[nycbug-talk] ChrootDirectory user w/OpenSSH 5.3 on OpenBSD 4.4

Jesse Callaway bonsaime at gmail.com
Fri Oct 16 13:59:44 EDT 2009


On Thu, Oct 15, 2009 at 11:22 AM, Josh Rivel <josh at rivels.org> wrote:
> Hi,
>
> So I'm trying to set up a user on my OpenBSD 4.4 box (OpenSSH 5.3)
> using the ChrootDirectory option in sshd_config.  I know that for a
> scp/sftp only account it's trivial and you don't need to do anything
> other than what's in the manpage for sshd_config.  However, for ssh
> access there's more required.  I found quite a few guides on how to do
> this with Linux, but I'm wondering if anyone has done it with OpenBSD,
> or can provide me with a suggestion on how to give someone a shell
> account on my box, but not let them have access to any files outside
> of /home/username.  If it were a FreeBSD box or OpenSolaris I could
> just set up a jail for them, but it's not.  I came across jailkit -
> http://olivier.sessink.nl/jailkit/ - has anyone used that w/OpenBSD?
> It looks like it might do what I need it to.
>
> Thanks in advance,
> Josh
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

I've only done this in Linux as well. But either way, you'll need to
run your shell entirely in the chroot. I'm guessing you know this, but
don't hit me if you do. Usually your shell program is dynamically
linked to libraries in order to do anything interesting. These
libraries will likely lie outside of the chroot, in your system
library directories. So one thing you'll need to do is either a) list
the libraries using the 'ldd' tool and make them accessible in the
chroot path, or b) find yourself a statically linked shell.

You will likely need to have some sort of /etc/passwd file in there
unless you use directory services. I usually just have a couple of lines
for any users in that chroot.

Do this for all the commands you want to run in the chroot
environment. There is a great deal of overlap in these libraries; I
guess that's the point, right ; ) Point being, once you satisfy the
shell, things like cp, ls, etc. should already be covered.

I'm not sure what login classes are, and Michael's mention of them
makes me want to get educated on them as well. Whatever the case, if
you do use the chroot option you'll need to go through the usual
rigmarole as described above.

-jesse
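
The procedure from the reply above (ldd the shell and each command, copy what it lists under the chroot, put a trimmed passwd inside), written out as an added POSIX sh example; it is not code from the thread or from OpenSSH. ROOT, USER and the binary paths are placeholders, and the ldd output it is checked against is constructed. It also adds the check sshd_config(5) imposes on ChrootDirectory: every component of the path must be a root-owned directory that is not writable by group or others, or sshd refuses the login. One caveat for OpenBSD specifically: the binaries in /bin and /sbin (including /bin/sh, /bin/ksh, /bin/ls and /bin/cp) are statically linked, so ldd reports no shared objects for them and only the copy step applies; programs under /usr/bin are dynamically linked and do need their libraries and /usr/libexec/ld.so.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a minimal chroot for an
# interactive shell account: copy each program plus the shared objects ldd
# reports for it, and write a trimmed /etc/passwd inside. ROOT, USER and the
# binary paths passed in are placeholders chosen by the caller.

# libs_from_ldd BINARY: read ldd output on stdin and print the absolute paths
# it names, one per line, de-duplicated. Handles both the Linux layout
# ("libc.so.6 => /path (0x...)") and the OpenBSD table (path in the Name
# column). Skips the "/bin/ksh:" header token and BINARY's own "exe" row.
libs_from_ldd() {
    awk -v self="$1" '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\// && $i !~ /:$/ && $i != self) print $i
    }' | LC_ALL=C sort -u
}

# copy_into_chroot ROOT PATH...: copy each absolute PATH to ROOT/PATH,
# creating parent directories and preserving mode and timestamps.
copy_into_chroot() {
    root=$1; shift
    for f in "$@"; do
        mkdir -p "$root$(dirname "$f")" || return 1
        cp -p "$f" "$root$f" || return 1
    done
}

# install_binary ROOT BINARY: copy BINARY and everything ldd lists for it.
# For a statically linked binary (all of OpenBSD's /bin and /sbin) ldd
# prints nothing usable, so only the binary itself is copied.
install_binary() {
    root=$1; bin=$2
    copy_into_chroot "$root" "$bin" || return 1
    ldd "$bin" 2>/dev/null | libs_from_ldd "$bin" | while read -r lib; do
        copy_into_chroot "$root" "$lib" || exit 1
    done
}

# write_passwd SRC ROOT USER: copy USER's and root's lines from SRC into
# ROOT/etc/passwd so uids resolve to names. Use /etc/passwd as SRC (it carries
# no hashes on OpenBSD or Linux); never copy master.passwd or shadow.
write_passwd() {
    src=$1; root=$2; user=$3
    mkdir -p "$root/etc" || return 1
    grep -E "^(root|$user):" "$src" > "$root/etc/passwd"
}

# check_chroot_path DIR: sshd_config(5) requires every component of a
# ChrootDirectory path to be a root-owned directory that group and others
# cannot write. Walk from DIR up to / and fail on the first violation.
check_chroot_path() {
    d=$1
    while :; do
        if [ -z "$(find "$d" -prune -type d -user root ! -perm -020 ! -perm -002)" ]; then
            printf 'not a root-owned, non-writable directory: %s\n' "$d" >&2
            return 1
        fi
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# build_shell_chroot ROOT USER BINARY...: the whole procedure, run as root.
# Example: build_shell_chroot /home/josh josh /bin/ksh /bin/ls /bin/cp
build_shell_chroot() {
    root=$1; user=$2; shift 2
    mkdir -p "$root" && check_chroot_path "$root" || return 1
    for b in "$@"; do
        install_binary "$root" "$b" || return 1
    done
    write_passwd /etc/passwd "$root" "$user"
}
```

The matching sshd_config fragment is a `Match User josh` block containing `ChrootDirectory /home/josh`. Because the chroot root itself has to be root-owned and not group/other-writable, the user's writable home has to be a subdirectory below it (e.g. ROOT/home/josh, matching the home field of the copied passwd line). Anything the programs open at run time beyond their libraries, such as /dev/null or terminfo data, is outside what this script sets up.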
