Hi Victor,

> Well, could you (or someone else) point me in the direction of a
> clear and well defined guide for centos 5.4 and setting up jailing
> of chroot users that won't allow them to path outside of their
> jailed directories at all?

I know how to do it but it's been some years since I had to. In the past
I've done it on RHEL4 and HP-UX 10/11.

From memory (and someone can correct me if I'm wrong here), the general
process is:

1. decide on scp or sftp
2. depending on 1, use "ldd" to find the shared libraries required for the
   binary. Newer openssh versions don't need this step for chroot sftp, only
   for chroot scp.
3. enable the "ChrootDirectory" option in sshd_config and set your directory
   to chroot
4. assign a subdirectory of that directory as the user's home directory
   (forgot whether that's something like /chroot/./home/ or similar)

> I know of rssh part of things to restrict commands etc. But I need
> the chroot side of things too. So far in those that DO have chroot
> running, they've had to build later versions of openssh and I'd
> rather have a packaged install from rpm/epel or centos.

I actually don't like the way the developers do the chroot, since they
require that you have a new home directory structure. When I need this, I
personally chroot people using this tool:

# rpm -qi lshell
Name        : lshell                          Relocations: /usr
Version     : 0.9.8                           Vendor: Ignace Mouzannar (ghantoos) <[email protected]>
Release     : 1                               Build Date: Tue 01 Dec 2009 09:50:54 AM EST
Install Date: Mon 14 Dec 2009 12:16:55 PM EST Build Host: g-centos5
Group       : System Environment/Shells       Source RPM: lshell-0.9.8-1.src.rpm
Size        : 127720                          License: GPL
Signature   : (none)
URL         : http://lshell.ghantoos.org
Summary     : Limited Shell
Description :
lshell is a shell coded in Python that lets you restrict a user's
environment to limited sets of commands, choose to enable/disable any
command over SSH (e.g. SCP, SFTP, rsync, etc.), log user's commands,
implement timing restrictions, and more.

It allows me to set the commands, their home_path (which is the chroot),
whether they can use scp, sftp, etc. I've used it for years and it works
fine and doesn't require any special chroot directory trees or libraries
like openssh does.

Regards,

Michael.
> On Fri, Mar 5, 2010 at 4:32 PM, Michael Mansour <[email protected]> wrote:
>
> > Hi,
> >
> > > I'd like to see rpmforge look to update OpenSSH to 4.8p1 or later.
> > > Reason is this version (from what I can determine) has the built-in
> > > ability to Jail users to their home directory if you enabled SSH
> > > (IE: SFTP).
> > >
> > > But in the versions available in centos / rpm / epel they are all at
> > > 4.3 something.
> >
> > The last openssh version I have:
> >
> > openssh-4.3p2-36.el5_4.2.i386
> >
> > Supports it (from the man page):
> >
> > ChrootDirectory
> >         Specifies a path to chroot(2) to after authentication. This
> >         path, and all its components, must be root-owned directories
> >         that are not writable by any other user or group.
> >
> >         The path may contain the following tokens that are expanded at
> >         runtime once the connecting user has been authenticated: %% is
> >         replaced by a literal ’%’, %h is replaced by the home directory
> >         of the user being authenticated, and %u is replaced by the
> >         username of that user.
> >
> >         The ChrootDirectory must contain the necessary files and
> >         directories to support the users’ session. For an interactive
> >         session this requires at least a shell, typically sh(1), and
> >         basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4),
> >         stderr(4), arandom(4) and tty(4) devices. For file transfer
> >         sessions using “sftp”, no additional configuration of the
> >         environment is necessary if the in-process sftp server is used
> >         (see Subsystem for details). “internal-sftp” will force the use
> >         of an in-process sftp server that requires no support files
> >         when used with ChrootDirectory.
> >
> >         The default is not to chroot(2).
> >
> > Regards,
> >
> > Michael.
> >
> > > Thanks in advance!
> > >
> > > --
> > > Victor ('Daworm')
> > > * Melbourne Wireless Node: KDJ & KDT
> > > * Natural Selection 2 Wiki Sysop (http://www.unknownworlds.com/ns2/wiki/)
> > > * AoCWiki Sysop (http://aoc.wikia.com/)
> > > * Twitter: @dawormie
> >
> > ------- End of Original Message -------
>
> --
> Victor ('Daworm')
> * Melbourne Wireless Node: KDJ & KDT
> * Natural Selection 2 Wiki Sysop (http://www.unknownworlds.com/ns2/wiki/)
> * AoCWiki Sysop (http://aoc.wikia.com/)
> * Twitter: @dawormie

------- End of Original Message -------

_______________________________________________
suggest mailing list
[email protected]
http://lists.rpmforge.net/mailman/listinfo/suggest
