WinSCP chroot

radnix
Guest

WinSCP chroot

:D Hi, I'm extremely impressed with WinSCP, as are several others that I see posted in your forums. I'm having some good success chrooting users' directories AND letting them use WinSCP. I will report it to you once it's completed. Do you also supply the source code for WinSCP?

I did try the suggested openssl-chroot attempt but ran into some complexity that made me want to attempt it with an original procedure that should be much simpler, and so far it's working out....but toooooo much overhead, so I've got a little more refinement to do.
:idea:
radnix@hotmail.com


martin
Site Admin
Posts: 28,802
Location: Prague, Czechia

Re: WinSCP chroot

I'm looking forward to your guide.
_________________
Martin Prikryl

Guest

Re: WinSCP chroot

martin wrote:

I'm looking forward to your guide.

WinSCP chroot()

Preface: OK, this is sloppy but works. I'll need everyone's input for refinement so email me results and also I'll need to send you david.tar.gz.

:idea: radnix@hotmail.com

This test was performed on Linux RedHat 7.2. This procedure is a prototype. Sign in as root.

I._________________________________________________________________________________
SSH2 - download and install SSH Secure Shell 3.2 non-commercial :

<invalid link removed>

tar -xvpf ssh-3.2.0.tar.gz

cd ssh-3.2.0

./configure
make
make install

note : Observe that new folder has been created /etc/sshd2.

II.________________________________________________________________________________

USER FOLDER - to be SSH2 chrooted: example will assume user "paul" in /home/paul. He's using a bash shell.

Place david.tar.gz in the /home folder, tar -xzpf david.tar.gz. This example presumes that user "david" does NOT exist.

Now folder "/home/david" is created. Rename the folder to be SSHD2 chrooted to its name dot bak, i.e. "paul.bak".

Rename "/home/david" to "/home/name", i.e. "/home/paul".

Observe that the ownerships of the new user directory are "david", so change the folder and internal "david" user/group to "paul", that is, only the files/folders for the renamed folder "paul" from "david" to "paul".

Edit "/home/paul/etc/passwd" - replace "david:x:656:507:david bosshardt:/home/david:/bin/bash" with paul's /etc/passwd entry. Delete david's line in "/home/paul/etc/passwd", copy paul's line from "/etc/passwd" and paste it in "/home/paul/etc/passwd".

Edit "/home/paul/etc/group" - replace "david:x:507:" with paul's /etc/group entry. Delete david's line in "/home/paul/etc/group", copy paul's line from "/etc/group" and paste it in "/home/paul/etc/group".


III._______________________________________________________________________________

CONFIG SSHD2, KILL SSHD, START SSHD2, RUN WinSCP :

Edit /etc/sshd2/sshd2_config - Find line "ChRootUsers". Add paul as

"ChrootUsers paul"

If you have sshd running, kill it. Now, start SSHD2 by simply typing in sshd2. Remember, we're NOT running the old sshd, we're going to run the new install sshd2.

Now, from my Windows XP machine, I run WinSCP:

paul@xxx.xxx.xxx.xxx port 22

Supply paul's login name and password and I'm in. Paul's folder is chrooted and I appear to have full functionality of WinSCP.

martin
Site Admin

Re: WinSCP chroot

Thanks for your comprehensive description. It surely would help other users.
_________________
Martin Prikryl


radnix
Guest

Re: WinSCP chroot

Anonymous wrote:

HI all,

Where can I get david.tar.gz?

Best Regards
Klaus

Just email me at radnix@hotmail.com and I'll give it to ya'! :) david.tar.gz simply contains the scp, sftp.... etc. shell dependencies necessary for the chroot jail. :idea:

Guest

Re: WinSCP chroot

Here's a listing of david.tar.gz, if ya' don't want the tar you should be able to figure the dependency listing out here :
.:
bin
dev
etc
lib
usr

./bin:
bash
bash2
ls
mkdir
mv
pwd
rm
rmdir
sftp-server
sftp-server2
sh
ssh-dummy-shell
tcsh

./dev:
null
zero

./etc:

./lib:
ld-linux.so.2
libcrypto.so.2
libcrypt.so.1
libc.so.6
libdl.so.2
libnsl.so.1
libnss_compat.so.2
libnss_files.so.2
libresolv.so.2
libtermcap.so.2
libutil.so.1

./usr:
bin
lib

./usr/bin:
groups
id
scp

./usr/lib:
libz.a
libz.so
libz.so.1
libz.so.1.1.3
libzvt.a
libzvt.so
libzvt.so.2
libzvt.so.2.2.10

good luck! :)

radnix
Guest

Re: WinSCP chroot

Correction to instructions above : WinSCP chroot()

III._______________________________________________________________________________

CONFIG SSHD2, KILL SSHD, START SSHD2, RUN WinSCP :

Edit /etc/sshd2/sshd2_config - Find line "ChRootUsers". Add paul as

"ChrootUsers paul"

If you have sshd running, kill it. Now, start SSHD2 by simply typing in :arrow: "sshd" [not sshd2]. Remember, we're NOT running the old sshd, we're going to run the new install sshd2.

dougculnane
Posts: 1

Dear RadNix,

Thank you for taking the time to send me your tar file.

In the hope that my experience will help others and that the winSCP developers will get some insight into how the product can be improved, here is my experience.

I tried the david.tar.gz file but I have the same result: winSCP works but copy times out with error "External exception C000009"

A linux command line scp works and dos pscp works but winSCP does not copy. This is (I think) because winSCP is doing too much clever stuff on the server with the user account there and in my (and your david.tar.gz) chroot environment it does not work (on my server).

For information I am using SuSE 8.3 and here is the contents of my ChrootUser.tar
bin/
bin/ls
bin/mv
bin/rm
bin/bash
bin/mkdir
bin/rmdir
lib/
lib/libreadline.so.4
lib/libacl.so.1
lib/libhistory.so.4
lib/libncurses.so.5
lib/libattr.so.1
lib/ld-linux.so.2
lib/libdl.so.2
lib/libpthread.so.0
lib/libc.so.6
lib/librt.so.1

However I got a gui file explorer working using iXplorer from http://www.i-tree.org/ this is not as advanced as winSCP but in my case that is an advantage.

Here is my set up HowTo for a webserver on SUSE 8.3

Log on to webserver as root
> ssh root@webserver.isp.com

# Add a new user max using yast.
> yast
..

# edit new users line to change the Home dir.:
> vi /etc/passwd
max:x:503:100:Max Smith:/usr2/apache/www.smith.com:/bin/bash

# tidy up
> rm -r /home/max

# set up file structure
> cd /usr2/apache/www.smith.com
> mkdir log
> mkdir web
> tar -xvzf /usr2/apache/ChRootUserSys.tgz

# allow user to write to web
> chown max web

# catch the user at log on and chroot them.
> vi /etc/profile.local
if [ "$USER" = "max" ]; then
    echo "Hi Max Muster";
    chroot /usr2/apache/www.smith.com /bin/bash
    exit
fi

# set up VirtualHost
> vi /usr2/apache/hosts.conf
<VirtualHost _default_>
    ServerAdmin admin@isp.com
    ServerName www.smith.com
    DocumentRoot /usr2/apache/www.smith.com/web
    ErrorLog /usr2/apache/www.smith.com/log/error_log
    CustomLog /usr2/apache/www.smith.com/log/access_log combined
</VirtualHost>

All the best,

Doug Culnane
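
Both tar listings in this thread (david.tar.gz and ChrootUser.tar) are hand-assembled sets of binaries plus the shared libraries they load. The following is an added example, not code from any poster in this thread, that checks such a jail for libraries its binaries need but that were never copied in. The function names are made up for illustration, and audit_jail assumes `ldd` is available on the host.

```shell
#!/bin/sh
# Added example: list shared libraries that a chroot jail's binaries need
# but that are absent from the jail. Function names are illustrative.

# ldd_paths: read `ldd` output on stdin, print the absolute library paths.
# Accepts "libc.so.6 => /lib/libc.so.6 (0x...)" and "/lib/ld-linux.so.2 (0x...)";
# skips virtual entries (linux-gate, linux-vdso) and "not found" lines.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | LC_ALL=C sort -u
}

# ldd_unresolved: print library names ldd could not resolve even on the host.
ldd_unresolved() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' |
        LC_ALL=C sort -u
}

# missing_in_jail JAIL: read absolute paths on stdin and print each one
# that does not exist at the same path underneath JAIL.
missing_in_jail() {
    jail=${1%/}
    while IFS= read -r path; do
        [ -e "$jail$path" ] || printf '%s\n' "$path"
    done
}

# audit_jail JAIL BINARY...: BINARY is a path as seen inside the jail,
# e.g. /bin/bash. Prints every library the jail lacks; returns 1 if any.
# Only run this on binaries you placed in the jail yourself, because
# ldd may invoke the dynamic loader on the file it inspects.
audit_jail() {
    jail=${1%/}; shift
    missing=$(for bin in "$@"; do ldd "$jail$bin" 2>/dev/null; done |
              ldd_paths | missing_in_jail "$jail")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}
```

For the jail from the first guide this would be called as `audit_jail /home/paul /bin/bash /usr/bin/scp /bin/sftp-server`, run as root on the server.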


lnx.kid
Posts: 2

WinSCP chroot - the quick way

Just thought I'd add my $0.02 on chroot w/winSCP3 (the best secure file transfer client out there, period!)

Tools necessary to successfully complete this job:
1)SSH, The Secure Shell (O'Reilly and Associates)
Barrett & Silverman.
-Buy it and sleep with it under your pillow.

2)JailChroot Project Homepage:
<invalid hyperlink removed by admin>

3)WinSCP3

4)Your favorite Linux distro (Gentoo, anyone?).

I've created an environment that uses RSA SSH2 key exchange for authentication (see prereq. #1 above)and, after successfully authenticating, the user falls into a chrooted environment (shell == /usr/local/bin/jail) where they can safely upload / download files without backticking my server.

Using the JailChroot project will DRAMATICALLY ease your testing/implementation of this _jail_ functionality, but you *may* have to tweak some of its features in order for it to seamlessly work and be secure (relatively for the moment anyway). A *feature* that I ended up abandoning was the addjailsw (add jail software) program - much easier to do manually for relatively few commands.

If you have to tweak JailChroot, I strongly recommend gaining a thorough understanding of manually creating a chroot environment by looking here:

<invalid hyperlink removed by admin>

Customizing it will be a snap after this tutorial, but it should work ootBox.

Hope this helps someone....I was able to get it up and running in a day - thanks to prikryl for WinSCP!!!
_________________
kandah-mahnos-kandah

bhurley
Posts: 1

Re: WinSCP chroot - the quick way

Another option for chroot'ing a user for sftp/scp only access is to use rssh, available at http://www.pizzashack.org/rssh/ . I was able to get it working easily (<1 hour from download to operational) on RH9 with WinSCP 3 (also tested with FileZilla 2.2) as the client running SFTP. :D

Misc notes :!: :

    Use with OpenSSH version > 3.5.

    Edit the /etc/rssh.conf file to restrict chroot access per user if desired.

    Edit /etc/shells to add /usr/bin/rssh as a valid shell

    Read: "$man rssh" and "$man rssh.conf" for details on usage.

    Details on how to setup the chroot environment for rssh scp/sftp are included in the rssh source tarball.
