[PLUG] setting up SSH to chroot to user homeDir

Josh Orchard josh at emediatedesigns.com
Fri Jul 21 23:17:52 UTC 2006


Tim,

Reading backwards on the post, this sounds like the only option there is.  
Too bad. I would have liked an easier way to accomplish this.  I like 
SSH, but due to its nature of sharing the entire computer file system I 
have elected to not allow it.  Now I need to, and I'm trying to judge 
whether to just allow and trust all SSH users or find a more secure way 
of giving them access but locking their ability. 

When you mentioned that you did a chattr on the files, I was unfamiliar 
with this.  I see it is like chmod, but I think not the same.  I see that 
putting +i on a file with chattr prevents a user from modifying 
the file.  Hmm, okay, the more I write the more I understand.  Perhaps I 
could do this without too much more. 

How do I get the other shells to re-route back to rbash? 

Thanks,

Josh

Tim Slighter wrote:
> The rbash idea is a good one, but there are still many more steps to take to
> make sure the user stays within that shell and within the confines of their
> home directory.  You have to create a directory somewhere like /usr/progs
> and put the binaries, and only the binaries, that you want the user to have
> access to, and then declare that directory as the user's only path in their
> .bash_profile or .bashrc or both.  Better off if any programs with potential
> shell escapes like pine, vi, emacs etc. are all replaced with a restricted
> version of the binary such as rvi or rvim, etc.  You will also need to
> declare restrictive aliases for each user to prevent them from accessing any
> other shells, so declare an alias for ksh to /bin/rbash and csh ->
> /bin/rbash; what you are doing here is making sure that any shell they
> attempt to get to will always put them back into and keep them in rbash.
> Make sure also that you prevent them from using the unalias command by
> declaring that to /bin/rbash as well, and then you must prevent the user from
> modifying the file, so do a chattr +i on the .bashrc or .bash_profile files
> in their home directories.  I did manage to do this but it was a pain and
> quite a bit of work and a lot of trial and error.  Feel free to ask
> questions if you need help with this.
>
> On 7/21/06, Larry Brigman <larry.brigman at gmail.com> wrote:
>>
>> On 7/20/06, Josh Orchard <josh at emediatedesigns.com> wrote:
>> > Hello all,
>> >
>> > Been looking about the wonderful web and reading about how I could
>> > achieve this, but all that I've found makes it sound like I need to set up
>> > yet another custom product of sorts.  So...
>> >
>> > Is there a way that I can configure SSHD to allow clients to login but
>> > be chrooted to their home directory?
>> >
>> > FTP does this well and I would like to have it do the same for SSHD.
>> > I'm actually surprised this isn't a configuration option on OpenSSH as
>> > it would make sense that you would want to allow certain shell access
>> > but not allow all people to go about browsing your entire server.
>> >
>> > So, is this possible?  Do I need some sort of custom SSH or is there
>> > another program I can use to give secure Shell access?
>> >
>>
>> What about setting the user's shell to rbash or bash -r?
>>
>> From the bash man page:
>> RESTRICTED SHELL
>>        If bash is started with the name rbash, or the -r option is supplied at
>>        invocation, the shell becomes restricted.  A restricted shell is used
>>        to set up an environment more controlled than the standard shell.  It
>>        behaves identically to bash with the exception that the following are
>>        disallowed or not performed:
>>
>>              changing directories with cd
>>              setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
>>              specifying command names containing /
>>              specifying a file name containing a / as an argument to the .
>>                 builtin command
>>              specifying a filename containing a slash as an argument to the
>>                 -p option to the hash builtin command
>>              importing function definitions from the shell environment at
>>                 startup
>>              parsing the value of SHELLOPTS from the shell environment at
>>                 startup
>>              redirecting output using the >, >|, <>, >&, &>, and >> redirection
>>                 operators
>>              using the exec builtin command to replace the shell with another
>>                 command
>>              adding or deleting builtin commands with the -f and -d options
>>                 to the enable builtin command
>>              using the enable builtin command to enable disabled shell
>>                 builtins
>>              specifying the -p option to the command builtin command
>>              turning off restricted mode with set +r or set +o restricted.
>> _______________________________________________
>> PLUG mailing list
>> PLUG at lists.pdxlinux.org
>> http://lists.pdxlinux.org/mailman/listinfo/plug
>>
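The rbash setup Tim describes, as an added example that is not code from anyone in this thread: it builds the jailed home in a scratch directory and probes it with "bash -r" (equivalent to /bin/rbash per the man page Larry quoted), so the restrictions can be checked without root. The "progs" directory stands in for Tim's /usr/progs, and the allow-list of ls and cat is a placeholder for whatever the real user needs; both are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): build an rbash jail in a scratch
# directory and verify what the restricted shell does and does not stop.
# Assumed: bash is installed; "progs" stands in for Tim's /usr/progs;
# ls and cat are a placeholder allow-list.

BASH_BIN="$(command -v bash)"

# Create $1 as a home directory whose PATH is a single allow-list directory,
# with the other shells and unalias aliased back into the restricted shell.
setup_restricted_home() {
    home="$1"
    progs="$home/progs"
    mkdir -p "$progs"
    for b in ls cat; do
        ln -sf "$(command -v "$b")" "$progs/$b"   # allow-listed binaries only
    done
    cat > "$home/.bash_profile" <<EOF
# Single-directory PATH: anything not linked into $progs is unreachable.
PATH=$progs
export PATH
# Route the other shells, and unalias itself, back into the restricted shell.
alias sh=/bin/rbash bash=/bin/rbash ksh=/bin/rbash csh=/bin/rbash unalias=/bin/rbash
EOF
    # The remaining steps need root on the real box and are not run here:
    #   chsh -s /bin/rbash USER            # login shell becomes rbash
    #   chattr +i HOME/.bash_profile       # user cannot rewrite the PATH line
}

# Run one command line inside the jail: clean environment (so no BASH_ENV
# sneaks in), jail PATH, restricted bash.  Exit status is 0 if rbash allowed
# the command, nonzero if it refused it or the command is not allow-listed.
run_restricted() {
    home="$1"
    env -i HOME="$home" PATH="$home/progs" "$BASH_BIN" -r -c "$2" >/dev/null 2>&1
}

# Probe the jail the way a user would and report each attempt.
probe() {
    if run_restricted "$1" "$2"; then
        echo "allowed: $2"
    else
        echo "refused: $2"
    fi
}

JAIL="$(mktemp -d)"
OUTSIDE="$JAIL.outside.txt"       # constructed file that is NOT under the jailed home
echo secret > "$OUTSIDE"
trap 'rm -rf "$JAIL" "$OUTSIDE"' EXIT
setup_restricted_home "$JAIL"

probe "$JAIL" 'ls'                # allow-listed, runs
probe "$JAIL" 'cd /'              # refused: cd is disallowed
probe "$JAIL" '/bin/ls'           # refused: slash in a command name
probe "$JAIL" 'PATH=/bin'         # refused: PATH cannot be changed
probe "$JAIL" 'ls > listing'      # refused: output redirection
probe "$JAIL" 'id'                # refused only because id is not on the allow-list
probe "$JAIL" "cat $OUTSIDE"      # allowed: rbash is not a chroot, arguments may contain /
```

Two things the probes make visible. First, the last line: rbash only restricts command names, not arguments, so any allow-listed reader (cat, less, an editor) can still open world-readable files anywhere on the box; it confines what the user can run, not what they can see, which is not the chroot Josh asked for. Second, aliases are a weak control: a leading backslash (\sh) skips alias expansion, so the single-directory PATH, not the alias lines, is what actually keeps other shells out of reach, and every binary you do link into that directory has to be one that cannot spawn a shell or write the startup files. chattr +i needs root and a filesystem that supports the immutable flag. Later OpenSSH releases added a ChrootDirectory option in sshd_config, which is the direct answer to the original question but was not available when this thread was written.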