Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations John Tel on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Securing sftp on linux with rssh + chrootjail

Status
Not open for further replies.
ngxGraz

ngxGraz

Technical User
Jun 22, 2007
56
CA
Hey guys, we have a client that needs access to one of our boxes. We're using sftp, but this allows them access to a bash shell, and viewing capabilities of most directories. I installed and setup rssh, which is set to allow sftp only. Install went okay, but i had to manually disable installing man5. I set my user's shell as kssh, added kssh to /etc/shells, and in /usr/local/etc/rssh.conf i set the chrootpath to /home, and allowed sftp.
in /home i created directories, and copied over needed files.

Code: 
cd home
mkdir lib
mkdir usr
mkdir bin
mkdir usr/local
mkdir usr/local/bin
mkdir usr/local/libexec
mkdir usr/libexec
mkdir usr/libecec/openssh
mkdir usr/kerberos
mkdir usr/kerberos/lib
cp /usr/local/bin/rssh usr/local/bin
cp /usr/bin/sftp usr/bin
cp /usr/local/libexec/rssh_chroot_helper usr/local/libexec/
cp /usr/libexec/openssh/sftp-server usr/libexec/openssh/

cp /lib/libresolv.so.2 lib
cp /lib/libutil.so.1 lib
cp /usr/lib/libz.so.1 usr/lib
cp /lib/libnsl.so.1 lib
cp /lib/libcrypto.so.4 lib
cp /usr/kerberos/lib/libkrb5.so.3 usr/kerberos/lib
cp /usr/kerberos/lib/libk5crypto.so.3 usr/kerberos/lib
cp /usr/kerberos/lib/libcom_err.so.3 usr/kerberos/lib
cp /lib/tls/libc.so.6 lib
cp /usr/kerberos/lib/libgssapi_krb5.so.2 usr/kerberos/lib
cp /lib/libdl.so.2 lib
cp /lib/ld-linux.so.2 lib
cp /lib/libcrypt.so.1 lib

cp /etc/passwd etc/passwd
cp /etc/group etc/group

usermod -s /usr/local/bin/rssh iceftp
and i added dev/null too.
I tried to get the user to log in to ssh -- perfect, it shows it's running rssh and kills the connection, however, when trying to connect into sftp, I get an error, "Fatal: unable to initialize SFTP: could not connect" but SFTPing other users (where kssh isn't their shell works)
I can't seem to get an error log either, anyone have a similar issue?
 
Sort by date Sort by votes
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
963
Sameer258
Sameer258
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
266
PauS0n
PauS0n
mcisar
  • Locked
  • Question
Disable CHAP on PPPoE WAN connection
Replies
0
Views
254
mcisar
mcisar
ISDPCMAN
  • Locked
  • Question
Cannot connect to TZ-215 Sonicwall appliance with web browser!
Replies
0
Views
218
ISDPCMAN
ISDPCMAN
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
293
hairlessupportmonkey
hairlessupportmonkey

Part and Inventory Search

Sponsor

Back
Top