rssh
Jailing sftp/scp connections
(1206.12)
Short notes: this uses the rssh package from RPMforge. To set up a jail for $USER:
# chsh -s /usr/bin/rssh $USER
# cd ~$USER
# ls -ld .
(make note of the group owning the directory; that is $GROUP below)
# /usr/local/sbin/mkchroot.sh `pwd` $USER 2755 $GROUP
(lots of noise)
# vi /etc/rssh.conf
- add a line like:
user = $USER:011:00011:$PATH-TO-JAIL
...and you are good to go. Example:
# chsh -s /usr/bin/rssh daveftp
Changing shell for daveftp.
Shell changed.
# cd ~daveftp
# ls -ld .
drwxr-x--- 6 daveftp daveftp 4096 Jun 12 11:33 .
# /usr/local/sbin/mkchroot.sh `pwd` daveftp 2775 daveftp
(noise)
# vi /etc/rssh.conf
user = daveftp:011:00011:/opt/ftproot/daveftp
Done!
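A quick sanity check for the result, added here as an example (not code from this page or from the rssh project): it decodes the access field of each user= line in rssh.conf (digits left to right: rsync, rdist, cvs, sftp, scp, as documented in rssh.conf(5)) and warns about any jail that allows more than sftp/scp or whose account is not actually on the rssh shell. The rssh.conf and passwd contents below are constructed samples; the user names bob and carol are made up.

```sh
#!/bin/sh
# Added example, not from the page or the rssh project. Assumes the rssh.conf line format
# user=NAME:UMASK:ACCESS:JAIL and that the five ACCESS digits mean, left to right,
# rsync rdist cvs sftp scp (as documented in rssh.conf(5)).

# Print the services enabled by a five-digit access field, e.g. 00011 -> "sftp scp".
rssh_access_names() {
    bits=$1; names=""; i=1
    for svc in rsync rdist cvs sftp scp; do
        [ "$(printf '%s' "$bits" | cut -c"$i")" = 1 ] && names="$names $svc"
        i=$((i + 1))
    done
    printf '%s\n' "${names# }"
}

# Audit every user= line in $1 (rssh.conf) against $2 (a passwd file): one WARN line
# per jail that allows more than sftp/scp, or whose account is not on the rssh shell.
rssh_audit() {
    conf=$1; passwd=$2
    grep '^user *= *' "$conf" | sed 's/^user *= *//' |
    while IFS=: read -r name mask access jail; do
        enabled=$(rssh_access_names "$access")
        case " $enabled " in
            *" rsync "*|*" rdist "*|*" cvs "*)
                echo "WARN $name: access $access enables '$enabled' (more than sftp/scp)" ;;
        esac
        shell=$(awk -F: -v u="$name" '$1 == u { print $7 }' "$passwd")
        [ "$shell" = /usr/bin/rssh ] ||
            echo "WARN $name: login shell is '${shell:-missing}', not /usr/bin/rssh"
    done
}

# Constructed sample files (not real system files) so the check runs offline.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/rssh.conf" <<'EOF'
user = daveftp:011:00011:/opt/ftproot/daveftp
user = bob:022:10011:/opt/ftproot/bob
user = carol:022:00011:/opt/ftproot/carol
EOF
cat > "$tmp/passwd" <<'EOF'
daveftp:x:1001:1001::/opt/ftproot/daveftp:/usr/bin/rssh
bob:x:1002:1002::/opt/ftproot/bob:/usr/bin/rssh
carol:x:1003:1003::/opt/ftproot/carol:/bin/bash
EOF

rssh_audit "$tmp/rssh.conf" "$tmp/passwd"   # prints a WARN for bob (rsync) and carol (bash)
```

Point it at the real /etc/rssh.conf and /etc/passwd to confirm every jailed account ends up with 00011 and /usr/bin/rssh.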
Comments
- Fucking around with syslog is left as an exercise for the reader.
- I copied mkchroot.sh from http://www.andreyvoev.com/programming/restrict-ssh-users-and-lock-them-into-a-specific-folder-centos-5-4/
- This isn't as secure as using the built-in chroot'ing in OpenSSH 5.x and higher, but it is a hell of a lot more convenient.
- If you are making a lot of jails on the same file system, you could probably change the script to make one reference jail, then hard-link all the sharable files (which at first glance appear to be all of them except /etc/group and /etc/passwd) to save some space. On the other hand, the total footprint of a complete, stand-alone jail on CentOS 5.8 is less than 9MB.
- WinSCP works with these jails.