{"id":1261,"date":"2012-10-03T22:15:22","date_gmt":"2012-10-04T02:15:22","guid":{"rendered":"https:\/\/lowtek.ca\/roo\/?p=1261"},"modified":"2019-12-07T09:54:53","modified_gmt":"2019-12-07T13:54:53","slug":"makejail-limited-ssh-account-on-ubuntu","status":"publish","type":"post","link":"https:\/\/lowtek.ca\/roo\/2012\/makejail-limited-ssh-account-on-ubuntu\/","title":{"rendered":"Makejail &#8211; limited SSH account on Ubuntu"},"content":{"rendered":"<div><a href=\"https:\/\/www.flickr.com\/photos\/hadsie\/3703461460\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" title=\"Jail Cell in the Rock by hadsie, on Flickr\" src=\"https:\/\/farm3.static.flickr.com\/2642\/3703461460_41106de78a.jpg\" alt=\"Jail Cell in the Rock by hadsie, on Flickr\" border=\"0\" \/><\/a><br \/>\n<a href=\"http:\/\/creativecommons.org\/licenses\/by-nc-sa\/2.0\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" title=\"Creative Commons Attribution-Noncommercial-Share Alike 2.0 Generic License\" src=\"https:\/\/i.creativecommons.org\/l\/by-nc-sa\/2.0\/80x15.png\" alt=\"Creative Commons Attribution-Noncommercial-Share Alike 2.0 Generic License\" align=\"left\" border=\"0\" \/><\/a>\u00a0 photo by\u00a0<a href=\"https:\/\/www.flickr.com\/people\/hadsie\/\" target=\"_blank\" rel=\"noopener noreferrer\">\u00a0hadsie<\/a><a href=\"http:\/\/www.imagecodr.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">\u00a0<\/a><\/div>\n<p>Previous I had covered <a href=\"https:\/\/lowtek.ca\/roo\/2012\/restricted-shell-file-server-with-scponly\/\">how to setup scponly<\/a> as a restricted fileserver environment. While this works well, it is very limited and didn&#8217;t allow for <a href=\"http:\/\/en.wikipedia.org\/wiki\/Rsync\">rsync<\/a> to run (without heroics beyond what I was willing to do). Using <a href=\"http:\/\/www.floc.net\/makejail\/\">makejail<\/a> seems to be a better solution for my needs, and it turns out to be quite easy to setup on <a href=\"http:\/\/www.ubuntu.com\/\">Ubuntu 12.04<\/a>. On the journey here I had also tried out\u00a0<a href=\"http:\/\/www.pizzashack.org\/rssh\/\">rssh<\/a> which I also decided wasn&#8217;t a good fit.<\/p>\n<p>You&#8217;ll of course need sshd installed which I&#8217;ll assume you have, and makejail which we can install easily:<\/p>\n<p><code>$ sudo apt-get install makejail<\/code><\/p>\n<p>Now we need to modify our <a href=\"http:\/\/en.wikipedia.org\/wiki\/Openssh\">openssh<\/a> configuration by editing <code>\/etc\/ssh\/sshd_config<\/code>, there are two changes we need to make.\u00a0Modify the yes setting for UsePrivilegeSeparation:<\/p>\n<p><code># Disable Privilege Separation to allow chroot<br \/>\nUsePrivilegeSeparation no<br \/>\n<\/code><br \/>\nand at the bottom of the configuration file we&#8217;ll add:<\/p>\n<p><code>Match User frank<br \/>\nChrootDirectory \/home\/frank<br \/>\nAllowTCPForwarding no<br \/>\nX11Forwarding no<br \/>\nPasswordAuthentication no<\/code><\/p>\n<p>Of course, for each restricted user you need to specify the username and home directory. You may have noticed that for the restricted users I&#8217;ve disabled password authentication, this is because changing the password is broken in the &#8216;jailed&#8217; environment so we just avoid the issue by insisting on the use of keys (yes, you&#8217;ll need the restricted user to send you their public key to install in the <code>.ssh\/authorized_keys<\/code> file of the restricted user).<\/p>\n<p>Next we need to create a simple python script file that we can pass to makejail as a configuration file. I called mine jailconf.py and the contents look like:<\/p>\n<p><code>chroot = \"\/home\/frank\"<br \/>\ntestCommandsInsideJail = [\"bash\", \"ls\", \"touch\", \"rm\", \"rmdir\", \"less\", \"cat\", \"rsync\" ]<\/code><\/p>\n<p>Then execute makejail with this configuration file.