2005-03-28, 03:15 PM
First off install ssh (must be the PAM enabled version)and you also need the libpam_chroot module.
if you have install ssh by default on fedora this module is installed :)
Ok so they should be installed.
Then edit "/etc/pam.d/sshd".
Code:
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_chroot.so
if you do have pam_limits.so in the sshd config file comment it out with a # or remove the line
Hopefully a pam 'head' can explain why the limit file gives difficulties... probably something simple.
Ok so now when ssh uses pam it should use the pam_chroot. Thats what we just setup. Now we need to tell ssh to actaully use it [img]<___base_url___>/uploads/emoticons/default_laugh.png[/img]
Edit "/etc/ssh/sshd_config". I'm not going to put in the WHOLE sshd_config file here just the two lines that require to be set the ... represent the rest of the file.
Code:
#normally this is yes.. so switch to no
UsePrivilegeSeparation no
#normally this is yes...but check
UsePAM yes
Ok it should be stressed that you should NEVER run ssh with UsePriv.. set to no unless you plan on chroot'in. This basically gives ssh the ability to be root, this can lead to real dangers. We need it to run as root because we cannot chroot the user into the new chroot enviroment unless we are root.
Right.. so sshd is ready... Now to finish off the PAM setup.
Edit "/etc/security/chroot.conf"
Code:
znx /home/chroot
NOW we're ready.... Restart your ssh daemon to get the new config:
Code:
/etc/init.d/sshd restart
Once you have got this far you will want to chown /home/znx to root:root
Code:
chown root.root /home/znx
The finally change the permission to 755
Code:
chmod 755 /home/znx
you will need to add the binarys and library files to the chroot as shown below:
Code:
# cd /home/
# mkdir chroot
# cd chroot/
# mkdir bin lib
# cp /bin/bash bin/
# ldd /bin/bash
libncurses.so.5 => /lib/libncurses.so.5 (0x40025000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0x40062000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x40065000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
# cp /lib/libncurses.so.5 lib/
# mkdir lib/tls/i686/cmov -p
# cp /lib/ld-linux.so.2 lib/
# cp /lib/tls/i686/cmov/{libdl.so.2,libc.so.6} lib/
# cd
# chroot /home/chroot/ /bin/bash
bash-2.05b# ls
bash: ls: command not found
bash-2.05b# exit
Well thats it. The ssh daemon will now force a user into the chroot 'jail' using PAM. Lets test...
Code:
# ssh -l znx localhost
Password: *******
Last login: Fri Mar 25 19:28:08 2005 from localhost.localdomain
-bash-2.05b$ ls
-bash: ls: command not found
-bash-2.05b$ logout
Connection to ubuntu closed.
Jy provided a link to the following site with a script that will move the binarys and librarys to the chrooted dir:
[/url][url=http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/]http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/
This guide was produced by znx and edited by xDamox ;) many thanks to znx