[PLUG] setting up SSH to chrrot to user homeDir

Chris Dawson xrdawson at gmail.com
Sat Jul 22 00:02:35 UTC 2006


The man page says:

"the following are disallowed or not performed:

       ·      changing directories with cd
...."

So, no, you cannot change directories.

Read the man page.  The first page is super simple and tells you
everything you need to know.

Chris

On 7/21/06, Josh Orchard <josh at emediatedesigns.com> wrote:
> Tim,
>
> Reading backwards on post this sounds like the only option there is.
> Too bad. I would have liked an easier way to accomplish this.  I like
> SSH but due to its nature of sharing the entire computer file system I
> have elected to not allow it.  Now I need to and I'm trying to judge
> whether to just allow and trust all SSH users or find a more secure way
> of giving them access but locking their ability.
>
> When you mentioned that you did a Chattr on the files I'm unfamiliar
> with this.  I see it is like chmod but I think not the same.  I see by
> putting a +i with chattr on a file that prevents a user from modifying
> the files.  Hmm, okay the more I write the more I understand.  Perhaps I
> could do this without too much more.
>
> How do I get the other shells to re-route back to rbash?
>
> Thanks,
>
> Josh
>
> Tim Slighter wrote:
> > The rbash idea is a good one but there are still many more steps to
> > take to make sure the user stays within that shell and within the
> > confines of their home directory.  You have to create a directory
> > somewhere like /usr/progs and put the binaries and only the binaries
> > that you want the user to have access to and then declare that directory
> > as the user's only path in their .bash_profile or .bashrc or both.
> > Better off if any programs with potential shell escapes like pine, vi,
> > emacs etc., are all replaced with a restricted version of the binary
> > such as rvi or rvim, etc.  You will also need to declare restrictive
> > aliases for each user to prevent them access to any other shells so
> > declare an alias for ksh to /bin/rbash and csh -> /bin/rbash, so what
> > you are doing here is making sure that any shell they attempt to get to
> > will always put them back into and keep them in rbash.  Make sure also
> > that you prevent them from using the unalias command by declaring that
> > to /bin/rbash as well and then you must prevent the user from modifying
> > the file so do a chattr +i on the .bashrc or .bash_profile files in
> > their home directories.  I did manage to do this but it was a pain and
> > quite a bit of work and a lot of trial and error.  Feel free to ask
> > questions if you need help with this.
> >
> > On 7/21/06, Larry Brigman <larry.brigman at gmail.com> wrote:
> >>
> >> On 7/20/06, Josh Orchard <josh at emediatedesigns.com> wrote:
> >> > Hello all,
> >> >
> >> > Been looking about the wonderful web and reading about how I could
> >> > achieve this but all that I've found makes it sound like I need to
> >> setup
> >> > yet another customer product of sorts.  So...
> >> >
> >> > Is there a way that I can configure SSHD to allow clients to login but
> >> > be chrooted to their home directory?
> >> >
> >> > FTP does this well and I would like to have it do the same for SSHD.
> >> > I'm actually surprised this isn't a configuration option on OpenSSH as
> >> > it would make sense that you would want to allow certain shell access
> >> > but not allow all people to go about browsing your entire server.
> >> >
> >> > So, is this possible?  Do I need some sort of custom SSH or is there
> >> > another program I can use to give secure Shell access?
> >> >
> >>
> >> What about setting the user's shell to rbash or bash -r.
> >>
> >> From the bash man page:
> >> RESTRICTED SHELL
> >>        If bash is started with the name rbash, or the -r option is
> >>        supplied at invocation, the shell becomes restricted.  A
> >>        restricted shell is used to set up an environment more
> >>        controlled than the standard shell.  It behaves identically to
> >>        bash with the exception that the following are disallowed or
> >>        not performed:
> >>
> >>              changing directories with cd
> >>              setting or unsetting the values of SHELL, PATH, ENV, or
> >>                 BASH_ENV
> >>              specifying command names containing /
> >>              specifying a file name containing a / as an argument to
> >>                 the . builtin command
> >>              Specifying a filename containing a slash as an argument
> >>                 to the -p option to the hash builtin command
> >>              importing function definitions from the shell environment
> >>                 at startup
> >>              parsing the value of SHELLOPTS from the shell environment
> >>                 at startup
> >>              redirecting output using the >, >|, <>, >&, &>, and >>
> >>                 redirection operators
> >>              using the exec builtin command to replace the shell with
> >>                 another command
> >>              adding or deleting builtin commands with the -f and -d
> >>                 options to the enable builtin command
> >>              Using the enable builtin command to enable disabled shell
> >>                 builtins
> >>              specifying the -p option to the command builtin command
> >>              turning off restricted mode with set +r or set +o
> >>                 restricted.
> >> _______________________________________________
> >> PLUG mailing list
> >> PLUG at lists.pdxlinux.org
> >> http://lists.pdxlinux.org/mailman/listinfo/plug
> >>
> >
>
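An added check, written for this page and not taken from the thread: it probes a restricted bash the way a defender would before handing it out as a login shell, testing the man-page restrictions quoted above and Tim's "PATH holds only the approved binaries" idea (an empty temporary directory stands in for /usr/progs). It assumes bash is installed and that rbash is simply bash started with -r.

```shell
#!/bin/sh
# Added example, not from the thread: probe a restricted bash before handing
# it out as a login shell. Checks the man-page restrictions quoted above and
# Tim's "PATH holds only approved binaries" idea (an empty temp dir stands
# in for /usr/progs). Assumes bash is installed; rbash is bash run with -r.

bash_bin=$(command -v bash)

# rbash_denies CMD: succeed (0) only if the restricted shell refuses CMD.
rbash_denies() {
    ! "$bash_bin" -r -c "$1" >/dev/null 2>&1
}

# rbash_allows CMD: succeed only if the restricted shell runs CMD fine.
rbash_allows() {
    "$bash_bin" -r -c "$1" >/dev/null 2>&1
}

# locked_path_hides CMD: with PATH pointing at an empty "approved binaries"
# directory, CMD must be unresolvable (exit 127) and PATH must stay read-only.
locked_path_hides() {
    dir=$(mktemp -d) || return 1
    PATH="$dir" "$bash_bin" -r -c "$1" >/dev/null 2>&1
    rc=$?
    PATH="$dir" "$bash_bin" -r -c 'PATH=/bin' >/dev/null 2>&1 && rc=0
    rmdir "$dir"
    [ "$rc" -eq 127 ]
}

# check_restricted_shell: run every probe and return the number of failed
# expectations, so 0 means the restrictions hold on this system.
check_restricted_shell() {
    [ -n "$bash_bin" ] || { echo 'bash not installed'; return 99; }
    fails=0
    for probe in 'cd /tmp' 'PATH=/tmp' 'SHELL=/bin/sh' '/bin/true' \
                 'echo x >/dev/null' 'exec /bin/sh' 'set +r'; do
        if rbash_denies "$probe"; then
            printf 'blocked : %s\n' "$probe"
        else
            printf 'ALLOWED : %s\n' "$probe"; fails=$((fails + 1))
        fi
    done
    # Plain builtins without a slash must still work or the shell is useless.
    rbash_allows 'echo ok' || fails=$((fails + 1))
    locked_path_hides 'ls' || fails=$((fails + 1))
    printf 'failed expectations: %s\n' "$fails"
    return "$fails"
}
check_restricted_shell
```

Any line reported as ALLOWED means that bash build does not enforce the restriction the man page promises, and the rbash approach should not be relied on there.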