<\/p>\n<p><code>$ sudo makejail jailconf.py<\/code><\/p>\n<p>For some reason, I needed to run makejail twice initially before it ran without errors &#8211; but it is something you can run multiple times with no serious side effects, this is handy if you want to add more commands later.<\/p>\n<p>That&#8217;s it, now if you take a peek at the filesystem structure that&#8217;s been created &#8211; it&#8217;s a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Chroot\">chroot environment<\/a>. You&#8217;ll probably want to go in and create a <code>\/home\/frank\/stuff<\/code> directory and assign ownership to the user so they can stick files there.<\/p>\n<p><code>$ sudo ls -l \/home\/frank<br \/>\ntotal 36<br \/>\ndrwxr-xr-x 2 root root 4096 Sep 19 22:59 bin<br \/>\ndrwxr-xr-x 2 root root 4096 Sep 19 22:55 dev<br \/>\ndrwxr-xr-x 3 root root 4096 Sep 19 22:56 etc<br \/>\ndrwxrwxrwx 4 frank frank 4096 Sep 19 23:28 stuff<br \/>\ndrwxr-xr-x 4 root root 4096 Sep 19 22:55 lib<br \/>\ndrwxr-xr-x 2 root root 4096 Sep 19 22:55 root<br \/>\ndrwxr-xr-x 2 root root 4096 Sep 19 22:59 sbin<br \/>\ndrwxr-xr-x 2 root root 4096 Dec 5 2009 selinux<br \/>\ndrwxr-xr-x 5 root root 4096 Sep 19 22:55 usr<\/code><\/p>\n<p>Now once you sort out the public key login (and remember to make sure the permissions on the .ssh directory and authorized keys are correct), the user frank will be able to log in and see the directory tree \/home\/frank as if it were the root of the filesystem. Only commands listed in the configuration file (jailconf.py) will be available to that user. Of course, if the filesystem is writeable (and executable) then they could always upload copies of the commands they want to run &#8211; but hopefully these are people you trust to some level.<\/p>\n<p>References: I came to this solution initially through <a href=\"http:\/\/www.sr4l.de\/article\/it\/chroot_jail_for_ssh_user.html\">this article<\/a>. There was a <a href=\"http:\/\/serverfault.com\/questions\/285800\/how-to-disable-ssh-login-with-password-for-some-users\">serverfault post<\/a> that helped with the ssh configuration changes related to disabling password authentication.<\/p>\n<p>In my case this is one component in allowing a friend to use my system as a remote (encrypted) backup site using rsync. I&#8217;ll post more details on that in the future.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0 photo by\u00a0\u00a0hadsie\u00a0 Previous I had covered how to setup scponly as a restricted fileserver environment. While this works well, it is very limited and didn&#8217;t allow for rsync to run (without heroics beyond what I was willing to do). Using makejail seems to be a better solution for my needs, and it turns out &hellip; <a href=\"https:\/\/lowtek.ca\/roo\/2012\/makejail-limited-ssh-account-on-ubuntu\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Makejail &#8211; limited SSH account on Ubuntu&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-1261","post","type-post","status-publish","format-standard","hentry","category-computing"],"_links":{"self":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/comments?post=1261"}],"version-history":[{"count":7,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1261\/revisions"}],"predecessor-version":[{"id":1653,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1261\/revisions\/1653"}],"wp:attachment":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/media?parent=1261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/categories?post=1261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/tags?post=1261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}