0

I'm setting up an sshd jail for some users on my system (archlinux). Without going into great detail I'd like to keep the scope of the question minimal.

Setting /etc/ssh/sshd_config:

Match group jaileduser
          ChrootDirectory /var/jailedusers
          X11Forwarding no
          AllowTcpForwarding no

and a system /etc/password entry similar to:

testuser1:x:2001:2000::/home/testuser1:/bin/bash

So the question is: Is the home directory of /home/testuser1 relative to the sshd_config entry /var/jailedusers i.e. should the passwd entry be /var/jailedusers/home/testuser1 or /home/testuser1 with a directory in /var/jailedusers of /home/testuser1 - AND is the shell in the same boat - is the passwd entry /var/jailedusers/bin/bash or simply /bin/bash.

Lastly upon login is the system /etc/passwd read or is /var/jailedusers/etc/passwd read as per sshd_config entry.

techraf
  • 64,883
  • 27
  • 193
  • 198
user3358194
  • 1

1 Answers1

1

Based on the manpage:

Specifies the pathname of a directory to chroot(2) to after
authentication.  All components of the pathname must be root-
owned directories that are not writable by any other user or
group.  After the chroot, sshd(8) changes the working directory
to the user's home directory.

So /etc/passwd needs to contain the paths relative to the system's root (i.e. /bin/bash and /home/testuser1) and the system's root will, after chroot, actually be /var/jailedusers (meaning that /var/jailedusers/home/testuser1 will be the actual home and /var/jailedusers/bin/bash the actual shell).

To answer the second part of the question, sshd will read /etc/passwd, perform authentication and then chroot to /var/jailedusers.

Note that /var/jailedusers will also need to contain additional files, such as the shared libraries required by bash and a minimal set of /dev entries (e.g. /dev/null).

isedev
  • 18,848
  • 3
  • 60
  • 59
  • Thanks for the answer - understand much more now - lastly, do I have to have 'two' home directories? i.e. /home/testuser1 and /var/jailedusers/home/testuser1? – user3358194 Feb 27 '14 at 00:30
  • well, you will need two paths: one under `/home` and one under `/var/jailedusers/home`. But these could be the same directory if using `bind` mounts (see `mount` manpage). Alternatively, put jailed user's homes only under `/var/jailedusers/home`, updating `/etc/passwd` accordingly and symlink `/var/jailedusers /var/jailedusers/home` to `/var/jailedusers/home` (so that `/var/jailedusers/home` is a valid path before and after `chroot`). – isedev Feb 27 '14 at 00:33
  • I guess what I'm asking is - does it have to authenticate 'outside' of the chroot dir before switching to it? – user3358194 Feb 27 '14 at 00:36
  • `sshd` authenticates before it does a `chroot`... that's the way it is designed. – isedev Feb 27 '14 at 00:37
  • Thanks mate - that answers it perfect - it's hard to visualize it unless explained sometimes :) Thanks again! – user3358194 Feb 27 '14 at 00:38
  • The reason I'm asking is I'm trying to execute a proprietary bash script - so the system passwd has /bin/bash but the chroot etc/passwd has /bin/menu - does that sound about right? – user3358194 Feb 27 '14 at 00:40
  • no need for chroot'd `/etc/passwd` unless the script wants to read it: `/etc/passwd` will be used by `sshd` only. So put `/bin/menu` in `/etc/passwd`, copy the `menu` script to `/var/jailedusers/bin/menu`, copy all the stuff `menu` needs under `/var/jailedusers` too and `sshd` will chroot then run `/bin/menu` in the jail. – isedev Feb 27 '14 at 00:45
  • One final question - it's showing /home/testuser1/menu as a directory 'Not a directory' is the error - I've checked everywhere for a trailing '/' but no matter what I do it won't execute the script - even double checked #!/usr/bin/bash in the script - befuddled. – user3358194 Feb 27 '14 at 02:21