WinSCP chroot

radnix
Guest

WinSCP chroot

Hi, I'm extremely impressed with WinSCP, as are several others that I see posted in your forums. I'm having some good success chrooting users directories AND letting them use WinSCP. I will report it to you once it's completed. Do you also supply the source code for WinSCP?

I did try the suggested OpenSSL-chroot attempt but ran into some complexity that made me want to attempt it with an original procedure that should be much simpler, and so far it's working out... but too much overhead, so I've got a little more refinement to do.

radnix@hotmail.com

Guest

Re: WinSCP chroot

WinSCP chroot()

Preface: OK, this is sloppy but works. I'll need everyone's input for refinement, so email me results, and also I'll need to send you david.tar.gz.

radnix@hotmail.com

This test was performed on Linux RedHat 7.2. This procedure is a prototype. Sign in as root.

I._________________________________________________________________________________
SSH2 - download and install SSH Secure Shell 3.2 non-commercial :

<invalid link removed>
tar -xvpf ssh-3.2.0.tar.gz
cd ssh-3.2.0
./configure
make
make install
note: Observe that a new folder has been created: /etc/sshd2.

II.________________________________________________________________________________

USER FOLDER - to be SSH2 chrooted : example will assume user paul in /home/paul. He's using a bash shell.

Place david.tar.gz in /home folder, tar -xzpf david.tar.gz. This example presumes that user david does NOT exist.

Now folder /home/david is created. Rename the folder to be SSHD2 chrooted to its name dot bak, i.e. paul.bak.

Rename /home/david to /home/name, i.e. /home/paul.

Observe that ownerships in the new user directory are david, so change the folder and internal david user/group to paul; that is, only the files/folders of the renamed folder paul, from david to paul.

Edit /home/paul/etc/passwd – replace david:x:656:507:david bosshardt:/home/david:/bin/bash with paul's /etc/passwd entry. Delete david's line in /home/paul/etc/passwd, copy paul's line from /etc/passwd and paste it in /home/paul/etc/passwd.

Edit /home/paul/etc/group – replace david:x:507: with paul's /etc/group entry. Delete david's line in /home/paul/etc/group, copy paul's line from /etc/group and paste it in /home/paul/etc/group.


III._______________________________________________________________________________

CONFIG SSHD2, KILL SSHD, START SSHD2, RUN WinSCP :

Edit /etc/sshd2/sshd2_config – find the line ChRootUsers and add paul as
ChRootUsers paul

If you have sshd running, kill it. Now, start SSHD2 by simply typing in sshd. Remember, we're NOT running the old sshd, we're going to run the new install sshd2.

Now, from my Windows XP machine, I run WinSCP:
paul@xxx.xxx.xxx.xxx port 22

Supply paul's login name and password and I'm in. Paul's folder is chrooted and I appear to have full functionality of WinSCP.

radnix
Guest

Re: WinSCP chroot

@Guest:: Just email me at radnix@hotmail.com and I'll give it to ya' ! :) david.tar.gz simply contains the scp, sftp....etc, shell dependencies necessary for the chroot jail.

Guest

Re: WinSCP chroot

Here's a listing of david.tar.gz; if ya' don't want the tar you should be able to figure the dependency listing out from here:
.:
bin
dev
etc
lib
usr

./bin:
bash
bash2
ls
mkdir
mv
pwd
rm
rmdir
sftp-server
sftp-server2
sh
ssh-dummy-shell
tcsh

./dev:
null
zero

./etc:

./lib:
ld-linux.so.2
libcrypto.so.2
libcrypt.so.1
libc.so.6
libdl.so.2
libnsl.so.1
libnss_compat.so.2
libnss_files.so.2
libresolv.so.2
libtermcap.so.2
libutil.so.1

./usr:
bin
lib

./usr/bin:
groups
id
scp

./usr/lib:
libz.a
libz.so
libz.so.1
libz.so.1.1.3
libzvt.a
libzvt.so
libzvt.so.2
libzvt.so.2.2.10
good luck! :)

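The listings in this thread (david.tar.gz above, and the ChrootUser.tar listing Doug posts further down) are the result of working out by hand which binaries and shared libraries a jail needs, and the second post's step II edits the jail's etc/passwd and etc/group by hand. The script below is an added example, not code from the thread, from WinSCP or from any of the tarballs named here: it copies a binary plus the libraries ldd resolves for it into a jail, creates the two device nodes the listings carry (only when run as root, since mknod needs it), and writes etc/passwd and etc/group containing only the jailed user's own entries, copied verbatim as the post does. The user names, uid/gid numbers and sample passwd/group content are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread, WinSCP or the tarballs it names).
# Populates an SFTP chroot jail: binary + ldd-resolved libraries, dev nodes,
# and an etc/passwd + etc/group restricted to the jailed user.

# jail_add_binary JAIL BINARY
# Copies BINARY into JAIL at the same path together with every shared library
# ldd resolves for it. ldd runs the program's dynamic loader, so feed it only
# the system's own trusted binaries. Static binaries just get copied.
jail_add_binary() {
    jail=$1; bin=$2
    [ -x "$bin" ] || { echo "jail_add_binary: $bin is not executable" >&2; return 1; }
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    # ldd prints "libc.so.6 => /lib/.../libc.so.6 (0x...)" for resolved
    # libraries and "/lib64/ld-linux-x86-64.so.2 (0x...)" for the loader.
    ldd "$bin" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ "^/" { print $3 }  $1 ~ "^/" { print $1 }' |
        while IFS= read -r lib; do
            [ -f "$lib" ] || continue
            mkdir -p "$jail$(dirname "$lib")"
            cp -p "$lib" "$jail$lib"   # mode and mtime kept; owner only when root
        done
}

# jail_add_devices JAIL
# Creates dev/null and dev/zero, the only device nodes in the listings above.
# mknod needs root; as an ordinary user this only reports what it would do.
jail_add_devices() {
    jail=$1
    mkdir -p "$jail/dev"
    if [ "$(id -u)" -eq 0 ]; then
        [ -c "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3 || echo "mknod null failed" >&2
        [ -c "$jail/dev/zero" ] || mknod -m 666 "$jail/dev/zero" c 1 5 || echo "mknod zero failed" >&2
    else
        echo "not root: skipping mknod of $jail/dev/null and $jail/dev/zero" >&2
    fi
}

# jail_account_files JAIL USER SRC_PASSWD SRC_GROUP
# Writes JAIL/etc/passwd with only USER's line and JAIL/etc/group with only the
# line of USER's primary group, so no other account resolves inside the jail.
jail_account_files() {
    jail=$1; user=$2; src_passwd=$3; src_group=$4
    mkdir -p "$jail/etc"
    entry=$(awk -F: -v u="$user" '$1 == u' "$src_passwd")
    [ -n "$entry" ] || { echo "jail_account_files: no passwd entry for $user" >&2; return 1; }
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    printf '%s\n' "$entry" > "$jail/etc/passwd"
    awk -F: -v g="$gid" '$3 == g' "$src_group" > "$jail/etc/group"
    chmod 644 "$jail/etc/passwd" "$jail/etc/group"
}

# write_sample_accounts DIR
# Constructed stand-ins for /etc/passwd and /etc/group (uid/gid numbers
# borrowed from the thread's example entry); never the real system files.
write_sample_accounts() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'paul:x:656:507:Paul Example:/home/paul:/bin/bash' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'paul:x:507:' > "$1/group"
}

# build_demo_jail
# Builds a throwaway jail with /bin/sh and the sample user; prints its path.
build_demo_jail() {
    jail=$(mktemp -d); src=$(mktemp -d)
    write_sample_accounts "$src"
    jail_add_binary "$jail" /bin/sh || return 1
    jail_add_devices "$jail"
    jail_account_files "$jail" paul "$src/passwd" "$src/group" || return 1
    rm -rf "$src"
    printf '%s\n' "$jail"
}

# Stand-alone run: build the demo jail, show what went into it, remove it.
DEMO=$(build_demo_jail) && {
    find "$DEMO" -type f | sed "s|^$DEMO||" | sort
    rm -rf "$DEMO"
}
```

For a real jail, call jail_add_binary once per program the user needs (the listings above show the typical set: a shell, ls, mkdir, mv, rm, rmdir, scp, sftp-server) and jail_account_files with the real /etc/passwd and /etc/group; the jail root itself should stay owned by root and not writable by the user.
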
dougculnane

Dear RadNix,

Thank you for taking the time to send me your tar file.

In the hope that my experience will help others and that the WinSCP developers will get some insight into how the product can be improved, here is my experience.

I tried the david.tar.gz file but I have the same result: WinSCP works but copy times out with error "External exception C000009".

A Linux command line scp works and DOS pscp works but WinSCP does not copy. This is (I think) because WinSCP is doing too much clever stuff on the server with the user account there, and in my (and your david.tar.gz) chroot environment it does not work (on my server).

For information, I am using SuSE 8.3 and here are the contents of my ChrootUser.tar:
bin/
bin/ls
bin/mv
bin/rm
bin/bash
bin/mkdir
bin/rmdir
lib/
lib/libreadline.so.4
lib/libacl.so.1
lib/libhistory.so.4
lib/libncurses.so.5
lib/libattr.so.1
lib/ld-linux.so.2
lib/libdl.so.2
lib/libpthread.so.0
lib/libc.so.6
lib/librt.so.1
However, I got a GUI file explorer working using iXplorer from http://www.i-tree.org/; this is not as advanced as WinSCP, but in my case that is an advantage.

Here is my setup HowTo for a webserver on SUSE 8.3:

Log on to webserver as root
ssh root@webserver.isp.com
Add a new user max using yast.
yast

edit new users line to change the home dir:
vi /etc/passwd
max:x:503:100:Max Smith:/usr2/apache/www.smith.com:/bin/bash
tidy up
rm -r /home/max
set up file structure
cd /usr2/apache/www.smith.com
mkdir log
mkdir web
tar -xvzf /usr2/apache/ChRootUserSys.tgz
allow user to write to web
chown max web
catch the user at log on and chroot them.
vi /etc/profile.local
if [ "$USER" = "max" ]; then
    echo "Hi Max Muster";
    chroot /usr2/apache/www.smith.com /bin/bash
    exit
fi
set up VirtualHost
vi /usr2/apache/hosts.conf
<VirtualHost _default_>
  ServerAdmin  admin@isp.com
  ServerName   www.smith.com
  DocumentRoot /usr2/apache/www.smith.com/web
  ErrorLog     /usr2/apache/www.smith.com/log/error_log
  CustomLog    /usr2/apache/www.smith.com/log/access_log combined
</VirtualHost>
All the best,
Doug Culnane

lnx.kid

WinSCP chroot - the quick way

Just thought I'd add my $0.02 on chroot w/WinSCP3 (the best secure file transfer client out there, period!)

Tools necessary to successfully complete this job:
  1. SSH, The Secure Shell (O'Reilly and Associates)
    Barrett & Silverman.
    -Buy it and sleep with it under your pillow.
  2. JailChroot Project Homepage:
    <invalid hyperlink removed by admin>
  3. WinSCP3
  4. Your favorite Linux distro (Gentoo, anyone?).
I've created an environment that uses RSA SSH2 key exchange for authentication (see prerequisite 1 above) and, after successfully authenticating, the user falls into a chrooted environment (shell == /usr/local/bin/jail) where they can safely upload / download files without backticking my server.

Using the JailChroot project will DRAMATICALLY ease your testing/implementation of this _jail_ functionality, but you *may* have to tweak some of its features in order for it to seamlessly work and be secure (relatively, for the moment anyway). A *feature* that I ended up abandoning was the addjailsw (add jail software) program - much easier to do manually for relatively few commands.

If you have to tweak JailChroot, I strongly recommend gaining a thorough understanding of manually creating a chroot environment by looking here:

<invalid hyperlink removed by admin>

Customizing it will be a snap after this tutorial, but it should work out of the box.

Hope this helps someone.... I was able to get it up and running in a day – thanks to @martin for WinSCP!!!

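Whether the jail comes from JailChroot, rssh's tarball or a hand-built tree like the ones listed above, the same few mistakes make it stop being a boundary: a jail root the user owns or can write to, setuid/setgid programs copied in along with the normal binaries, device nodes beyond null and zero, and passwd entries for accounts other than the jailed one. The checker below is an added example, not code from the thread, from JailChroot or from rssh; it walks a jail directory and reports each of those findings, returning their count. The jail layout, the uid in the usage line and the sample files in the self-test are constructed.

```sh
#!/bin/sh
# Added example (not from the thread, JailChroot or rssh): audit a finished
# chroot jail before giving an SFTP user access to it.

# audit_jail JAIL UID
# Prints one line per finding and returns the number of findings (0 = clean).
audit_jail() {
    jail=$1; jailed_uid=$2; findings=0

    # 1. The jail root must be owned by root and not group/world writable;
    #    a root directory the jailed user can modify is not a boundary.
    set -- $(ls -ldn "$jail")
    perms=$1; owner=$3
    if [ "$owner" != 0 ]; then
        echo "jail root is owned by uid $owner, not root"
        findings=$((findings + 1))
    fi
    case $perms in
        ?????w*|????????w*)
            echo "jail root is group- or world-writable ($perms)"
            findings=$((findings + 1)) ;;
    esac

    # 2. Binaries copied from the host may carry setuid/setgid bits
    #    (su, passwd, mount); none of them belong in an SFTP jail.
    privileged=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \))
    if [ -n "$privileged" ]; then
        echo "setuid/setgid files inside the jail:"
        printf '%s\n' "$privileged" | sed 's/^/  /'
        findings=$((findings + 1))
    fi

    # 3. Only dev/null and dev/zero are needed (see the listings above);
    #    any other device node exposes host resources inside the jail.
    devices=$(find "$jail" \( -type b -o -type c \) \
                   ! -path "$jail/dev/null" ! -path "$jail/dev/zero")
    if [ -n "$devices" ]; then
        echo "unexpected device nodes:"
        printf '%s\n' "$devices" | sed 's/^/  /'
        findings=$((findings + 1))
    fi

    # 4. etc/passwd inside the jail should describe the jailed user only, and
    #    the shell it names must exist inside the jail or logins will fail.
    if [ -f "$jail/etc/passwd" ]; then
        stray=$(awk -F: -v u="$jailed_uid" '$3 != u { print $1 }' "$jail/etc/passwd")
        if [ -n "$stray" ]; then
            echo "passwd entries for other accounts: $(printf '%s' "$stray" | tr '\n' ' ')"
            findings=$((findings + 1))
        fi
        for shell in $(awk -F: -v u="$jailed_uid" '$3 == u { print $7 }' "$jail/etc/passwd"); do
            if [ ! -x "$jail$shell" ]; then
                echo "login shell $shell missing from jail"
                findings=$((findings + 1))
            fi
        done
    else
        echo "no etc/passwd in the jail"
        findings=$((findings + 1))
    fi

    return $findings
}

# Stand-alone use, e.g. for the second post's layout:  sh audit_jail.sh /home/paul 656
if [ $# -eq 2 ]; then
    audit_jail "$1" "$2"
    echo "findings: $?"
fi
```

Run it as root against the real jail so that the ownership check is meaningful; when run unprivileged against a test tree you built yourself, the "not root" finding is expected and the remaining checks still apply.
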
bhurley

Re: WinSCP chroot - the quick way

Another option for chroot'ing a user for SFTP/SCP only access is to use rssh, available at http://www.pizzashack.org/rssh/. I was able to get it working easily (<1 hour from download to operational) on RH9 with WinSCP 3 (also tested with FileZilla 2.2) as the client running SFTP.

Misc notes:
  • Use with OpenSSH version > 3.5.
  • Edit the /etc/rssh.conf file to restrict chroot access per user if desired.
  • Edit /etc/shells to add /usr/bin/rssh as a valid shell
  • Read: $man rssh and $man rssh.conf for details on usage.
  • Details on how to setup the chroot environment for rssh SCP/SFTP are included in the rssh source tarball.
