rssh supports chrooting. If you want to chroot users, use the chrootpath option, which sets the directory where the root of the chroot jail will be located. This is a security feature.
A chroot on Linux or Unix is an operation that changes the apparent root directory for the current process and its children. Without it, a normal user whose home directory is /home/vivek can still read files in the /etc, /sbin or /bin directories, and an attacker who gets in through your web server can install programs or a backdoor in /tmp. A chroot restricts file system access and locks the user down to their own directory.
Configuring rssh chroot
=> Chroot directory: /users.
Tip: If possible mount /users filesystem with the noexec/nosuid option to improve security.
=> Required directories in jail:
- /users/dev – Device files
- /users/etc – Configuration file such as passwd
- /users/lib – Shared libs
- /users/usr – rssh and other binaries
- /users/bin – Copy default shell such as /bin/csh or /bin/bash
=> Required files in jail at /users directory (default for RHEL / CentOS / Debian Linux):
- /etc/ld.so.cache
- /etc/ld.so.conf.d/*
- /etc/ld.so.conf
- /etc/nsswitch.conf
- /etc/passwd
- /etc/group
- /etc/hosts
- /etc/resolv.conf
- /usr/bin/scp
- /usr/bin/rssh
- /usr/bin/sftp
- /usr/libexec/openssh/sftp-server OR /usr/lib/openssh/sftp-server
- /usr/libexec/rssh_chroot_helper OR /usr/lib/rssh/rssh_chroot_helper (suid must be set on this binary)
- /bin/sh or /bin/bash (default shell)
Tip: Limit the binaries that live in the jail to the absolute minimum required to improve security. Usually /bin/bash and /bin/sh are not required, but some systems give an error without them.
A note about jail file system
Note: The files need to be placed in the jail directory (such as /users) in directories that mimic their placement in the root (/) file system, so you need to copy all required files. For example, /usr/bin/rssh is located on the / file system; if your jail is located at /users, then copy /usr/bin/rssh to /users/usr/bin/rssh. The following instructions have been tested on:
- FreeBSD
- Solaris UNIX
- RHEL / Redhat / Fedora / CentOS Linux
- Debian Linux
Building the Chrooted Jail
Create all required directories:
# mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/usr/libexec/openssh
Create /users/dev/null:
# mknod -m 666 /users/dev/null c 1 3
Copy required /etc/ configuration files, as described above to your jail directory /users/etc:
# cd /users/etc
# cp /etc/ld.so.cache .
# cp -avr /etc/ld.so.conf.d/ .
# cp /etc/ld.so.conf .
# cp /etc/nsswitch.conf .
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/resolv.conf .
Open the /users/etc/group and /users/etc/passwd files and remove root and all other accounts that are not going to be jailed.
Copy required binary files, as described above to your jail directory /users/bin and other locations:
# cd /users/usr/bin
# cp /usr/bin/scp .
# cp /usr/bin/rssh .
# cp /usr/bin/sftp .
# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .
OR
# cp /usr/lib/openssh/sftp-server .
# cd /users/usr/libexec/
# cp -p /usr/libexec/rssh_chroot_helper .
OR
# cp -p /usr/lib/rssh/rssh_chroot_helper .
The -p option preserves the file mode, so the setuid bit that rssh_chroot_helper requires survives the copy.
# cd /users/bin/
# cp /bin/sh .
OR
# cp /bin/bash .
Copy all shared library files
The library files that any of these binary files need can be found by using the ldd / strace command. For example, running ldd against /usr/bin/sftp provides the following output:
# ldd /usr/bin/sftp
Output:
linux-gate.so.1 => (0x00456000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0050e000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)
libutil.so.1 => /lib/libutil.so.1 (0x008ba000)
libz.so.1 => /usr/lib/libz.so.1 (0x00110000)
libnsl.so.1 => /lib/libnsl.so.1 (0x0080e000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00a8c000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00656000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00271000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00304000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00777000)
libdl.so.2 => /lib/libdl.so.2 (0x00123000)
libnss3.so => /usr/lib/libnss3.so (0x00569000)
libc.so.6 => /lib/libc.so.6 (0x00b6c000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00127000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00130000)
/lib/ld-linux.so.2 (0x00525000)
libplc4.so => /usr/lib/libplc4.so (0x008c9000)
libplds4.so => /usr/lib/libplds4.so (0x00133000)
libnspr4.so => /usr/lib/libnspr4.so (0x00d04000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0032a000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00341000)
libsepol.so.1 => /lib/libsepol.so.1 (0x00964000)
You need to copy all those libraries into the jail at the same relative locations (/users/lib, /users/usr/lib and so on). However, I recommend using my automated script called l2chroot:
# cd /sbin
# wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# chmod +x l2chroot
Open l2chroot and set BASE variable to point to chroot directory (jail) location:
BASE="/users"
Now copy all shared library files:
# l2chroot /usr/bin/scp
# l2chroot /usr/bin/rssh
# l2chroot /usr/bin/sftp
# l2chroot /usr/libexec/openssh/sftp-server
OR
# l2chroot /usr/lib/openssh/sftp-server
# l2chroot /usr/libexec/rssh_chroot_helper
OR
# l2chroot /usr/lib/rssh/rssh_chroot_helper
# l2chroot /bin/sh
OR
# l2chroot /bin/bash
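The same job l2chroot performs, written out here as an added example (it is not the l2chroot script itself, nor code from the article): parse the output of ldd, report any library ldd cannot resolve, and copy every resolved library into the jail at its original relative path. It also handles the 64-bit case where the dynamic loader appears as a bare path with no "=>", and the vDSO entry that has no file behind it. The sample ldd output and all function names are constructed for this example.

```shell
#!/bin/sh
# Constructed ldd output (not captured from the article's host) covering the
# shapes a line can take: a virtual vDSO with no path, "name => /path",
# the loader as a bare path, and an unresolved library.
LDD_SAMPLE='    linux-vdso.so.1 =>  (0x00007fff4e35f000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffb9ed2e000)
    /lib64/ld-linux-x86-64.so.2 (0x00007ffb9f2cf000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)
    libmissing.so.1 => not found'

# ldd_paths: read ldd output on stdin and print one absolute library path per
# line. Any whitespace-separated field beginning with "/" is a path, which
# covers both "libc.so.6 => /lib/.../libc.so.6" and the loader's bare path.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# ldd_unresolved: print the names of libraries ldd could not find. A binary
# whose libraries are missing on the host will not work inside the jail either.
ldd_unresolved() {
    awk '/not found/ { print $1 }'
}

# jail_copy_libs JAIL: read library paths on stdin and copy each one to the same
# relative location under JAIL, creating parent directories as needed.
# cp -p keeps mode and timestamps so a setuid bit is not silently dropped.
jail_copy_libs() {
    jail=$1
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# jail_libs_for JAIL BINARY...: resolve each binary's libraries with ldd and
# copy the de-duplicated set into the jail, for example:
#   jail_libs_for /users /usr/bin/scp /usr/bin/rssh /usr/bin/sftp
jail_libs_for() {
    jail=$1
    shift
    for bin in "$@"; do
        ldd "$bin" | ldd_paths
    done | sort -u | jail_copy_libs "$jail"
}

# Show what the parser extracts from the constructed sample.
printf '%s\n' "$LDD_SAMPLE" | ldd_paths
printf '%s\n' "$LDD_SAMPLE" | ldd_unresolved
```

Run jail_libs_for once per binary group after the binaries themselves are in place; the "not found" check is worth running first, because a library ldd cannot resolve on the host is the same "Connection closed" with no error that several readers report below once it is missing in the jail.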
Modify syslogd configuration
The syslog library function works by writing messages to a Unix socket such as /dev/log. A process inside the jail cannot reach the real /dev/log, so you need to pass the -a /path/to/chroot/dev/log option, which tells syslogd to listen on additional sockets. This is needed if you’re going to let some daemon run within a chroot() environment. You can use up to 19 additional sockets; if your environment needs even more, you have to increase the symbol MAXFUNIX within the syslogd.c source file. Open the /etc/sysconfig/syslog file:
# vi /etc/sysconfig/syslog
Find the line that reads as follows:
SYSLOGD_OPTIONS="-m 0"
Append -a /users/dev/log:
SYSLOGD_OPTIONS="-m 0 -a /users/dev/log"
Save and close the file. Restart syslog:
# /etc/init.d/syslog restart
If you are using Debian / Ubuntu Linux apply changes to /etc/default/syslogd file.
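Before pointing rssh at the jail, it is worth checking that everything the sections above called for is actually in place. The following is an added example (not part of the article) that audits a jail directory: the required directories and files, a real character device at dev/null, the dev/log socket that the syslogd -a option creates, a setuid rssh_chroot_helper at either of the two packaging paths named above, and a root entry left behind in the jail’s passwd. The function name and message wording are this example’s own.

```shell
#!/bin/sh
# check_jail JAIL: print one line per problem found, then a summary line.
# Returns 0 only when the jail passes every check.
check_jail() {
    jail=$1
    problems=0

    # Directories the article lists as required in the jail.
    for d in dev etc lib usr/bin bin; do
        [ -d "$jail/$d" ] || { echo "missing directory: $jail/$d"; problems=$((problems + 1)); }
    done

    # Configuration files the jailed programs read at start-up.
    for f in etc/passwd etc/group etc/nsswitch.conf etc/ld.so.cache; do
        [ -f "$jail/$f" ] || { echo "missing file: $jail/$f"; problems=$((problems + 1)); }
    done

    # /dev/null must be the character device created with mknod, not a plain file.
    [ -c "$jail/dev/null" ] || { echo "$jail/dev/null is not a character device"; problems=$((problems + 1)); }

    # syslogd -a JAIL/dev/log creates this socket; without it nothing in the jail can log.
    [ -S "$jail/dev/log" ] || { echo "$jail/dev/log socket missing: syslogd not restarted with -a?"; problems=$((problems + 1)); }

    # The chroot helper may live at either packaging path and must be setuid.
    helper=
    for h in usr/libexec/rssh_chroot_helper usr/lib/rssh/rssh_chroot_helper; do
        [ -f "$jail/$h" ] && helper=$jail/$h
    done
    if [ -z "$helper" ]; then
        echo "rssh_chroot_helper missing from $jail"; problems=$((problems + 1))
    elif [ ! -u "$helper" ]; then
        echo "$helper is not setuid"; problems=$((problems + 1))
    fi

    # The jail's passwd should hold only jailed accounts; root must not be in it.
    if [ -f "$jail/etc/passwd" ] && grep -q '^root:' "$jail/etc/passwd"; then
        echo "root account still present in $jail/etc/passwd"; problems=$((problems + 1))
    fi

    echo "$problems problem(s) found in $jail"
    [ "$problems" -eq 0 ]
}

# Usage: check_jail /users
```

The exit status is 0 only when nothing was reported, so a setup script can stop at this point rather than enabling chrootpath on a jail that will close every connection.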
Set chroot path
Open configuration file /etc/rssh.conf:
# vi /etc/rssh.conf
Set chrootpath to /users:
chrootpath=/users
Save and close the file. If sshd is not running start it:
# /etc/init.d/sshd start
Add user to jail
As explained earlier, configure the rssh user account. For example, add the user vivek to the chrooted jail with the following commands:
# useradd -m -d /users/vivek -s /usr/bin/rssh vivek
# passwd vivek
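The article has you copy /etc/passwd and /etc/group into the jail and strip root and every other account, and the useradd above gives vivek a home of /users/vivek, which the sftp session below reports as /vivek once chrooted. The following added example (not from the article) rebuilds the jail’s two files from the host’s with only the jailed accounts, rewriting each home directory relative to the jail so the in-jail passwd matches what the jailed process sees. The host passwd and group content is constructed sample data and the function names are this example’s own.

```shell
#!/bin/sh
# Constructed host files (not the article's) standing in for /etc/passwd and
# /etc/group so the example runs offline.
HOST_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vivek:x:1001:1001::/users/vivek:/usr/bin/rssh
alice:x:1002:1002::/users/alice:/usr/bin/rssh
bob:x:1003:1003::/home/bob:/bin/bash'
HOST_GROUP='root:x:0:
daemon:x:1:
vivek:x:1001:
alice:x:1002:
bob:x:1003:'

# jail_passwd JAIL USER...: read the host passwd on stdin and print entries for
# the named users only, with a home directory under JAIL rewritten relative to
# it (/users/vivek becomes /vivek). root and all other accounts are dropped.
jail_passwd() {
    jail=$1
    shift
    awk -F: -v OFS=: -v jail="$jail" -v users="$*" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) {
            if (index($6, jail "/") == 1) $6 = substr($6, length(jail) + 1)
            print
        }'
}

# jail_group GID...: read the host group file on stdin and keep only the groups
# whose numeric id is listed; feed it the primary gids of the jailed accounts.
jail_group() {
    awk -F: -v gids="$*" '
        BEGIN { n = split(gids, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        ($3 in want)'
}

# Build the jail's files for the accounts vivek and alice. On a real host the
# printf of the samples is replaced by the real files, e.g.
#   jail_passwd /users vivek alice < /etc/passwd > /users/etc/passwd
JAIL_PASSWD=$(printf '%s\n' "$HOST_PASSWD" | jail_passwd /users vivek alice)
JAIL_GROUP=$(printf '%s\n' "$HOST_GROUP" | jail_group $(printf '%s\n' "$JAIL_PASSWD" | cut -d: -f4))
printf '%s\n' "$JAIL_PASSWD"
printf '%s\n' "$JAIL_GROUP"
```

Regenerating the files this way each time a jailed account is added avoids the two mistakes readers report below: an account missing from the jail’s passwd, and a home path that still carries the /users prefix inside the jail.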
Now vivek can login using sftp or copy files using scp:
$ sftp vivek@my-server.com
vivek@my-server.com's password:
sftp> ls
sftp> pwd
Remote working directory: /vivek
sftp> cd /tmp
Couldn't canonicalise: No such file or directory
User vivek is allowed to log in to the server to transfer files, but is not allowed to browse the entire file system.
This is one area where SSH really falls down. I’ve looked at other options like RSSH – what a joke. Unnecessarily complex. This should be just as easy as implementing cvsroot for ftp. Well, it is, but nobody seems to know about it – take a look at Minstrel. I have been using this solution in production since 2008 without a single problem. Just specify the user’s shell and the appropriate path to their home directory and voilà, root-jailed sftp only: http://www.minstrel.org.uk/papers/sftp/
Hi, I just discovered a problem on a 64-bit OS: it is not copying the shared libs:
l2chroot /usr/bin/scp
Copying shared files/libs to /home/jails…
Copying /lib64/ld-linux-x86-64.so.2 /home/jails/lib64…
when it should be:
ldd /usr/bin/scp
linux-vdso.so.1 => (0x00007fff4e35f000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffb9ed2e000)
/lib64/ld-linux-x86-64.so.2 (0x00007ffb9f2cf000)
If the user home is chmod 700
and the internal folders are find . -type d -exec chmod 755 {} \;
how is it possible for apache2 to read the public_html? Or if we apply username:nobody to /home/username/public_html and set up the virtual host, can it be read by the world?
Thank you.
You can confine the user to their home folder by changing permissions on all the folders other than their home folder to 751. As per the example in this article:
cd /
chmod 751 users
cd users
find . -type d -exec chmod 751 {} \;
If you need to return the home folder back to normal permissions then:
chmod 700 vivek
cd vivek
find . -type d -exec chmod 755 {} \;
Vivek, this is a crazy good utility to use; it made my life so much easier when I implemented chroot.
I ran into one issue, in which certain utilities like “vim” and “file” require support libraries under /usr/share. I also needed to include /usr/share/locale and /usr/share/terminfo (for “vim” for instance).
Is there a way to check within l2chroot for these support libs as well? It would make the installation a little more bulletproof.
Thanks so much.
In version 5, jailing is now natively supported.
The problem is that CentOS 5.5 and lower came with SSH versions below 4.8.
So if you upgrade you will automatically get Jailing.
I followed these instructions. http://adamsworld.name/chrootjailv5.php
Very good tutorial. I wonder if there is a way to change the message shown on access, “This account is restricted by rssh.
Allowed commands: scp
If you believe this is in error, please contact your system administrator.”
to another message.
Thank you for your help. Greetings from Colombia
Working!!
This works perfectly. At first I had connection problems, but they were fixed just by adding /chroot/lib64/libnss_files.so.2.
I have RHEL 6
Thanks
Got this working on Solaris, works well. Here are some of the errors encountered, and the solutions:
Error: unknown user xxx
Occurs during SCP. Missing *nss* lib in chroot; copy /lib/nss_files.so.1 to chroot. (Solaris 10)
Error: connection closed
Occurs during SFTP. Missing *ksh* in chroot, copy /bin/ksh and/or /usr/bin/ksh to chroot
Error: connection closed
Occurs during SCP on Solaris 9. Missing *nss* lib in chroot, different library path than in Solaris 10. Copy /usr/lib/nss_files.so.1 to chroot.
Error: rssh_chroot_helper failed, Not owner
/usr/local/libexec/rssh_chroot_helper must be SUID root
Error: user attempted to execute forbidden commands; /usr/lib/ssh/sftp-server
Occurs during SFTP, logged in /var/adm/messages. Target system had both OpenSSH and SolarisSSH, error caused by conflict between rssh config and sshd_config. run ‘/usr/local/bin/rssh -v’ to get sftp server binary path, compare to ‘Subsystem sftp’ path in sshd_config (both config files, OpenSSH and SolarisSSH). Edit sshd_config to match rssh config.
Found a pretty good script file for setting up the chroot on Solaris…
Try to upgrade openSSH version and enjoy the new inbuilt jailroot system. Much easier.
CyberCiti : please post an article for the same.
Everyone stuck at:
“… ssh_chroot_helper[4470]: changing working directory to / (inside jail)”
but then getting a refused connection on your sftp client: *trust the other posters* that it is a library issue… I thought it was bullshit myself and almost gave up hope (no apparent error in my /var/log/syslog). My last resort was to copy all the files in the /lib folder to the /chroot/lib folder. Use the -p and --preserve=link switches so you preserve permissions and links (otherwise linked libraries will be copied as files…).
cp -v -p -d --preserve=link /lib/* /chroot/lib/
It *will* work… Now it’s a matter of deleting one by one (if you want) and figuring out the minimum subset required. In my case (Ubuntu 11.04 server):
ld-2.12.1.so
ld-linux-x86-64.so.2
libc-2.12.1.so
libc.so.6
libnsl-2.12.1.so
libnsl.so.1
libnss_compat-2.12.1.so
libnss_compat.so.2
I also followed all previous suggestions in the earlier comments on this site (e.g., adding user to /chroot/etc/passwd… etcetera). Good hunting!
I am getting this error.. please help
Status: Connected to x.x.x.x
Error: Connection closed by server with exitcode 1
Error: Could not connect to server
Hi Vivek,
In the first few lines, you instructed
and then after that, you said
which will,of course, produce an error. I thought I could skip that code, but when I did, upon login it immediately prompted me “Connection closed” without any error whatsoever.
So what I did was to
so I can proceed with
which is, apparently, quite important because after doing so, it let me connect to it.
Success!
I am thinking of making a script for CentOS 5.5 based on this. I will post any update about my plan. 🙂
Thanks Vivek!
I also found MySecureShell to be a superior tool to rssh.
It solved the issue that Ivan and Stefan warned about.
Their comments are dated August 22, 2008 & September 2, 2008.
When in doubt, verify that the /chroot/dev/null exists. Worked for me.
P.S.: also make sure that your chroot user exists in the chroot/etc/passwd file.
JP – /libexec is inside /usr. You can remove libexec from your /chroot dir. That probably won’t fix your problem but it could be messing with something. Other than that, I noticed your permissions in /etc are only operational for root. Try giving read permissions on the files in /etc. If that doesn’t work, change it back.
What you get as a root is not an error, it just tells that the root user’s home directory is not in the chrooted folder. This is expected
It seems your rssh is working with root user, so now you just need to figure out why it’s not working with your chroot user.
Probably one of the necessary lib files, passwd file, sftp-server, rssh_chroot_helper etc file is not readable or executable by that user.
Unfortunately I couldn’t figure out how to get logging activated to see what is missing, so from this point on you just need to check all these files for proper access rights.
Hi Zoltan,
I have changed the user permissions on the original rssh_chroot_helper to root:testing and then performed a chmod to reassert the SetUID.
I still get the same error and an extra one when I do this.
Apr 8 14:55:46 testing-ftp rssh_chroot_helper[5621]: chroot() failed, 2: Operation not permitted
I have run through the example 3 times and I know I have added more libs than are necessary at this point.
I have already copied /libnss_files.so.2 into the relative location as shown in my ls -lR above.
I can’t run the command /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server” as the testing user, as the user is not allowed a shell. While trying to run the command as root, I get the following error:
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: new session for root, UID=0
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: user’s home dir is /root
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: couldn’t find /root in chroot jail
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: chrooted to /users
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: changing working directory to / (inside jail)
Thanks for your help.
Hi JP,
Actually I found another possible reason.
The rssh_chroot_helper is executed from the original folder and not the chrooted one, so you need to make sure that your chroot user has execute access to it.
Hi JP,
In my case the solution for the same problem was to add /[chrootedlibrary]/lib64/libnss_files.so.2
But in your case it might be some other lib files missing.
I would try to run /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server”
from shell to see whether I get any error message. You might want to try with different users.
Also, if the user (at least the user number) is not in the /chrootlibrary/etc/passwd file, then you will get the same error as above, but when you run it from the shell it will tell you that it couldn’t find the user id.
I hope it helps
The problem is solved by copying the folder libexec located in /users/libexec to /users/usr/libexec.
Run the command: cp -R /users/libexec /users/usr/
and try again.
1> To get the rssh system to appear in my log. I followed – Paul Mitchell comment and added the following line to the sshd.conf. “Subsystem sftp /usr/libexec/openssh/sftp-server”
After which the following shows up in my /var/log/messages
{code}
Apr 8 09:15:34 test-ftp rssh[11728]: setting log facility to LOG_USER
Apr 8 09:15:34 test-ftp rssh[11728]: allowing scp to all users
Apr 8 09:15:34 test-ftp rssh[11728]: allowing sftp to all users
Apr 8 09:15:34 test-ftp rssh[11728]: setting umask to 022
Apr 8 09:15:34 test-ftp rssh[11728]: chrooting all users to /users
Apr 8 09:15:34 test-ftp rssh[11728]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server”
Apr 8 09:15:34 test-ftp kernel: type=1104 audit(1302250534.943:2545183): user pid=11723 uid=0 auid=526 msg=’PAM: setcred acct=”testing” : exe=”/usr/sbin/sshd” (hostname=XX.XX.XX.XX, addr=XX.XX.XX.XX, terminal=ssh res=success)’
{code}
2> Followed Danilo Mota’s advice and made my passwd paths in the file relative to the environment.
I am still getting the errors above.
3> I copied the necessary files suggested in several comments down. The content of my /users folder is shown below.
{code}
drwx------ 2 root root 4096 Apr 7 16:56 bin
drwxr-x--- 2 root root 4096 Apr 8 09:36 dev
drwx------ 3 root root 4096 Apr 7 16:43 etc
lrwxrwxrwx 1 root root 5 Apr 7 16:40 lib -> lib64
drwxr-xr-x 2 root root 4096 Apr 7 17:02 lib64
drwxr-xr-x 3 root root 4096 Apr 7 13:35 libexec
drwxr-xr-x 2 testing testing 4096 Apr 7 20:57 testing
drwxr-xr-x 5 root root 4096 Apr 7 14:05 usr
./bin:
total 1576
-rwx------ 1 root root 801512 Apr 7 16:56 bash
-rwx------ 1 root root 801512 Apr 7 16:56 sh
./dev:
total 0
srwxr-x--- 1 root root 0 Apr 8 09:36 log
crwxr-x--- 1 root root 1, 3 Apr 7 13:35 null
./etc:
total 76
-rwx------ 1 root root 36 Apr 8 09:49 group
-rwx------ 1 root root 100 Apr 7 13:37 hosts
-rwx------ 1 root root 47495 Apr 7 15:40 ld.so.cache
-rwx------ 1 root root 280 Apr 7 15:39 ld.so.conf
drwx------ 2 root root 4096 Apr 7 16:43 ld.so.conf.d
-rwx------ 1 root root 1696 Apr 7 15:40 nsswitch.conf
-rwx------ 1 root root 74 Apr 8 09:56 passwd
-rwx------ 1 root root 74 Apr 7 13:37 resolv.conf
./etc/ld.so.conf.d:
total 4
-rwx------ 1 root root 17 Oct 23 03:23 mysql-x86_64.conf
./lib64:
total 6852
-rwxr-xr-x 1 root root 139416 Apr 7 14:04 ld-linux-x86-64.so.2
-rwxr-xr-x 1 root root 10000 Apr 7 16:18 libcom_err.so.2
-rwxr-xr-x 1 root root 1366272 Apr 7 20:55 libcrypto.so.6
-rwxr-xr-x 1 root root 48600 Apr 7 20:55 libcrypt.so.1
-rwxr-xr-x 1 root root 1718120 Apr 7 20:55 libc.so.6
-rwxr-xr-x 1 root root 23360 Apr 7 20:55 libdl.so.2
-rwxr-xr-x 1 root root 190976 Apr 7 16:57 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root 153720 Apr 7 17:01 libk5crypto.so.3
-rwxr-xr-x 1 root root 9728 Apr 7 16:18 libkeyutils.so.1
-rwxr-xr-x 1 root root 613896 Apr 7 16:58 libkrb5.so.3
-rwxr-xr-x 1 root root 35728 Apr 7 17:01 libkrb5support.so.0
-rwxr-xr-x 1 root root 114352 Apr 7 20:55 libnsl.so.1
-rwxr-xr-x 1 root root 233112 Apr 7 16:59 libnspr4.so
-rwxr-xr-x 1 root root 1231352 Apr 7 17:01 libnss3.so
-rwxr-xr-x 1 root root 53880 Apr 7 16:24 libnss_files-2.5.so
-rwxr-xr-x 1 root root 53880 Apr 7 16:53 libnss_files.so
-rwxr-xr-x 1 root root 53880 Apr 8 09:59 libnss_files.so.2
-rwxr-xr-x 1 root root 123152 Apr 7 17:02 libnssutil3.so
-rwxr-xr-x 1 root root 17992 Apr 7 16:54 libplc4.so
-rwxr-xr-x 1 root root 13960 Apr 7 17:00 libplds4.so
-rwxr-xr-x 1 root root 145824 Apr 7 16:18 libpthread.so.0
-rwxr-xr-x 1 root root 92736 Apr 7 20:55 libresolv.so.2
-rwxr-xr-x 1 root root 95464 Apr 7 16:18 libselinux.so.1
-rwxr-xr-x 1 root root 247496 Apr 7 16:18 libsepol.so.1
-rwxr-xr-x 1 root root 18152 Apr 7 20:55 libutil.so.1
-rwxr-xr-x 1 root root 85928 Apr 7 17:00 libz.so.1
./libexec:
total 4
drwxr-xr-x 2 root root 4096 Apr 7 13:35 openssh
./libexec/openssh:
total 0
./testing:
total 0
./usr:
total 12
drwxr-xr-x 2 root root 4096 Apr 7 17:03 bin
drwxr-xr-x 2 root root 4096 Apr 7 14:05 lib64
drwxr-xr-x 3 root root 4096 Apr 7 16:55 libexec
./usr/bin:
total 252
-rwxr-xr-x 1 root root 29712 Apr 7 15:05 rssh
-rwxr-xr-x 1 root root 57504 Apr 7 15:05 scp
-rwxr-xr-x 1 root root 96280 Apr 7 15:05 sftp
-rwxr-xr-x 1 root root 53072 Apr 7 17:03 sftp-server
./usr/lib64:
total 2680
-rwxr-xr-x 1 root root 190976 Apr 7 16:18 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root 153720 Apr 7 16:18 libk5crypto.so.3
-rwxr-xr-x 1 root root 613896 Apr 7 16:18 libkrb5.so.3
-rwxr-xr-x 1 root root 35728 Apr 7 16:18 libkrb5support.so.0
-rwxr-xr-x 1 root root 233112 Apr 7 16:18 libnspr4.so
-rwxr-xr-x 1 root root 1231352 Apr 7 16:18 libnss3.so
-rwxr-xr-x 1 root root 123152 Apr 7 16:18 libnssutil3.so
-rwxr-xr-x 1 root root 17992 Apr 7 16:18 libplc4.so
-rwxr-xr-x 1 root root 13960 Apr 7 16:18 libplds4.so
-rwxr-xr-x 1 root root 85928 Apr 7 20:55 libz.so.1
./usr/libexec:
total 76
drwxr-xr-x 2 root root 4096 Apr 7 13:45 openssh
-rwsr-xr-x 1 root root 67691 Apr 7 16:55 rssh_chroot_helper
./usr/libexec/openssh:
total 56
-rwxr-xr-x 1 root root 53072 Apr 7 15:05 sftp-server
{code}
I am not sure what else to do – can anyone else provide any guidance?
I figured it out, it works now. Actually I didn’t figure out what I did wrong but redid everything from zero and then it worked.
Although I believe there are a few typos in the original instructions, and also I needed to copy:
“cp /lib64/libnss_files.so.2 /var/www/lib64/”
Phuh, it took me 10 hours to figure out all issues,
I have RHEL5 64, did everything needed and still stuck at
chroot cmd line: /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server”
I have the user in the passwd file with relative home directory as Danilo proposed.
I can run chroot cmd line: /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server” as root with no error message (after copying chroot/lib64/libnss_files.so.2).
Anybody has any other idea?
Naturally if I remove chrooting from rssh then sftp works fine with this user.
I have tried everything in RHEL5 64-bit to get this working. I have copied all the binaries and libs to the same folder structure as vukasin. I have even used the default location in the guide. I don’t see any message to do with rssh in my /var/log/messages log.
Can someone point me to some helpful troubleshooting tips? Or how to work out why users are able to go up levels and see all the folder structures I have created?
For those who get stuck at:
chroot cmd line: /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server”
The home directory in /chroot/etc/passwd must be relative to the chrooted system, and the original file must have the full path if you want sshd to find the user’s authorized keys and so on.
Eg:
# /etc/passwd
user_sftp:x:505:500::/chroot/home/user_sftp:/usr/bin/rssh
# /chroot/etc/passwd
user_sftp:x:505:500::/home/user_sftp:/usr/bin/rssh
DM
Uhm, yeah forgot to add: You need to restart rsyslogd after creating the file 🙂
/etc/init.d/rsyslogd restart will do 🙂
Hi,
if your system uses rsyslogd and not syslogd you need to specify the parameter $AddUnixListenSocket /users/dev/log for example in a separate config under /etc/rsyslog.d/ .
I keep mine in a file called: /etc/rsyslog.d/999-chroot-rsyslogd.conf
This will create the needed log-device for rsyslogd in the chroot.
The l2chroot script gets an error message with the dirname and cp commands.
Hi vivek,
I want to offer some users sftp only with a jail. How do I do it ? The above stuff you wrote does more than what I need.
I feel like I’m almost there, but somehow I cannot connect. I don’t see any error in my logfiles. I’m running Debian Lenny. This is what my syslog says:
Apr 29 11:17:27 jukebox rssh[4960]: setting log facility to LOG_USER
Apr 29 11:17:27 jukebox rssh[4960]: allowing scp to all users
Apr 29 11:17:27 jukebox rssh[4960]: allowing sftp to all users
Apr 29 11:17:27 jukebox rssh[4960]: setting umask to 022
Apr 29 11:17:27 jukebox rssh[4960]: chrooting all users to /users
Apr 29 11:17:27 jukebox rssh[4960]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 “/usr/lib/openssh/sftp-server”
So everything looks okay, but my client still gives me an error.
Error: Fatal: unable to initialise SFTP on server: could not connect
Error: Could not connect to server
Me too getting the same error. Can someone give me the fix.
It worked for me after copying /etc/passwd to /users/etc/passwd. 🙂 🙂
Naren,
I had the same problem. I tried something from one of the above comments and it worked. Just copy the /lib/libnss_files.so.2 file into your chroot jail. For example, if your chroot jail is “/chroot” then
cp /lib/libnss_files.so.2 /chroot/lib
Also remember to copy the entry from /etc/passwd for your user into the chroot jail. For example, if your jailed username is “jaileduser” then
grep jaileduser /etc/passwd >> /chroot/etc/passwd
Brad
Thanks for the tip! It helped me too 😉
I have tried this and worked very well on CentOS 5.2. However on CentOS 5.4, it does not work. As soon as I type the password at the sftp prompt, I get the message “Connection closed”.
I have disabled SELinux. When it did not work, I have done “yum install openssh” and built RSSH from source – that did not help either. Please suggest some help. I added the log file entries below:
Thank you,
Naren
/var/log/messages:
Dec 31 06:56:06 sftpserver1 rssh[10317]: setting log facility to LOG_USER
Dec 31 06:56:06 sftpserver1 rssh[10317]: allowing scp to all users
Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: new session for sftpuserA, UID=500
Dec 31 06:56:06 sftpserver1 rssh[10317]: allowing sftp to all users
Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: user's home dir is /sftproot/sftpuserA
Dec 31 06:56:06 sftpserver1 rssh[10317]: setting umask to 022
Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: chrooted to /sftproot
Dec 31 06:56:06 sftpserver1 rssh[10317]: chrooting all users to /sftproot
Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: changing working directory to /sftpuserA (inside jail)
Dec 31 06:56:06 sftpserver1 rssh[10317]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"
/var/log/secure:
Dec 31 06:56:05 sftpserver1 sshd[10314]: Accepted password for sftpuserA from 10.8.0.6 port 62566 ssh2
Dec 31 06:56:05 sftpserver1 sshd[10314]: pam_unix(sshd:session): session opened for user sftpuserA by (uid=0)
Dec 31 06:56:06 sftpserver1 sshd[10316]: subsystem request for sftp
Dec 31 06:56:06 sftpserver1 sshd[10314]: pam_unix(sshd:session): session closed for user sftpuserA
Vivek,
I’m trying this on CentOS release 4.8 (Final). The user can’t log in if chrootpath and user are defined.
If I comment out (disable) the chrootpath and user entries, it allows login but the user is free to roam around. How can I lock the user down to their own directory?
Any help very much appreciated.
My rssh.conf is as follows (in this state it does not allow user to login):
==================== begin: rssh.conf =================
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath=/users
user = ftptester:011:11000:/users/ftptester # whole user string can be quoted
==================== end rssh.conf ==============
The error in /var/log/messages is
===========================================================
Dec 4 10:13:34 summitftp-new sshd(pam_unix)[13478]: session opened for user ftptester by (uid=0)
Dec 4 10:13:34 summitftp-new rssh[13481]: setting log facility to LOG_USER
Dec 4 10:13:34 summitftp-new rssh[13481]: allowing scp to all users
Dec 4 10:13:34 summitftp-new rssh[13481]: allowing sftp to all users
Dec 4 10:13:34 summitftp-new rssh[13481]: setting umask to 022
Dec 4 10:13:34 summitftp-new rssh[13481]: line 53: configuring user ftptester
Dec 4 10:13:34 summitftp-new rssh[13481]: setting ftptester’s umask to 011
Dec 4 10:13:34 summitftp-new rssh[13481]: allowing rdist to user ftptester
Dec 4 10:13:34 summitftp-new rssh[13481]: allowing rsync to user ftptester
Dec 4 10:13:34 summitftp-new rssh[13481]: chrooting ftptester to /users/ftptester
Dec 4 10:13:34 summitftp-new rssh[13481]: user ftptester attempted to execute forbidden commands
Dec 4 10:13:34 summitftp-new rssh[13481]: command: /usr/libexec/openssh/sftp-server
Dec 4 10:13:34 summitftp-new sshd(pam_unix)[13478]: session closed for user ftptester
==================
What am I missing?
Thanks
Hi,
I also get the same error.
Is it possible to post all of this in a cleaner article?
I’m using CentOS 5.5.
I followed all the instructions, but I cannot lock the user in his directory.
Am I missing something ?
I’m using CentOS 5.3 and when trying to sftp with chroot was getting a No User Found error after successful authentication and chroot… I scoured the web and found this solution:
Add the following files (note you’ll need to find these files on your system and you will need to change “chroot” in the example to your chroot directory):
/chroot/lib64/libnss_files.so.2
/chroot/lib64/ld-linux-x86-64.so.2
/chroot/lib64/libc.so.6
AND you also must add each user to the /chroot/etc/passwd file, just copy it from the real /etc/passwd
I can confirm that this is working.
I’ve had problem with RHEL5 64-bit and just adding:
/chroot/lib64/libnss_files.so.2
did job for me.
Already have copied files:
/chroot/lib64/ld-linux-x86-64.so.2
/chroot/lib64/libc.so.6
All libs are located under the /lib64/ dir.
I had a problem with the connection being closed right after successful authentication of the user.
Here list of files which should be contained in chrooted structure (some binaries can be excluded – depends on requirements):
/chroot/bin:
sh
/chroot/dev:
log null
/chroot/etc:
group hosts ld.so.cache ld.so.conf ld.so.conf.d nsswitch.conf passwd resolv.conf
/chroot/etc/ld.so.conf.d: (I think that we don’t really need this dir)
mysql-x86_64.conf
/chroot/lib: (this is soft link – “ln -s lib64 lib”)
ld-linux-x86-64.so.2 libcrypto.so.6 libdl.so.2 libkeyutils.so.1 libnsl.so.1 libnss_files.so libplc4.so libresolv.so.2 libutil.so.1
libcrypt.so.1 libgssapi_krb5.so.2 libkrb5.so.3 libnspr4.so libnss_files.so.2 libplds4.so libselinux.so.1 libz.so.1
libcom_err.so.2 libc.so.6 libk5crypto.so.3 libkrb5support.so.0 libnss3.so libnssutil3.so libpthread.so.0 libsepol.so.1
/chroot/lib64:
ld-linux-x86-64.so.2 libcrypto.so.6 libdl.so.2 libkeyutils.so.1 libnsl.so.1 libnss_files.so libplc4.so libresolv.so.2 libutil.so.1
libcrypt.so.1 libgssapi_krb5.so.2 libkrb5.so.3 libnspr4.so libnss_files.so.2 libplds4.so libselinux.so.1 libz.so.1
libcom_err.so.2 libc.so.6 libk5crypto.so.3 libkrb5support.so.0 libnss3.so libnssutil3.so libpthread.so.0 libsepol.so.1
/chroot/libexec:
openssh
/chroot/libexec/openssh:
/chroot/usr:
bin lib lib64 libexec
/chroot/usr/bin:
rssh scp sftp sftp-server
/chroot/usr/lib64:
lib libgssapi_krb5.so.2 libk5crypto.so.3 libkrb5.so.3 libkrb5support.so.0 libnspr4.so libnss3.so libnssutil3.so libplc4.so libplds4.so libz.so.1
/chroot/usr/libexec:
openssh rssh_chroot_helper
/chroot/usr/libexec/openssh:
sftp-server
I too can confirm that this is working.
For all having the execv problem:
It happens on amd64 systems.
Add the following lines to mkchroot.sh:
#####################################################################
#
# set up /dev/log
#
mkdir -p "$jail_dir/dev"
######### user added code ##############
# cp some more files
cp /lib/ld-linux-x86-64.so.2 "$jail_dir/lib/"
cp /lib/ld-linux.so.2 "$jail_dir/lib/"
cp -pR /lib64 "$jail_dir/"
# make /dev/null
mknod -m 666 "$jail_dir/dev/null" c 1 3
########## end user added code ############
echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"
I found the solution here
OK, the explanation did solve some of the problem.
Now I face the same problem Henry is facing with the execv command. Plus my file locations are /usr/lib/rssh/rssh_chroot_helper & /usr/lib/openssh/sftp_server.
What should I do next?
Hey, I have been trying to do this chroot thing for my server but it gives me some error.
Users can't seem to connect at all. The connection is also terminated by the server. I followed each and every step of what is written here. Everything copied perfectly; I double checked as well.
But yet this chroot doesn't work. Can I know why that is? I use a Debian based server: Ubuntu Server 9.04.
I just found some information in the CHROOT document file, which seems to be exactly what is happening to me. I had not looked at this document previously so let me check it out and see if I can fix this problem I am having.
I followed all the instructions very carefully, and I almost have this working. It seems to work for scp, but when I use SFTP, the session is closed immediately after the log in. The log messages show that the passwd was accepted, but I see this message: “May 5 21:42:38 localhost rssh_chroot_helper[25142]: execv() failed, /usr/libexec/openssh/sftp-server: No such file or directory”. The file “/usr/libexec/openssh/sftp-server” does exist, so it can only be talking about the execv command, which I have found does not exist on my system. What do I do? Did anyone experience this?
I could use some help. I already have a user named publicfiles and a home directory with a crap load of files in it for school. How do I lock it down so when people use WinSCP, they can't go anywhere in my server BUT the publicfiles folder? Please help. I don't want to add any new users or whatever. Just want to edit the current publicfiles user.
Thanx
That’s a lot of bullshit just to restrict a user to a specific directory. Holy shit.
Feel the exact same way *sigh* but the client gets what the client wants.
Oops, sorry, on step 2. I meant:
touch /users/etc/passwd
touch /users/etc/group
Hi Vivek,
Thanks for your guide, I got it working on Debian, but first I needed to do some extra steps:
1. There is no /etc/ld.so.cache.d in debian, so, don’t worry about copying it.
2. Instead of copying your /etc/passwd and /etc/group files to your chroot folder, just do this:
touch /passwd
touch /group
For jailing you don't really need to have users and groups inside those files.
3. The syslog configuration from debian is under /etc/default/syslogd. Instead of a “SYSLOGD_OPTIONS” variable, you have to change “SYSLOGD” instead.
4. Somewhere on the cybercity howto it is written: “Tip: If possible mount /users filesystem with the noexec/nosuid option to improve security.”; unfortunately, if you set noexec on the filesystem, then the user won't be allowed to run sftp-server, thus the connection will fail. So, set only nosuid.
5. suid the original chroot_rssh_chroot_helper command, otherwise you won't be able to log in to the machine:
chmod u+s /usr/lib/rssh/rssh_chroot_helper
Note: A solution for avoiding this is explained here:
Howto create chrooted Openssh SFTP without shell access through rssh:
http://ubuntuforums.org/showthread.php?t=128206&page=9
I may try it later.
6. In order to prevent users from browsing other people's stuff, just add this to common-session in the /etc/pam.d folder:
session required pam_mkhomedir.so debug skel=/etc/skel umask=0077
So, only the owner will be able to browse the files on a user folder.
Addendum to the above:
Of course, /opt/local/ssh/libexec/sftp-server did exist, and it was pointed to in the /etc/ssh/sshd_config file. I've changed that to: /altroot/opt/local/ssh/libexec/sftp-server
and copied the executable there.
I also updated the .etc.rssh.conf file to allowscp and sftp, as follows:
# Leave these all commented out to make the default action for rssh to lock
# users out completely…
allowscp
allowsftp
My entry in this file is:
chrootpath = /altroot
user="pmitchel:502:00011:/altroot"
which should translate to allow scp, sftp, start from /altroot.
Still, I’m getting:
Feb 3 14:23:46 ELNDZ01F sshd[3591]: Accepted password for pmitchel from 152.X.X.X port 33128 ssh2
Feb 3 14:23:46 ELNDZ01F sshd[3596]: subsystem request for sftp
Feb 3 14:23:46 ELNDZ01F rssh[3597]: setting log facility to LOG_USER
Feb 3 14:23:46 ELNDZ01F rssh[3597]: allowing scp to all users
Feb 3 14:23:46 ELNDZ01F rssh[3597]: allowing sftp to all users
Feb 3 14:23:46 ELNDZ01F rssh[3597]: setting umask to 022
Feb 3 14:23:46 ELNDZ01F rssh[3597]: chrooting all users to /altroot
Feb 3 14:23:46 ELNDZ01F rssh[3597]: user pmitchel attempted to execute forbidden commands
Feb 3 14:23:46 ELNDZ01F rssh[3597]: command: /altroot/opt/local/ssh/libexec/sftp-server
why?
Hello Folks,
I'd really like to get the chroot jail set up (we have a need for people to deposit data without being able to ssh in). I'm running into two problems, and while I've been a Solaris admin for a long time, I'm still a beginner with Linux, so I'm probably missing something obvious.
My /etc/rssh.conf states: chrootpath = /altroot, and in this partition, I've manually copied a number of files from an earlier scponly install and the contents of this web page. One thing I note is that there are many missing libraries on my system as compared to what ldd thinks sftp needs. However, sftp works.
But when I create a user with rssh as the shell, the following occurs:
and the obvious error message is:
My question is, why is rssh invoking /opt/local/ssh/libexec/sftp-server, especially as this file doesn't exist!
Any help will be appreciated, thanks.
Paul Mitchell
I like these pages a lot. Clearly written and frequently right. I spent many hours struggling with this but, judging from other forums, this is a fiddly thing to provide definitive steps for.
I kept failing with the chroot configuration (on CentOS 5). sftp connections would be dropped with no clear errors logged. The problems proved to be down to required files (libz.so.1, for one) that existed as symlinks in the original file system. These had been copied into the chroot by the script as files with the name of the links that linked to them. While I would have thought this would work, deleting these files and recreating the symlink set-up manually did the trick.
Thanks for getting me started!
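The symlink pitfall described in the comment above, as an added example that is not part of the original comments or of rssh's own mkchroot.sh: a POSIX shell helper that copies a binary and the libraries ldd reports for it into the jail at their host paths, re-creating each symlink in the chain (libz.so.1 -> libz.so.1.2.3) instead of flattening it into a regular file. The function names, the jail root argument and the availability of readlink(1) and ldd(1) are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or rssh's mkchroot.sh.
# jail_copy JAIL PATH: copy PATH into JAIL at the same path
# (/lib64/libz.so.1 becomes JAIL/lib64/libz.so.1). If PATH is a symlink,
# the link itself is re-created in the jail and then followed, so the
# whole chain ends up in the jail exactly as it is on the host.
jail_copy() {
    jail="$1"
    src="$2"
    while :; do
        dst="$jail$src"
        mkdir -p "$(dirname "$dst")"
        if [ -L "$src" ]; then
            target=$(readlink "$src")
            ln -sfn "$target" "$dst"
            # Relative link targets are resolved against the link's directory.
            case "$target" in
                /*) src="$target" ;;
                *)  src="$(dirname "$src")/$target" ;;
            esac
        else
            cp -p "$src" "$dst"
            return 0
        fi
    done
}

# jail_install JAIL BINARY: copy BINARY plus every shared object ldd lists.
# ldd prints "libz.so.1 => /lib64/libz.so.1 (0x...)" for resolved libraries
# and "/lib64/ld-linux-x86-64.so.2 (0x...)" for the loader; the vdso entry
# has no path and is skipped by the /^\// filters.
jail_install() {
    jail="$1"
    bin="$2"
    jail_copy "$jail" "$bin"
    ldd "$bin" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
        while read -r lib; do jail_copy "$jail" "$lib"; done
}

# Usage on a real host (assumed jail root /users): jail_install /users /usr/bin/rssh
```

Run it once per binary listed in the article (rssh, scp, sftp, sftp-server, rssh_chroot_helper) and the jail's lib directories end up with the same link structure the loader expects on the host.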
First of all, thank you very much for the interesting and well written article.
Eventually I do have a similar question as Ivan before, only that in my case users can back up their data to their home directories using rsync. Is it possible to positively prevent, say, user1 from accessing data from user2?
Kind regards
Stefan
Very nice article. Plenty of good information.
Only one “complaint”, if you will…
the title “configure chroot jail to lock users to their home directory only” leads me to believe the article will show how to “lock users to home”.
It does not do this. Users are locked to the chroot jail ONLY.
if my chroot jail is: /home/chroot
and my users' home directories go under that, i.e.:
/home/chroot/user1
I’m using sftp only – and I do NOT want my users leaving their home directory. In fact – I don’t even want them to be able to ls another users directory.
I have seen NO solution that deals with this…
can this be done?
(note: modifying the rssh.conf file & restarting services every time a new user is added to the system is not an acceptable solution)
TIA
Very nice article! I have two questions:
1) Shouldn’t /etc/ld.so.cache.d/* be
/etc/ld.so.conf.d/*?
2) In Debian 4.0 and Ubuntu 7.10, I do not
have the line
SYSLOGD_OPTIONS="-m 0"
Instead, I have the line
SYSLOGD=""
What should I do?
Nice article Vivek. However, some directories are not even required according to the admin restriction.
It's better to use fewer directories in the chroot jail account for security reasons. The following directories are enough for file transmission:
/etc
/usr
/lib
Thanks