Chrooted sftp, did you get it working?

m.ibarra at cdcixis-na.com m.ibarra at cdcixis-na.com
Sat Apr 13 05:59:42 EST 2002


Arghh! That is what I was thinking, until I tried it. %^}

username:x:100:100:Real User:/home/username:/bin/sh

/usr/local/libexec/sftp-server has been copied over to /chroot/bin/sh
and I have tried with /usr/local/libexec/sftp-server as the shell
too. I have also tried changing the homedir to various locations.

Hey, I am happy, it works beautifully, would just like to get it 
to work as you say it does :-)

Thank you,

-mike

-----Original Message-----
From: James Dennis [mailto:jdennis at law.harvard.edu]
Sent: Friday, April 12, 2002 3:19 PM
To: Ibarra, Michael
Cc: jm.poure at freesurf.fr; dci at webquill.com;
openssh-unix-dev at mindrot.org; secureshell at securityfocus.com
Subject: Re: Chrooted sftp, did you get it working?


It shows the uid instead because it can't read a passwd file to find what
username is associated with the uid. Copy that file (though stripped down to
just chrooted users) into the chroot under /chroot/etc/passwd where /chroot
is your chroot path and you should be all set.
-James
PS. I'm sorry if this is redundant, I am not on the openssh mailing list,
though I probably should be now, so I am only seeing things cc'd to me.

On Fri, 12 Apr 2002 15:04:48 -0400
m.ibarra at cdcixis-na.com wrote:

> Oh, it works, just not properly :-)
> 
> If I sftp in using this patch, it shows all files as owned
> by UID instead of username. I am however able to now log in.
> 
> My original problem was using ftp put, that failed due to the
> fact that I was originally following the chroot+sftp-server.patch,
> doc which stated that I must chmod the chrooted homedir to 555
> and make it owned by root. I've since then properly rechmodded
> and all seems well, again aside from the UID bug noted above.
> 
> Thanks again,
> 
> -mike
> 
> -----Original Message-----
> From: James Dennis [mailto:jdennis at law.harvard.edu]
> Sent: Friday, April 12, 2002 9:33 AM
> To: jm.poure at freesurf.fr; dci at webquill.com
> Cc: Ibarra, Michael; openssh-unix-dev at mindrot.org;
> secureshell at securityfocus.com
> Subject: Re: Chrooted sftp, did you get it working?
> 
> 
> Hello,
> Chrooting sftp is not much more complicated than just chrooting ssh. It
> requires placing certain libraries (you can probably figure these out using
> truss or strace) in a location that appears the same as the regular file
> system while under the chroot. As far as I remember from doing this, the
> only thing sftp requires different from ssh is sftp-server, which most likely
> lies in /usr/libexec or /usr/local/libexec. The best way to determine if
> chrooted ssh is working is to apply the patch (which I will include with
> this email) and create a test username. Then log in with the chrooted ssh
> daemon. It should run fine. Then change the user's home directory to have a
> period in it (/home/./username) and then try logging in. If it fails, the
> patch is working, because you haven't built a chroot yet, so after the chroot
> is applied to your user the user's shell will not be found and the login
> fails. Chrooting ssh/sftp isn't necessarily easy, but if you're comfortable
> with truss or strace it becomes quite a bit easier.
> Because the whole process of building a chroot is beyond the scope of my
> reply in regard to the patch not working, I leave any inquisitive minds to
> find a good article on how to build chroots themselves (hint: a good
> article on chrooting ssh (not sftp) is on securityfocus.com).
> Good luck to anyone. This patch does indeed work, as we use it in production
> here at Harvard Law School.
> -James
> 
> On Fri, 12 Apr 2002 08:04:03 +0200
> jm.poure at freesurf.fr wrote:
> 
> > On Thursday, 11 April 2002 21:09, m.ibarra at cdcixis-na.com wrote:
> > > I was curious to know if you had any luck in getting openssh's sftp
> > > server properly configured to allow chrooted sftp logins? I have had
> > > no success and need something quickly.
> > 
> > Dear Mike,
> > 
> > Unfortunately, I did not succeed in getting it to work.
> > 
> > I got in contact with James Dennis <jdennis at law.harvard.edu>, who sent me a
> > chroot patch. I applied the patch and did not succeed in logging into a
> > chrooted account.
> > 
> > The patch is quite simple. I don't understand why it does not work. Any idea?
> > 
> > Best regards,
> > Jean-Michel
> > 
> 
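The thread above describes three pieces that a working sftp chroot needs: the sftp-server binary and the shared libraries it loads (James suggests finding them with truss or strace), a stripped-down /etc/passwd inside the chroot so uids resolve to names, and a home directory the user can actually write to. The script below is an added example, not code from the thread or from OpenSSH. It assumes the convention of the classic chroot patch, in which the part of the passwd home field before `/./` becomes the chroot and the remainder is the home inside it; it uses `ldd` as a static stand-in for truss/strace; the paths `/chroot` and `/usr/local/libexec/sftp-server` are placeholders taken from the thread, and the passwd entries in `sample_passwd` are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): helpers for assembling a minimal
# sftp-server chroot. Assumes the "/./" chroot-patch convention: the part
# of the home field before "/./" is the chroot, the rest is the home inside.

# Print the chroot directory for a passwd home field; fail (return 1) if the
# field carries no "/./" marker, i.e. the user is not chrooted.
chroot_root() {
    case "$1" in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *) return 1 ;;
    esac
}

# Print the home directory as seen from inside the chroot.
chroot_home() {
    case "$1" in
        */./*) printf '/%s\n' "${1#*/./}" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Constructed sample passwd content (not from the thread) for a dry run.
sample_passwd() {
    printf 'root:x:0:0:root:/root:/bin/sh\n'
    printf 'alice:x:1001:1001:Alice Example:/chroot/./home/alice:/bin/sh\n'
    printf 'bob:x:1002:1002:Bob Example:/home/bob:/bin/sh\n'
}

# Print only the entries for the named users, with the home field rewritten
# to its inside-the-chroot form and the password field forced to "x":
# authentication already happened outside the chroot, so the copy needs
# names and ids only, never hashes.  Usage: strip_passwd /etc/passwd alice bob
strip_passwd() {
    pwfile=$1; shift
    for user in "$@"; do
        grep "^${user}:" "$pwfile" |
        while IFS=: read -r name _pw uid gid gecos home shell; do
            printf '%s:x:%s:%s:%s:%s:%s\n' \
                "$name" "$uid" "$gid" "$gecos" "$(chroot_home "$home")" "$shell"
        done
    done
}

# List the shared objects a binary loads, as absolute paths.  ldd only sees
# link-time dependencies; libraries opened with dlopen (NSS modules, for
# example) still need truss/strace to discover, as the thread says.
needed_libs() {
    ldd "$1" | awk '/=> \//{print $3} /^[[:space:]]*\//{print $1}'
}

# Assemble the chroot: sftp-server, its libraries, the stripped passwd, and
# each user's home owned by that user (the thread notes that a root-owned,
# mode 555 home breaks uploads).  Must run as root.  A stripped /etc/group
# is needed in the same way if group names should resolve.
# Usage: build_chroot /chroot /usr/local/libexec/sftp-server alice
build_chroot() {
    root=$1 server=$2; shift 2
    mkdir -p "$root/etc" "$root/bin"
    install -m 0755 "$server" "$root/bin/sftp-server"
    for lib in $(needed_libs "$server"); do
        mkdir -p "$root$(dirname "$lib")"
        cp -p "$lib" "$root$lib"
    done
    strip_passwd /etc/passwd "$@" > "$root/etc/passwd"
    chmod 0644 "$root/etc/passwd"
    # Create each home from the stripped file so no extra lookup tool is needed.
    while IFS=: read -r _name _pw uid gid _gecos home _shell; do
        mkdir -p "$root$home"
        chown "$uid:$gid" "$root$home"
        chmod 0755 "$root$home"
    done < "$root/etc/passwd"
}
```

Running `strip_passwd` against `sample_passwd` output for `alice` yields `alice:x:1001:1001:Alice Example:/home/alice:/bin/sh`, which is exactly the entry the chrooted sftp-server needs to turn uid 1001 back into a name in directory listings; `bob`, whose home has no `/./`, is not chrooted and would be left out of the copy.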
