Topic "WinSCP chroot"

Author Message
radnix

Guest


Hi, I'm extremely impressed with WinSCP, as are several others that I see posted in your forums. I'm having some good success chrooting users' directories AND letting them use WinSCP. I will report it to you once it's completed. Do you also supply the source code for WinSCP?

I did try the suggested openssl-chroot attempt but ran into some complexity that made me want to attempt it with an original procedure that should be much simpler, and so far it's working out....but toooooo much overhead, so I've got a little more refinement to do.
radnix@hotmail.com
martin
Site Admin
Joined: 2002-12-10
Posts: 24556
Location: Prague, Czechia
I'm looking forward to your guide.
_________________
Martin Prikryl
Guest




prikryl wrote:
I'm looking forward to your guide.


WinSCP chroot()

Preface : OK, this is sloppy but works. I'll need everyone's input for refinement so email me results and

also I'll need to send you david.tar.gz.

radnix@hotmail.com

This test was performed on Linux RedHat 7.2. This procedure is a prototype. Sign in as root.

I._________________________________________________________________________________
SSH2 - download and install SSH Secure Shell 3.2 non-commercial :

<invalid link removed>

tar -xvpf ssh-3.2.0.tar.gz

cd ssh-3.2.0

./configure
make
make install

note : Observe that new folder has been created /etc/sshd2.

II.________________________________________________________________________________

USER FOLDER - to be SSH2 chrooted : example will assume user "paul" in /home/paul. He's using a bash shell.

Place david.tar.gz in /home folder, tar -xzpf david.tar.gz. This example presumes that user "david" does NOT exist.

Now folder "/home/david" is created. Rename the folder to be SSHD2 chrooted to its name dot bak, i.e. "paul.bak".

Rename "/home/david" to "/home/name" i.e. "/home/paul".

Observe ownerships of new user directory are "david", so change the folder and internal "david" user/group to "paul",

that is, only the files/folders for renamed folder "paul" from "david" to "paul".

Edit "/home/paul/etc/passwd" - replace "david:x:656:507:david bosshardt:/home/david:/bin/bash" with

paul's /etc/passwd entry. Delete david's line in "/home/paul/etc/passwd", copy paul's line from "/etc/passwd" and

paste it in "/home/paul/etc/passwd".

Edit "/home/paul/etc/group" - replace "david:x:507:" with

paul's /etc/group entry. Delete david's line in "/home/paul/etc/group", copy paul's line from "/etc/group" and

paste it in "/home/paul/etc/group".


III._______________________________________________________________________________

CONFIG SSHD2, KILL SSHD, START SSHD2, RUN WinSCP :

Edit /etc/sshd2/sshd2_config - Find line "ChRootUsers". Add paul as

"ChrootUsers paul"

If you have sshd running, kill it. Now, start SSHD2 by simply typing in sshd2. Remember, we're NOT running the

old sshd, we're going to run the new install sshd2.

Now, from my Windows XP machine, I run WinSCP :

paul@xxx.xxx.xxx.xxx port 22

supply paul's login name and password and I'm in. Paul's folder is chrooted and I appear to have full functionality

of WinSCP.
martin
Site Admin
Joined: 2002-12-10
Posts: 24556
Location: Prague, Czechia
Thanks for your comprehensive description. It will surely help other users.
_________________
Martin Prikryl
Guest




Hi all,

Where can I get david.tar.gz?

Best Regards
Klaus
radnix

Guest


Anonymous wrote:
Hi all,

Where can I get david.tar.gz?

Best Regards
Klaus


Just email me at radnix@hotmail.com and I'll give it to ya'! david.tar.gz simply contains the scp, sftp, etc. shell dependencies necessary for the chroot jail.
Guest




Here's a listing of david.tar.gz; if ya' don't want the tar you should be able to figure the dependency listing out from here :
.:
bin
dev
etc
lib
usr

./bin:
bash
bash2
ls
mkdir
mv
pwd
rm
rmdir
sftp-server
sftp-server2
sh
ssh-dummy-shell
tcsh

./dev:
null
zero

./etc:

./lib:
ld-linux.so.2
libcrypto.so.2
libcrypt.so.1
libc.so.6
libdl.so.2
libnsl.so.1
libnss_compat.so.2
libnss_files.so.2
libresolv.so.2
libtermcap.so.2
libutil.so.1

./usr:
bin
lib

./usr/bin:
groups
id
scp

./usr/lib:
libz.a
libz.so
libz.so.1
libz.so.1.1.3
libzvt.a
libzvt.so
libzvt.so.2
libzvt.so.2.2.10

good luck!
radnix

Guest


Correction to instructions above : WinSCP chroot()

III._______________________________________________________________________________

CONFIG SSHD2, KILL SSHD, START SSHD2, RUN WinSCP :

Edit /etc/sshd2/sshd2_config - Find line "ChRootUsers". Add paul as

"ChrootUsers paul"

If you have sshd running, kill it. Now, start SSHD2 by simply typing in "sshd" [not sshd2]. Remember, we're NOT running the

old sshd, we're going to run the new install sshd2.
dougculnane

Joined: 2003-08-06
Posts: 1
Dear RadNix,

Thank you for taking the time to send me your tar file.

