[BlueOnyx:08377] Re: limit ssh access
mstauber at blueonyx.it
Sat Sep 3 19:41:57 PET 2011
> Yeah, I tried to implement chrooted SSH on BlueOnyx sometime last year.
> Almost got it done and then hit a snag. It worked, but there were some
> drawbacks that I've forgotten by now. Will look into it again.
I looked into it again. Yeah, there were some problems with chrooted SSH on
CentOS5. Partially that's because it is showing its age already and things
that work a bit more seamlessly on newer distributions are more complicated on
CentOS5. When CentOS5 was shipped, its SSHd didn't have provisions for
chroots in it. So in the end I settled for working SFTP access back then and
put off the attempts to get chrooted SSH working.
With a few bits and pieces from rpmforge and epel one can generally get
chrooted SSH working on CentOS5 nowadays.
But the problems start with setting up the chroot. For a regular user
(non-siteAdmin) we could simply use his home directory as the base of the
chrooted environment, which is doable.
The chroot must be populated with devices, the binaries that we allow the
chrooted user to use and their dependencies. That's the ugly part, because we
must populate the chroot with this stuff on login and must clean that stuff up
on logout. There are some mechanisms and tools available that help with this.
The part where it hits a snag is when we try to chroot a siteAdmin. Using the
home directory of the siteAdmin won't suffice, because he certainly would like
to be able to access the site's /web directory, too, which is outside his home
directory and therefore outside the chrooted jail.
So we'd have to start the chroot for the siteAdmin at the site-root instead,
which a chrooted SSH won't allow us to do, because the site-root has the wrong
permissions for that purpose and SSH is really picky about the permissions. A
site-root directory usually has 42775 permissions (i.e.: drwxrwsr-x), which
means: Set GID on execution, rwx for owner, rwx for group, r-x for others. I
think SSH already chokes on group readable and r-x for others is a strict
no-go area for it. Temporarily removing the extra bits would break web, FTP
and email for the entire site and all its users, so that's not the best of
ideas.
I'm looking into other options for this now. Maybe "Jailkit" can help to
overcome these obstacles. Or the implementation of an SCP-only shell could
help. That wouldn't allow full SSH access, but at least SCP would work.
I haven't entirely given up on this yet, but if we provide chrooted SSH, then
I want it to be a robust solution. And for it to be robust enough a couple of
architectural oddities like our site-root permissions must first be overcome
without breaking other things.
With best regards