
rssh

Created by dave. Last edited by dave, 11 years and 255 days ago.
attachments: mkchroot.sh (7152)

Jailing sftp/scp connections

(1206.12)

Short notes: this uses the rssh package from RPMforge. rssh is a restricted login shell that only lets the user run scp, sftp (and optionally rsync, rdist and cvs) and can run them inside a chroot. The jail has to contain copies of those binaries and the libraries they need, which is what the attached mkchroot.sh builds. To set up a jail for $USER:

# chsh -s /usr/bin/rssh $USER
  (chsh refuses a shell that is not listed in /etc/shells; the RPM should add /usr/bin/rssh there, so check that file if chsh complains)
# cd ~$USER
# ls -ld .
  (make note of $GROUP, the group owning the home directory; the jail is built at this path, so the home directory becomes the jail root)
# /usr/local/sbin/mkchroot.sh `pwd` $USER $MODE $GROUP
  ($MODE is the mode put on the jail root; the example below uses 2775)
  (lots of noise)
# vi /etc/rssh.conf
- add a line like:
  user = $USER:011:00011:$PATH-TO-JAIL
  (the fields are username, umask, access bits and the path to the jail root. The five access bits are read left to right as rsync, rdist, cvs, scp, sftp, so 00011 allows scp and sftp only. $PATH-TO-JAIL is the directory mkchroot.sh was run on.)
...and you are good to go.

Example:

# chsh -s /usr/bin/rssh daveftp
Changing shell for daveftp.
Shell changed.
# cd ~daveftp
# ls -ld .
drwxr-x--- 6 daveftp daveftp 4096 Jun 12 11:33 .
# /usr/local/sbin/mkchroot.sh `pwd` daveftp 2775 daveftp
(noise)
# vi /etc/rssh.conf
  user = daveftp:011:00011:/opt/ftproot/daveftp
Done!

Comments

  • Fucking around with syslog is left as an exercise for the reader. (The chrooted sftp-server and rssh_chroot_helper cannot reach the real /dev/log; sysklogd has to open an extra socket inside the jail, i.e. add -a /opt/ftproot/daveftp/dev/log to SYSLOGD_OPTIONS in /etc/sysconfig/syslog, one -a per jail, and make sure the jail has a dev directory for it.)
  • I copied mkchroot.sh from http://www.andreyvoev.com/programming/restrict-ssh-users-and-lock-them-into-a-specific-folder-centos-5-4/
  • This isn't as secure as using the built-in chroot'ing in OpenSSH 5.x and higher (ChrootDirectory with "Subsystem sftp internal-sftp", which needs no binaries, libraries or passwd copies inside the jail, so there is nothing in the jail to go stale or be swapped out), but CentOS 5 ships OpenSSH 4.3, and this is a hell of a lot more convenient. The price is that every jail carries its own copies of scp, sftp-server and their libraries, which yum will not update; refresh them by hand after an openssh or glibc update.
  • If you are making a lot of jails on the same file system, you could probably change the script to make one reference jail, then hard-link all the sharable files (which at first glance appear to be all of them except /etc/group and /etc/passwd) to save some space. On the other hand, the total footprint of a complete, stand-alone jail on CentOS 5.8 is less than 9MB.
  • WinSCP works with these jails.