[BlueOnyx:08377] Re: limit ssh access

Michael Stauber mstauber at blueonyx.it
Sat Sep 3 19:41:57 PET 2011


> Yeah, I tried to implement chrooted SSH on BlueOnyx sometime last year.
> Almost  got it done and then hit a snag. It worked, but there were some
> drawbacks that I've forgotten by now. Will look into it again.

I looked into it again. Yeah, there were some problems with chrooted SSH on 
CentOS5. Partially that's because it is showing it's age already and things 
that work a bit more seamlessly on never distributions are more complicated on 
CentOS5. When CentOS5 was shipped, it's SSHd didn't have provisions for 
chroots in it. So in the end I settled for working SFTP acess back then and 
put off the attempts to get chrooted SSH working.

With a few bits and pieces from rpmforge and epel one can generally get 
chrooted SSH working on CentOS5 nowadays. 

But the problems start with setting up the chroot. For a regular user (non-
siteAdmin) we could simply use his home directory as base of the chrooted 
environment, which is doable.

The chroot must be populated with devices, the binaries that we allow the 
chrooted user to use and their dependencies. That's the ugly part, because we 
must populate the chroot with this stuff on login and must clean that stuff up 
on logout. There are some mechanisms and tools available that help with this.

The part where it hits a snag is when we try to chroot a siteAdmin. Using the 
home directory of the siteAdmin won't suffice, because he certainly would like 
to be able to access the sites /web directory, too, which is outside his home 
directory and therefore outside the chrooted jail.

So we'd have to start the chroot for the siteAdmin at the site-root instead. 

Which a chrooted SSH won't allow us to do, because the site-root has the wrong 
permissions for that purpose and SSH is really picky about the permissions. A 
site-root directory usually has 42775 permissions (i.e.: drwxrwsr-x), which 
means: Set GID on execution, rwx for owner, rwx for group, r-x for others. I 
think SSH already chokes on group readable and r-x for others is a strict no-
go area for it. Temporarily removing the extra bits would break web, FTP and 
email for the entire site and all it's users, so that's not the best of ideas 
either.

I'm looking into other options for this now. Maybe "Jailkit" can help to 
overcome these obstacle. Or the implementation of an SCP-only shell could 
help. That wouldn't allow full SSH access, but at least SCP would work.

I haven't entirely given up on this yet, but if we provide chrooted SSH, then 
I want it to be a robust solution. And for it to be robust enough a couple of 
architectural oddities like our site-root permissions must first be overcome 
without breaking other things.

-- 
With best regards

Michael Stauber



More information about the Blueonyx mailing list