Re: SSH Chroot FreeBSD 10.1 and 10.2
On Saturday 22 August 2015, Roger Leigh rle...@codelibre.net wrote the following:

> On 22/08/2015 15:01, Brandon Allbery wrote:
>
>> On Sat, Aug 22, 2015 at 10:54 AM, Rainer Duffner rai...@ultra-secure.de wrote:
>>
>>> I found it’s much easier to have actual chroot’ed ssh users once the users themselves are in an LDAP-directory. Also, for doing anything useful on that shell, it turned out you need some more devices in /dev than the usual chroot (like a chroot’ed PHP-FPM, that just needs the dev-set of jail(4)). And a couple of symlinks.
>>
>> Yep; chroots are always a pain to deal with. I have seen utilities to manage them, but only for Linux.
>
> For your information, I'm in the process of porting my schroot chroot management tool to FreeBSD.
>
> https://github.com/codelibre-net/schroot
>
> This was traditionally a Linux (Debian) chroot tool for building source packages, but it's worked on Debian GNU/kFreeBSD for a good while so it already supported nullfs filesystem mounts, e.g. of home directories and devices, and now the work to build it on FreeBSD proper is done--I was blocked on toolchain/linker bugs for the last 18 months until 10.2 came out (C++11 nullptr_t was broken).
>
> The master branch is current development work, and I got it all building on FreeBSD 10.2-RELEASE just yesterday. It's not yet actually *tested* on FreeBSD other than the unit tests pass. So it might not be production-ready right now, but it should be fairly soon. Now it's building, I'll also look at adding some FreeBSD-specific features to it as well, like ZFS snapshots, jail support, etc.
>
> While the compiled binaries should be fine, there may be residual Debianisms/GNU libc-isms in the setup scripts. They are likely trivial to fix though.
>
> If anyone wants to give it a try and provide some feedback, or if you have any suggestions or feature requests, please just let me know either by mail or at https://github.com/codelibre-net/schroot/issues
>
> Instructions for building on FreeBSD are in the README: https://github.com/codelibre-net/schroot/blob/master/README.md
>
> Kind regards,
> Roger

Thank you all for your time and contribution. I will look at the suggestions given here in the coming days.

Regards
Johan

___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
Re: SSH Chroot FreeBSD 10.1 and 10.2
On Sat, Aug 22, 2015 at 9:32 AM, Johan Hendriks joh.hendr...@gmail.com wrote:

>     Last login: Sat Aug 22 17:05:52 2015 from 192.168.1.13
>     Could not chdir to home directory /restricted/testuser1: No such file or directory
>     Cannot read termcap database; using dumb terminal settings.
>     %
>
> From here I can do ls and so on if I copy ls, mkdir and other programs from /rescue to /restricted/username/bin, and can not escape my home, this is what I want but the error messages are frustrating.

You have the chroot directory both as a chroot directory and a home directory. This means that the *actual* home directory, as seen from outside the chroot, is /restricted/testuser1/restricted/testuser1. (Home directory is *inside* the chroot directory and therefore relative to it.)

The termcap message should be self-explanatory; you're missing /etc/termcap inside the chroot.

chroot is what it says on the tin: once set, the specified directory is /. Every file accessed from that point on MUST be available from a tree in which the specified chroot directory is /. This includes symlinks --- symlink resolution doesn't get to see outside the specified / any more than anything else running in the chroot does, so you cannot simply symlink to a file outside the chroot. (Hard links are fine, since they are actually by inode number; they just have to be on the same partition.)

-- 
brandon s allbery kf8nh
sine nomine associates
allber...@gmail.com ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad
http://sinenomine.net
Re: SSH Chroot FreeBSD 10.1 and 10.2
On 22.08.2015 at 15:45, Brandon Allbery allber...@gmail.com wrote:

> On Sat, Aug 22, 2015 at 9:32 AM, Johan Hendriks joh.hendr...@gmail.com wrote:
>
> chroot is what it says on the tin: once set, the specified directory is /. Every file accessed from that point on MUST be available from a tree in which the specified chroot directory is /. This includes symlinks --- symlink resolution doesn't get to see outside the specified / any more than anything else running in the chroot does, so you cannot simply symlink to a file outside the chroot. (Hard links are fine, since they are actually by inode number; they just have to be on the same partition.)

I found it’s much easier to have actual chroot’ed ssh users once the users themselves are in an LDAP-directory. Also, for doing anything useful on that shell, it turned out you need some more devices in /dev than the usual chroot (like a chroot’ed PHP-FPM, that just needs the dev-set of jail(4)). And a couple of symlinks.

I’ve done this once for a customer (chroot’ed ssh accounts) and unless this gets easier in the future, I’ve made a note to myself to not do that again any time soon.

I hadn’t thought of just using /rescue (I would nullfs-mount it into your target-directory, else you’ve got to copy it again every time you run freebsd-update). But in my php-fpm chroots, I also need stuff from packages (ImageMagick, most notably). I end up nullfs-mounting most of the system (except /sbin directories) into the various chroots, but I was always looking for a better approach. It’s all a bit of a hack, with lots of stuff borrowed from ezjail ;-)

The big advantage of using nullfs mounts is that I don’t have to think about updating the chroots if I update the packages (except /var/run/ld-elf*).

Thinking about this: now that we have pkg - would pkg -c (chroot) also create the SQLite DB inside the chroot?

Regards,
Rainer
SSH Chroot FreeBSD 10.1 and 10.2
Hello all.

I want to use the ChrootDirectory feature of openssh on FreeBSD 10.2. And I tried it on 10.1 but gave up... Whatever I do I can not make it work on 10 without error messages, but I got it working on FreeBSD 8.

This is what I have in my /etc/ssh/sshd_config file.

    # Example of overriding settings on a per-user basis
    Match User testuser1
        ChrootDirectory /restricted/%u
        X11Forwarding no
        AllowTcpForwarding no

I created the dir /restricted and the directory testuser1; the permissions are set to root owned. I created the directory /bin inside /restricted/testuser1 and put the sh file from /rescue there.

If I log on to the system I get the following:

    ssh testuser1@192.168.1.14
    Password for testuser1@node_1:
    Last login: Sat Aug 22 17:05:52 2015 from 192.168.1.13
    Could not chdir to home directory /restricted/testuser1: No such file or directory
    Cannot read termcap database; using dumb terminal settings.
    %

From here I can do ls and so on if I copy ls, mkdir and other programs from /rescue to /restricted/username/bin, and can not escape my home, this is what I want but the error messages are frustrating.

If I change to csh in /etc/passwd it gives me the following:

    sh testuser1@192.168.1.14
    Password for testuser1@node_1:
    Last login: Sat Aug 22 17:16:32 2015 from 192.168.1.13
    Could not chdir to home directory /restricted/testuser1: No such file or directory
    csh: Cannot open /etc/termcap.
    csh: using dumb terminal settings.
    %

I think I followed all the tutorials on the internet, and now I get to the point it gets really frustrating. :D I think I do something wrong, but I can not find it. Is there someone who got this working on FreeBSD 10? I have it working on my linux machines also without problem.

Thank you for your time.

regards
Johan
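The setup and the two error messages above, and Brandon's explanation of why they appear, as an added example that is not code from the thread: a POSIX sh script that builds a minimal ChrootDirectory skeleton in a scratch directory and then audits it the way sshd(8) will. It checks the rule from sshd_config(5) that the chroot directory and every path component above it must be root-owned and not group- or world-writable, whether the passwd home and login shell exist once they are resolved inside the chroot, whether /etc/termcap is present, and whether absolute symlinks in the tree point at something that exists inside it. The scratch path, the user name testuser1 and the function names build_chroot and audit_chroot are constructed for the example; /rescue/sh and /etc/termcap are copied when the host has them (FreeBSD) and labelled fallbacks are used otherwise.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a minimal sshd ChrootDirectory
# skeleton in a scratch directory and audits it for the mistakes discussed in
# the thread. Assumes POSIX sh plus find and readlink; everything under $ROOT
# is constructed for the demo.

# Create the skeleton under $1. sshd needs the shell named in the passwd entry
# and, for a usable terminal, /etc/termcap inside the chroot. /rescue binaries
# are statically linked, which is why they work without copying any libraries.
build_chroot() {
    root=$1
    mkdir -p "$root/bin" "$root/etc" "$root/dev"
    if [ -x /rescue/sh ]; then
        cp /rescue/sh "$root/bin/sh"
    else
        cp "$(command -v sh)" "$root/bin/sh"   # fallback on non-FreeBSD hosts
    fi
    # On FreeBSD /etc/termcap is itself a symlink into /usr/share/misc; a plain
    # cp follows it, so the chroot gets the real file, not a dangling link.
    if [ -f /etc/termcap ]; then
        cp /etc/termcap "$root/etc/termcap"
    else
        : > "$root/etc/termcap"                # constructed placeholder for the demo
    fi
}

# Audit chroot $1 for passwd home $2 and login shell $3. Prints one finding
# per line ("tag: path") and nothing when the tree is clean.
audit_chroot() {
    root=$1 home=$2 shell=$3
    # sshd_config(5): the chroot directory and every component of its path must
    # be owned by root and not writable by group or others, otherwise sshd
    # refuses the login with "bad ownership or modes for chroot directory".
    dir=$root
    while :; do
        [ -z "$(find "$dir" -prune ! -user root -print 2>/dev/null)" ] \
            || echo "not-root-owned: $dir"
        [ -z "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ] \
            || echo "group-or-world-writable: $dir"
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    # The passwd home is resolved inside the chroot: with ChrootDirectory
    # /restricted/%u and home /restricted/testuser1 the shell looks for
    # /restricted/testuser1/restricted/testuser1, hence "Could not chdir".
    [ -d "$root$home" ]        || echo "missing-home: $root$home"
    [ -x "$root$shell" ]       || echo "missing-shell: $root$shell"
    [ -f "$root/etc/termcap" ] || echo "missing-termcap: $root/etc/termcap"
    # Absolute symlink targets are resolved against the chroot's own /, so a
    # link to a path that only exists on the host is dangling once inside.
    # Relative targets are left alone here.
    find "$root" -type l | while read -r link; do
        target=$(readlink "$link")
        case $target in
            /*) [ -e "$root$target" ] || echo "dangling-symlink: $link -> $target" ;;
        esac
    done
}

# Demo on a constructed scratch tree; on a real host ROOT is /restricted/testuser1.
ROOT=$(mktemp -d)/restricted/testuser1
build_chroot "$ROOT"
echo "== before: the home is the chroot itself, so it does not exist inside it"
audit_chroot "$ROOT" /restricted/testuser1 /bin/sh
mkdir -p "$ROOT/restricted/testuser1"   # one fix: create the home *inside* the chroot
echo "== after"
audit_chroot "$ROOT" /restricted/testuser1 /bin/sh
rm -rf "${ROOT%/restricted/testuser1}"
```

Run as is, the first audit reports the missing nested home and the second one no longer does; a scratch tree under /tmp is also flagged as having a world-writable parent, which is exactly the check that makes sshd refuse a chroot placed under a writable directory. On a real system the script has to run as root so the tree ends up root-owned. Rainer's nullfs approach fits the same audit: mounting /rescue read-only into the tree instead of copying it satisfies the shell check and removes the need to re-copy after freebsd-update.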
Re: SSH Chroot FreeBSD 10.1 and 10.2
On Sat, Aug 22, 2015 at 10:54 AM, Rainer Duffner rai...@ultra-secure.de wrote:

> I found it’s much easier to have actual chroot’ed ssh users once the users themselves are in an LDAP-directory. Also, for doing anything useful on that shell, it turned out you need some more devices in /dev than the usual chroot (like a chroot’ed PHP-FPM, that just needs the dev-set of jail(4)). And a couple of symlinks.

Yep; chroots are always a pain to deal with. I have seen utilities to manage them, but only for Linux.

-- 
brandon s allbery kf8nh
sine nomine associates
allber...@gmail.com ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad
http://sinenomine.net
Re: SSH Chroot FreeBSD 10.1 and 10.2
On 22/08/2015 15:01, Brandon Allbery wrote:

> On Sat, Aug 22, 2015 at 10:54 AM, Rainer Duffner rai...@ultra-secure.de wrote:
>
>> I found it’s much easier to have actual chroot’ed ssh users once the users themselves are in an LDAP-directory. Also, for doing anything useful on that shell, it turned out you need some more devices in /dev than the usual chroot (like a chroot’ed PHP-FPM, that just needs the dev-set of jail(4)). And a couple of symlinks.
>
> Yep; chroots are always a pain to deal with. I have seen utilities to manage them, but only for Linux.

For your information, I'm in the process of porting my schroot chroot management tool to FreeBSD.

https://github.com/codelibre-net/schroot

This was traditionally a Linux (Debian) chroot tool for building source packages, but it's worked on Debian GNU/kFreeBSD for a good while so it already supported nullfs filesystem mounts, e.g. of home directories and devices, and now the work to build it on FreeBSD proper is done--I was blocked on toolchain/linker bugs for the last 18 months until 10.2 came out (C++11 nullptr_t was broken).

The master branch is current development work, and I got it all building on FreeBSD 10.2-RELEASE just yesterday. It's not yet actually *tested* on FreeBSD other than the unit tests pass. So it might not be production-ready right now, but it should be fairly soon. Now it's building, I'll also look at adding some FreeBSD-specific features to it as well, like ZFS snapshots, jail support, etc.

While the compiled binaries should be fine, there may be residual Debianisms/GNU libc-isms in the setup scripts. They are likely trivial to fix though.

If anyone wants to give it a try and provide some feedback, or if you have any suggestions or feature requests, please just let me know either by mail or at https://github.com/codelibre-net/schroot/issues

Instructions for building on FreeBSD are in the README: https://github.com/codelibre-net/schroot/blob/master/README.md

Kind regards,
Roger