If you need users that can download or upload files to your server, but over an encrypted (SSH) protocol, you quickly end up with scp or sftp. The bad thing about this is that it requires an account with an actual shell. What if you don't want to give them a shell, and, while we are at it, we also want to give that user a chrooted / jailed environment? In my search I ended up with rssh. This application gives you the possibility to limit the account to only what you want it to do.
I will give here a step-by-step howto on configuring rssh with one account that is chrooted and only allowed to do sftp / scp.
My setup is as follows:
- a system running on Red Hat Enterprise Linux Server release 6.1
- OpenSSH 5.31p1-52.el6_1.2.x86_64
- I want the user user1 to only be able to do scp/sftp while being chrooted to /home/user1
Install rssh
RSSH is not available in the standard RHEL repositories, but it is in the Extra Packages for Enterprise Linux (EPEL) repository. (The NOKEY warning in the output below means the EPEL signing key is not imported on this system, so rpm could not verify the package signature.)
[root@test ~]# rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/x86_64/\
rssh-2.3.3-1.el6.x86_64.rpm
Retrieving http://download.fedora.redhat.com/pub/epel/6/x86_64/rssh-2.3.3-1.el6.x86_64.rpm
warning: /var/tmp/rpm-tmp.opdj11: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing... ########################################### [100%]
1:rssh ########################################### [100%]
[root@test ~]#
Configure rssh
You can find the configuration file of rssh in /etc/rssh.conf. You can make a global configuration or a per-user configuration. I will use a per-user configuration, so every user gets its own chrooted environment.
The per-user configuration is only one line:
user = [username]:[umask]:[allow bits]:[chroot directory]
- username: the username of the user for whom the entry provides options.
- umask: the umask for this user, in octal, just as it would be specified to the shell. For example, 022 will result in files created with 755 permissions.
- allow bits: five binary digits, which indicate whether the user is allowed to use rsync, rdist, cvs, sftp and scp, in that order. One means the command is allowed, zero means it is not. For example, 10101 would allow rsync, cvs and scp but not rdist and sftp.
- chroot directory: the directory to which this user should be chrooted.
So for my case the configuration line looks as follows:
user = user1:022:00011:/home/user1
[root@test ~]# cat /etc/rssh.conf | grep -v -e ^# -e ^$
logfacility = LOG_USER
umask = 022
user = user1:022:00011:/home/user1
[root@test ~]#
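To make the allow bits less error-prone to read, here is a small decoder and auditor for this entry format. It is an added example, not part of the original howto or of rssh itself; the function names rssh_decode_user and rssh_audit_conf and the SAMPLE_CONF content are constructed for it. The audit flags any entry that is not chrooted or allows more than scp/sftp, since that is the policy this howto sets up.

```sh
#!/bin/sh
# Decoder and auditor for the per-user rssh.conf entry format explained above:
#   user = [username]:[umask]:[allow bits]:[chroot directory]
# The five allow bits stand for rsync, rdist, cvs, sftp and scp, in that order.
# Print "<user> umask=<umask> chroot=<dir> allows: <commands>" for the value
# after "user =", or return 1 (message on stderr) if it is malformed.
rssh_decode_user() {
    line=$1
    case "$line" in
        *:*:*:*) ;;                 # username:umask:bits:chroot
        *:*:*)   line="$line:" ;;   # chroot field omitted: user is not chrooted
        *) echo "malformed user entry: $line" >&2; return 1 ;;
    esac
    user=${line%%:*};   rest=${line#*:}
    umask_=${rest%%:*}; rest=${rest#*:}
    bits=${rest%%:*};   chroot=${rest#*:}
    case "$bits" in
        [01][01][01][01][01]) ;;
        *) echo "allow bits must be five binary digits, got '$bits' for $user" >&2; return 1 ;;
    esac
    allowed=""
    for cmd in rsync rdist cvs sftp scp; do
        [ "${bits%"${bits#?}"}" = 1 ] && allowed="$allowed $cmd"   # test the leading digit
        bits=${bits#?}                                             # then drop it
    done
    [ -n "$allowed" ] || allowed=" (none)"
    printf '%s umask=%s chroot=%s allows:%s\n' "$user" "$umask_" "${chroot:-(none)}" "$allowed"
}

# Read an rssh.conf on stdin and print one decoded line per "user =" entry.
# Exit 1 if any entry is malformed, not chrooted, or allows more than scp/sftp.
rssh_audit_conf() {
    sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*//p' | (
        status=0
        while IFS= read -r entry; do
            out=$(rssh_decode_user "$entry") || { status=1; continue; }
            printf '%s\n' "$out"
            case "${out#*allows:}" in *rsync* | *rdist* | *cvs*) bad=1 ;; *) bad=0 ;; esac
            case "$out" in *' chroot=(none) '*) bad=1 ;; esac
            [ "$bad" = 0 ] || { printf '  WARNING: %s exceeds the scp/sftp-only chroot policy\n' "${out%% *}"; status=1; }
        done
        exit "$status"
    )
}

# Constructed sample configuration (not from a real host), for a quick run.
SAMPLE_CONF='umask = 022
user = user1:022:00011:/home/user1
user = backup:077:10001:/srv/backup'
```

Run it on the sample with `printf '%s\n' "$SAMPLE_CONF" | rssh_audit_conf`, or on a live system with `rssh_audit_conf < /etc/rssh.conf`.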
Create chrooted environment
The user will get a chrooted environment, but it is necessary to set up a directory that supports this. That includes all libraries and applications that are required.
This is the tricky bit…
First copy the applications that are required:
[root@test ~]# cd ~user1/
[root@test user1]# mkdir -p usr/libexec/openssh usr/bin
[root@test user1]# cp /usr/libexec/openssh/sftp-server usr/libexec/openssh/
[root@test user1]# cp /usr/bin/scp /usr/bin/sftp usr/bin
Copy the configuration files that are required:
[root@test user1]# mkdir etc
[root@test user1]# cat /etc/passwd | grep ^user1: > etc/passwd
We also need /dev/null in the chrooted environment:
[root@test user1]# mkdir dev
[root@test user1]# mknod -m 666 dev/null c 1 3
And now the hard part: the required libraries. I made this little one-liner to copy at least part of the required libraries. Two things it does not catch are copied by hand afterwards: the dynamic loader (ldd prints it without a "=>", so it never ends up in the awk column) and libnss_compat, which glibc loads at runtime through NSS instead of linking against it:
[root@test user1]# find usr/ -type f -exec ldd "{}" \; | awk '{print $3}' |\
grep '^/' | sort | uniq | while read FILENAME; do
NEWDIR=$(echo ${FILENAME} | sed 's/\/\(.*\)\/.*/\1/');
NEWFILE=$(echo ${FILENAME} | sed 's/.*\///');
echo "Checking ${NEWFILE}";
if [ ! -r "${NEWDIR}/${NEWFILE}" ]; then
mkdir -p "${NEWDIR}";
echo -e "\t Copying...";
cp "${FILENAME}" "${NEWDIR}";
fi
done;
Checking libcom_err.so.2
Copying...
Checking libcrypt.so.1
Copying...
Checking libc.so.6
Copying...
Checking libdl.so.2
Copying...
Checking libfreebl3.so
Copying...
Checking libgssapi_krb5.so.2
Copying...
Checking libk5crypto.so.3
Copying...
Checking libkeyutils.so.1
Copying...
Checking libkrb5.so.3
Copying...
Checking libkrb5support.so.0
Copying...
Checking libncurses.so.5
Copying...
Checking libnsl.so.1
Copying...
Checking libnspr4.so
Copying...
Checking libplc4.so
Copying...
Checking libplds4.so
Copying...
Checking libpthread.so.0
Copying...
Checking libresolv.so.2
Copying...
Checking libselinux.so.1
Copying...
Checking libtinfo.so.5
Copying...
Checking libutil.so.1
Copying...
Checking libz.so.1
Copying...
Checking libcrypto.so.10
Copying...
Checking libedit.so.0
Copying...
Checking libnss3.so
Copying...
Checking libnssutil3.so
Copying...
[root@test user1]# cp /lib64/libnss_compat* lib64/
[root@test user1]# cp /lib64/ld-linux-x86-64.so.2 lib64/
[root@test user1]#
So you end up with the following files:
[root@test user1]# find . -type f
./usr/bin/sftp
./usr/bin/scp
./usr/lib64/libcrypto.so.10
./usr/lib64/libnss3.so
./usr/lib64/libnssutil3.so
./usr/lib64/libedit.so.0
./usr/libexec/openssh/sftp-server
./lib64/libncurses.so.5
./lib64/libkrb5.so.3
./lib64/libdl.so.2
./lib64/libresolv.so.2
./lib64/libselinux.so.1
./lib64/libgssapi_krb5.so.2
./lib64/libpthread.so.0
./lib64/libutil.so.1
./lib64/libtinfo.so.5
./lib64/libcrypt.so.1
./lib64/libnss_compat.so.2
./lib64/libkeyutils.so.1
./lib64/libcom_err.so.2
./lib64/libc.so.6
./lib64/libz.so.1
./lib64/libnss_compat-2.12.so
./lib64/libkrb5support.so.0
./lib64/libplds4.so
./lib64/ld-linux-x86-64.so.2
./lib64/libnspr4.so
./lib64/libk5crypto.so.3
./lib64/libplc4.so
./lib64/libnsl.so.1
./lib64/libfreebl3.so
./etc/passwd
[root@test user1]#
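Before handing the jail to the user it is worth checking it rather than finding out at the first login. The script below is an added example, not part of the original howto or of rssh: the names ldd_paths, chroot_missing_libs and chroot_check_skeleton are chosen for it, and the layout it assumes is the one the commands above created (binaries under usr/, libraries under lib64/ and usr/lib64/, etc/passwd and dev/null inside the chroot).

```sh
#!/bin/sh
# Sanity checks for the chroot skeleton built above. Assumes the layout this
# howto creates: binaries under usr/, libraries under lib64/ and usr/lib64/,
# and etc/passwd plus dev/null inside the chroot.

# Turn ldd output (stdin) into the absolute library paths it names. The dynamic
# loader line has no "=>", which is why the one-liner above missed ld-linux.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next } $1 ~ /^\// { print $1 }' |
    LC_ALL=C sort -u
}

# Print every library needed by an executable under $1/usr that is absent from
# the chroot, so nothing is left to discover at the first failed login.
chroot_missing_libs() {
    root=$1
    find "$root/usr" -type f -perm -100 -exec ldd {} \; 2>/dev/null | ldd_paths |
    while IFS= read -r lib; do
        [ -r "$root$lib" ] || printf '%s\n' "$lib"
    done
}

# Static checks: required files exist, dev/null is a device node, etc/passwd
# holds only the jailed user, and nothing the jail executes is group- or
# world-writable (otherwise the user could replace sftp-server or a library).
# Prints one line per problem and returns 1 if there was any.
chroot_check_skeleton() {
    root=$1; user=$2; rc=0
    for f in usr/libexec/openssh/sftp-server usr/bin/scp usr/bin/sftp \
             lib64/ld-linux-x86-64.so.2; do
        [ -x "$root/$f" ] || { echo "missing executable: $f"; rc=1; }
    done
    [ -c "$root/dev/null" ] || { echo "dev/null is not a character device"; rc=1; }
    if [ -f "$root/etc/passwd" ]; then
        grep -q "^$user:" "$root/etc/passwd" || { echo "etc/passwd lacks $user"; rc=1; }
        n=$(grep -c . "$root/etc/passwd" || :)
        [ "$n" -eq 1 ] || { echo "etc/passwd has $n entries, expected only $user"; rc=1; }
    else
        echo "missing etc/passwd"; rc=1
    fi
    w=$(find "$root/usr" "$root/lib64" "$root/etc" \( -perm -020 -o -perm -002 \) 2>/dev/null)
    [ -z "$w" ] || { printf 'group/world-writable:\n%s\n' "$w"; rc=1; }
    return "$rc"
}
```

On the host from this howto, `chroot_check_skeleton /home/user1 user1 && chroot_missing_libs /home/user1` should print nothing once the copy steps above are complete.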
User configuration
Now that the hard part is done, it's time to set the shell of the user to /usr/bin/rssh and try to log in as the user:
[root@test user1]# usermod -s /usr/bin/rssh -G rsshusers user1
[root@test user1]# ssh user1@localhost
user1@localhost's password:
Last login: Wed Jul 20 23:46:44 2011 from ::1
This account is restricted by rssh.
Allowed commands: scp sftp
If you believe this is in error, please contact your system administrator.
Connection to localhost closed.
[root@test user1]# scp /etc/hosts user1@localhost:
user1@localhost's password:
hosts                                         100%  158     0.2KB/s   00:00
And now you have an account with only scp/sftp rights in a chrooted environment.
