OpenSSH Chroot Patch
Introduction
The patches explained here expand the functionality of OpenSSH to allow users
to be chrooted inside a specified directory before a login shell is spawned.
This becomes extremely handy when building hardened hosts with remote login
enabled, as it prevents the remotely logged in user from having any access to
the rest of the system.
Firstly, credit where credit is due - this patch is based on the code found
over at Chrootssh.sf.net, and as such the documentation found at that website
is applicable to this patch as well.
They've already got a patch? Why'd you do it again?
Yes, they already have a patch. However, it only works on half the platforms.
The author placed the chroot code inside the "else" branch of a preprocessor
if..else block, so it only gets compiled on the platforms that take that branch.
This probably works fine under Linux. However, under OpenBSD (my OS of choice),
that patch failed to work. After some time, I re-wrote the patch to firstly
be more functional, and secondly to correctly set group memberships and the
like for ALL platforms that OpenSSH will run on.
Additionally, I also provide a diff for the non-portable version of OpenSSH, the
one that is designed to run on OpenBSD. This code has less overhead than the
portable one, and so may be desirable to some.
Download
OpenBSD
Portable
Installation
Download Source from OpenSSH/OpenBSD
The OpenBSD Mirror Page gives a list of mirrors using different
protocols by which you'll be able to fetch a copy of OpenSSH, which in most
cases will be found under the /OpenSSH directory of the mirror.
Unpack and Patch Source
Assuming you've downloaded the correct patch for the version of OpenSSH
you downloaded, you should be able to apply it thus (the configure step
below applies to the portable version only):
$ tar -zxvf openssh-4.3p2.tar.gz
$ patch -p0 -d openssh-4.3p2 < chrootssh-43-xxxx.diff
They should apply without a problem.
Portable Only: Run configure
Specific options for the configuration can be obtained by running
./configure --help.
Build
Once a valid makefile exists (pre-existing on the OpenBSD distribution),
you can run "make" followed by "make install".
Basic Configuration
Most of the configuration guidelines can be found on the website mentioned
above. However, here is a brief overview:
- Inserting a '/./' in a user's home directory triggers the chroot code.
The directory before the "." is where the chroot will be set to, and the
directory after the "." is where the user's home directory will be after
the chroot.
For example:
/home/chrooted/./bill
As bill's home directory will cause chroot to change to
/home/chrooted/ and will then set his home directory to "/bill".
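As an added illustration (not code from the chrootssh patch itself), the following C function splits a passwd home-directory field at the "/./" marker exactly as described above, returning the chroot target and the post-chroot home; the function names are assumptions chosen for this example.

```c
/* Added example: parse the "/./" chroot marker in a home-directory field.
 * Not the patch's own code; split_chroot_home() is a hypothetical name. */
#include <stdio.h>
#include <string.h>

/* Split pw_dir at the first "/./". On success, copies the chroot target
 * (everything up to and including the '/' before the '.') into chroot_dir,
 * copies the in-chroot home ('/' plus everything after the marker) into
 * home, and returns 1. Returns 0 when there is no marker (user is not to
 * be chrooted) or when either result would not fit in its buffer. */
static int split_chroot_home(const char *pw_dir,
                             char *chroot_dir, size_t cdlen,
                             char *home, size_t hlen)
{
    const char *marker = strstr(pw_dir, "/./");
    size_t prefix;

    if (marker == NULL)
        return 0;
    prefix = (size_t)(marker - pw_dir) + 1;        /* keep the trailing '/' */
    if (prefix + 1 > cdlen || strlen(marker + 2) + 1 > hlen)
        return 0;                                   /* refuse rather than truncate */
    memcpy(chroot_dir, pw_dir, prefix);
    chroot_dir[prefix] = '\0';                      /* e.g. "/home/chrooted/" */
    strcpy(home, marker + 2);                       /* e.g. "/bill" */
    return 1;
}

int main(void)
{
    /* Constructed sample values matching the example in the text. */
    const char *samples[] = { "/home/chrooted/./bill", "/home/alice" };
    char chroot_dir[256], home[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (split_chroot_home(samples[i], chroot_dir, sizeof chroot_dir,
                              home, sizeof home))
            printf("%s -> chroot to %s, home becomes %s\n",
                   samples[i], chroot_dir, home);
        else
            printf("%s -> no chroot marker, login as usual\n", samples[i]);
    }
    return 0;
}
```

In the real patch the chroot(2) call must happen while still root, followed by chdir() to the new home, before privileges are dropped and the shell is spawned.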
Caveats
- Under OpenBSD, if you wish to do further ssh'ing, you need to make
sure that the pwd.db and spwd.db are kept up-to-date INSIDE the
chroot - so wherever you chroot your users, it's best to have a
floating /chroot/etc/pwd.db and spwd.db.
- It's also advisable to change the home path in the floating
/etc/passwd and /etc/master.passwd (if you choose to have them)
so that the chrooted directory is removed. This is for those
programs that ignore $HOME.
- Your logging will fail to work after chroot, unless you're using
Internet sockets, or you have a separate syslog process listening on
/dev/log within your chrooted directory.
- You should also populate your own /dev tree for the shell (if it's
an interactive account) to contain /dev/fd/*, /dev/tty, /dev/urandom,
/dev/null and /dev/zero.
Document Prepared by: Matt Bradford, 20060310