Chrooted SFTP on Ubuntu Hardy AMD64 using RSSH

Posted by Dave on November 16, 2008 in Uncategorized

I was in need of providing SFTP access for an Ubuntu Hardy AMD64 setup. After some trial and error with the varied information returned by the search engines, I was able to get this working. Once finished with the steps below you’ll be able to provide SFTP accounts to semi-trusted users who need access to your server.

First we need to install RSSH:

sudo apt-get install rssh

Then we need to edit /etc/rssh.conf:

sudo vi /etc/rssh.conf

Uncomment the following two lines and change the chrootpath value to /home/chroot (leave the other allow* lines commented so that sftp is the only service rssh permits):

allowsftp

chrootpath = /home/chroot

Create a copy of mkchroot.sh to work with:

 sudo cp /usr/share/doc/rssh/examples/mkchroot.sh ~/mkchroot.sh

Edit mkchroot.sh and update the following path variables (check them against the output of the command: rssh -v)

scp_path="/usr/bin/scp"
sftp_server_path="/usr/lib/openssh/sftp-server"
rssh_path="/usr/bin/rssh"
chroot_helper_path="/usr/lib/rssh/rssh_chroot_helper"

We also need to copy the AMD64 dynamic loader and libraries into the jail and make /dev/null available. Add the following directly after this line in mkchroot.sh:

mkdir -p "$jail_dir/dev"

################################
# 64-bit dynamic loader; sftp-server cannot start inside the jail without it
cp /lib/ld-linux-x86-64.so.2 "$jail_dir/lib/"
# 32-bit loader; the copy simply fails harmlessly if the file is not present
cp /lib/ld-linux.so.2 "$jail_dir/lib/"
# 64-bit binaries name /lib64/ld-linux-x86-64.so.2 as their interpreter
cp -pR /lib64 "$jail_dir/"
# sftp-server needs a /dev/null inside the jail (character device, major 1, minor 3)
mknod -m 666 "$jail_dir/dev/null" c 1 3
################################

Save our changes to mkchroot.sh and make it executable with:

 sudo chmod u+x ~/mkchroot.sh

Then run it as root, passing the jail directory we set as chrootpath above. It creates the directory tree, copies the binaries and libraries, and copies /etc/passwd into the jail:

 sudo ~/mkchroot.sh /home/chroot

Now add rssh to /etc/shells so it is a valid login shell by running the command:

sudo add-shell /usr/bin/rssh

mkchroot.sh copied the contents of /etc/passwd to /home/chroot/etc/passwd; prune that copy to only the users that will be under chroot control (users created later need their line added to it by hand). We can also create a new chrooted user. First let’s create /home/chroot/home for our chrooted users:

sudo mkdir /home/chroot/home

Then we create a new user with rssh as the login shell and a home directory inside the jail:

sudo useradd -m -d /home/chroot/home/joe -s /usr/bin/rssh joe

Give them a password:

sudo passwd joe

Next we need to set up logging. Processes inside the jail can only reach a /dev/log socket that lives under /home/chroot, so tell syslogd to listen on an extra socket there:

sudo vi /etc/default/syslogd

Update the SYSLOGD="" line with our chrooted log socket:

 SYSLOGD="-a /home/chroot/dev/log"

Restart syslogd afterwards (sudo /etc/init.d/sysklogd restart on Hardy) so the socket gets created.

The chrooting helper /usr/lib/rssh/rssh_chroot_helper has to be setuid root in order to call chroot():

 sudo chmod u+s /usr/lib/rssh/rssh_chroot_helper

The package does not set this bit itself, and a plain chmod is lost on the next package upgrade; recording the permission with dpkg-statoverride --update --add root root 4755 /usr/lib/rssh/rssh_chroot_helper makes it stick. Since this binary now runs as root for every rssh user, keep the rssh package up to date.

Without the setuid bit you will see errors such as this in your /var/log/syslog:

Nov 16 20:30:04 server1 rssh[10241]: setting log facility to LOG_USER
Nov 16 20:30:04 server1 rssh[10241]: allowing sftp to all users
Nov 16 20:30:04 server1 rssh[10241]: setting umask to 022
Nov 16 20:30:04 server1 rssh[10241]: chrooting all users to /home/chroot
Nov 16 20:30:04 server1 rssh[10241]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
Nov 16 20:30:04 server1 rssh_chroot_helper[10241]: new session for joe, UID=1002
Nov 16 20:30:04 server1 rssh_chroot_helper[10241]: chroot() failed, 2: Operation not permitted

And that’s that!

You should now be able to SFTP into your box with Joe’s chrooted account.
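As an added check (example code written for this page, not from the original post or the rssh package), the script below verifies that a jail built with the steps above has the pieces each step was meant to provide: the 64-bit loader and /lib64, a real /dev/null device, the user's entry in the jail's pruned /etc/passwd, the home directory, the /dev/log socket from the syslogd change, and the setuid bit on rssh_chroot_helper. It also rewrites host /etc/passwd lines into the form the jail's copy should hold for users created after mkchroot.sh ran, with the home directory written without the /home/chroot prefix, since /home/chroot/home/joe on the host is /home/joe once sftp-server is inside the chroot. The paths are the ones used above; the jail directory, user name and helper path are arguments, and the rewritten home field is this script's convention rather than something rssh requires.

```shell
#!/bin/sh
# check_jail.sh: sanity-check an rssh chroot jail built with the post's
# mkchroot.sh and prepare passwd entries for it. Added example for this
# page, not part of rssh or the original post. Layout assumed: the jail
# holds lib/ld-linux-x86-64.so.2, lib64, dev/null, dev/log, etc/passwd and
# home/<user>; the helper defaults to /usr/lib/rssh/rssh_chroot_helper.
#
# Usage: sh check_jail.sh /home/chroot joe [/path/to/rssh_chroot_helper]

# Rewrite one host /etc/passwd line for the jail's own /etc/passwd: the home
# directory field loses the jail prefix (/home/chroot/home/joe -> /home/joe),
# because that is the path seen from inside the chroot. Other fields are kept.
jail_passwd_line() {
    jail=$1
    line=$2
    printf '%s\n' "$line" | awk -F: -v OFS=: -v jail="$jail" '
        index($6, jail "/") == 1 { $6 = substr($6, length(jail) + 1) }
        { print }'
}

# Check the jail layout the post builds. Prints one line per problem found
# and returns the number of problems (0 means everything expected is there).
check_jail() {
    jail=$1
    user=$2
    helper=${3:-/usr/lib/rssh/rssh_chroot_helper}
    problems=0

    fail() {
        printf 'PROBLEM: %s\n' "$1"
        problems=$((problems + 1))
    }

    # 64-bit dynamic loader and /lib64 copied by the mkchroot.sh additions
    [ -e "$jail/lib/ld-linux-x86-64.so.2" ] || fail "$jail/lib/ld-linux-x86-64.so.2 missing"
    [ -e "$jail/lib64" ] || fail "$jail/lib64 missing"
    # /dev/null has to be a character device (mknod c 1 3), not a plain file
    [ -c "$jail/dev/null" ] || fail "$jail/dev/null is not a character device"
    # the pruned jail passwd must still list the chrooted user
    grep -q "^$user:" "$jail/etc/passwd" 2>/dev/null || fail "no entry for $user in $jail/etc/passwd"
    # home directory created by useradd -m -d $jail/home/$user
    [ -d "$jail/home/$user" ] || fail "$jail/home/$user missing"
    # socket syslogd creates from SYSLOGD="-a $jail/dev/log" once restarted
    [ -S "$jail/dev/log" ] || fail "$jail/dev/log missing (syslogd not restarted with -a?)"
    # without the setuid bit chroot() fails with 'Operation not permitted'
    if [ -e "$helper" ]; then
        [ -u "$helper" ] || fail "$helper is not setuid"
    fi
    return "$problems"
}

# When run directly with arguments, report on the given jail and user.
if [ "$#" -ge 2 ]; then
    check_jail "$1" "$2" "${3:-}"
fi
```

Run it as sh check_jail.sh /home/chroot joe after the steps above; the exit status is the number of problems printed, so 0 means the jail is complete. To add a user created after mkchroot.sh ran, take the line from grep '^joe:' /etc/passwd, pass it through jail_passwd_line /home/chroot, and append the result to /home/chroot/etc/passwd.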
