# chroot user

## seVes

Hi guys and girls,

I know this question has been asked several times in the past, but I'll be honest with you:

I really can't find any useful howto to realize what I want.

I tried lots of examples and finally threw all of them into the trash, drank a beer and cooled down.   :Confused: 

I (oh my god, the 4th "I"-starting sentence...) have a dedicated server which hosts game servers for a community.

The community has approx. 4000 members, 100 admins and 10 server operators (these should start, stop and restart a game server).

Because the old provider/hoster got hacked (or whatever, we lost everything), I decided to set up my own server with many more security features:

starting with iptables, ending with SFTP access via pubkey, root denied, ...

OK, so any server operator (same group) must be able to connect via SSH (pubkey too) to the dedicated server, but in a chroot.

They should only launch one script (bash); they can't browse the server, upload, download, whatever.

Only connect, execute a bash script and that's all.

(no ls, no cd, no pwd, no whatever, ...)

Can someone of you (and I know it would get on your nerves) describe to me how to do it? Step by step?

You're so welcome for that!

Thanks anyway!

----------

## szatox

Well, I don't know what exactly your goal is, but you might be interested in giving virtual private servers to your users, so they would be able to log in with ssh only to the virtual servers and NOT to the physical host. You might also want to look at this tiny snippet cut from /etc/ssh/sshd_config

```
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

# Example of overriding settings on a per-group basis
Match Group sftp
        ForceCommand internal-sftp
        ChrootDirectory /home/
```

AFAIR you can set ChrootDirectory to $HOME or /<something>/$USER (or maybe there should be ~ instead of $, not sure, it was a while ago).

You might also go with a web interface rather than ssh. If you don't want users to do anything, don't give them shell access at all, and just trigger the server-side command using PHP's exec() function or something like that.
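
Since the snippet above points at ForceCommand, here is an added example (not from any post in this thread) of the kind of script that directive can name for the operators. sshd runs the forced command instead of a shell and puts whatever the client asked for into the SSH_ORIGINAL_COMMAND environment variable, so `ssh srvop@host restart cs16` arrives as the string "restart cs16". The script accepts only an allow-listed action and a server name made of safe characters, then execs a per-server control script directly, so the request is never handed to a shell and there is nothing for an operator to inject. The install path /usr/local/bin/gs-control, the layout /opt/gameservers/<name>/control and the action list are assumptions.

```shell
#!/bin/sh
# gs-control: forced command for game-server operators (added example,
# hypothetical paths and names). sshd runs this in place of a shell and
# passes the client's requested command line in SSH_ORIGINAL_COMMAND, so
#   ssh srvop@host restart cs16
# arrives here as SSH_ORIGINAL_COMMAND="restart cs16".
set -e

# Hypothetical layout: one control script per game server,
# /opt/gameservers/<name>/control {start|stop|restart|status}
GS_DIR=${GS_DIR:-/opt/gameservers}

# Accept only an allow-listed action and a server name made of
# [A-Za-z0-9_-]; anything else (paths, ';', '$', spaces) is refused.
gs_validate() {
    case "$1" in
        start|stop|restart|status) ;;
        *) return 1 ;;
    esac
    case "$2" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Split the request into exactly two words, validate them and print
# "action server" on success; return 1 on any malformed request.
gs_parse() {
    set -f                 # no globbing while word-splitting untrusted input
    set -- ${1-}
    set +f
    [ $# -eq 2 ] || return 1
    gs_validate "$1" "$2" || return 1
    printf '%s %s\n' "$1" "$2"
}

gs_main() {
    if ! parsed=$(gs_parse "${SSH_ORIGINAL_COMMAND-}"); then
        echo "usage: ssh srvop@host {start|stop|restart|status} <server>" >&2
        exit 2
    fi
    set -- $parsed
    # Run the per-server control script directly; the request never
    # reaches a shell, so there is nothing to inject into.
    exec "$GS_DIR/$2/control" "$1"
}

# Dispatch only when installed and invoked as gs-control, so the
# functions above can also be sourced and tested in isolation.
if [ "${0##*/}" = gs-control ]; then
    gs_main
fi
```

Because sshd runs the forced command for every session of the matched user, including plain `ssh srvop@host` with no command, the usage message is all an operator ever sees of the box; pair the directive with AllowTcpForwarding no and X11Forwarding no so the session cannot be used as a tunnel either.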

----------

## gerdesj

Break the problem down into pieces.  

You have a lot of requirements and a large number of users.  Separate boxes are probably needed for a job this size.  They could be separate VMs on one physical box.  If you can, then use VMware ESXi, Hyper-V, Xen or a Gentoo minimal host with libvirtd and KVM.  Ideally you would have multiple physical hosts in a cluster.

You will probably need a firewall, a user directory, game servers and session servers.

If I were doing this then I would use pfSense for the firewall and router, with several VLANs - one for management, one for game servers, one for login session servers, one for WAN.  

I would probably use OpenLDAP for users.  I would have a login/session machine.  Finally I would have my game servers machine.  I might have another machine for oversight/monitoring.

Each machine would have just what is necessary for the job they have to do and they would be firewalled off from each other in such a way that minimal access is allowed between each one.  I would probably have multiple backend systems in a cluster and use pfSense to load balance them so I can update them one at a time without killing the service.

Now it becomes easier to secure and set things up; security and flexibility are built into the design.  As you finish a piece it stands alone and you can also update bits at a time without bringing down the entire service.

The session server(s) would have game server control scripts and chrooted user logins validated by the LDAP/AD/NIS directory chosen.  Only the session boxes would be available for shell login from the internet on a non-standard ssh port with keys and password.  You may want to have two or more of these - one for admins, one for operators.  Each would be very basic in what it has installed.  Enough only for the job it does.

For real fun, you could have freshly minted images of user facing components that are recreated daily, so if someone hacked your session servers their little extras are destroyed at the next refresh.

You would use OpenVPN or an IPSEC tunnel to the firewall to manage this lot and the firewall would only allow connections from your home IP address.

You might use containers instead of full VMs, but we don't have a huge amount to go on in your post  :Cool:   Hopefully I've given you some ideas.

Cheers

Jon

----------

## seVes

OK, thanks for your replies, but it's just what I wrote that I want.

Everything else is just setup.

I don't want OpenVPN, LDAP, vservers, whatever...

I just want to have a shell where users can log in, but can only access a script instead of browsing the whole server!

I finally got it working with the portage app "app-misc/jail".

I can locally change to the user "srvop", who is jailed; he gets logged in and is jailed. Works.

But this doesn't work remotely, because:

the main machine is set up to deny password logins and just accept public keys... okay...

The problem is, if the user "srvop" wants to log in, he gets denied with "Permission denied (publickey)."

That's caused because he logs into the shell "jail", but the shell doesn't recognize his pubkey???

It's hard to explain :-/

Second:

Why can users log in with a different username without entering passwords while using a pubkey?

e.g.

- user1, pw1, home1

- user2, pw2, home1

user1 is able to log in with account user2 without entering user2's password and see everything user2 has permissions for.

Shouldn't that be password-protected? What am I missing in sshd?

I only want to have it this way:

logins via SFTP only possible by having a pubkey and entering the user password

logins via SSH only with user "srvop", entering the password and having the pubkey

----------

## Hu

 *seVes wrote:*   

> the main machine is set up to deny password logins and just accept public keys... okay...
> 
> The problem is, if the user "srvop" wants to log in, he gets denied with "Permission denied (publickey)."
> 
> That's caused because he logs into the shell "jail", but the shell doesn't recognize his pubkey???

 No.  Authentication is handled by sshd, not by the user shell.  Check your logs or run ssh and/or sshd in verbose mode.

 *seVes wrote:*   

> second:
> 
> Why can users log in with a different username without entering passwords while using a pubkey?
> 
> e.g.
> ...

 Users cannot do this, unless you have configured the system very strangely.  Perhaps you gave every user the same keypair, in which case that keypair must be revoked.  Each user must have a unique private key.
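
Putting szatox's snippet, seVes's two requirements (SFTP: key plus password; SSH: only "srvop", key plus password, one script) and Hu's point that authentication is sshd's job into one sshd_config, as an added example that is not from any post in this thread. The group name sftponly and the script path /usr/local/bin/gs-control are assumptions. Note that sshd's tokens are %h (home directory) and %u (user name), not $HOME or $USER, that AuthenticationMethods needs OpenSSH 6.2 or later and PermitTTY 6.7 or later, and that each person still needs his own key in the account's authorized_keys, as Hu says.

```sshd_config
# Global defaults: keys only, root never logs in, SFTP via the built-in
# server (no binaries have to be copied into a chroot for it).
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Subsystem sftp internal-sftp

# Match blocks must come after all global settings.

# Operator account: key first, then the account password, and the only
# thing the session can run is the control script (hypothetical path).
Match User srvop
    AuthenticationMethods publickey,password
    PasswordAuthentication yes
    ForceCommand /usr/local/bin/gs-control
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no

# SFTP-only accounts (hypothetical group "sftponly"): key plus password,
# each user chrooted to his own home. %h = home directory, %u = user name.
# The chroot directory and every directory above it must be owned by root
# and not be group- or world-writable, or sshd refuses the login.
Match Group sftponly
    AuthenticationMethods publickey,password
    PasswordAuthentication yes
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

Because the chroot root has to be root-owned, the SFTP users cannot write into the top of their home; give each one a root-owned home with a user-owned subdirectory (for example uploads/) inside it. For a "Permission denied (publickey)" that does not make sense, do what Hu suggests: run `ssh -vvv user@host` on the client and, on the server, a second instance with `sshd -d -p 2222` so every rejected key and its reason is printed; a shell or jail is only started after authentication has already succeeded, so it cannot be the cause.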

----------

## gerdesj

 *seVes wrote:*   

> OK, thanks for your replies, but it's just what I wrote that I want.
> 
> Everything else is just setup.
> 
> I don't want OpenVPN, LDAP, vservers, whatever...
> ...

 

Fair enough.  I'm just a consultant making a few suggestions based on 15-odd years of experience.  

You mentioned that you have 4000 users and multiple administrators for this job and were interested in security - I suggest that you put some more thought into just how important it is to you.  I understand that you may have financial and complexity constraints but these can be dealt with.

Good luck

----------

