On Thursday 11 April 2002 21:09, m.ibarra at cdcixis-na.com wrote:
> I was curious to know if you had any luck in getting openssh's sftp
> server properly configured to allow chrooted sftp logins? I have had
> no success and need something quickly.

Dear Mike,

Unfortunately, I did not succeed in getting it to work.

I got in contact with James Dennis <jdennis at law.harvard.edu>, who sent me a chroot patch. I applied the patch and did not succeed in logging into a chrooted account.

The patch is quite simple. I don't understand why it does not work. Any idea?

Best regards,
Jean-Michel
Hello,

Chrooting sftp is not much more complicated than just chrooting ssh. It requires placing certain libraries (you can probably figure these out using truss or strace) in a location that appears the same as the regular file system while under the chroot. As far as I remember from doing this, the only thing sftp requires different from ssh is sftp-server, which most likely lies in /usr/libexec or /usr/local/libexec.

The best way to determine if chrooted ssh is working is to apply the patch (which I will include with this email) and create a test username. Then log in with the chrooted ssh daemon. It should run fine. Then change the user's home directory to have a period in it (/home/./username) and then try logging in. If it fails, the patch is working, because you haven't built a chroot yet, so after the chroot is applied to your user the user's shell will not be found and the login fails.

Chrooting ssh/sftp isn't necessarily easy, but if you're comfortable with truss or strace it becomes quite a bit easier. Because the whole process of building a chroot is beyond the scope of my reply in regard to the patch not working, I leave any inquisitive minds to find a good article on how to build chroots for themselves (hint: a good article on chrooting ssh (not sftp) is on securityfocus.com).

Good luck to anyone. This patch does indeed work, as we use it in production here at Harvard Law School.

-James

On Fri, 12 Apr 2002 08:04:03 +0200 jm.poure at freesurf.fr wrote:
> On Thursday 11 April 2002 21:09, m.ibarra at cdcixis-na.com wrote:
> > I was curious to know if you had any luck in getting openssh's sftp
> > server properly configured to allow chrooted sftp logins? I have had
> > no success and need something quickly.
>
> Dear Mike,
>
> Unfortunately, I did not succeed in getting it to work.
>
> I got in contact with James Dennis <jdennis at law.harvard.edu>, who sent me a
> chroot patch. I applied the patch and did not succeed in logging into a chrooted
> account.
>
> The patch is quite simple. I don't understand why it does not work. Any idea?
>
> Best regards,
> Jean-Michel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: chroot.diff
Type: application/octet-stream
Size: 2561 bytes
Desc: not available
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020412/6bfce47b/attachment.obj
m.ibarra at cdcixis-na.com
2002-Apr-12 19:04 UTC
Chrooted sftp, did you getting it working?
Oh, it works, just not properly :-)

If I sftp in using this patch, it shows all files as owned by UID instead of username. I am however able to now log in.

My original problem was using ftp put, which failed due to the fact that I was originally following the chroot+sftp-server.patch doc, which stated that I must chmod the chrooted homedir to 555 and make it owned by root. I've since then properly rechmodded and all seems well, again aside from the UID bug noted above.

Thanks again,
-mike

-----Original Message-----
From: James Dennis [mailto:jdennis at law.harvard.edu]
Sent: Friday, April 12, 2002 9:33 AM
To: jm.poure at freesurf.fr; dci at webquill.com
Cc: Ibarra, Michael; openssh-unix-dev at mindrot.org; secureshell at securityfocus.com
Subject: Re: Chrooted sftp, did you getting it working?

Hello,

Chrooting sftp is not much more complicated than just chrooting ssh. It requires placing certain libraries (you can probably figure these out using truss or strace) in a location that appears the same as the regular file system while under the chroot. As far as I remember from doing this, the only thing sftp requires different from ssh is sftp-server, which most likely lies in /usr/libexec or /usr/local/libexec.

The best way to determine if chrooted ssh is working is to apply the patch (which I will include with this email) and create a test username. Then log in with the chrooted ssh daemon. It should run fine. Then change the user's home directory to have a period in it (/home/./username) and then try logging in. If it fails, the patch is working, because you haven't built a chroot yet, so after the chroot is applied to your user the user's shell will not be found and the login fails.

Chrooting ssh/sftp isn't necessarily easy, but if you're comfortable with truss or strace it becomes quite a bit easier. Because the whole process of building a chroot is beyond the scope of my reply in regard to the patch not working, I leave any inquisitive minds to find a good article on how to build chroots for themselves (hint: a good article on chrooting ssh (not sftp) is on securityfocus.com).

Good luck to anyone. This patch does indeed work, as we use it in production here at Harvard Law School.

-James
m.ibarra at cdcixis-na.com
2002-Apr-12 19:59 UTC
Chrooted sftp, did you getting it working?
Arghh! That is what I was thinking, until I tried it. %^}

username:x:100:100:Real User:/home/username:/bin/sh

/usr/local/libexec/sftp-server has been copied over to /chroot/bin/sh, and I have tried with /usr/local/libexec/sftp-server as the shell too. I have also tried changing the homedir to various locations.

Hey, I am happy, it works beautifully, would just like to get it to work as you say it does :-)

Thank you,
-mike

-----Original Message-----
From: James Dennis [mailto:jdennis at law.harvard.edu]
Sent: Friday, April 12, 2002 3:19 PM
To: Ibarra, Michael
Cc: jm.poure at freesurf.fr; dci at webquill.com; openssh-unix-dev at mindrot.org; secureshell at securityfocus.com
Subject: Re: Chrooted sftp, did you getting it working?

It shows the uid instead because it can't read a passwd file to find what username is associated with the uid. Copy that file (though stripped down to just chrooted users) into the chroot under /chroot/etc/passwd, where /chroot is your chroot path, and you should be all set.

-James

PS. I'm sorry if this is redundant, I am not on the openssh mailing list, though I probably should be now, so I am only seeing things cc'd to me.

On Fri, 12 Apr 2002 15:04:48 -0400 m.ibarra at cdcixis-na.com wrote:
> Oh, it works, just not properly :-)
>
> If I sftp in using this patch, it shows all files as owned
> by UID instead of username. I am however able to now log in.
>
> My original problem was using ftp put, which failed due to the
> fact that I was originally following the chroot+sftp-server.patch
> doc, which stated that I must chmod the chrooted homedir to 555
> and make it owned by root. I've since then properly rechmodded
> and all seems well, again aside from the UID bug noted above.
>
> Thanks again,
>
> -mike
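The three mechanical steps this thread circles around (James's /home/./username convention for marking a chrooted account, finding the libraries a chrooted binary needs, and the stripped-down passwd file that fixes the uid-instead-of-name listing) as an added POSIX sh example. This is not the chroot patch and not anything posted in the thread. It assumes that the patch takes the part of the passwd home field before "/./" as the chroot root and the rest as the home inside it, uses ldd in place of truss/strace to enumerate shared libraries, and leaves the choice of binary (e.g. /usr/local/libexec/sftp-server) to the caller; the passwd lines it builds are constructed sample data.

```shell
#!/bin/sh
# Added example for this thread, not the chroot patch or anything posted in it.
# Assumptions: the chroot patch treats the text before "/./" in the passwd home
# field as the chroot root (the /home/./username convention James describes);
# ldd stands in for truss/strace to find the shared libraries a binary needs;
# which binaries to copy (sftp-server, a shell) is the caller's choice.
set -e

# chroot_root HOME: print the chroot root (text before "/./"); fail if the home
# field has no marker, i.e. the patch would not chroot this account at all.
chroot_root() {
    case "$1" in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *)     return 1 ;;
    esac
}

# inner_home HOME: print the home directory as the user sees it inside the chroot.
inner_home() {
    case "$1" in
        */./*) printf '/%s\n' "${1#*/./}" ;;
        *)     return 1 ;;
    esac
}

# build_passwd SRC ROOT USER...: write ROOT/etc/passwd holding only the listed
# users, with the "/./" marker stripped from the home field.  This is the
# stripped-down passwd file sftp-server needs to map uids back to names.
build_passwd() {
    src=$1; root=$2; shift 2
    mkdir -p "$root/etc"
    : > "$root/etc/passwd"
    for u in "$@"; do
        grep "^$u:" "$src" \
            | awk -F: -v OFS=: '{ sub(/^.*\/\.\//, "/", $6); print }' \
            >> "$root/etc/passwd"
    done
    chmod 644 "$root/etc/passwd"
}

# copy_with_libs BIN ROOT: copy BIN and every shared library ldd reports for it
# into ROOT at the same absolute paths, so the chrooted process finds them where
# it expects.  A static binary, or a system without ldd, yields only the binary.
copy_with_libs() {
    bin=$1; root=$2
    mkdir -p "$root$(dirname "$bin")"
    cp "$bin" "$root$bin"
    ldd "$bin" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' \
        | while read -r lib; do
            mkdir -p "$root$(dirname "$lib")"
            cp "$lib" "$root$lib"
          done
}

# Demonstration on a constructed passwd file in a scratch directory.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1001:1001:Alice:%s/./home/alice:/bin/sh\n' \
        "$d" > "$d/passwd.src"
    home=$(awk -F: '$1 == "alice" { print $6 }' "$d/passwd.src")
    echo "chroot root : $(chroot_root "$home")"
    echo "home inside : $(inner_home "$home")"
    mkdir -p "$d$(inner_home "$home")"
    build_passwd "$d/passwd.src" "$d" alice
    copy_with_libs /bin/sh "$d"
    echo "chroot passwd:"; cat "$d/etc/passwd"
    rm -rf "$d"
}
demo
```

Running it prints the chroot root and inner home derived from the marked entry and a one-line chroot passwd for alice with a plain /home/alice home, which is what a directory listing inside the chroot resolves uids against. A passwd entry without the "/./" marker (the shape shown in the message above) makes chroot_root fail, which is a quick way to check why an account is not being chrooted before looking at the copied libraries.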