# OpenSSH and chrooting SFTP

## tcd

I'm pretty confused. For a start.

I need to have the admin use SSH to maintain the server even from other locations. But I need to have also some (l)users chrooted in where they can do VERY minimal damage if they decide to, say, learn PHP without telling me.

I already know that these (l)users need:

1) SFTP access ONLY

2) their directories must be on a noexec partition

3) some of their subdirectories need to be symlinked so that their webpages can be displayed by the webserver (on another partition)

The idea of rssh+copying (dynamic or static) files to their chrooted environment leaves me perplexed: it would mean that I'd have to put a post-it note on my monitor reminding me of re-copying said files every time portage or glsa-check tells me there's the need to upgrade.

Plus it's not clear if the rssh chroot solution would still allow the admin to SSH in the normal environment.

The other solutions are a bit too confused and the USE="chroot" flag on openssh is (imho) not adequately explained. It's a bit strange that just putting users in passwd with a dot in their home path would tell openssh that these users must be jailed, padlocked and shushed as soon as they log on. :)

And I wouldn't want to rely only on PAM for chrooting, seeing the mess that the last PAM upgrade caused :)

I'm open to pointers, suggestions. Just don't make me compile twice, don't make me run two different sshd services on different ports (because that's what rssh would imply... If I'm not mistaken)

Thanks in advance!

----------

## Benny007

Hi tcd,

Try gentoo-wiki: http://gentoo-wiki.com/HOWTO_SFTP_Server_(chrooted,_without_shell)

or: http://chrootssh.sourceforge.net/docs/chrootedsftp.html

It should be what you are looking for.

----------

## Dagger

Some time ago I had to set up something very similar. It works perfectly fine for me.

https://forums.gentoo.org/viewtopic-t-579875-highlight-chroot+sftp.html

----------

## tcd

Ehm, actually both your replies contained EXACTLY what I did NOT wish to implement.

I already said that the idea of building (statically or dynamically linked) different binaries for ssh/sftp (normal binaries for admin access and chrooted binaries) makes the whole thing hard to maintain across updates!

I'll look into the howto jail, maybe it can make the process less painful than banging lusers in the head with a broken keyboard. :)

----------

## Hu

Is PHP your only concern?  Assuming you use Apache, you could use the Apache configuration file to remap parts of the exposed virtual directory structure onto the user home directories without using symlinks.  Combine that with directives to Apache that it is only permitted to serve static content from those directories, and PHP/other CGI should become a non-issue.  This does not address the possibility of the user running a script using an interpreter that does not honor noexec.

Are these users employees or friends?  If they are employees, it may be more effective to constrain them with a strict Acceptable Use Policy.  Something along the lines of "running scripts will revoke your access privileges for the machine."  Friends are a bit harder to constrain, in part because the threat of losing access is not as powerful.

----------

## darkphader

This may be easier at some point in the future as OpenBSD -current now offers that feature with its OpenSSH:

http://undeadly.org/cgi?action=article&sid=20080220110039.

Maybe it will trickle down to other platforms in a future release.

----------

## noganex

 *darkphader wrote:*   

> This may be easier at some point in the future as OpenBSD -current now offers that feature with its OpenSSH:
> 
> http://undeadly.org/cgi?action=article&sid=20080220110039.
> 
> Maybe it will trickle down to other platforms in a future release.

 

http://openbsd.org/43.html#new says 

 *Quote:*   

> OpenSSH 4.8:
> 
> * New features:
>   * Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory". Please refer to sshd_config(5) for details, and please use this feature carefully.

 

Of course we have sys-auth/pam_chroot, but why mess with PAM, when there would be something stable in openssh? Sad thing, it seems that we "only" have 4.7 and 5.0.... Anybody know what has happened to 4.8?

 *Quote:*   

>     % ls /usr/portage/net-misc/openssh
>     ChangeLog  metadata.xml              openssh-4.6_p1-r4.ebuild   openssh-5.0_p1-r1.ebuild
>     Manifest   openssh-4.4_p1-r6.ebuild  openssh-4.7_p1-r20.ebuild
>     ...

 

----------

## xces

 *noganex wrote:*   

> Sad thing, it seems that we "only" have 4.7 and 5.0.... Anybody know what has happened to 4.8?

 

OpenSSH 4.8 was an OpenBSD-only release shipped with OpenBSD 4.3.

----------
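
The `ChrootDirectory` option quoted in the thread covers what the first post asks for: SFTP-only users in a jail, normal SSH for the admin, one sshd on one port, and no binaries copied into the chroot. The sshd_config fragment below is an added example, not taken from any post in this thread; the group name `sftponly` and the path `/home/jail/%u` are assumptions, and it needs an OpenSSH release that has `ChrootDirectory`.

```conf
# sshd_config fragment. Constructed example: the group "sftponly" and the
# path /home/jail/%u are assumptions, not values from the thread.

# Use the SFTP server built into sshd. It runs inside the sshd process, so
# the chroot needs no copied sftp-server binary, libraries or device nodes,
# and nothing has to be re-copied after an OpenSSH upgrade.
Subsystem sftp internal-sftp

# Accounts outside the group (the admin) match nothing below and keep the
# global settings: a normal shell, unchrooted, on the same sshd and port.

Match Group sftponly
    # %u expands to the login name. Every component of this path must be
    # owned by root and not writable by group or others, otherwise sshd
    # rejects the login. The user therefore cannot write to the top of the
    # jail and needs a subdirectory they own inside it for uploads.
    ChrootDirectory /home/jail/%u

    # Ignore whatever command or shell the client requests: SFTP only.
    ForceCommand internal-sftp

    # Without these, a restricted account could still tunnel through sshd.
    AllowTcpForwarding no
    X11Forwarding no
```

Running `sshd -t` after editing checks the file for syntax errors before the daemon is restarted.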

