rssh support chrooting option. If you
want to chroot users, use chrootpath option. It is used to set the
directory where the root of the chroot jail will be located. This is
a security feature.
A chroot on Linux or Unix OS is an
operation that changes the root directory. It affects only the
current process and its children. If your default home directory is
/home/rajat normal user can access files in /etc, /sbin or /bin
directory. This allows an attacker to install programs / backdoor via
your web server in /tmp. chroot allows to restrict file system access
and locks down user to their own directory.
Configuring rssh chroot
=> Chroot directory: /users.
Tip: If possible mount /users
filesystem with the noexec/nosuid option to improve security.
=> Required directories in jail:
/users/dev - Device file
/users/etc - Configuration file such as
passwd
/users/lib - Shared libs
/users/usr - rssh and other binaries
/users/bin - Copy default shell such as
/bin/csh or /bin/bash
=> Required files in jail at /users
directory (default for RHEL / CentOS / Debian Linux):
/etc/ld.so.cache
/etc/ld.so.cache.d/*
/etc/ld.so.conf
/etc/nsswitch.conf
/etc/passwd
/etc/group
/etc/hosts
/etc/resolv.conf
/usr/bin/scp
/usr/bin/rssh
/usr/bin/sftp
/usr/libexec/openssh/sftp-server OR
/usr/lib/openssh/sftp-server
/usr/libexec/rssh_chroot_helper OR
/usr/lib/rssh/rssh_chroot_helper (suid must be set on this binary)
/bin/sh or /bin/bash (default shell)
Tip: Limit the binaries which live in
the jail to the absolute minimum required to improve security.
Usually /bin/bash and /bin/sh is not required but some system may
give out error.
A note about jail file system
Note: The files need to be placed in
the jail directory (such as /users) in directories that mimic their
placement in the root (/) file system. So you need to copy all
required files. For example, /usr/bin/rssh is located on / file
system. If your jail is located at /users, then copy /usr/bin/rssh to
/users/usr/bin/rssh. Following instuctions are tested on:
FreeBSD
Solaris UNIX
RHEL / Redhat / Fedora / CentOS Linux
Debian Linux
Building the Chrooted Jail
Create all required directories:
# mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/libexec/openssh
Create /users/dev/null:
# mknod -m 666 /users/dev/null c 1 3
Copy required /etc/ configuration
files, as described above to your jail directory /users/etc:
# cd /users/etc
# cp /etc/ld.so.cache .
# cp -avr /etc/ld.so.cache.d/ .
# cp /etc/ld.so.conf .
# cp /etc/nsswitch.conf .
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/resolv.conf .
Open /usres/group and /users/passwd
file and remove root and all other accounts.
Copy required binary files, as
described above to your jail directory /users/bin and other
locations:
# cd /users/usr/bin
# cp /usr/bin/scp .
# cp /usr/bin/rssh .
# cp /usr/bin/sftp .
# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .
OR
# cp /usr/lib/openssh/sftp-server .
# cd /users/usr/libexec/
# cp /usr/libexec/rssh_chroot_helper
OR
# cp /usr/lib/rssh/rssh_chroot_helper
# cd /users/bin/
# cp /bin/sh .
OR
# cp /bin/bash .
Copy all shared library files
The library files that any of these
binary files need can be found by using the ldd / strace command. For
example, running ldd against /usr/bin/sftp provides the following
output:
ldd /usr/bin/sftp
Output:
linux-gate.so.1 =>
(0x00456000)
libresolv.so.2 =>
/lib/libresolv.so.2 (0x0050e000)
libcrypto.so.6 =>
/lib/libcrypto.so.6 (0x0013e000)
libutil.so.1 =>
/lib/libutil.so.1 (0x008ba000)
libz.so.1 =>
/usr/lib/libz.so.1 (0x00110000)
libnsl.so.1 =>
/lib/libnsl.so.1 (0x0080e000)
libcrypt.so.1 =>
/lib/libcrypt.so.1 (0x00a8c000)
libgssapi_krb5.so.2 =>
/usr/lib/libgssapi_krb5.so.2 (0x00656000)
libkrb5.so.3 =>
/usr/lib/libkrb5.so.3 (0x00271000)
libk5crypto.so.3 =>
/usr/lib/libk5crypto.so.3 (0x00304000)
libcom_err.so.2 =>
/lib/libcom_err.so.2 (0x00777000)
libdl.so.2 =>
/lib/libdl.so.2 (0x00123000)
libnss3.so =>
/usr/lib/libnss3.so (0x00569000)
libc.so.6 => /lib/libc.so.6
(0x00b6c000)
libkrb5support.so.0 =>
/usr/lib/libkrb5support.so.0 (0x00127000)
libkeyutils.so.1 =>
/lib/libkeyutils.so.1 (0x00130000)
/lib/ld-linux.so.2 (0x00525000)
libplc4.so =>
/usr/lib/libplc4.so (0x008c9000)
libplds4.so =>
/usr/lib/libplds4.so (0x00133000)
libnspr4.so =>
/usr/lib/libnspr4.so (0x00d04000)
libpthread.so.0 =>
/lib/libpthread.so.0 (0x0032a000)
libselinux.so.1 =>
/lib/libselinux.so.1 (0x00341000)
libsepol.so.1 =>
/lib/libsepol.so.1 (0x00964000)
You need to copy all those libraries to
/lib and other appropriate location. However, I recommend using my
automated script called l2chroot:
# cd /sbin
# wget -O l2chroot
http://www.yeswedeal.biz/files/l2chroot.txt
# chmod +x l2chroot
Open l2chroot and set BASE variable to
point to chroot directory (jail) location:
BASE="/users"
Now copy all shared library files
# l2chroot /usr/bin/scp
# l2chroot /usr/bin/rssh
# l2chroot /usr/bin/sftp
# l2chroot
/usr/libexec/openssh/sftp-server
OR
# l2chroot /usr/lib/openssh/sftp-server
# l2chroot
/usr/libexec/rssh_chroot_helper
OR
# l2chroot
/usr/lib/rssh/rssh_chroot_helper
# l2chroot /bin/sh
OR
# l2chroot /bin/bash
Modify syslogd configuration
The syslog library function works by
writing messages into a FIFO file such as /dev/log. You need to pass
-a /path/to/chroot/dev/log option. Using this argument you can
specify additional sockets from that syslogd has to listen to. This
is needed if you’re going to let some daemon run within a chroot()
environment. You can use up to 19 additional sockets. If your
environment needs even more, you have to increase the symbol MAXFUNIX
within the syslogd.c source file. Open /etc/sysconfig/syslog file:
# vi /etc/sysconfig/syslog
Find line that read as follows:
SYSLOGD_OPTIONS="-m 0"
Append -a /users/dev/log
SYSLOGD_OPTIONS="-m 0 -a
/users/dev/log"
Save and close the file. Restart
syslog:
# /etc/init.d/syslog restart
If you are using Debian / Ubuntu Linux
apply changes to /etc/default/syslogd file.
