[BlueOnyx:08384] Re: limit ssh access

Eiji Hamano bluequartz at hypersys.ne.jp
Tue Sep 6 01:43:08 PET 2011


Hi  Michael Stauber;

However,
over 4.9 OpenSSH in FreeBSD is supporting this function with 
"ChrootDirectory"
on sshd_config definition.  I am using this  'limit ssh directry access'
at FreeBSD.

BlueOnyx has now 4.3 OpenSSH,  right ?
So let's upgrade OpenSSH from 4.3 to 4.9.

Is any problem on OpenSSH 4.9 on BlueOnyx ?

Eiji Hamano




>> Yeah, I tried to implement chrooted SSH on BlueOnyx sometime last year.
>> Almost  got it done and then hit a snag. It worked, but there were some
>> drawbacks that I've forgotten by now. Will look into it again.
>
> I looked into it again. Yeah, there were some problems with chrooted SSH 
> on
> CentOS5. Partially that's because it is showing it's age already and 
> things
> that work a bit more seamlessly on never distributions are more 
> complicated on
> CentOS5. When CentOS5 was shipped, it's SSHd didn't have provisions for
> chroots in it. So in the end I settled for working SFTP acess back then 
> and
> put off the attempts to get chrooted SSH working.
>
> With a few bits and pieces from rpmforge and epel one can generally get
> chrooted SSH working on CentOS5 nowadays.
>
> But the problems start with setting up the chroot. For a regular user 
> (non-
> siteAdmin) we could simply use his home directory as base of the chrooted
> environment, which is doable.
>
> The chroot must be populated with devices, the binaries that we allow the
> chrooted user to use and their dependencies. That's the ugly part, because 
> we
> must populate the chroot with this stuff on login and must clean that 
> stuff up
> on logout. There are some mechanisms and tools available that help with 
> this.
>
> The part where it hits a snag is when we try to chroot a siteAdmin. Using 
> the
> home directory of the siteAdmin won't suffice, because he certainly would 
> like
> to be able to access the sites /web directory, too, which is outside his 
> home
> directory and therefore outside the chrooted jail.
>
> So we'd have to start the chroot for the siteAdmin at the site-root 
> instead.
>
> Which a chrooted SSH won't allow us to do, because the site-root has the 
> wrong
> permissions for that purpose and SSH is really picky about the 
> permissions. A
> site-root directory usually has 42775 permissions (i.e.: drwxrwsr-x), 
> which
> means: Set GID on execution, rwx for owner, rwx for group, r-x for others. 
> I
> think SSH already chokes on group readable and r-x for others is a strict 
> no-
> go area for it. Temporarily removing the extra bits would break web, FTP 
> and
> email for the entire site and all it's users, so that's not the best of 
> ideas
> either.
>
> I'm looking into other options for this now. Maybe "Jailkit" can help to
> overcome these obstacle. Or the implementation of an SCP-only shell could
> help. That wouldn't allow full SSH access, but at least SCP would work.
>
> I haven't entirely given up on this yet, but if we provide chrooted SSH, 
> then
> I want it to be a robust solution. And for it to be robust enough a couple 
> of
> architectural oddities like our site-root permissions must first be 
> overcome
> without breaking other things.
>
> -- 
> With best regards
>
> Michael Stauber
> 



More information about the Blueonyx mailing list