Steps for building ssh with chroot support
作者:管怀剑(James Guan)
更新日期:2006/05/26
Require:
zlib-devel
pam-devel
gcc
ssl
openssh-4.2p1-chroot.tar.gz (download from )
Building:
LDFLAGS=-ldl ./configure --with-zlib=/usr/local/lib --with-pam --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl
make clean
make
make install
add the sshd user (passwd entry): sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
cd /usr/bin
mv ssh ssh.orig
mv scp scp.orig
mv ssh-add ssh-add.orig
mv ssh-agent ssh-agent.orig
mv ssh-keygen ssh-keygen.orig
mv ssh-keyscan ssh-keyscan.orig
ln -sf /usr/local/bin/ssh ssh
ln -sf /usr/local/bin/scp scp
ln -sf /usr/local/bin/ssh-add ssh-add
ln -sf /usr/local/bin/ssh-agent ssh-agent
ln -sf /usr/local/bin/ssh-keygen ssh-keygen
ln -sf /usr/local/bin/ssh-keyscan ssh-keyscan
cd /usr/sbin
mv sshd sshd.orig
ln -sf /usr/local/sbin/sshd sshd
cd /usr/libexec/openssh
mv sftp-server sftp-server.orig
ln -sf /usr/local/libexec/sftp-server sftp-server
ln -sf /usr/local/libexec/ssh-keysign ssh-keysign
/etc/init.d/sshd restart
Create sftp chroot:
[root@localhost openssh-chroot]# cat create-sftp-chroot.sh
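#!/bin/sh
# create-sftp-chroot.sh -- confine one existing user ($1) to an sftp-only chroot.
# Two things are done for the named user:
#   1. The user's home directory becomes the root of the chroot; sftp-server
#      and the shared libraries it links against are copied under it.
#   2. The user's login shell is changed to /usr/local/libexec/sftp-server and
#      the home directory is rewritten as "<home>/./" (the marker the
#      chroot-patched sshd looks for).
# Must run as root (writes under the home directory and calls usermod).
# Exit status: 0 ok, 1 no username given, 2 user does not exist,
#              3 home directory unknown or a copy/usermod step failed.
# EDITOR: Taylor Lee < >
# Date: 2006-04-18
set -u

echo "INFO: username checking..."
if [ -z "${1:-}" ]; then
  echo "No argument/username specified,exiting..."
  echo "Usage: ${0##*/} username"
  exit 1
fi
user=$1
if ! id "$user" > /dev/null 2>&1; then
  echo "ERROR:specified user $user don't exist, exiting with value 2..."
  exit 2
fi

echo "INFO: creating chroot for user $user..."
# Exact match on the login-name field, not a regex built from $1.
CHROOT_DIR=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' /etc/passwd)
if [ -z "$CHROOT_DIR" ]; then
  echo "ERROR: user $user has no home directory in /etc/passwd, exiting with value 3..."
  exit 3
fi
# A trailing "/./" means an earlier run already marked the home directory;
# strip it so the paths built below stay clean.
case "$CHROOT_DIR" in
  */./) ALREADY_CHROOTED=1; CHROOT_DIR=${CHROOT_DIR%/./} ;;
  *)    ALREADY_CHROOTED=0 ;;
esac

REQUIRED_CHROOT_FILES="/usr/local/libexec/sftp-server"

# copy_into_chroot SRC MODE -- copy the absolute path SRC to the same path
# under $CHROOT_DIR, creating parent directories. MODE "keep" leaves an
# existing non-empty destination alone; any other MODE overwrites it.
# Returns non-zero when mkdir or cp fails.
copy_into_chroot() {
  cic_src=$1
  cic_dest="$CHROOT_DIR/${cic_src#/}"
  cic_destdir=${cic_dest%/*}
  [ -d "$cic_destdir" ] || mkdir -p "$cic_destdir" || return 1
  if [ "$2" = keep ] && [ -s "$cic_dest" ]; then
    return 0
  fi
  cp "$cic_src" "$cic_dest"
}

[ -d "$CHROOT_DIR" ] || mkdir -p "$CHROOT_DIR" || exit 3
# NOTE(review): the chroot root and the copied files should stay root-owned
# and not writable by $user; a pre-existing home created by adduser is
# usually user-owned, so check ownership after this script runs.

# Word-splitting on the two unquoted lists below is intentional.
for FILE in $REQUIRED_CHROOT_FILES; do
  # The binary is always refreshed so a rebuilt sftp-server is picked up on
  # re-run; its libraries are only added when missing (as before).
  copy_into_chroot "$FILE" overwrite || exit 3
  # Take the first absolute path on each ldd line: field 3 for
  # "lib => /path (addr)", field 1 for the loader line "/lib/ld-*.so (addr)".
  # Lines with no file (e.g. the linux-gate vdso) yield nothing.
  for SHARED_LIBRARY in $(ldd "$FILE" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'); do
    copy_into_chroot "$SHARED_LIBRARY" keep || exit 3
  done
done

# Change user's default shell to /usr/local/libexec/sftp-server and add the
# "/./" marker to the home directory unless it already carries one.
if [ "$ALREADY_CHROOTED" -eq 1 ]; then
  usermod -s /usr/local/libexec/sftp-server "$user" || exit 3
else
  usermod -d "$CHROOT_DIR/./" -s /usr/local/libexec/sftp-server "$user" || exit 3
fi
echo "INFO: user $user had been chrooted,please check below $user user entry in /etc/passwd"
awk -F: -v u="$user" '$1 == u' /etc/passwd
exit 0
#adduser test
#passwd test
#./create-sftp-chroot.sh test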
[root@CentOS42-VM chroottest]# ./create-sftp-chroot.sh test
INFO: username checking...
INFO: creating chroot for user test...
INFO: user test had been chrooted,please check below test user entry in /etc/passwd
test:x:501:502::/home/test/./:/usr/local/libexec/sftp-server
Verification:
To verify that a user is sftp chrooted, connect with the sftp command and check the remote working directory:
(For example, to verify that the test user is sftp chrooted)
[root@CentOS42-VM chroottest]# sftp
Connecting to localhost...
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 5b:41:e2:e7:c7:27:bc:c1:8b:e6:2d:3b:56:85:03:cb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
password:
sftp> ls
lib usr
sftp> pwd
Remote working directory: /
sftp> quit
Make sure you get the "Remote working directory: /" message as above; it means the chroot is working.