SecureShell and chroot environments
Abstract
The following article describe how to setup HP-UX SecureShell on a chroot environment on versions A.05.00.24 (11.11) | A.05.00.25 (11.23) | A.05.00.26 (11.31).
SecureShell on chroot environment have change from previous versions and this article tries to fill the gap.
Contents
Introduction
HP-UX Secure Shell version A.05.00 supports chroot functionality for ssh,sftp and scp . chroot functionality is mainly used as an added security measure It forces the root directory to become something other than its default.
chroot is a directory "jail". It allows an application to start in a specified directory and allows all its users to accessing that directory and the directories below it, but prevents the users from doing a cd above that specified directory. It is intended to allow restricted file and directory access to users of that application "while they are in the application". This is not an end-user feature.
The system administrator is required to do the necessary setup to enable chroot for an application, and all users of that application will automatically be subject to the restrictions imposed by chroot. The administrator will need to create new directories, and copy the "relevant" set of files into those newly created directories, in order for chroot to take effect.
Configuring chroot environment for new users
Setting the chroot environment for a new user involves the following steps.
The chroot directory location has to be decided for the specific user. This is the directory that the user are restricted within. In the example below, newroot is the chroot directory, and appuser is a sample userid.
- 1. Add / Create the new user [and group] on the system with the chroot directory location as the home directory for the user.
# /usr/sbin/useradd -g users -d /home/appuser -s /bin/sh appuser
- 2. Configure the user password.
# passwd appuser Changing password for appuser New password:
- 3. Create the chroot directory and the user home directory under the chroot directory , as shown (In the example, the newroot directory is under /).
# /sbin/mkdir -m 755 /newroot/ # /sbin/mkdir -p -m 755 /newroot/home/appuser # /sbin/chown appuser:users /newroot/home/appuser
Configuring chroot environment for existing users
1. Verify that /etc/passwd file shows the normal user path, no the chroot directory/home directory. Since SSH will perform the chroot, no special changes are require on this file.
# cat /etc/passwd . . . appuser:GCKj25rq04UY:114:20::/home/appuser:/bin/sh
2. Move user home directory to the chroot directory
# mv /home/appuser /newroot/home/appuser
Configuring chroot
Use /opt/ssh/utils/ssh_chroot_setup.sh script
Once the new chroot directory has been created as in [[SecureShell and chroot environments] or SecureShell and chroot environments, do the following if the newroot is not already created.
HP SECURE SHELL: CHROOT ENVIRONMENT SETUP - MAIN MENU
-----------------------------------------------------
Select one of the option below
1.Configure a chroot enviroment
2.Exit
Enter your choice : 1
Chroot setup
---------------
User name (Maximum eight chars) : appuser
chroot setup checks for user details
Enter the new root directory for appuser with absolute path (or press r
eturn for default(/newroot)):
---------------------------------
Select chroot secure shell option
----------------------------------
1 sftp
2 ssh & sftp & scp
press return key to skip this step
Option : 2
Now configuring the chroot environment for ssh & sftp & scp...finished
Summary
--------
Chroot-ed user : appuser
Chroot-ed user's new root directory : /newroot
Secure Shell configuration : SSH & SFTP & SCP
press Return key
HP SECURE SHELL: CHROOT ENVIRONMENT SETUP - MAIN MENU
-----------------------------------------------------
Select one of the option below
1.Configure a chroot enviroment
2.Exit
Enter your choice : 2
Change permissions of /newroot/tmp directory
# /sbin/chmod 666 /newroot/tmp
Modify /newroot/etc/passwd
Change "/newroot/etc/passwd" to only contain the users that will use the chroot enviroment.
# cat /newroot/etc/passwd appuser:.GCKj25rq04UY:114:20:chrooted user:/home/appuser:/bin/sh
Modify /opt/ssh/etc/sshd_config
Add a Match statement to /opt/ssh/etc/sshd_config configuration file to made userapp to chroot into newroot directory when login. For example:
Match User appuser ChrootDirectory /newroot
- Note: Alternative, if you need to do this for a large number of users, is easier to set with a "Match group" statement. Users should belong to your match group. For example:
Match group sshonly ChrootDirectory /newroot
Restart SecureShell
Restarting SecureShell daemon will enforce the Match
# /sbin/init.d/secsh stop HP-UX Secure Shell stopped # /sbin/init.d/secsh start HP-UX Secure Shell started
Test login
# ssh appuser@localhost Password: Last successful login: Wed Sep 17 20:01:11 CDT 2008 localhost Last login: Wed Sep 17 20:01:11 2008 from localhost $ echo $HOME /home/appuser $ cd / $ ls bin dev etc home opt sbin tmp usr var
Example using Putty terminal emulator:
Reference
- <Webpage Title> <URL>