OpenSSH has a server-side feature for chrooting users to a specific directory after they log in; that way you can ensure the users don't have access to your data. Useful when reverse tunneling.
First, you need a directory that you can chroot into using chroot, i.e. it needs the bare minimum; usually bind-mounting /bin and /lib64 (x64) or /lib (on x86) read-only will do (I'm not sure about x86). Assuming /home/chroot is this directory -
mount --bind /bin /home/chroot/bin
mount -o remount,bind,ro /home/chroot/bin
Same for /lib (or /lib64).
Try chrooting into /home/chroot; it should work. Once chrooted, the libraries and executables under /home/chroot/* are the ones that get used, even by SSH.
Next you need to create or modify a user which sshd will chroot; notice that the files in /home/chroot need to be used for this, not those in /. While creating/modifying the user, take note that the paths will be relative to /home/chroot, NOT the usual way. I.e. if you're specifying bash as the default shell for the user, it will not be /home/chroot/bin/bash but /bin/bash; thus when sshd chroots the user, it will use /home/chroot/bin/bash and not /bin/bash. Sounds confusing.
Now let's make a home directory for the user (optional, i.e. you can specify / as the home directory) -
mkdir /home/chroot/ch_root
Make or modify a user (I'll modify here) -
usermod -s /bin/bash --home /ch_root ch_root
Notice: on the server /ch_root does not exist, but in /home/chroot it does; this is what I meant to say -- paths are relative to /home/chroot and not /.
Now add the following directive to /etc/ssh/sshd_config -
ChrootDirectory /home/chroot
Restart sshd, then ssh in as ch_root and the user will be logged into a chrooted jail in /home/chroot. Note that sshd refuses to chroot unless /home/chroot and every directory above it is owned by root and not writable by group or others. Also, placed at the top level of sshd_config this directive applies to every user on the server; to confine only ch_root, put it under a Match User ch_root block.