Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only
If you want to chroot users, use rssh's chroot support. Its chrootpath option sets the directory that becomes the root of the chroot jail. This is a security feature.
A chroot on Linux or Unix is an operation that changes the root directory. It affects only the current process and its children. If your home directory is /home/manish, a normal user can still read files in /etc, /sbin or /bin. That freedom is what lets an attacker install programs or a backdoor via your web server in /tmp. A chroot restricts file system access and locks the user down to their own directory.
First download the rssh rpm (rssh-2.3.3-1.fc16.x86_64.rpm).
Configuring rssh chroot
chroot directory: /users
root@manish.bhandari#] wget -c
Another URL is:
root@manish.bhandari#] wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.x86_64.rpm
root@manish.bhandari#] rpm -ivh rssh-2.3.3-1.fc16.x86_64.rpm
root@manish.bhandari#] mkdir /users
root@manish.bhandari#] mkdir -p /users/{dev,etc,lib,usr,bin}
root@manish.bhandari#] mkdir -p /users/usr/bin
root@manish.bhandari#] mkdir -p /users/usr/libexec/openssh/
root@manish.bhandari#] mkdir -p /users/libexec/openssh
Create /users/dev/null:
root@manish.bhandari#] mknod -m 666 /users/dev/null c 1 3
Copy the required /etc/ configuration files to your jail directory /users/etc:
root@manish.bhandari#] cd /users/etc
root@manish.bhandari#] cp /etc/ld.so.cache .
root@manish.bhandari#] cp /etc/ld.so.conf .
root@manish.bhandari#] cp /etc/nsswitch.conf .
root@manish.bhandari#] cp /etc/passwd .
root@manish.bhandari#] cp /etc/group .
root@manish.bhandari#] cp /etc/hosts .
root@manish.bhandari#] cp /etc/resolv.conf .
Open /users/etc/group and /users/etc/passwd and remove root and all other accounts except the ones you are going to jail. The host's own /etc/passwd and /etc/group stay untouched; only the copies inside the jail are trimmed.
Copy the required binaries to your jail directory /users/bin and the other locations:
root@manish.bhandari#] cd /users/usr/bin
root@manish.bhandari#] cp /usr/bin/scp .
root@manish.bhandari#] cp /usr/bin/rssh .
root@manish.bhandari#] cp /usr/bin/sftp .
root@manish.bhandari#] cd /users/usr/libexec/openssh/
root@manish.bhandari#] cp /usr/libexec/openssh/sftp-server .
or
root@manish.bhandari#] cp /usr/lib/openssh/sftp-server . (not found)
root@manish.bhandari#] cd /users/usr/libexec/
root@manish.bhandari#] cp /usr/libexec/rssh_chroot_helper .
OR
root@manish.bhandari#] cp /usr/lib/rssh/rssh_chroot_helper . (not found)
root@manish.bhandari#] cd /users/bin/
root@manish.bhandari#] cp /bin/sh .
OR
root@manish.bhandari#] cp /bin/bash .
The library files that each of these binaries needs can be found with the ldd or strace command. For example, running ldd against /usr/bin/sftp gives the following output:
ldd /usr/bin/sftp
Output:
linux-gate.so.1 => (0x00456000)
libresolv.so.2 => /lib/libresolv.so.2 (0x0050e000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)
libutil.so.1 => /lib/libutil.so.1 (0x008ba000)
libz.so.1 => /usr/lib/libz.so.1 (0x00110000)
libnsl.so.1 => /lib/libnsl.so.1 (0x0080e000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00a8c000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00656000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00271000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00304000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00777000)
libdl.so.2 => /lib/libdl.so.2 (0x00123000)
libnss3.so => /usr/lib/libnss3.so (0x00569000)
libc.so.6 => /lib/libc.so.6 (0x00b6c000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00127000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00130000)
/lib/ld-linux.so.2 (0x00525000)
libplc4.so => /usr/lib/libplc4.so (0x008c9000)
libplds4.so => /usr/lib/libplds4.so (0x00133000)
libnspr4.so => /usr/lib/libnspr4.so (0x00d04000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0032a000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00341000)
libsepol.so.1 => /lib/libsepol.so.1 (0x00964000)
You need to copy all of those libraries to /lib and the other appropriate locations under the jail. However, I recommend using the automated script called l2chroot:
root@manish.bhandari#] cd /sbin
root@manish.bhandari#] wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
root@manish.bhandari#] chmod +x l2chroot
Open l2chroot and set the BASE variable to point to the chroot directory (jail) location:
BASE="/users"
Now copy all shared library files:
root@manish.bhandari#] l2chroot /usr/bin/scp
root@manish.bhandari#] l2chroot /usr/bin/rssh
root@manish.bhandari#] l2chroot /usr/bin/sftp
root@manish.bhandari#] l2chroot /usr/libexec/openssh/sftp-server
OR
root@manish.bhandari#] l2chroot /usr/lib/openssh/sftp-server (not found)
root@manish.bhandari#] l2chroot /usr/libexec/rssh_chroot_helper
OR
root@manish.bhandari#] l2chroot /usr/lib/rssh/rssh_chroot_helper
root@manish.bhandari#] l2chroot /bin/sh
OR
root@manish.bhandari#] l2chroot /bin/bash
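The l2chroot runs above do the same thing for every binary: read the ldd output and copy each library to the same path under the jail. The following is an added example, not the post's l2chroot script and not rssh's code, showing a small POSIX shell equivalent so the step is not a black box. It handles the three line shapes in the ldd output listed earlier (a library resolved to a path, the loader given as a bare path, and the vDSO with no file). The jail path /users is the post's; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the post's l2chroot): copy a binary and the shared
# libraries ldd reports for it into a chroot jail, preserving the layout.
set -eu

# Read ldd output on stdin and print one absolute library path per line.
#   libc.so.6 => /lib/libc.so.6 (0x...)   -> /lib/libc.so.6
#   /lib/ld-linux.so.2 (0x...)            -> /lib/ld-linux.so.2
#   linux-gate.so.1 => (0x...)            -> skipped (vDSO, no file on disk)
#   libfoo.so => not found                -> skipped (nothing to copy)
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy SRC into JAIL at the same relative path, creating the directory.
install_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Copy BIN plus every library ldd lists for it into JAIL.
jail_binary() {
    jail=$1; bin=$2
    install_into_jail "$jail" "$bin"
    ldd "$bin" | ldd_paths | while read -r lib; do
        if [ -f "$lib" ]; then
            install_into_jail "$jail" "$lib"
        fi
    done
}

# usage (assumed jail path from the post):
#   jail_binary /users /usr/bin/sftp
```

Rerun this after every package update of openssh or rssh: the copies inside the jail do not get patched by yum, so a jail built once and forgotten keeps the old, possibly vulnerable, library versions.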
Modify the syslogd configuration:
root@manish.bhandari#] vi /etc/sysconfig/syslog
Find the line that reads as follows:
SYSLOGD_OPTIONS="-m 0"
Append -a /users/dev/log:
SYSLOGD_OPTIONS="-m 0 -a /users/dev/log"
Save and close the file. Restart syslog:
root@manish.bhandari#] /etc/init.d/syslog restart
Set chroot path
Open the configuration file /etc/rssh.conf:
root@manish.bhandari#] vi /etc/rssh.conf
Set chrootpath to /users:
chrootpath=/users
user=manish:022:00010:"/users"
Save and close the file. If sshd is not running, start it:
root@manish.bhandari#] /etc/init.d/sshd restart
Set chroot path:
root@manish.bhandari#] vim /etc/rssh.conf
chrootpath=/users
Subsystem sftp internal-sftp
root@manish.bhandari#] /etc/init.d/sshd restart
Add user to jail
root@manish.bhandari#] useradd -m -d /users/manish -s /usr/bin/rssh manish
root@manish.bhandari#] passwd manish
Now manish can log in using sftp or copy files using scp:
sftp manish@192.168.100.x
password:
sftp> ls
sftp> pwd
Remote working directory: /users/manish
sftp> cd /tmp
Couldn't canonicalise: No such file or directory
User manish is allowed to log in to the server to transfer files, but is not allowed to browse the entire file system.
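Before pointing a user at the jail it pays to check that every piece the walkthrough creates is actually there, since a missing dev/null or an unpruned passwd copy tends to surface only as a confusing sftp failure. The following is an added example, not part of the original post or of rssh: a POSIX shell audit of a finished jail that reports what is missing and returns a count. The jail path /users, the user name manish and the binary list are taken from the steps above; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an rssh chroot jail for
# the pieces the walkthrough creates and report what is missing or wrong.
set -eu

# Binaries the walkthrough copies into the jail, relative to the jail root.
JAIL_BINARIES="usr/bin/rssh usr/bin/sftp usr/bin/scp usr/libexec/openssh/sftp-server usr/libexec/rssh_chroot_helper bin/sh"

# Report one problem on stderr and bump the global counter.
problem() { echo "PROBLEM: $1" >&2; problems=$((problems + 1)); }

# Check JAIL for USER; print the number of problems found on stdout.
jail_check() {
    jail=$1; user=$2; problems=0
    # passwd/group copies must exist and must no longer contain root
    for f in passwd group; do
        if [ ! -f "$jail/etc/$f" ]; then
            problem "$jail/etc/$f is missing"
        elif grep -q '^root:' "$jail/etc/$f"; then
            problem "root entry still present in $jail/etc/$f"
        fi
    done
    grep -q "^$user:" "$jail/etc/passwd" 2>/dev/null \
        || problem "$user has no entry in $jail/etc/passwd"
    # device node from the mknod step and the log socket from the syslogd -a step
    [ -c "$jail/dev/null" ] || problem "$jail/dev/null is not a character device (mknod step skipped?)"
    [ -S "$jail/dev/log" ]  || problem "$jail/dev/log socket is absent (syslogd -a option not active?)"
    # every copied binary must be present and executable
    for b in $JAIL_BINARIES; do
        [ -x "$jail/$b" ] || problem "$jail/$b is missing or not executable"
    done
    # home directory created by useradd -d /users/<user>
    [ -d "$jail/$user" ] || problem "home directory $jail/$user does not exist"
    echo "$problems"
}

# usage (assumed jail path and user from the post):
#   jail_check /users manish
```

A non-zero count means the jail is not ready; fix the reported items and rerun until it prints 0. The check is deliberately read-only so it can be run from cron as a drift detector after package updates.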
http://pensacola-tech.com/pensacola/2010/05/05/configure-rssh/
Manish Bhandari
Manish Bhandari: Nice doc bossssssssssss.