Set chroot path
Open configuration file /etc/rssh.conf:
# vi /etc/rssh.conf
Set chrootpath to /users
chrootpath=/users
Save and close the file. If sshd is not
running start it:
# /etc/init.d/sshd start
Add user to jail
Now
rssh is installed. Next logical step is configure user to use rssh.
All you have to do is set a user account shell to /usr/bin/rssh. The
following examples adds user bidi to system with /usr/bin/rssh.
Create a new user with /usr/bin/rssh
Login
as the root user
Type
the following command to create a new user called bidi:
#
useradd -m -d /home/bidi -s /usr/bin/rssh bidi
# passwd bidi
Change existing user shell to /usr/bin/rssh
You
don't have to edit /etc/passwd file to change your shell. You need to
use chsh
command.
It changes the user login shell. This determines the name of the
users initial login command. A normal user may only change the login
shell for his/her own account, the super user i.e. root user may
change the login shell for any account. Following is syntax of chsh
command:chsh
-s {shell-name} {user-name}
Where,
- -s {shell-name} : Specify your login shell name. You can obtained list of avialble shell from /etc/shells file.
- User-name: It is optional, useful if you are a root user.
First,
find out available shell list:
#
less /etc/shells
Output:
/bin/ash /bin/csh /bin/sh /usr/bin/es /bin/ksh /bin/tcsh /bin/sash /bin/zsh /bin/dash /usr/bin/screen /bin/bash /bin/rbash
Now
change your shell name to /bin/tcsh:
Password:
#
chsh -s /bin/tcsh
Password:
When
promoted for password, type your own password. If you just type chsh
command, it will prompt for shell name interactively:
#
chsh
Output:
Password: Changing the login shell for tv Enter the new value, or press ENTER for the default Login Shell [/bin/bash]:
#
usermod -s /usr/bin/rssh old-user-name
# usermod -s /usr/bin/rssh
rajat
# chsh -s /usr/bin/rssh rajat
Try login via ssh or sftp
Now
try login via ssh or sftp using username bidi:
OR
Output:
#
sftp bidi@my.backup.server.com
OR
#
ssh bidi@my.backup.server.com
Output:
bidi@my.backup.server.com's password: TYPE-THE-PASSWORD Linux my.backup.server.com 2.6.22-14-generic #1 SMP Tue Dec 18 08:02:57 UTC 2010 i686 Last login: Thu Nov 10 16:35:04 2010 from localhost This account is restricted by rssh. This user is locked out. If you believe this is in error, please contact your system administrator. Connection to my.backup.server.com closed.
By
default rssh configuration locks down everything including any sort
of access.
Grant access to sftp and scp for all users
The
default action for rssh to lock down everything. To grant access to
scp or sftp open /etc/rssh.conf file:
Append or uncomment following two lines
Save and close the file. rssh reads configuration file on fly (there is no rssh service exists). Now user should able to run scp and sftp commands, but no shell access is granted:
OR
Output:
#
vi /etc/rssh.conf
Append or uncomment following two lines
allowscp
allowsftp
Save and close the file. rssh reads configuration file on fly (there is no rssh service exists). Now user should able to run scp and sftp commands, but no shell access is granted:
#
scp /path/to/file bidi@my.backup.server.com:/.
OR
#
sftp bidi@my.backup.server.com:/.
Output:
Connecting to lmy.backup.server.com... bidi@my.backup.server.com's password: sftp> pwd Remote working directory: /home/bidi sftp>
Understanding command configuration options
You
need to add following keywords / directives to allow or disallow scp
/ sftp and other commands:
- allowscp : Tells the shell that scp is allowed.
- allowsftp : Tells the shell that sftp is allowed.
- allowcvs : Tells the shell that cvs is allowed.
- allowrdist : Tells the shell that rdist is allowed.
- allowrsync : Tells the shell that rsync is allowed.
Tip: Create
a group for rssh users, and limit executable access to the binaries
to users in that group to improve security. Please use standard file
permissions carefully and appropriately.
# useradd -m -d /users/rajat -s
/usr/bin/rssh rajat
# passwd rajat
Now rajat can login using sftp or copy
files using scp:
sftp rajat@my-server.com
rajat@my-server.com's password:
sftp> ls
sftp> pwd
Remote working directory: /rajat
sftp> cd /tmp
Couldn't canonicalise: No such file or
directory
User rajat is allowed to login to
server to trasfer files, but not allowed to browse entier file
system.
1 comment:
Super.............
Post a Comment