chrooted sftponly - how ?


chrooted sftponly - how ?

Bambero-3
Hello

Is there any good way to setup chrooted sftp-server without shell access ?

I tried scponly but it's not secure enough (I heard), there is no port
for OpenBSD, and I had problems setting it up.

Second way is rssh, but compilation fails because of wordexp.

Now I'm using ftpd but I want to change it because of plain-text passwords.

Any suggestions ?

Bambero


Re: chrooted sftponly - how ?

Francois Visconte-2
Hello,
Try changing sftp-only user's shell to /usr/libexec/sftp-server

Cheers,
François Visconte

Bambero wrote:

> Hello
>
> Is there any good way to setup chrooted sftp-server without shell
> access ?
>
> I tried scponly but it's not secure enough (I heard), there is no port
> for OpenBSD, and I had problems setting it up.
>
> Second way is rssh, but compilation fails because of wordexp.
>
> Now I'm using ftpd but I want to change it because of plain-text
> passwords.
>
> Any suggestions ?
>
> Bambero


Re: chrooted sftponly - how ?

Bambero-3
Seems to work fine but it's still not chrooted environment. Users have
access to a whole system.

On 9/18/06, Francois Visconte <[hidden email]> wrote:

> Hello,
> Try changing sftp-only user's shell to /usr/libexec/sftp-server
>
> Cheers,
> François Visconte
>
> Bambero wrote:
>
> > Hello
> >
> > Is there any good way to setup chrooted sftp-server without shell
> > access ?
> >
> > I tried scponly but it's not secure enough (I heard), there is no port
> > for OpenBSD, and I had problems setting it up.
> >
> > Second way is rssh, but compilation fails because of wordexp.
> >
> > Now I'm using ftpd but I want to change it because of plain-text
> > passwords.
> >
> > Any suggestions ?
> >
> > Bambero


Re: chrooted sftponly - how ?

Francois Visconte-2
Hello,

You can create a chrooted environment for another ssh server:
 1/ ldd sshd and sftp-server binaries and copy dependencies
 2/ copy
/etc/{group,hosts,passwd,protocols,pwd.db,resolv.conf,services,ttys} and
/bin/{cat,pwd,rm,sh} into your chroot
 3/ modify /etc/ files to change users groups ...
 3bis/ run pwd_mkdb(8) with appropriate options to regenerate password
db into your chrooted env
 4/ create devices /dev/{log,null,random,...} in your chrooted env
 5/ configure your ssh server to listen on another port than 22 if there
is already one on this machine
 6/ put "chroot /my_chroot /usr/sbin/sshd" in your rc.local
 7/ make a script to apply userland upgrades to your chroot env

...Or....
You can create a systrace policy for a sshd instance dedicated to sftp
service


Cheers,
François Visconte
Bambero wrote:

> Seems to work fine but it's still not chrooted environment. Users have
> access to a whole system.
>
> On 9/18/06, Francois Visconte <[hidden email]> wrote:
>
>> Hello,
>> Try changing sftp-only user's shell to /usr/libexec/sftp-server
>>
>> Cheers,
>> François Visconte
>>
>> Bambero wrote:
>>
>> > Hello
>> >
>> > Is there any good way to setup chrooted sftp-server without shell
>> > access ?
>> >
>> > I tried scponly but it's not secure enough (I heard), there is no port
>> > for OpenBSD, and I had problems setting it up.
>> >
>> > Second way is rssh, but compilation fails because of wordexp.
>> >
>> > Now I'm using ftpd but I want to change it because of plain-text
>> > passwords.
>> >
>> > Any suggestions ?
>> >
>> > Bambero
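The seven steps above written out as one script, added here as an example; it is not Francois's or the thread's own code. It assumes OpenBSD paths, a chroot under /var/chroot/sftp, port 2222, and that the sftp-only accounts are exactly the ones whose login shell is /usr/libexec/sftp-server (all assumptions). The sshd privsep account is copied in because the chrooted sshd needs it, and spwd.db stays inside the chroot because this sshd checks passwords itself; each account's home directory still has to be created below the chroot. The two helpers that parse ldd(1) output and filter master.passwd(5) read from stdin so they can be checked without a live system.

```shell
#!/bin/sh
# Added example, not from the thread: builds a chroot for a second,
# sftp-only sshd on OpenBSD following the seven steps above.
# Assumptions: CHROOT, SFTP_PORT, and that sftp-only accounts are the
# ones whose login shell is SFTP_SHELL.
set -eu

CHROOT="${CHROOT:-/var/chroot/sftp}"
SFTP_PORT="${SFTP_PORT:-2222}"
SFTP_SHELL="/usr/libexec/sftp-server"

# Step 1 helper: the shared objects ldd(1) lists, read from stdin.
# The path is the last column on both the older 5-column and the newer
# 7-column OpenBSD ldd output; ld.so itself is typed "ld.so", not
# "rlib", and is copied separately by copy_bin.
ldd_libs()
{
    awk '$3 == "rlib" { print $NF }'
}

# Steps 2/3 helper: keep only master.passwd(5) entries whose shell
# (field 10) is the sftp-server, plus the sshd privsep account, so no
# other login is known inside the chroot.  Reads from stdin.
chroot_accounts()
{
    awk -F: -v shell="$1" '$10 == shell || $1 == "sshd"'
}

# Copy a file to the same path below $CHROOT, creating parents.
copy_in()
{
    mkdir -p "$CHROOT$(dirname "$1")"
    cp -p "$1" "$CHROOT$1"
}

# Copy a dynamic binary with its libraries and the runtime linker.
copy_bin()
{
    copy_in "$1"
    for lib in $(ldd "$1" | ldd_libs); do
        copy_in "$lib"
    done
    copy_in /usr/libexec/ld.so
    copy_in /var/run/ld.so.hints
}

build_chroot()
{
    # 1/ binaries and their dependencies
    copy_bin /usr/sbin/sshd
    copy_bin "$SFTP_SHELL"
    for b in /bin/cat /bin/pwd /bin/rm /bin/sh; do
        copy_in "$b"
    done

    # 2/ the /etc files sshd and libc resolve names through, plus the
    #    host keys so clients keep seeing the same fingerprint
    for f in /etc/group /etc/hosts /etc/protocols /etc/resolv.conf \
             /etc/services /etc/ttys /etc/ssh/ssh_host_*_key \
             /etc/ssh/ssh_host_*_key.pub /etc/ssh/moduli; do
        copy_in "$f"
    done

    # 3/ and 3bis/ only the sftp accounts, then rebuild pwd.db/spwd.db
    #    inside the chroot with pwd_mkdb -d, which also installs the
    #    file as $CHROOT/etc/master.passwd.  spwd.db stays: this sshd
    #    does its own password checks.
    chroot_accounts "$SFTP_SHELL" < /etc/master.passwd \
        > "$CHROOT/etc/master.passwd.new"
    chmod 600 "$CHROOT/etc/master.passwd.new"
    pwd_mkdb -d "$CHROOT/etc" "$CHROOT/etc/master.passwd.new"

    # 4/ device nodes.  Majors/minors differ per release, so let
    #    MAKEDEV(8) create the "std" and "random" sets, then drop the
    #    memory devices "std" also makes.  /dev/log is a socket: have
    #    syslogd create it with "syslogd -a $CHROOT/dev/log".
    mkdir -p "$CHROOT/dev"
    (cd "$CHROOT/dev" && sh /dev/MAKEDEV std random)
    rm -f "$CHROOT/dev/mem" "$CHROOT/dev/kmem" \
          "$CHROOT/dev/ksyms" "$CHROOT/dev/klog"

    # 5/ a config for the second instance on its own port; paths are
    #    as seen from inside the chroot
    mkdir -p "$CHROOT/var/run" "$CHROOT/var/empty"
    cat > "$CHROOT/etc/ssh/sshd_config" <<EOF
Port $SFTP_PORT
Protocol 2
PermitRootLogin no
AllowTcpForwarding no
X11Forwarding no
PidFile /var/run/sshd.pid
Subsystem sftp $SFTP_SHELL
EOF

    # 6/ start it; put the same line in /etc/rc.local
    chroot "$CHROOT" /usr/sbin/sshd -f /etc/ssh/sshd_config

    # 7/ rerunning "$0 build" after a userland upgrade refreshes every
    #    copied binary, library and /etc file
}

case "${1:-}" in
    build) build_chroot ;;
    *)     echo "usage: $0 build" >&2 ;;
esac
```

Run as root with `build`; the instance on port 22 is untouched, and because the chrooted pwd.db only knows the sftp accounts and sshd, a compromised sftp-server still cannot look up or reach any other user's home.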


Re: chrooted sftponly - how ?

Bambero-3
On 9/18/06, Francois Visconte <[hidden email]> wrote:

> Hello,
>
> You can create a chrooted environment for another ssh server:
>  1/ ldd sshd and sftp-server binaries and copy dependencies
>  2/ copy
> /etc/{group,hosts,passwd,protocols,pwd.db,resolv.conf,services,ttys} and
> /bin/{cat,pwd,rm,sh} into your chroot
>  3/ modify /etc/ files to change users groups ...
>  3bis/ run pwd_mkdb(8) with appropriate options to regenerate password
> db into your chrooted env
>  4/ create devices /dev/{log,null,random,...} in your chrooted env
>  5/ configure your ssh server to listen on another port than 22 if there
> is already one on this machine
>  6/ put "chroot /my_chroot /usr/sbin/sshd" in your rc.local
>  7/ make a script to apply userland upgrades to your chroot env
>

For each user? Noo, it's not for me.

> ...Or....
> You can create a systrace policy for a sshd instance dedicated to sftp
> service
>

This seems to be a better way.
Whatever, it will be nice to have a builtin chroot in sftp-server, such
as in ftpd. But I suppose it's technically impossible.

Thanks for help
Bambero

>
> Cheers,
> François Visconte
> Bambero wrote:
>
> > Seems to work fine but it's still not chrooted environment. Users have
> > access to a whole system.
> >
> > On 9/18/06, Francois Visconte <[hidden email]> wrote:
> >
> >> Hello,
> >> Try changing sftp-only user's shell to /usr/libexec/sftp-server
> >>
> >> Cheers,
> >> François Visconte
> >>
> >> Bambero wrote:
> >>
> >> > Hello
> >> >
> >> > Is there any good way to setup chrooted sftp-server without shell
> >> > access ?
> >> >
> >> > I tried scponly but it's not secure enough (I heard), there is no port
> >> > for OpenBSD, and I had problems setting it up.
> >> >
> >> > Second way is rssh, but compilation fails because of wordexp.
> >> >
> >> > Now I'm using ftpd but I want to change it because of plain-text
> >> > passwords.
> >> >
> >> > Any suggestions ?
> >> >
> >> > Bambero


Re: chrooted sftponly - how ?

smith-16
In reply to this post by Bambero-3
If you have a spare IP address (outside your firewall), just set up a server
with it with default OpenBSD configurations. Make sure its only function is
sftp. I would recommend you do the same thing on an ftpd server as well.
Make sure you have a policy that all your users are aware of that it's not
secure. If you ever get rooted, it's outside your firewall.

On Mon, 18 Sep 2006 15:23:37 +0200, Bambero wrote

> Hello
>
> Is there any good way to setup chrooted sftp-server without shell
> access ?
>
> I tried scponly but it's not secure enough (I heard), there is no
> port for OpenBSD, and I had problems setting it up.
>
> Second way is rssh, but compilation fails because of wordexp.
>
> Now I'm using ftpd but I want to change it because of plain-text passwords.
>
> Any suggestions ?
>
> Bambero


Re: chrooted sftponly - how ?

Simon Slaytor
In reply to this post by Bambero-3
I'm sure the people behind

http://chrootssh.sourceforge.net/index.php

would argue about it being impossible.

Before I saw the light and went OpenBSD I used these patches on an FC1
box and it worked like a charm, doing exactly what you're after.

I've not tried to replace the OpenSSH install on OpenBSD with a patched
version always assuming it would break horribly.

If you get it working let me know as I'd love to be able to chroot
SSH/SFTP again.


Bambero wrote:
>> You can create a systrace policy for a sshd instance dedicated to sftp
>> service
>>
> This seems to be a better way.
> Whatever, it will be nice to have a builtin chroot in sftp-server, such
> as in ftpd. But I suppose it's technically impossible.
>
> Thanks for help
> Bambero


Re: chrooted sftponly - how ?

Bambero-3
On 9/18/06, Simon Slaytor <[hidden email]> wrote:

> I'm sure the people behind
>
> http://chrootssh.sourceforge.net/index.php
>
> would argue about it being impossible.
>
> Before I saw the light and went OpenBSD I used these patches on an FC1
> box and it worked like a charm, doing exactly what you're after.
>
> I've not tried to replace the OpenSSH install on OpenBSD with a patched
> version always assuming it would break horribly.

Of course patching is not the right solution.

>
> If you get it working let me know as I'd love to be able to chroot
> SSH/SFTP again.
>

In my opinion the best and the most secure way is to set up rssh. But
there are two problems. BSD systems are not supported and the program won't
compile because of the missing wordexp() function. Secondly, sftp-server
requires the /dev/null device in the chrooted environment so you cannot mount
the /home partition as nodev.

>
> Bambero wrote:
> >> You can create a systrace policy for a sshd instance dedicated to sftp
> >> service
> >>
> > This seems to be a better way.
> > Whatever, it will be nice to have a builtin chroot in sftp-server, such
> > as in ftpd. But I suppose it's technically impossible.
> >
> > Thanks for help
> > Bambero


Re: chrooted sftponly - how ?

Aiko Barz
In reply to this post by Bambero-3
On Mon, Sep 18, 2006 at 03:23:37PM +0200, Bambero wrote:
> Hello
>
> Is there any good way to setup chrooted sftp-server without shell access ?

I wrote a shell script for this kind of stuff. Maybe you can use it
for yourself. I keep my users within an OpenLDAP database and want to
enable some users to access the www directory on my OpenBSD webserver
by scponly. Maybe you can use some parts of it.


#!/bin/sh
#
# Written by Aiko Barz
#
# Builds a minimal chroot under $altroot for scponly users and mirrors
# their entries from /etc/master.passwd into $altroot/etc so that the
# chrooted scponlyc/sftp-server can resolve uids and gids.  The spwd.db
# copy (the one carrying the password hashes) is deleted again from the
# chroot after every pwd_mkdb run: authentication happens outside.
#

altroot="/var/www"
USERSHELL="/opt/sbin/scponlyc"


# Create $altroot/$1 owned by root:daemon if it does not exist yet.
mkChrootDir()
{
    if [ ! -d "$altroot/$1" ]; then
        mkdir -p "$altroot/$1"
        chown root:daemon "$altroot/$1"
    fi
}


# Copy $1 to the same path below $altroot, creating parent directories
# (e.g. /var/run or /usr/local/bin) that the fixed hierarchy lacks.
copyIntoChroot()
{
    mkdir -p "$altroot$(dirname "$1")"
    cp -f "$1" "$altroot$1"
}


# Copy a dynamically linked command together with the shared objects
# ldd(1) reports for it.  The library path is the last ldd column in
# both the older 5-column and the newer 7-column output formats.
copyWithLibs()
{
    bin="$1"
    [ -x "$bin" ] || return 0
    copyIntoChroot "$bin"
    for lib in $(ldd "$bin" | awk '$3 == "rlib" { print $NF }'); do
        if [ -f "$lib" ]; then
            copyIntoChroot "$lib"
        fi
    done
}


checkChroot()
{
    ##
    #  Hierarchy
    ##
    for dir in "" bin etc lib usr usr/bin usr/sbin usr/lib usr/libexec \
               usr/libexec/openssh; do
        mkChrootDir "$dir"
    done


    ##
    #  Static commands (chgrp and chown go to usr/sbin inside the chroot)
    ##
    for cmd in chgrp chown; do
        bin=$(which $cmd)
        if [ -x "$bin" ]; then
            cp -f "$bin" "$altroot/usr/sbin"
        fi
    done
    for cmd in chmod ln ls mkdir mv rm rmdir echo pwd groups; do
        bin=$(which $cmd)
        if [ -x "$bin" ]; then
            copyIntoChroot "$bin"
        fi
    done


    ##
    #  Dynamic commands
    ##
    for cmd in id passwd quota scp rsync; do
        copyWithLibs "$(which $cmd)"
    done
    copyWithLibs /usr/libexec/sftp-server


    ##
    #  ld.so
    ##
    for f in /usr/libexec/ld.so /var/run/ld.so.hints; do
        if [ -f "$f" ]; then
            copyIntoChroot "$f"
        fi
    done


    ##
    #  passwd: start empty, addUser appends the entries
    ##
    if [ ! -f "$altroot/etc/master.passwd" ]; then
        touch "$altroot/etc/master.passwd"
    fi
}


addUser()
{
    if [ ! -z "$1" ]; then
        USERNAME="$1"
        useradd -d "$altroot" -s "$USERSHELL" -L ldap "$USERNAME"

        if ! egrep -q "^$USERNAME:" "$altroot/etc/master.passwd"; then
            # Create user within chroot
            egrep "^$USERNAME:" /etc/master.passwd >> "$altroot/etc/master.passwd"
            pwd_mkdb -d "$altroot/etc" "$altroot/etc/master.passwd"
            rm -f "$altroot/etc/spwd.db"
        fi
    fi
}


delUser()
{
    if [ ! -z "$1" ]; then
        USERNAME="$1"
        userdel "$USERNAME"

        # Remove user
        egrep -v "^$USERNAME:" "$altroot/etc/master.passwd" > "$altroot/etc/master.tmp"
        mv -f "$altroot/etc/master.tmp" "$altroot/etc/master.passwd"

        # Create new pwd.db
        pwd_mkdb -d "$altroot/etc" "$altroot/etc/master.passwd"
        rm -f "$altroot/etc/spwd.db"
    fi
}


helpMe()
{
    echo "$1 (--check|--add|--del|--help)"
}


if [ ! -z "$1" ]; then
    case "$1" in
        --check)
            checkChroot
            ;;
        --add)
            [ ! -z "$2" ] && addUser "$2"
            ;;
        --del)
            [ ! -z "$2" ] && delUser "$2"
            ;;
        *)
            helpMe "$0"
            ;;
    esac
else
    helpMe "$0"
fi


Bye,
    Aiko
--
Aiko Barz <[hidden email]>
Web: http://www.haeckser.de


Re: chrooted sftponly - how ?

Lukasz Sztachanski
In reply to this post by Bambero-3
On Mon, Sep 18, 2006 at 03:23:37PM +0200, Bambero wrote:

> Hello
>
> Is there any good way to setup chrooted sftp-server without shell access ?
>
> I tried scponly but it's not secure enough (I heard), there is no port
> for OpenBSD, and I had problems setting it up.
>
> Second way is rssh, but compilation fails because of wordexp.
>
> Now I'm using ftpd but I want to change it because of plain-text passwords.
>
> Any suggestions ?
>
use stsh[1]; if you want to simplify rulesets, you can just change
the code to inherit policy(-i). All my users have chrooted shell/sftp
accounts - no problems so far :)




                                - Lukasz Sztachanski

[1] http://monkey.org/~dugsong/openbsd/stsh-1.1.tar.gz
--
0x01A3E654 // 7832 E59C B733 9E6F CB54  6327 DFC1 161E 01A3 E654
                                                 *new keys*
http://entropy.pl
http://entropy.pl/?blog


Re: chrooted sftponly - how ?

Francois Visconte-2
Lukasz Sztachanski wrote:

>On Mon, Sep 18, 2006 at 03:23:37PM +0200, Bambero wrote:
>  
>
>>Hello
>>
>>Is there any good way to setup chrooted sftp-server without shell access ?
>>
>>I tried scponly but it's not secure enough (I heard), there is no port
>>for OpenBSD, and I had problems setting it up.
>>
>>Second way is rssh, but compilation fails because of wordexp.
>>
>>Now I'm using ftpd but I want to change it because of plain-text passwords.
>>
>>Any suggestions ?
>>
>>    
>>
>use stsh[1]; if you want to simplify rulesets, you can just change
>the code to inherit policy(-i). All my users have chrooted shell/sftp
>accounts - no problems so far :)
>  
>
I think it's the best way too.
One detail: are your users chrooted AND systraced, or do they just have
filesystem access limitation thanks to systrace?

>
>
>
>                                - Lukasz Sztachanski
>
>[1] http://monkey.org/~dugsong/openbsd/stsh-1.1.tar.gz
>  
>
François Visconte


Re: chrooted sftponly - how ?

Lukasz Sztachanski
On Tue, Sep 19, 2006 at 11:23:21AM +0200, Francois Visconte wrote:
> I think it's the best way too.
> One detail: are your users chrooted AND systraced, or do they just have
> filesystem access limitation thanks to systrace?
>
users are `chrooted' because they're `systraced' ;) I just allow
specific fsreads/fswrites/chdirs:
        native-fsread: filename match "$HOME*" then permit
        native-fsread: filename inpath "$HOME" then permit

of course, I allowed execves from /bin, /usr/bin, and so on, but with
logging (you want only sftp, so probably only a few programs have to be
execved/fsreaded).

It isn't trivial to write a good policy, but you could change stsh's code
to use systrace with `-A' and a policy dir in $HOME, and then try to
generate a base ruleset with a test user. As I already said, systrace's `-i'
opt would help a lot.

best ruleset I could find right now:
http://entropy.pl/misc/systrace/bin_ksh
... but you probably won't need all these syscalls.


                                - Lukasz Sztachanski


--
0x01A3E654 // 7832 E59C B733 9E6F CB54  6327 DFC1 161E 01A3 E654
                                                 *new keys*
http://entropy.pl
http://entropy.pl/?blog
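Lukasz's two rules extended to a policy for the sftp-server binary alone, as an added example that is not from the thread. The syscall list is an assumption about what sftp-server needs for pipe I/O to sshd, memory setup, name lookups and file operations; generate the authoritative list with systrace -A on your own release and diff it against this. systrace denies any call the policy does not mention when run non-interactively, so the value of the policy is what it leaves out: no execve, no sockets, no reads outside $HOME.

```systrace
Policy: /usr/libexec/sftp-server, Emulation: native
	native-__sysctl: permit
	native-break: permit
	native-close: permit
	native-dup2: permit
	native-exit: permit
	native-fchmod: permit
	native-fchown: permit
	native-fcntl: permit
	native-fstat: permit
	native-fsync: permit
	native-ftruncate: permit
	native-getdirentries: permit
	native-getgid: permit
	native-getpid: permit
	native-getuid: permit
	native-issetugid: permit
	native-lseek: permit
	native-mmap: permit
	native-mprotect: permit
	native-munmap: permit
	native-read: permit
	native-select: permit
	native-sigaction: permit
	native-sigprocmask: permit
	native-write: permit
	native-fsread: filename eq "/usr/libexec/ld.so" then permit
	native-fsread: filename eq "/var/run/ld.so.hints" then permit
	native-fsread: filename match "/usr/lib/lib*.so.*" then permit
	native-fsread: filename eq "/etc/pwd.db" then permit
	native-fsread: filename eq "/etc/group" then permit
	native-fsread: filename eq "/etc/spwd.db" then deny[eperm]
	native-fsread: filename eq "$HOME" then permit
	native-fsread: filename match "$HOME/*" then permit
	native-fswrite: filename match "$HOME/*" then permit
	native-execve: deny[eperm] log
```

Two details worth checking against your own generated ruleset: "$HOME/*" rather than "$HOME*" keeps a home of /home/alice from also admitting /home/alice2, and the explicit deny on /etc/spwd.db keeps the password hashes out of reach even though sftp-server only starts after sshd has finished authenticating. With stsh as the login shell the session is started under systrace with this policy, which is the "chrooted because systraced" setup Lukasz describes.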


Re: chrooted sftponly - how ?

Bambero-3
In reply to this post by Francois Visconte-2
On 9/19/06, Francois Visconte <[hidden email]> wrote:

> Lukasz Sztachanski wrote:
>
> >On Mon, Sep 18, 2006 at 03:23:37PM +0200, Bambero wrote:
> >
> >
> >>Hello
> >>
> >>Is there any good way to setup chrooted sftp-server without shell access ?
> >>
> >>I tried scponly but it's not secure enough (I heard), there is no port
> >>for OpenBSD, and I had problems setting it up.
> >>
> >>Second way is rssh, but compilation fails because of wordexp.
> >>
> >>Now I'm using ftpd but I want to change it because of plain-text passwords.
> >>
> >>Any suggestions ?
> >>
> >>
> >>
> >use stsh[1]; if you want to simplify rulesets, you can just change
> >the code to inherit policy(-i). All my users have chrooted shell/sftp
> >accounts - no problems so far :)
> >
> >
> I think it's the best way too.
> One detail: are your users chrooted AND systraced, or do they just have
> filesystem access limitation thanks to systrace?
>

Now I'm using chrooted ftpd. I need to chroot users to
/var/www/users/user to have filesystem access. No systrace limitation.