SFTP Only Chroot Jail (OpenSSH v4)

This tutorial will help you create an automatic backup on dropbox for your server.

Warning: This tutorial is for OpenSSH version 4.x only.
PLEASE update to 5.0(or newer). If you have 6.x, head here to get the tutorial for the update. Its much easier.

Story time: I run one web server with 5 users. I wasn't really interested in allowing them to see the systems (and my personal) files even if they couldn't edit them. I posted a question about what to do on codingforums.com. The tutorial I was given there seemed faulty hence my post on linuxquestions.org. I eventually found several tutorials and got it to work. Here is a tutorial that is really a mix or several other tutorials and tips I have found on the net in my epic search.

NOTE: This tutorial is for attempting to jail users to their home directory and allowing them ONLY sftp access.

NOTE: This works and has been tested on centos 4.4

What does this do again...?

This will majorly increase security for a multi-user server. The main things it does are:

Lock users to their home directory
--This blocks their eyes from the rest of your system and from files like: system binaries, other users' files, backups, configuration files

Disable regular ssh access
--Many users just having a web site won't need an actual command interface. Its just one more thing to be hacked.

---

FTP already does this!!! right?
Yes, but your forgetting one thing... this is SFTP!!! It's encrypted and so it is much harder for hackers to sniff packets. Also, the user management is at the system level, so your server tells users what they can and can't do. If your FTPd runs as root or with a high permissions level and a ftp user hacks it, it means they have root or at least high permissions over the ENTIRE server? Not anymore.

The Tutorial

Warning: This tutorial is for OpenSSH version 4.x only.
PLEASE update to 5.0(or newer). If you have 6.x, head here to get the tutorial for the update. Its much easier.

This tutorial uses the /opt directory to install the necessary dependences. If you wish to install them anywhere else or do not have an opt directory on your server you may do so, but make sure to change all the paths in the code below. All commands must be run as root

NOTE: The jailing setup for OpenSSH ver5 is much cleaner and uses less hacks then ver4. If you need to jail users, make sure to update to version 5.

NOTE: This setup is meant for installing on a fresh server. If you already have configuration files for the programs we will be installing (zlib,openssl, and openssh), they will not be overwritten, but you will have to copy them from their old paths to the paths you install with here (recommended: /opt/...).

1. You need the GNU Compiler Collection to install these programs. yum install gcc When it asks you if you want to proceed reply with a "y".
2. Install zlib cd /tmp mkdir -p /opt/zlib mkdir zlib1.23 cd zlib1.23/ wget http://www.zlib.net/zlib123.zip unzip zlib123.zip make make install prefix=/opt/zlib/
3. Now we install openssl into the opt directory as well cd /tmp mkdir -p /opt/openssl wget http://www.openssl.org/source/openssl-0.9.8e.tar.gz tar xvzf openssl-0.9.8e.tar.gz cd openssl-0.9.8e ./config --prefix=/opt/openssl --openssldir=/opt/openssl make make test make install The make commands here take forever to run.
4. Next we will download openssh cd /tmp mkdir -p /opt/openssh wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.7p1.tar.gz tar xvzf openssh-4.7p1.tar.gz cd openssh-4.7p1
5. Now we have to replace the sftp-server.c file(in the openssh-4.7p1 folder) with this one: sftp-server.c
6. Now we will install openssh. To find your xauth file is located you may need to run the "which xauth" command. If you know what you are doing you may add your own options to the configure command below. ./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl --with-xauth=/usr/X11R6/bin/xauth --with-zlib=/opt/zlib make make install Some of these commands make take some time to run. Go grab a coke.
   REMEMBER: This tutorial is meant for setting up a server for the first time. You may need to copy your sshd_config file (or at least the directives you want to keep) from /etc/ssh to save your old settings.
7. To automatically run the new ssh shell, we will use init. You need to change the following lines in /etc/init.d/sshd # Some functions to make the below more readable KEYGEN=/opt/openssh/bin/ssh-keygen SSHD=/opt/openssh/sbin/sshd RSA1_KEY=/opt/openssh/etc/ssh_host_key RSA_KEY=/opt/openssh/etc/ssh_host_rsa_key DSA_KEY=/opt/openssh/etc/ssh_host_dsa_key Then we will restart ssh and test to see if it is running smoothly. /etc/init.d/sshd restart telnet localhost 22 The telnet command should return some lines looking like this: Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. SSH-2.0-OpenSSH_4.7 You need to be sure that the last line includes the "OpenSSH_4.7" to confirm that it is the version we jsut installed.
8. The sftp-server file needs to be run with root privileges. chmod +s /opt/openssh/libexec/sftp-server
9. Download the sftpsh shell to your /opt directory. cd /opt wget http://www.minstrel.org.uk/papers/sftp/sftpsh.c Then edit the following lines in that file. #define SFTP_BINARY "/opt/openssh/libexec/sftp-server" #define SFTP_EXNAME "sftp-server" #define SFTP_ARGS ""
10. We will compile the new shell, move it to the system path, and add it to the shells file. gcc sftpsh.c -o sftpsh cp sftpsh /bin echo /bin/sftpsh >> /etc/shells
11. You're all set.
    • Set all users shell (NOT ROOT'S!!!) to /bin/sftpsh.
    • Set the users new home directories using our chroot token.
      Example: /home/username/./
      This will make the user see "/home/username/" as just "/" with no ability to see any higher in the directory tree.
12. Now test. Try to login with putty (or any terminal) and see what happens(you should get a nice error). Then try to login with WinSCP or another SFTP transfer program. You should start in a directory called "/" and only be able to see and edit your own files.

NOTICE: Yum will not update these programs anymore (zlib,openssl,openssh). When a new version comes out, you will have to make your own install from a tarball again. Just follow the same directions.

Credits

• http://www.minstrel.org.uk
• http://www.pantz.org