06-07-2008, 03:49 AM
"Filipe Brandenburger"

Chroot'ed SSH

Hi,

Is anyone chrooting users that connect through SSH?

I looked for it on Google and I basically saw several methods:
- OpenSSH 5 supports ChrootDirectory (FC9 apparently has RPMs that
probably could be rebuilt under CentOS 5)
- There seem to be several patches for OpenSSH 4.x to do the chroot,
the most popular seems to be http://chrootssh.sf.net/
- There appears to be a pam_chroot
- There are solutions based on setting the user's shell to a
script/binary that does the chroot

By quickly looking at yum list, it doesn't seem like either RHEL or
CentOS directly supports any of those; at least I didn't find any RPMs
for any of those.

If anyone is doing it, I would like to know what were your experiences
and if you would recommend doing it or not.

I'm especially interested in anything that doesn't involve replacing
the OpenSSH that comes with CentOS; after all, that's what CentOS is
all about. If you start replacing the pieces, what's the point...

Thanks a lot!
Filipe
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
06-07-2008, 04:18 AM
Eric Wood

Chroot'ed SSH

Filipe Brandenburger wrote:
> Hi,
>
> Is anyone chrooting users that connect through SSH?

Just the other week sshd 4.9 enabled chroot for the first time I think.
Fairly new stuff. You'll have to roll your own rpm for CentOS as it
will be unlikely that they roll it - probably not even for 5.2 either.


* Added chroot(2) support for sshd(8), controlled by a new option
"ChrootDirectory". Please refer to sshd_config(5) for details, and
please use this feature carefully. (bz#177 bz#1352)

pam_chroot might get deprecated.


-eric
06-07-2008, 04:24 AM
"Filipe Brandenburger"

Chroot'ed SSH

On Sat, Jun 7, 2008 at 12:18 AM, Eric Wood <eric@interplas.com> wrote:
> Just the other week sshd 4.9 enabled chroot for the first time I think.
> Fairly new stuff. You'll have to roll your own rpm for CentOS as it will
> be unlikely that they roll it - probably not even for 5.2 either.

Yeah, I was considering rebuilding FC9 RPM of OpenSSH 5.0 which would
include the feature. However, I would rather avoid using an SSH server
other than the one provided by CentOS, since the whole point of
RHEL/CentOS is to have a certified platform, if you start replacing
packages you might break that.

> pam_chroot might get deprecated.

I was digging into the issue and I realised pam_chroot is actually
installed in CentOS 5 by default:

$ rpm -ql pam.x86_64 | grep chroot
/etc/security/chroot.conf
/lib64/security/pam_chroot.so
/usr/share/doc/pam-0.99.6.2/txts/README.pam_chroot

I googled around but I didn't find any howto's on how to enable it and
set it up. Is anyone using it successfully? Does it integrate
seamlessly with OpenSSH? How should I set it up?

Thanks!
Filipe
06-09-2008, 01:00 PM
Alain Terriault

Chroot'ed SSH

Easy way to get sshd ver. 5 installed on CentOS 5:
http://fs12.vsb.cz/hrb33/el5/hrb-ssh/stable/SRPMS/
rpmbuild --rebuild openssh-5.0p1-1.el5.hrb.src.rpm
worked for me... but honestly, as excited as I was, I do not find
chroot to be that useful... if I remember correctly, the chroot
directory has to be owned by root and was not possible with my setup.


Alternative:
"scponly" from the EPEL Repositories
(http://download.fedora.redhat.com/pub/epel/5/x86_64/)

will give your users secure file transfer access without a terminal.

My favorite:
"rssh": rssh is a restricted shell for use with OpenSSH, allowing only
scp and/or sftp. For example, if you have a server which you only want
to allow users to copy files off of via scp, without providing shell
access, you can use rssh to do that.


Hope this helps,
alain
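
Added example (not part of any post in this thread): the ownership requirement mentioned above comes from sshd_config(5), which says every component of the ChrootDirectory path must be a root-owned directory not writable by any other user or group. This sketch audits a candidate directory against that rule; it assumes GNU stat as shipped on CentOS, and the function names and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory for use as sshd's ChrootDirectory.
# Rule (sshd_config(5)): every path component must be a root-owned
# directory that is not writable by group or others.

# component_ok UID OCTAL_MODE: succeeds if one path component is acceptable.
component_ok() {
    [ "$1" -eq 0 ] || return 1                 # owner must be root (uid 0)
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1     # no group/other write bit
    return 0
}

# check_chroot_path DIR: prints each offending component.
# Returns 0 if all components pass, 1 if any fails, 2 if DIR is unusable.
check_chroot_path() {
    # Resolve symlinks so the real components are the ones inspected.
    cc_path=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        return 2
    }
    cc_bad=0
    while :; do
        cc_uid=$(stat -c %u -- "$cc_path")     # numeric owner (GNU stat)
        cc_mode=$(stat -c %a -- "$cc_path")    # octal mode, e.g. 755 or 1777
        if ! component_ok "$cc_uid" "$cc_mode"; then
            echo "FAIL $cc_path (uid=$cc_uid mode=$cc_mode)"
            cc_bad=1
        fi
        [ "$cc_path" = / ] && break
        cc_path=$(dirname -- "$cc_path")       # walk up towards /
    done
    return "$cc_bad"
}

# Usage (hypothetical path):
#   check_chroot_path /srv/chroot/alice && echo "usable as ChrootDirectory"
```

A user's home directory fails this check when used directly as the chroot, since it is owned by the user; a root-owned parent with a user-writable subdirectory inside it passes.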