In the hope that my experience will help others and that the WinSCP developers will get some insight into how the product can be improved, here is my experience.

I tried the david.tar.gz file but I have the same result: WinSCP works but copy times out with error "External exception C000009".

A Linux command line scp works and DOS pscp works but WinSCP does not copy. This is (I think) because WinSCP is doing too much clever stuff on the server with the user account there, and in my (and your david.tar.gz) chroot environment it does not work (on my server).

For information, I am using SuSE 8.3 and here are the contents of my ChrootUser.tar:
bin/
bin/ls
bin/mv
bin/rm
bin/bash
bin/mkdir
bin/rmdir
lib/
lib/libreadline.so.4
lib/libacl.so.1
lib/libhistory.so.4
lib/libncurses.so.5
lib/libattr.so.1
lib/ld-linux.so.2
lib/libdl.so.2
lib/libpthread.so.0
lib/libc.so.6
lib/librt.so.1

However, I got a GUI file explorer working using iXplorer from http://i-tree.org/ ; this is not as advanced as WinSCP but in my case that is an advantage.

Here is my setup HowTo for a webserver on SUSE 8.3:

Log on to webserver as root
> ssh root@webserver.isp.com

# Add a new user max using yast.
> yast
..

# edit new users line to change the Home dir.:
> vi /etc/passwd
max:x:503:100:Max Smith:/usr2/apache/www.smith.com:/bin/bash

# tidy up
> rm -r /home/max

# set up file structure
> cd /usr2/apache/www.smith.com
> mkdir log
> mkdir web
> tar -xvzf /usr2/apache/ChRootUserSys.tgz

# allow user to write to web
> chown max web

# catch the user at log on and chroot them.
> vi /etc/profile.local
if [ "$USER" = "max" ]; then
    echo "Hi Max Muster";
    chroot /usr2/apache/www.smith.com /bin/bash
    exit
fi

# set up VirtualHost
> vi /usr2/apache/hosts.conf
<VirtualHost _default_>
ServerAdmin admin@isp.com
ServerName www.smith.com
DocumentRoot /usr2/apache/www.smith.com/web
ErrorLog /usr2/apache/www.smith.com/log/error_log
CustomLog /usr2/apache/www.smith.com/log/access_log combined
</VirtualHost>

All the best,

Doug Culnane
lnx.kid

Joined: 2003-10-01
Posts: 2
Just thought I'd add my $0.02 on chroot w/winSCP3 (the best secure file transfer client out there, period!)

Tools necessary to successfully complete this job:
1) SSH, The Secure Shell (O'Reilly and Associates)
Barrett & Silverman.
-Buy it and sleep with it under your pillow.

2)JailChroot Project Homepage:
http://www.gsyc.inf.uc3m.es/~assman/jail/

3)WinSCP3

4)Your favorite Linux distro (Gentoo, anyone?).

I've created an environment that uses RSA SSH2 key exchange for authentication (see prereq. #1 above) and, after successfully authenticating, the user falls into a chrooted environment (shell == /usr/local/bin/jail) where they can safely upload / download files without backticking my server.

Using the JailChroot project will DRAMATICALLY ease your testing/implementation of this _jail_ functionality, but you *may* have to tweak some of its features in order for it to seamlessly work and be secure (relatively, for the moment anyway). A *feature* that I ended up abandoning was the addjailsw (add jail software) program - much easier to do manually for relatively few commands.

If you have to tweak JailChroot, I strongly recommend gaining a thorough understanding of manually creating a chroot environment by looking here:

http://www.tjw.org/chroot-login-HOWTO

Customizing it will be a snap after this tutorial, but it should work out of the box.

Hope this helps someone....I was able to get it up and running in a day - thanks to prikryl for WinSCP!!!
_________________
kandah-mahnos-kandah
bhurley

Joined: 2003-10-16
Posts: 1
Another option for chroot'ing a user for sftp/scp only access is to use rssh, available at http://www.pizzashack.org/rssh . I was able to get it working easily (<1 hour from download to operational) on RH9 with WinSCP 3 (also tested with FileZilla 2.2) as the client running SFTP.

Misc notes :

    Use with OpenSSH version > 3.5.

    Edit the /etc/rssh.conf file to restrict chroot access per user if desired.

    Edit /etc/shells to add /usr/bin/rssh as a valid shell

    Read: "$man rssh" and "$man rssh.conf" for details on usage.

    Details on how to setup the chroot environment for rssh scp/sftp are included in the rssh source tarball.