Chrooted SSH
Chrooted SSH is still an experimental feature in DISC.
The idea behind chrooted SSH on DISC is that it is possible to set up an
SSH chroot per hosted domain. Users with SSH access will have access
to all directories that belong to that host. Executables have to be available
within this chrooted environment.
Problems
Many features (cron!) run globally.
Every user has his/her own preferred executables, so this chroot can make the filesystem quite big.
DISC was not developed for chroot, so the web directory is writable for all users in the chroot!
Sources
We are using the chroot patch to OpenSSH. This patch can be found at http://chrootssh.sourceforge.net/. It is also quite easy to apply it to the standard Debian package:
# cd /usr/local/src/
# wget
# cd openssh-3.8.1p1 (or your version)
# patch -p1 < ../osshChroot-3.8.1p1.diff
# debian/rules binary
# cd ..
# dpkg -i ssh_3.8.1p1-4_i386.deb
To create the chrooted environment we use a script called create_chroot_env, which was found in the outskirts of the internet and is now part of the DISC CVS. It will be updated to reflect the needs of genuine DISC users.
Setup
Update your SSH package to support chroot. If you are using the Debian
package, you need to "pin" this version so that it will not be upgraded by
accident. You do that by putting this in /etc/apt/preferences:
Package: ssh
Pin: version 3.8p1-4
Pin-Priority: 200
Run "create_chroot_environment" for each host where you want to have SSH users (this is not integrated in DISC yet).
Use phpldapadmin to set "shell" to /bin/bash and homedir to /hosting/domain/./home/user (the /./ will take care of the chroot
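An added example (not part of DISC or of the chrootssh patch): a shell check that splits each account's home directory at the /./ marker from the last setup step and verifies that the login shell and the home directory exist inside the resulting chroot, since executables have to be available within it. It assumes the path before /./ is the chroot root and the rest is the home directory inside it; the user:home:shell input format and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: audit accounts whose home directory uses the "/./" marker.
# Assumption: text before "/./" is the chroot root, text after it is the
# home directory as seen from inside the chroot.

# Print the chroot root for a home path; fail if there is no "/./" marker.
chroot_root() {
    case "$1" in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *) return 1 ;;
    esac
}

# Print the home directory as seen from inside the chroot.
chroot_home() {
    case "$1" in
        */./*) printf '/%s\n' "${1#*/./}" ;;
        *) return 1 ;;
    esac
}

# Check one account. Args: user, home (as stored in LDAP), login shell.
# Prints one finding per problem and returns non-zero if any was found.
check_account() {
    user=$1 home=$2 shell=$3
    root=$(chroot_root "$home") || { echo "$user: NOT chrooted (no /./ in $home)"; return 1; }
    inner=$(chroot_home "$home")
    rc=0
    [ -x "$root$shell" ] || { echo "$user: shell $shell missing in $root"; rc=1; }
    [ -d "$root$inner" ] || { echo "$user: home $inner missing in $root"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$user: ok (root=$root home=$inner)"
    return "$rc"
}

# Read "user:home:shell" lines on stdin and report on each account, e.g.
#   getent passwd | cut -d: -f1,6,7 | audit_accounts
audit_accounts() {
    failed=0
    while IFS=: read -r user home shell; do
        [ -n "$user" ] || continue
        check_account "$user" "$home" "$shell" || failed=1
    done
    return "$failed"
}
```

The getent pipeline in the comment only sees the hosted users if the LDAP directory is exposed through NSS on that machine, which is an assumption about the setup.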