rssh: Per User Configuration Options For Chroot Jail

December 22, 2007 · 6 comments · LAST UPDATED January 12, 2008


rssh is a restricted shell for providing limited access to a host via ssh. It supports both system-wide configuration and per-user configuration. From the rssh.conf man page:
The user configuration directive allows for the configuration of options on a per-user basis. THIS KEYWORD OVERRIDES ALL OTHER KEYWORDS FOR THE SPECIFIED USER. That is, if you use a user keyword for user foo, then foo will use only the settings in that user line, and not any of the settings set with the keywords above. The user keyword’s argument consists of a group of fields separated by a colon (:), as shown below. The fields are, in order:

  • username : The username of the user for whom the entry provides options
  • umask : The umask for this user, in octal, just as it would be specified to the shell
  • access bits : Five binary digits, which indicate whether the user is allowed to use rsync, rdist, cvs, sftp, and scp, in that order. One means the command is allowed, zero means it is not.
  • path : The directory to which this user should be chrooted (this is not a command, it is a directory name).

Two consequences of the override rule matter in practice. A user line that omits the path field gives that user no chroot at all, even when a global chrootpath is set, and a user line with a zero access bit denies that service even if the matching allowXXX keyword is set globally. Later rssh releases (2.3.3 and up) add a sixth access bit for svnserve, so check rssh.conf(5) on your own system for the exact field count.

rssh examples of configuring per-user options

Open /etc/rssh.conf file:
# vi /etc/rssh.conf
Allow user tom sftp access while bypassing our chroot jail (no path field, so the global chrootpath does not apply to him):
user=tom:077:00010
Provide jerry cvs access with no chroot:
user=jerry:011:00100
Provide spike rsync access with no chroot:
user=spike:011:10000
Provide tyke scp access with a chroot jail located at /users:
user="tyke:011:00001:/users" # whole user string can be quoted
If your chroot path contains spaces, it must be quoted. Provide nibbles scp access with a chroot directory whose name contains spaces:
user=nibbles:011:00001:"/usr/local/tv/shows/tom and jerry"
Whatever directory you name in the path field must be a complete jail: rssh chroots into it and then runs scp, sftp-server, rsync and so on from inside it, so the binaries, their shared libraries, /dev/null and a minimal /etc/passwd have to exist under that path (the chroot jail scripts referenced below build such a tree). Pointing a per-user path at an empty or ordinary home directory makes that user's login fail. Note also that umask 011 strips only the execute bit from group and others, so files uploaded under it are created group- and world-writable; use 022 (or 077) unless you have a reason not to.
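To make the override rule concrete, here is a small audit script, added for this page rather than taken from the article or from rssh itself, that parses rssh.conf user lines (including both quoted forms shown above), computes each user's effective policy and flags user lines that escape the global chroot, loosen the umask, or enable services the global keywords do not. SAMPLE_CONF is a constructed config whose user lines mirror the examples above; the function names are this example's own.

```python
"""Audit an rssh.conf for per-user lines that quietly escape the chroot jail.

Added example (not part of the original article or of rssh itself). It
implements the rssh.conf(5) semantics quoted above: a user= line replaces
*every* global keyword for that user, so a user line without a path field
means no chroot even when a global chrootpath is configured.
"""

# Order of the five access bits as documented in rssh.conf(5).
ACCESS_BITS = ("rsync", "rdist", "cvs", "sftp", "scp")

# Constructed sample config: the user lines mirror this page's examples,
# the global keywords mirror a typical "jail everyone under /users" setup.
SAMPLE_CONF = """
# global settings
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath = /users

# per-user overrides
user=tom:077:00010
user="tyke:011:00001:/users"   # whole user string can be quoted
user=nibbles:011:00001:"/usr/local/tv/shows/tom and jerry"
user=sftptry:011:00011
"""


def parse_user_line(value):
    """Parse 'name:umask:bits[:path]'; the whole value or the path may be quoted."""
    value = value.strip()
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]                       # user="name:umask:bits:path"
    fields = value.split(":", 3)                  # the path may itself contain ':'
    if len(fields) < 3:
        raise ValueError("user line needs name:umask:bits: %r" % value)
    name, umask, bits = fields[0], int(fields[1], 8), fields[2]
    if len(bits) != len(ACCESS_BITS) or set(bits) - {"0", "1"}:
        raise ValueError("access bits must be five binary digits: %r" % bits)
    allow = {svc for svc, bit in zip(ACCESS_BITS, bits) if bit == "1"}
    path = fields[3].strip().strip('"') if len(fields) == 4 else ""
    return name, {"allow": allow, "umask": umask, "chrootpath": path or None}


def parse_rssh_conf(text):
    """Return (global_policy, {username: per_user_policy}) for rssh.conf text."""
    glob = {"allow": set(), "umask": None, "chrootpath": None}
    users = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("allow") and not value:  # allowscp, allowsftp, ...
            glob["allow"].add(key[len("allow"):])
        elif key == "umask":
            glob["umask"] = int(value, 8)
        elif key == "chrootpath":
            glob["chrootpath"] = value.strip('"') or None
        elif key == "user":
            name, policy = parse_user_line(value)
            users[name] = policy
        # logfacility and other keywords do not affect the access policy
    return glob, users


def effective_policy(glob, users, name):
    """A matching user= line is the whole policy; otherwise the globals apply."""
    return users.get(name, glob)


def audit(glob, users):
    """Return (user, finding) pairs for user lines that escape or weaken the jail."""
    findings = []
    for name, pol in users.items():
        if glob["chrootpath"] and not pol["chrootpath"]:
            findings.append((name, "not chrooted: user line overrides global "
                                   "chrootpath=%s" % glob["chrootpath"]))
        if (pol["umask"] & 0o022) != 0o022:
            findings.append((name, "umask %03o leaves group/other write bits "
                                   "on new files" % pol["umask"]))
        extra = pol["allow"] - glob["allow"]
        if extra:
            findings.append((name, "enables services not allowed globally: "
                                   + ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    g, u = parse_rssh_conf(SAMPLE_CONF)
    for user, finding in audit(g, u):
        print("%-8s %s" % (user, finding))
```

Run as-is, it reports tom and sftptry as not chrooted: with chrootpath=/users set globally, a user= line that has no path field still puts that user outside the jail, which is the behaviour the commenters below run into. The umask check fires for every 011 user because that mask removes only the execute bits.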

Recommended readings:

=> rssh home page
=> Redhat specific chroot jail script (outdated)
=> Refer man pages: rssh.conf, rssh, ssh, sshd, sftp, scp, rsync, sshd_config



1 Richard June 17, 2008 at 2:16 am

First, thank you Vivek! This series has been very helpful to me.

At the end, I was not able to have the most important thing working on my box. I found a solution for that and hope that others can help this as well.

Still, I am struggling with some options which do not seem to work on my side. I’ll try to explain further on. First let me try to explain what I have done.

My box runs CentOS 5.1, and all of this series’ settings I have carried out, and it’s working like a charm. But as soon as I fill in the home directory for a user, it blocks this user, who is not able to log in anymore.

In rssh.conf I have now (all comments and not active options left out):
#BEGIN
#-----
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath = /users
#-----
#END

With this, my user(s) can login with SFTP and can browse all the files but they reside in /users which they see as the root (/). So that’s fine!

Ok, next I set it up for a _per_user_ specification.
My rssh.conf has now only the following:
#BEGIN
#-----
logfacility = LOG_USER
umask = 022
chrootpath=/users
user=sftptry:011:00011
#-----
#END

With the above, my user sftptry has full access over the complete system, so even outside /users. The ‘chrootpath’ option on or off has no effect.

The only thing now, which is also a safe choice, is that the sftp system is closed for everybody except ‘sftptry’.

But I like to set it up so my users will only see their own root, and nothing more! So I change my user row to the following:
user=sftptry:011:00011:/users/sftptry

Now this user, who was able to log in before, is not able to log in anymore. No matter what other settings I try (chrootpath on or off, allowXX on or off), it has no effect.

So here’s my solution for the fact that all users with sftp access can view all files in /users:
chmod 711 /users/bin
chmod 711 /users/dev (and /users/etc|lib|usr)

This way they _see_ the map, but are not able to open it while it can be executed by the system _and_ the user (which is important).

So, in the end, I have it working close enough to the way I want it. But I hope somebody can tell me why it is not working here with the ‘home/map’ option.


2 Chris G. Sellers December 15, 2008 at 9:46 pm

Do your users come from a directory (e.g. LDAP or NIS ?)


3 wuhaa February 10, 2009 at 4:04 pm

Hi,

I want to setup a server (centos5) for ssh tunneling only where users can’t see other users and are limited to a chroot directory (/users). Is there a way to allow tunneling with this setup or is it already enabled by default?

Thanks,
Varinder


4 Chito Punk October 27, 2009 at 1:59 pm

I’m facing same problem as Richard, users can view the whole jail, restricted access to other user folders.. but at least they know the folder tree… which I don’t want them to know that..

Regards


5 iMakeInternet February 4, 2010 at 8:39 pm

After finishing this walkthrough, you really disappointed me and numerous others above. Your title is incorrect and the resulting setup is incomplete / doesn’t work anything like you described above.

Rewrite.


6 Hoang Minh Hoa April 23, 2010 at 9:21 am

When I follow this guide and configure chroot (for all users), the user cannot log in to sftp or ssh (using the WinSCP application).
I tried to do it 3 ways, but every way is the same: the user cannot log in to sftp or ssh (using the WinSCP application).
Please show me how to solve it.
My email svtech00@gmail.com

Thanks so much

