[PLUG] setting up SSH to chrrot to user homeDir
Tim Slighter
tcslighter at gmail.com
Fri Jul 21 17:45:32 UTC 2006
The rbash idea is a good one but there are still many more steps to take to
make sure the user stays within that shell and within the confines of their
home directory. You have to create a directory somewhere like /usr/progs
and put the binaries and only the binaries that you want the user to have
access to and then declare that directory and the users only path in their
.bash_profile or .bashrc or both. Better off if any programs with potential
shell escapes like pine, vi, emacs etc, are all replaced with a restricted
version of the binary such as rvi or rvim, etc. You will also need to
declare restrictive aliases for each user to prevent them access to any
other shells so declare an alias for ksh to /bin/rbash and csh ->
/bin/rbash, so what you are doing here is making sure that any shell they
attempt to get to will always put them back into and keep them in rbash.
Make sure also that you prevent them from using the unalias command by
declaring that to /bin/rbash as well and then you must prevent the user from
modifying the file so do a chattr +i on the .bashrc or .bash_profile files
in their home directories. I did manage to do this but it was a pain and
quite a bit of work and a lot of trial and error. Feel free to ask
questions if you need help with this.
On 7/21/06, Larry Brigman <larry.brigman at gmail.com> wrote:
>
> On 7/20/06, Josh Orchard <josh at emediatedesigns.com> wrote:
> > Hello all,
> >
> > Been looking about the wonderful web and reading about how I could
> > achieve this but all that I've found makes it sound like I need to setup
> > yet another customer product of sorts. So...
> >
> > Is there a way that I can configure SSHD to allow clients to login but
> > be chrooted to their home directory?
> >
> > FTP does this well and I would like to have it do the same for SSHD.
> > I'm actually surprised this isn't a configuration option on OpenSSH as
> > it would make sense that you would want to allow certain shell access
> > but not allow all people to go about browsing your entire server.
> >
> > So, is this possible? Do I need some sort of custom SSH or is there
> > another program I can use to give secure Shell access?
> >
>
> What about setting the users shell to rbash or bash -r.
>
> >From the bash man page:
> RESTRICTED SHELL
> If bash is started with the name rbash, or the -r option is
> supplied at
> invocation, the shell becomes restricted. A restricted shell is
> used
> to set up an environment more controlled than the
> standard shell. It
> behaves identically to bash with the exception that the following
> are
> disallowed or not performed:
>
> changing directories with cd
> setting or unsetting the values of SHELL, PATH, ENV, or
> BASH_ENV
> specifying command names containing /
> specifying a file name containing a / as an argument to
> the .
> builtin command
> Specifying a filename containing a slash as an
> argument to the
> -p option to the hash builtin command
> importing function definitions from the shell environment
> at
> startup
> parsing the value of SHELLOPTS
> from the shell environment at
> startup
> redirecting output using the >, >|, <>, >&, &>, and >>
> redirec-
> tion operators
> using the exec builtin command to replace the shell with
> another
> command
> adding or deleting builtin commands with the -f and -d
> options
> to the enable builtin command
> Using
> the enable builtin command to enable disabled shell
> builtins
> specifying the -p option to the command builtin command
> turning off restricted mode with set +r or set +o restricted.
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
More information about the PLUG
mailing list