[BlueOnyx:08385] Re: limit ssh access

Eiji Hamano bluequartz at hypersys.ne.jp
Tue Sep 6 01:48:45 -05 2011


In addition,
OpenSSH 4.9 has the 'Match User' function,
so we can distinguish users.

Eiji Hamano


> Hi Michael Stauber,
>
> However,
> OpenSSH 4.9 and later in FreeBSD supports this function with
> "ChrootDirectory" in the sshd_config definition. I am using this
> 'limit ssh directory access' on FreeBSD.
>
> BlueOnyx now has OpenSSH 4.3, right?
> So let's upgrade OpenSSH from 4.3 to 4.9.
>
> Is there any problem with OpenSSH 4.9 on BlueOnyx?
>
> Eiji Hamano
>
>
>
>
>>> Yeah, I tried to implement chrooted SSH on BlueOnyx sometime last year.
>>> Almost got it done and then hit a snag. It worked, but there were some
>>> drawbacks that I've forgotten by now. Will look into it again.
>>
>> I looked into it again. Yeah, there were some problems with chrooted SSH
>> on CentOS5. Partially that's because it is showing its age already and
>> things that work a bit more seamlessly on newer distributions are more
>> complicated on CentOS5. When CentOS5 was shipped, its SSHd didn't have
>> provisions for chroots in it. So in the end I settled for working SFTP
>> access back then and put off the attempts to get chrooted SSH working.
>>
>> With a few bits and pieces from rpmforge and epel one can generally get
>> chrooted SSH working on CentOS5 nowadays.
>>
>> But the problems start with setting up the chroot. For a regular user
>> (non-siteAdmin) we could simply use his home directory as base of the
>> chrooted environment, which is doable.
>>
>> The chroot must be populated with devices, the binaries that we allow the
>> chrooted user to use and their dependencies. That's the ugly part,
>> because we must populate the chroot with this stuff on login and must
>> clean that stuff up on logout. There are some mechanisms and tools
>> available that help with this.
>>
>> The part where it hits a snag is when we try to chroot a siteAdmin. Using
>> the home directory of the siteAdmin won't suffice, because he certainly
>> would like to be able to access the site's /web directory, too, which is
>> outside his home directory and therefore outside the chrooted jail.
>>
>> So we'd have to start the chroot for the siteAdmin at the site-root
>> instead.
>>
>> Which a chrooted SSH won't allow us to do, because the site-root has the
>> wrong permissions for that purpose and SSH is really picky about the
>> permissions. A site-root directory usually has 42775 permissions (i.e.:
>> drwxrwsr-x), which means: Set GID on execution, rwx for owner, rwx for
>> group, r-x for others. I think SSH already chokes on group readable and
>> r-x for others is a strict no-go area for it. Temporarily removing the
>> extra bits would break web, FTP and email for the entire site and all its
>> users, so that's not the best of ideas either.
>>
>> I'm looking into other options for this now. Maybe "Jailkit" can help to
>> overcome these obstacles. Or the implementation of an SCP-only shell could
>> help. That wouldn't allow full SSH access, but at least SCP would work.
>>
>> I haven't entirely given up on this yet, but if we provide chrooted SSH,
>> then I want it to be a robust solution. And for it to be robust enough a
>> couple of architectural oddities like our site-root permissions must
>> first be overcome without breaking other things.
>>
>> -- 
>> With best regards
>>
>> Michael Stauber
>> 
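
An added example, not part of the original thread or of BlueOnyx: sshd_config(5) documents that every component of a ChrootDirectory path must be a root-owned directory that is not writable by any other user or group. The sketch below applies that rule to the 42775 site-root mode discussed above; the paths and owners in the sample tree are constructed assumptions.

```python
import os
import stat
from types import SimpleNamespace

def component_problems(st_mode, st_uid):
    """Reasons one path component fails the documented ChrootDirectory rule."""
    problems = []
    if not stat.S_ISDIR(st_mode):
        problems.append("not a directory")
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems

def check_chroot_path(path, stat_fn=os.stat):
    """Check every component from / down to path; return {component: problems}."""
    findings = {}
    current = os.sep
    for part in [""] + [p for p in os.path.abspath(path).split(os.sep) if p]:
        current = os.path.join(current, part)
        st = stat_fn(current)
        problems = component_problems(st.st_mode, st.st_uid)
        if problems:
            findings[current] = problems
    return findings

# Constructed sample tree (hypothetical paths and owners, not a real BlueOnyx box).
# Modes are full st_mode values in octal, like the 42775 quoted in the thread.
SAMPLE = {
    "/": (0o040755, 0),
    "/home": (0o040755, 0),
    "/home/sites": (0o040755, 0),
    "/home/sites/example": (0o042775, 0),  # drwxrwsr-x site-root
    "/home/sites/example/users": (0o040755, 0),
}

def sample_stat(path):
    mode, uid = SAMPLE[path]
    return SimpleNamespace(st_mode=mode, st_uid=uid)

if __name__ == "__main__":
    for comp, problems in check_chroot_path("/home/sites/example", sample_stat).items():
        print(comp, "->", ", ".join(problems))
```

Because the rule covers every component, a chroot placed below a group-writable site-root is flagged as well; called without `stat_fn`, the function inspects the real filesystem.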



