Re: [CentOS] scp setup jailed chroot on Centos7

2017-10-24 Thread Adrian Jenzer
That's correct, forgot to mention it. We ended up using SFTP (or at least 
offering it to external).


-Original Message-
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of 
rai...@ultra-secure.de
Sent: Tuesday, 24 October 2017 15:24
To: CentOS mailing list
Subject: Re: [CentOS] scp setup jailed chroot on Centos7

On 2017-10-24 12:19, Adrian Jenzer wrote:

> Hi Rainer
> I would if I could but external offers only FTP and SCP...
> 
> Regards Adrian


AFAIK, for scp you need a proper shell.

I've done that exactly once (chrooted ssh) and it was such a pain that I 
vowed to never do it again.

The problem is that inside the chroot, you need:

  - name resolution
  - a minimal passwd/shadow/group file (or ldap)
  - maybe for scp, you can get away with a rather minimal device-tree - 
but for actual SSH access, I needed a fairly complete device tree inside 
the chroot (ttys ...).
  - that was with FreeBSD 10, I never tried it with anything else (due to 
its history with jails, creating functional, limited chroot-environments 
is somewhat in its genes, so to speak)

Somebody sent me the link to these scripts:

https://github.com/codelibre-net/schroot

Maybe you can use those scripts - I've never tried them.


Also, there's scp-only:
https://github.com/scponly/scponly/wiki

Haven't used that in years, either.
Concern over that one seemed to be that it's "another" shell and nobody 
had apparently done a thorough audit of it.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] scp setup jailed chroot on Centos7

2017-10-24 Thread rainer

On 2017-10-24 12:19, Adrian Jenzer wrote:

> Hi Rainer
> I would if I could but external offers only FTP and SCP...
> 
> Regards Adrian



AFAIK, for scp you need a proper shell.

I've done that exactly once (chrooted ssh) and it was such a pain that I 
vowed to never do it again.


The problem is that inside the chroot, you need:

 - name resolution
 - a minimal passwd/shadow/group file (or ldap)
 - maybe for scp, you can get away with a rather minimal device-tree - 
but for actual SSH access, I needed a fairly complete device tree inside 
the chroot (ttys ...).
 - that was with FreeBSD 10, I never tried it with anything else (due to 
its history with jails, creating functional, limited chroot-environments 
is somewhat in its genes, so to speak)


Somebody sent me the link to these scripts:

https://github.com/codelibre-net/schroot

Maybe you can use those scripts - I've never tried them.


Also, there's scp-only:
https://github.com/scponly/scponly/wiki

Haven't used that in years, either.
Concern over that one seemed to be that it's "another" shell and nobody 
had apparently done a thorough audit of it.



Re: [CentOS] scp setup jailed chroot on Centos7

2017-10-24 Thread Adrian Jenzer


-Original Message-
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of tbucha...@vinu.edu
Sent: Saturday, 21 October 2017 02:14
To: CentOS mailing list
Subject: Re: [CentOS] scp setup jailed chroot on Centos7

-"CentOS" <centos-boun...@centos.org> wrote: -To: CentOS mailing list 
<centos@centos.org>
From: Rainer Duffner 
Sent by: "CentOS" 
Date: 10/20/2017 08:00PM
Subject: Re: [CentOS] scp setup jailed chroot on Centos7

> On 20.10.2017 at 15:58, Adrian Jenzer <a.jen...@herzogdemeuron.com> wrote:
> 
> Dear all
> 
> I'm looking for instructions on how to setup a jailed chroot directory for 
> user which needs to upload via scp to the server.
> Especially I miss clear instructions about what needs to be in the jailed 
> directory available, like binaries, libraries, etc...
> Without jail I get it to work, but I want to prevent user downloading for 
> example /etc folder from the server.
> 
> Does anybody have a link or list valid for Centos7
> 



Can't you use SFTP?

AFAIK, sftp automatically chroots a user with no valid shell (provided the home 
directory is owned by root and not writeable by the user and you use Subsystem 
internal-sftp).





https://github.com/mysecureshell/mysecureshell


Thanks for this. Didn't know about it. And setup is pretty straightforward. 
The repo for Centos6 works with 7 too.

[mysecureshell]
name=MySecureShell
baseurl=http://mysecureshell.free.fr/repository/index.php/centos/6.4/
enabled=1
gpgcheck=0


regards Adrian



Re: [CentOS] scp setup jailed chroot on Centos7

2017-10-24 Thread Adrian Jenzer


-Original Message-
From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Rainer Duffner
Sent: Saturday, 21 October 2017 00:41
To: CentOS mailing list
Subject: Re: [CentOS] scp setup jailed chroot on Centos7


> On 20.10.2017 at 15:58, Adrian Jenzer <a.jen...@herzogdemeuron.com> wrote:
> 
> Dear all
> 
> I'm looking for instructions on how to setup a jailed chroot directory for 
> user which needs to upload via scp to the server.
> Especially I miss clear instructions about what needs to be in the jailed 
> directory available, like binaries, libraries, etc...
> Without jail I get it to work, but I want to prevent user downloading for 
> example /etc folder from the server.
> 
> Does anybody have a link or list valid for Centos7
> 



Can’t you use SFTP?

AFAIK, sftp automatically chroots a user with no valid shell (provided the home 
directory is owned by root and not writeable by the user and you use Subsystem 
internal-sftp).



Hi Rainer
I would if I could but external offers only FTP and SCP...

Regards Adrian


Re: [CentOS] scp setup jailed chroot on Centos7

2017-10-20 Thread tbuchanan
-"CentOS" <centos-boun...@centos.org> wrote: -To: CentOS mailing list 
<centos@centos.org>
From: Rainer Duffner 
Sent by: "CentOS" 
Date: 10/20/2017 08:00PM
Subject: Re: [CentOS] scp setup jailed chroot on Centos7

> On 20.10.2017 at 15:58, Adrian Jenzer <a.jen...@herzogdemeuron.com> wrote:
> 
> Dear all
> 
> I'm looking for instructions on how to setup a jailed chroot directory for 
> user which needs to upload via scp to the server.
> Especially I miss clear instructions about what needs to be in the jailed 
> directory available, like binaries, libraries, etc...
> Without jail I get it to work, but I want to prevent user downloading for 
> example /etc folder from the server.
> 
> Does anybody have a link or list valid for Centos7
> 



Can't you use SFTP?

AFAIK, sftp automatically chroots a user with no valid shell (provided the home 
directory is owned by root and not writeable by the user and you use Subsystem 
internal-sftp).





https://github.com/mysecureshell/mysecureshell


Re: [CentOS] scp setup jailed chroot on Centos7

2017-10-20 Thread Rainer Duffner

> On 20.10.2017 at 15:58, Adrian Jenzer wrote:
> 
> Dear all
> 
> I'm looking for instructions on how to setup a jailed chroot directory for 
> user which needs to upload via scp to the server.
> Especially I miss clear instructions about what needs to be in the jailed 
> directory available, like binaries, libraries, etc...
> Without jail I get it to work, but I want to prevent user downloading for 
> example /etc folder from the server.
> 
> Does anybody have a link or list valid for Centos7
> 



Can’t you use SFTP?

AFAIK, sftp automatically chroots a user with no valid shell (provided the home 
directory is owned by root and not writeable by the user and you use Subsystem 
internal-sftp).



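
Added example, not part of the original thread: a shell check for the ownership condition mentioned above for a chrooted internal-sftp account. sshd applies that condition to every directory in the ChrootDirectory path, so the script walks the whole path. The account name "uploader" and the path /srv/sftp/uploader are hypothetical, and GNU stat (as on CentOS) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed sshd_config for a hypothetical
# account "uploader" jailed in the hypothetical path /srv/sftp/uploader:
#   Subsystem sftp internal-sftp
#   Match User uploader
#       ChrootDirectory /srv/sftp/uploader
#       ForceCommand internal-sftp
# sshd refuses the session unless every directory in the ChrootDirectory path
# is owned by root and not writable by group or others, so uploads go into a
# user-owned subdirectory such as /srv/sftp/uploader/incoming.

# check_chroot_component DIR [OWNER_UID]
# Succeeds if DIR is a directory owned by OWNER_UID (default 0, root) with
# no group/other write bit. stat -L follows symlinks, like stat(2).
check_chroot_component() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"; return 1
    fi
    uid=$(stat -L -c %u "$dir") || return 1
    mode=$(stat -L -c %a "$dir") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"; return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = g+w | o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group/other writable"; return 1
    fi
    echo "ok   $dir (uid $uid, mode $mode)"
}

# check_chroot_path DIR [OWNER_UID]
# Walks from DIR up to / and reports every component that fails the check.
check_chroot_path() {
    case $1 in
        /*) p=$1 ;;
        *)  echo "FAIL $1: need an absolute path"; return 2 ;;
    esac
    rc=0
    while :; do
        check_chroot_component "$p" "${2:-0}" || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}
```

Run as `check_chroot_path /srv/sftp/uploader` after sourcing the file; a non-zero exit status means at least one path component has the wrong owner or mode.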