
Locking an SSH logon to their home directory only...

Feb 20, 2002
Hi

When somebody logs into a server (using SSH), I want to limit them to only their home directory. Is there a way to do this? I don't want people browsing around the machine, /etc and so on.

Any help would be great...

Ta
Simon
 
Hi,

you may make their login shell a restricted one, e.g. rbash.
Read the section on 'Restricted Shell' in 'man bash'.

hth
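
The suggestion above works as far as it goes, but a restricted shell only restricts the shell itself. The following probes are an added example (not the poster's, and not part of the thread); they run `bash -r`, which is the same mode rbash runs in, and show both what it refuses and the classic way out of it. The `usermod` line in the comments and the user name `simon` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: probe what a restricted shell (rbash / bash -r) does and does not prevent.
# To give a user this shell for real, as root:   usermod -s /bin/rbash simon
# and install a read-only ~/.bash_profile that sets PATH to a directory of vetted
# commands; if the user can edit that file, the restrictions are moot.

# Run one command line inside a restricted bash; return its exit status.
in_rbash() {
    bash -r -c "$1" >/dev/null 2>&1
}

# Things a restricted shell refuses (each returns 0 when the restriction holds).
rbash_blocks_cd()       { ! in_rbash 'cd /etc'; }                 # cd is disabled
rbash_blocks_slash()    { ! in_rbash '/bin/ls /etc'; }            # no '/' in command names
rbash_blocks_path()     { ! in_rbash 'PATH=/tmp'; }               # PATH is read-only
rbash_blocks_redirect() { ! in_rbash 'echo x > /tmp/rbash-probe'; } # no output redirection

# The caveat: rbash restricts the shell, not the programs it runs. Any permitted
# command that spawns a shell (bash itself if it is on PATH, vi with :!sh, less with !sh)
# yields an unrestricted shell, which walks the file system freely.
rbash_escape_pwd() {
    bash -r -c 'bash -c "cd /etc && pwd"' 2>/dev/null
}
```

If `rbash_escape_pwd` prints `/etc` on your box, rbash alone is not keeping anyone in their home directory; the PATH directory you point the restricted user at has to contain nothing that can spawn a shell.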
 
Thanks for the reply

I have just installed the shell "scponly" and that works a treat.

Thanks for pointing me in the correct direction.

Simon
 
Where did you get that shell? I am looking for the same thing.
 
Okay I found out where to get it from but when I try to untar it I get the following:

tar: This does not look like a tar archive
tar: Skipping to next header
tar: Archive contains obsolescent base-64 headers
tar: Error exit delayed from previous errors


Tried on two machines.
 
I figured it out, when I downloaded it on my Windows machine it renamed the extension from .tgz to .tar.

Anyway, now I can't run ./configure because I get an error re no C compiler found in $PATH.

ARGGG
 
:)

Sounds like you are having fun. I guess gcc is the normal C compiler; check with "which gcc" to see if it's in your path (or on the machine), else go get it...

I know this sounds obvious, but scponly will only allow SCP (Windows SFTP client), so if you want SSH logons to the box as well you will need another shell such as Jailkit..


I have to admit though, I am having trouble getting this to work.

Simon
 
"Anyway, now I can't run ./configure because I get an error re no C compiler found in $PATH."

Pretty common failure [wink]

Use YUM or APT-GET (up2date may get the right version) to get gcc+. Or if you really feel like some self abuse, go to and grab the source files [thumbsup2]. I ran into this several times when I was building a few different test servers for LAMP testing and some other applications.

MikeS

Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Thanks guys, I was an idiot and forgot to install gcc on my test system during the original install.

I have scponly up and running and it works great! There is still one issue though. Although we have stopped them from being able to do anything via SSH login, when you login using SFTP or SCP the user is still able to browse through the entire root directory of the server! I need to somehow lock them in their home directory. I've tried a few things already like creating a folder owned and only accessible by root, then making the scponly user dirs in that directory in hopes it would stop them from being able to escape from their home directories. No luck, now they can't even get into the home directory.

Any ideas?
 
I got it working with no major problems, and it does lock them into their home directory only, so it does do it... Not sure what I did to get it working correctly, just followed the instructions...

Simon
 
The only thing I didn't do in the instructions (because it looked very complicated) was set up the chroot limitation. I don't know enough about it yet.

What program are you using to access the SCPonly accounts? I am using WinSCP on my Windows machine and it allows me to move to the /etc, /boot, /var and all the other root folders on the server.

How can I stop this?
 
So the answer I found is to configure scponly, but it looks a bit above my head. The INSTALL file reads the following about chroot with scponly:

Otherwise, consider the following:
- If you do use chroot(), your binary will need to be setuid. This
should make any security conscious administrator wary.
- Also consider that scponly will only execute AFTER sshd has
authenticated the remote user. Given this, you should be
able to rest a little easier knowing that utilizing scponly
will not open you up to impersonal vulnerability subnet scans.
- If you are still unsure, read the code. There is a seteuid
that ensures that the execution of any commands is
never done with an effective uid of 0.
- Lastly, I make no guarantees that this code is unexploitable.
Any system administrator utilizing scponly bears the full
responsibility for maintaining a secure system. (see 18/08/02
CHANGELOG!)
- Without chroot() functionality, scponly still functions just
fine. However, most all files on any root filesystem for any
default installation are globally readable.
- installing scponly with chroot could incur some pretty hairy
troubleshooting. The binaries and libraries must be set
up properly in the chroot subdirectories.



AND:


ADDITIONAL STEPS FOR CHROOT-ENABLED INSTALLATIONS ONLY:

Step 7. You will need to install some directories, passwd files,
libraries and binaries in your chroot path so that scponly has
something to invoke when it comes time to execute the remote
request.

I have added the script that performs most setup for chroot:
You can run it with:

make jail

Please be aware that chroot installation varies WIDELY from
system to system. check in the build_extras directory if
make jail has failed you.


That's it, you're done!


Additional Installation notes:

- Some operating systems (notably redhat 9), use a shell script for
the "groups" command. Though "groups" is an allowable command, the
"#!/bin/sh" interpreter specification at the beginning of this script
will attempt to load /bin/sh, which is not available in the chrooted
jail. This is only a problem when you are also using WinSCP compatibility,
because WinSCP will attempt to run "groups" upon connection initialization.

You have three choices:
- you can either put /bin/sh in your jail, which is a security problem
- you can deselect "lookup user groups" in the WinSCP configuration
- you can "make groups" using the provided groups.c and move the fake
groups program into your chroot.

- There are additional notes and scripts in the "build_extras" directory
for specific platforms



LedZepRock, is this what you had to do?
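
The browsing-the-whole-server problem from the earlier post and the "Step 7" chroot setup quoted above are the same issue: without a chroot, scponly only limits which commands run, not which directories the SFTP client can list. The script below is an added example of what `make jail` has to achieve, written by hand so each step is visible; it is not scponly's own build script. The jail path `/home/jail`, the user name `simon`, and the binary paths in `JAIL_BINS` are assumptions for your system. The permission checks at the end are the part worth keeping: the INSTALL text warns that the chroot binary is setuid root, and a jail root the user can write into lets them plant files that root-running code inside the jail may pick up.

```shell
#!/bin/sh
# Added example: hand-rolled equivalent of scponly's "make jail" step, plus the
# ownership/permission checks to run before handing the jail to users.
# Not scponly's own script. JAIL, JAILED_USER and JAIL_BINS are assumed values.

JAIL=${JAIL:-/home/jail}            # assumed chroot root for scponly
JAILED_USER=${JAILED_USER:-simon}   # assumed user whose login shell is scponly
# Binaries scponly must find inside the jail for SCP/SFTP (assumed paths; match
# `which scp` and the sftp-server path from the Subsystem line of sshd_config).
JAIL_BINS="/usr/bin/scp /usr/lib/openssh/sftp-server"

# Copy one binary and every shared library ldd reports for it into the jail,
# keeping absolute paths so the dynamic loader resolves them after chroot().
copy_with_libs() {
    bin=$1; jail=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp "$bin" "$jail$bin"
    ldd "$bin" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// { print $3; next } $1 ~ /^\// { print $1 }' |
        while read -r lib; do
            mkdir -p "$jail$(dirname "$lib")"
            cp "$lib" "$jail$lib"
        done
}

# Minimal /etc/passwd and /etc/group inside the jail: scp and sftp-server need to
# resolve the uid, and nothing else from the real /etc belongs in there.
write_jail_passwd() {
    jail=$1; name=$2; uid=$3; gid=$4
    mkdir -p "$jail/etc"
    printf '%s:x:%s:%s::/home/%s:/bin/false\n' "$name" "$uid" "$gid" "$name" > "$jail/etc/passwd"
    printf '%s:x:%s:\n' "$name" "$gid" > "$jail/etc/group"
}

# Return 0 if any listed directory is writable by group or others (ls -ld mode
# string, columns 6 and 9). The jail root and the path down to the user's home
# must not be writable by the jailed user; scponly's chroot binary is setuid root.
any_group_or_world_writable() {
    for d in "$@"; do
        mode=$(ls -ld "$d" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w?) return 0 ;;
        esac
    done
    return 1
}

# Return 0 only if every listed directory is owned by root.
all_owned_by_root() {
    for d in "$@"; do
        [ "$(ls -ld "$d" | awk '{print $3}')" = root ] || return 1
    done
    return 0
}

# Assemble the jail. Run as root; only the user's own home inside it is theirs.
build_jail() {
    uid=$(id -u "$JAILED_USER"); gid=$(id -g "$JAILED_USER")
    mkdir -p "$JAIL/home/$JAILED_USER" "$JAIL/dev"
    for b in $JAIL_BINS; do copy_with_libs "$b" "$JAIL"; done
    write_jail_passwd "$JAIL" "$JAILED_USER" "$uid" "$gid"
    chown root:root "$JAIL" "$JAIL/home"
    chmod 755 "$JAIL" "$JAIL/home"
    chown "$uid:$gid" "$JAIL/home/$JAILED_USER"
    chmod 700 "$JAIL/home/$JAILED_USER"
    # WinSCP runs `groups` on connect. Do not copy /bin/sh into the jail to make a
    # script-based `groups` work; use scponly's `make groups` or disable the lookup
    # in WinSCP, as the INSTALL notes say.
    if any_group_or_world_writable "$JAIL" "$JAIL/home" || ! all_owned_by_root "$JAIL" "$JAIL/home"; then
        echo "refusing: $JAIL or $JAIL/home is user-writable or not root-owned" >&2
        return 1
    fi
}

# Usage (as root): JAIL=/home/jail JAILED_USER=simon sh build_jail.sh build
if [ "${1:-}" = build ]; then build_jail; fi
```

After the jail passes the checks, the user's login shell is switched to the chroot-enabled scponly binary per scponly's INSTALL; if an SFTP client can then still list /etc, it is seeing the jail's own /etc (which should hold nothing but the two files written above), not the real one.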
 