jailed chroot on Centos7
That's correct, forgot to mention it.
We ended up using SFTP (or at least offering it to external).

-----Original Message-----
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of rai...@ultra-secure.de
Sent: Tuesday, 24 October 2017 15:24
To: CentOS mailing list
Subject: Re: [CentOS] scp setup jailed chroot on Centos7

On 2017-10-24 12:19, Adrian Jenzer wrote:
> Hi Rainer
> I would if I could but external offers only FTP and SCP...
>
> Regards Adrian

AFAIK, for scp you need a proper shell.

I've done that exactly once (chrooted ssh) and it was such a pain that I vowed to never do it again.

The problem is that inside the chroot, you need:
- name resolution
- a minimal passwd/shadow/group file (or ldap)
- maybe for scp, you can get away with a rather minimal device-tree
- but for actual SSH access, I needed a fairly complete device tree inside the chroot (ttys ...).
- that was with FreeBSD 10, I never tried it with anything else (due to its history with jails, creating functional, limited chroot-environments is somewhat in its genes, so to speak)

Somebody sent me the link to these scripts:
https://github.com/codelibre-net/schroot

Maybe you can use those scripts - I've never tried them.

Also, there's scp-only:
https://github.com/scponly/scponly/wiki

Haven't used that in years, either.
Concern over that one seemed to be that it's "another" shell and nobody had apparently done a thorough audit of it.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] scp setup jailed chroot on Centos7
On 2017-10-24 12:19, Adrian Jenzer wrote:
> Hi Rainer
> I would if I could but external offers only FTP and SCP...
>
> Regards Adrian

AFAIK, for scp you need a proper shell.

I've done that exactly once (chrooted ssh) and it was such a pain that I vowed to never do it again.

The problem is that inside the chroot, you need:
- name resolution
- a minimal passwd/shadow/group file (or ldap)
- maybe for scp, you can get away with a rather minimal device-tree
- but for actual SSH access, I needed a fairly complete device tree inside the chroot (ttys ...).
- that was with FreeBSD 10, I never tried it with anything else (due to its history with jails, creating functional, limited chroot-environments is somewhat in its genes, so to speak)

Somebody sent me the link to these scripts:
https://github.com/codelibre-net/schroot

Maybe you can use those scripts - I've never tried them.

Also, there's scp-only:
https://github.com/scponly/scponly/wiki

Haven't used that in years, either.
Concern over that one seemed to be that it's "another" shell and nobody had apparently done a thorough audit of it.
Re: [CentOS] scp setup jailed chroot on Centos7
-----Original Message-----
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of tbucha...@vinu.edu
Sent: Saturday, 21 October 2017 02:14
To: CentOS mailing list
Subject: Re: [CentOS] scp setup jailed chroot on Centos7

-----"CentOS" <centos-boun...@centos.org> wrote: -----
To: CentOS mailing list <centos@centos.org>
From: Rainer Duffner
Sent by: "CentOS"
Date: 10/20/2017 08:00PM
Subject: Re: [CentOS] scp setup jailed chroot on Centos7

> On 20.10.2017 at 15:58, Adrian Jenzer <a.jen...@herzogdemeuron.com> wrote:
>
> Dear all
>
> I'm looking for instructions on how to set up a jailed chroot directory for
> user which needs to upload via scp to the server.
> Especially I miss clear instructions about what needs to be in the jailed
> directory available, like binaries, libraries, etc...
> Without jail I get it to work, but I want to prevent user downloading for
> example /etc folder from the server.
>
> Does anybody have a link or list valid for Centos7
>

Can't you use SFTP?

AFAIK, sftp automatically chroots a user with no valid shell (provided the home directory is owned by root and not writeable by the user and you use Subsystem internal-sftp).

https://github.com/mysecureshell/mysecureshell

Thanks for this. Didn't know about it. And setup is pretty straightforward.
The repo for Centos6 works with 7 too.

[mysecureshell]
name=MySecureShell
baseurl=http://mysecureshell.free.fr/repository/index.php/centos/6.4/
enabled=1
gpgcheck=0

regards
Adrian
Re: [CentOS] scp setup jailed chroot on Centos7
-----Original Message-----
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Rainer Duffner
Sent: Saturday, 21 October 2017 00:41
To: CentOS mailing list
Subject: Re: [CentOS] scp setup jailed chroot on Centos7

> On 20.10.2017 at 15:58, Adrian Jenzer <a.jen...@herzogdemeuron.com> wrote:
>
> Dear all
>
> I'm looking for instructions on how to set up a jailed chroot directory for
> user which needs to upload via scp to the server.
> Especially I miss clear instructions about what needs to be in the jailed
> directory available, like binaries, libraries, etc...
> Without jail I get it to work, but I want to prevent user downloading for
> example /etc folder from the server.
>
> Does anybody have a link or list valid for Centos7
>

Can’t you use SFTP?

AFAIK, sftp automatically chroots a user with no valid shell (provided the home directory is owned by root and not writeable by the user and you use Subsystem internal-sftp).

Hi Rainer
I would if I could but external offers only FTP and SCP...

Regards
Adrian
Re: [CentOS] scp setup jailed chroot on Centos7
-----"CentOS" <centos-boun...@centos.org> wrote: -----
To: CentOS mailing list <centos@centos.org>
From: Rainer Duffner
Sent by: "CentOS"
Date: 10/20/2017 08:00PM
Subject: Re: [CentOS] scp setup jailed chroot on Centos7

> On 20.10.2017 at 15:58, Adrian Jenzer <a.jen...@herzogdemeuron.com> wrote:
>
> Dear all
>
> I'm looking for instructions on how to set up a jailed chroot directory for
> user which needs to upload via scp to the server.
> Especially I miss clear instructions about what needs to be in the jailed
> directory available, like binaries, libraries, etc...
> Without jail I get it to work, but I want to prevent user downloading for
> example /etc folder from the server.
>
> Does anybody have a link or list valid for Centos7
>

Can't you use SFTP?

AFAIK, sftp automatically chroots a user with no valid shell (provided the home directory is owned by root and not writeable by the user and you use Subsystem internal-sftp).

https://github.com/mysecureshell/mysecureshell
Re: [CentOS] scp setup jailed chroot on Centos7
> On 20.10.2017 at 15:58, Adrian Jenzer wrote:
>
> Dear all
>
> I'm looking for instructions on how to set up a jailed chroot directory for
> user which needs to upload via scp to the server.
> Especially I miss clear instructions about what needs to be in the jailed
> directory available, like binaries, libraries, etc...
> Without jail I get it to work, but I want to prevent user downloading for
> example /etc folder from the server.
>
> Does anybody have a link or list valid for Centos7
>

Can’t you use SFTP?

AFAIK, sftp automatically chroots a user with no valid shell (provided the home directory is owned by root and not writeable by the user and you use Subsystem internal-sftp).
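
The ownership precondition mentioned in the reply above (chroot directory owned by root and not writable by the user), as an added example that is not part of the thread: a shell check that walks a candidate ChrootDirectory and every parent, applying the test sshd applies to each path component. The group name `sftponly`, the path `/srv/sftp` and the function names are hypothetical; GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit a directory meant for sshd's ChrootDirectory.
# Assumed sshd_config (constructed; group "sftponly" and /srv/sftp are
# hypothetical):
#   Subsystem sftp internal-sftp
#   Match Group sftponly
#       ChrootDirectory /srv/sftp/%u
#       ForceCommand internal-sftp
# sshd refuses the session unless every component of the chroot path is a
# directory owned by root and not writable by group or others.

# check_component PATH [OWNER_UID]: return 0 if PATH passes, 1 otherwise.
# OWNER_UID defaults to 0 (root); override it only for unprivileged dry runs.
check_component() {
    p=$1; want_uid=${2:-0}
    if [ ! -d "$p" ] || [ -L "$p" ]; then
        echo "FAIL $p: not a real directory"; return 1
    fi
    uid=$(stat -c %u "$p"); mode=$(stat -c %a "$p")   # GNU stat, as on CentOS
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $p: owner uid $uid, expected $want_uid"; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $p: mode $mode is group- or other-writable"; return 1
    fi
    echo "ok   $p (uid $uid, mode $mode)"
}

# check_chroot_path PATH: test PATH and every parent up to /.
check_chroot_path() {
    dir=$1; rc=0
    case $dir in
        /*) ;;
        *) echo "FAIL $dir: need an absolute path"; return 1 ;;
    esac
    while :; do
        check_component "$dir" 0 || rc=1
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

Any `FAIL` line names the component to fix; the user's writable upload area then goes in a subdirectory below the chroot root, owned by the user.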