Erik's blog

Code, notes, recipes, general musings

tutorial: building an OpenSSH chroot jail on CentOS 5.3


Goal:

allow users to log into a CentOS 5.3 server via ssh, but then constrain their mobility by using the chroot support introduced in OpenSSH 4.8p1.

Resources:

1) http://v2.robbyt.com/2008/howto/chrooted-sftp-with-openssh-5/

2) http://www.dotnux.com/?p=3

3) http://forums.fedoraforum.org/archive/index.php/t-30684.html

Procedure:

I followed the tutorial in resource 2 for the most part, but the rpm build will fail with an error if the “/usr/src/redhat/RPMS/i386” and “/usr/src/redhat/BUILD” directories are not made in advance, a step in resource 1.  

With these two tutorials, I was able to build and install OpenSSH 5.1, but then I ran into a couple of hiccups. When I tried to log in using a dummy account (“random1”) assigned to the “sshusers” group described in resource 1, ssh rejected my login with an error: “Permission denied (publickey,gssapi-with-mic).” Looking in the ssh logs (“/var/log/secure”), I saw: “Authentication refused: bad ownership or modes for file /home/random1/.ssh/authorized_keys”. Referring to the details provided in resource 3, I changed the permissions on “random1/.ssh” and “random1/.ssh/authorized_users” to 700. Then I was able to ssh in, but I immediately received the error “/bin/bash: No such file or directory” and was bounced out. I moved the ls and bash executables, placed in “/usr/bin” in resource 2, to “/bin”, and then all was good 🙂
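The two problems above (the StrictModes refusal on `authorized_keys`, and the login shell missing inside the jail) are both things an admin can check before the first login. The script below is an added example, not code from the post or from the linked tutorials: it prints the `sshd_config` Match block for the `sshusers` group, builds a minimal jail with the requested binaries under the jail's `/bin` together with the libraries `ldd` reports for them, and applies sshd's "not group/world writable" rule to `~`, `~/.ssh` and `~/.ssh/authorized_keys`. The jail path `/home/jail/%u`, the `build_jail` and `check_key_modes` names, and the `random1` home layout are assumptions; root ownership of the chroot directory, which sshd also requires, is not verified here.

```sh
#!/bin/sh
# Added example for the procedure above (not the post's own code).
# Assumed layout: one jail root per user under /home/jail/<user>, group "sshusers".
set -eu

# sshd_config fragment confining members of sshusers. %u expands to the user
# name; the ChrootDirectory and every parent must be root-owned and not
# group/world writable, or sshd refuses the login.
sshd_match_block() {
    cat <<'EOF'
Match Group sshusers
    ChrootDirectory /home/jail/%u
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Return 0 when neither the group nor the world write bit is set on $1
# (columns 6 and 9 of "ls -ld"). This is the StrictModes rule sshd applies
# to ~, ~/.ssh and ~/.ssh/authorized_keys; ownership is not checked here.
not_writable_by_others() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 1 ;;
    esac
    return 0
}

# Check the three paths behind "bad ownership or modes for file ...".
check_key_modes() {
    home="$1"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        not_writable_by_others "$p" || { echo "too permissive: $p" >&2; return 1; }
    done
}

# Build a minimal jail at $1 with the given binaries under $1/bin plus the
# shared libraries ldd reports for them. The login shell named in /etc/passwd
# (/bin/bash) must exist at that exact path inside the jail, which is why
# moving bash and ls out of the jail's /usr/bin cured the
# "/bin/bash: No such file or directory" error.
build_jail() {
    jail="$1"; shift
    mkdir -p "$jail/bin" "$jail/home"
    for bin in "$@"; do
        cp "$bin" "$jail/bin/"
        if command -v ldd >/dev/null 2>&1; then
            # ldd lines look like "libc.so.6 => /lib/.../libc.so.6 (0x...)";
            # keep only the absolute paths and mirror them into the jail.
            for lib in $(ldd "$bin" 2>/dev/null | grep -o '/[^ ]*' || true); do
                [ -f "$lib" ] || continue
                mkdir -p "$jail$(dirname "$lib")"
                cp "$lib" "$jail$lib"
            done
        fi
    done
}

# Stand-alone demo (run with JAIL_DEMO=1): builds a throwaway jail in a temp
# directory and reproduces the author's permission fix for "random1".
main() {
    sshd_match_block
    jail=$(mktemp -d)
    build_jail "$jail" /bin/bash /bin/ls
    ls -l "$jail/bin"
    mkdir -p "$jail/home/random1/.ssh"
    chmod 755 "$jail/home/random1"
    chmod 700 "$jail/home/random1/.ssh"
    touch "$jail/home/random1/.ssh/authorized_keys"
    chmod 700 "$jail/home/random1/.ssh/authorized_keys"
    check_key_modes "$jail/home/random1" && echo "key modes OK in $jail"
}
if [ -n "${JAIL_DEMO:-}" ]; then main; fi
```

On a real system the jail is created as root, `chown root:root` is applied to the jail root and its parents, and `check_key_modes` is run against the jailed user's home before the account is handed over; a group- or world-writable `.ssh` reproduces exactly the "bad ownership or modes" refusal the post describes.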

Special thanks to robbyt, author of resource 1, for his assistance.


Written by Erik

July 28, 2009 at 7:51 pm

Posted in tutorial

