For When You Can't Have The Real Thing
[ start | index | login ]
start > CentOS > 5 > rssh

rssh

Created by dave. Last edited by dave, 6 years and 119 days ago. Viewed 2,240 times. #4
[diff] [history] [edit] [rdf]
labels
attachments
mkchroot.sh (7152)

Jailing sftp/scp connections

(1206.12)

Short notes: this uses the rssh functionality from rpmforge. To set up a jail for $USER:

# chsh -s /usr/bin/rssh $USER
# cd ~$USER
# ls -ld .
(make note of $GROUP)
# /usr/local/sbin/mkchroot.sh `pwd` $USER 2755 $GROUP
(lots of noise)
# vi /etc/rssh.conf
- add line like:
  user = $USER:011:00011:$PATH-TO-JAIL
...and you are good to go.

Example:

# chsh -s /usr/bin/rssh daveftp
Changing shell for daveftp.
Shell changed.
# cd ~daveftp
# ls -ld .
drwxr-x--- 6 daveftp daveftp 4096 Jun 12 11:33 .
# /usr/local/sbin/mkchroot.sh `pwd` daveftp 2775 daveftp
(noise)
# vi /etc/rssh.conf
  user = daveftp:011:00011:/opt/ftproot/daveftp
Done!

Comments

  • Fucking around with syslog is left as an exercise for the reader.
  • I copied mkchroot.sh from >>http://www.andreyvoev.com/programming/restrict-ssh-users-and-lock-them-into-a-specific-folder-centos-5-4/
  • This isn't as secure as using the built-in chroot'ing in OpenSSH 5.x and higher, but it is a hell of a lot more convenient.
  • If you are making a lot of jails on the same file system, you could probably change the script to make one reference jail, then hard-link all the sharable files (which at first glance appear to be all of them except /etc/group and /etc/passwd) to save some space. On the other hand, the total footprint of a complete, stand-alone jail on CentOS 5.8 is less than 9MB.
  • WinSCP works with these jails.
no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt