Friday, 29 May 2009

Centos 5.1 Chrooting SFTP using SCPonly


Installation


Prerequisites: GCC (scponly is built from source) and the OpenSSH server are installed.


Download scponly from: https://sourceforge.net/project/showfiles.php?group_id=155849 and extract it to /tmp


Configure Your Installation

Navigate into the directory in /tmp where you extracted scponly and configure with the command below:

./configure --enable-chrooted-binary


Build & Install The Binaries


make

make install


This installs the man page, the scponly binary (/usr/local/bin/scponly) and, because --enable-chrooted-binary was given, the chrooting variant scponlyc (/usr/local/sbin/scponlyc). scponlyc is installed setuid root (mode 4755, as the make jail output below shows) because the chroot(2) call requires root; it drops privileges to the logged-in user once inside the jail.


Edit /etc/shells using vi to look like this:



/bin/sh

/bin/bash

/sbin/nologin

/bin/tcsh

/bin/csh

/bin/ksh

/usr/local/sbin/scponlyc


If you do not want scponly to chroot its users, list the non-chrooting binary in /etc/shells instead of scponlyc:


/usr/local/bin/scponly


Set up the jail with the following command which invokes a helper script:


make jail


The output will look similar to below:


/usr/bin/install -c -d /usr/local/bin

/usr/bin/install -c -d /usr/local/man/man8

/usr/bin/install -c -d /usr/local/etc/scponly

/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly

/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8

/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel

if test "xscponlyc" != "x"; then \

/usr/bin/install -c -d /usr/local/sbin; \

rm -f /usr/local/sbin/scponlyc; \

cp scponly scponlyc; \

/usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc; \

fi

chmod u+x ./setup_chroot.sh

./setup_chroot.sh


Next we need to set the home directory for this scponly user.

please note that the user's home directory MUST NOT be writeable

by the scponly user. this is important so that the scponly user

cannot subvert the .ssh configuration parameters.


for this reason, a writeable subdirectory will be created that

the scponly user can write into.


Username to install [scponly]scponly

home directory you wish to set for this user [/home/scponly]

name of the writeable subdirectory [incoming]files

useradd: warning: the home directory already exists.

Not copying any file from skel directory into it.


creating /home/scponly/files directory for uploading files


Your platform (Linux) does not have a platform specific setup script.

This install script will attempt a best guess.

If you perform customizations, please consider sending me your changes.

Look to the templates in build_extras/arch.

- joe at sublimation dot org


please set the password for scponly:

Changing password for user scponly.

New UNIX password:

Retype new UNIX password:

passwd: all authentication tokens updated successfully.

if you experience a warning with winscp regarding groups, please install

the provided hacked out fake groups program into your chroot, like so:

cp groups /home/scponly/bin/groups


Note: I ran the command mentioned at the end.


cp groups /home/scponly/bin/groups


Note that this is not the be-all and end-all of setting up chrooted scponly: the helper script has no CentOS-specific setup and only makes a best guess, so a few pieces are still missing from the jail.


During "make jail", for example, I used /home/scponly/ as my chroot's main path. The following are the final steps I took to get scponly working.


Edit /home/scponly/etc/ld.so.conf and replace its content with the library directories inside the jail:



/lib

/usr/lib


Then rebuild the loader cache relative to the jail root (this writes /home/scponly/etc/ld.so.cache, which the chrooted sftp-server needs to find its libraries):


ldconfig -r /home/scponly/


Copy the dynamic loader /lib/ld-linux.so.* into /home/scponly/lib/ (this is the 32-bit path):


cp /lib/ld-linux.so.* /home/scponly/lib/


On an x86_64 system the loader is /lib64/ld-linux-x86-64.so.2 and belongs in /home/scponly/lib64/ instead; add /lib64 and /usr/lib64 to the jail's ld.so.conf as well before running ldconfig -r.


Copy /etc/group into /home/scponly/etc/ so group names can be resolved inside the jail (the jailed user can read it, so it reveals the host's group names; it can be trimmed to the entries actually needed):


cp /etc/group /home/scponly/etc/


Create the folder /home/scponly/etc/selinux


mkdir /home/scponly/etc/selinux


Create a file named config there and insert the following content in this file. It is read by programs inside the jail that link against libselinux; it does not change SELinux enforcement on the host, which is governed by the real /etc/selinux/config:



vi /home/scponly/etc/selinux/config


SELINUX=disabled

SELINUXTYPE=targeted

SETLOCALDEFS=0


Create the folder:


mkdir /home/scponly/dev


Create the null device in the chroot (a character device with major number 1 and minor number 3, the same as the host's /dev/null):


mknod /home/scponly/dev/null c 1 3


Change permissions on the null device:


chmod 666 /home/scponly/dev/null
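To check the finished jail against the requirements above (a root-owned home directory that the scponly user cannot write to, a writable upload subdirectory, the loader and ld.so.cache in place, the group and SELinux files, a real null device, and the scponlyc shell registered in /etc/shells), here is a small audit script. It is an added example, not part of scponly or of the original post; it assumes GNU coreutils and findutils (stat -c, find -perm) as shipped on CentOS, and the paths and user name (/home/scponly, scponly, files) are the ones used above.

```shell
#!/bin/sh
# Post-install audit for an scponly chroot jail built as in this post.
# Added example, not part of scponly. Assumes GNU coreutils/findutils
# (stat -c, find -perm) as shipped on CentOS.
#
# Usage: audit_jail JAIL_DIR USER [UPLOAD_SUBDIR]
#   e.g. audit_jail /home/scponly scponly files
# Prints one line per problem found; the exit status is the number of problems.

# Exit 0 if PATH is a character device with major 1, minor 3 (the null device).
# stat -c %t:%T prints major:minor in hex, so a regular file made by
# "cp /dev/null ..." or a wrong mknod is rejected.
check_null_device() {
    [ -c "$1" ] || return 1
    [ "$(stat -c '%t:%T' "$1")" = "1:3" ]
}

# Exit 0 if directory DIR has the group or other write bit set
# (6th and 9th characters of the "drwxr-xr-x" mode string).
dir_group_or_world_writable() {
    case $(stat -c %A "$1") in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Exit 0 if SHELL is listed verbatim in SHELLS_FILE (default /etc/shells);
# sshd refuses logins for users whose shell is not listed there.
shell_registered() {
    grep -qxF -- "$1" "${2:-/etc/shells}"
}

audit_jail() {
    jail=$1
    user=$2
    upload=${3:-incoming}
    problems=0

    [ -d "$jail" ] || { echo "MISSING: $jail"; return 1; }

    # The jail root is the user's home directory. It must not be writable by
    # the jailed user, or ~/.ssh and the jail's own files could be tampered with.
    if [ "$(stat -c %U "$jail")" = "$user" ]; then
        echo "BAD: $jail is owned by $user (must be root-owned)"
        problems=$((problems + 1))
    fi
    if dir_group_or_world_writable "$jail"; then
        echo "BAD: $jail is group- or world-writable"
        problems=$((problems + 1))
    fi

    # The upload area is the one place the user is meant to write.
    if [ ! -d "$jail/$upload" ] || [ "$(stat -c %U "$jail/$upload")" != "$user" ]; then
        echo "BAD: $jail/$upload missing or not owned by $user"
        problems=$((problems + 1))
    fi

    # Pieces the chrooted sftp-server needs to start.
    for f in etc/ld.so.cache etc/group etc/selinux/config; do
        [ -f "$jail/$f" ] || { echo "MISSING: $jail/$f"; problems=$((problems + 1)); }
    done
    loader_found=0
    for f in "$jail"/lib/ld-linux*.so* "$jail"/lib64/ld-linux*.so*; do
        [ -e "$f" ] && loader_found=1
    done
    if [ "$loader_found" -eq 0 ]; then
        echo "MISSING: dynamic loader (ld-linux*.so*) under $jail/lib or $jail/lib64"
        problems=$((problems + 1))
    fi
    if ! check_null_device "$jail/dev/null"; then
        echo "BAD: $jail/dev/null is not a character device 1,3"
        problems=$((problems + 1))
    fi

    # Nothing inside the jail should be setuid/setgid; the only privileged
    # piece is scponlyc, which lives outside the jail.
    if find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | grep -q .; then
        echo "BAD: setuid/setgid files found inside $jail"
        problems=$((problems + 1))
    fi

    return $problems
}
```

Run it as root after the steps above with audit_jail /home/scponly scponly files; a zero exit status means every check passed, otherwise the status is the number of problems printed. shell_registered /usr/local/sbin/scponlyc confirms the /etc/shells edit separately, since that file lives on the host rather than in the jail.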