How can I chroot user directories ssh?


(Loren Tedford (Kc9Zhv)) #1

I am trying to figure out how to correctly chroot a user directory. Any thoughts? I see you can do it with ftp, however I would like to do it via ssh…

Here is what I thought I figured out so far…

nano /etc/ssh/sshd_config

Subsystem      sftp     /usr/libexec/openssh/sftp-server
X11DisplayOffset 10
X11Forwarding no
ClientAliveInterval 60
ClientAliveCountMax 3
PrintMotd yes

SyslogFacility AUTH
LogLevel INFO

Match User NAME
    ChrootDirectory /var/lib/nethserver/home/NAME
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

I also tried this…
chroot 700 /var/lib/nethserver/home/NAME

I have also tried this…

Subsystem      sftp     /usr/libexec/openssh/sftp-server
X11DisplayOffset 10
X11Forwarding no
ClientAliveInterval 60
ClientAliveCountMax 3
PrintMotd yes

SyslogFacility AUTH
LogLevel INFO

Match User NAME
    ChrootDirectory /var/lib/nethserver/home/NAME
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand /usr/libexec/openssh/sftp-server

Didn’t work… What am I missing?


(Stefano Zamboni) #2

First of all, be sure you’re not editing a templatized file


(Loren Tedford (Kc9Zhv)) #3

I think by now you know me… I always screw that up…

Where might I actually edit the proper file…


(Stefano Zamboni) #4

I’d strongly suggest you carefully read the fine documentation… Hint: NS’ paradigm is db, templates, events


(Loren Tedford (Kc9Zhv)) #5

Can you link me to the direct documentation on NS’ paradigm is db, templates, events?

I am assuming NS = Neth Server; is the rest just topics?


(Stefano Zamboni) #6

NS is Nethserver, indeed :slight_smile:
Anyway, start from the Architecture point you’ll find here:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/


(Loren Tedford (Kc9Zhv)) #7

Thanks… It doesn’t take me long to get lost…


(Loren Tedford (Kc9Zhv)) #8

I have to use Neth Server 6.8 because Neth 7 is very broken; it won’t even allow me to set my IP address and customized gateways… So unfortunately the documentation you sent probably won’t help me until we get Neth 7 fixed…

http://community.nethserver.org/t/problems-setting-special-static-ips-on-neth-server-7/6932


(Stefano Zamboni) #9

Well, NS’ paradigm doesn’t change

Browse the documentation for the 6 branch (guess how to reach it from my previous link :wink: )


(Loren Tedford (Kc9Zhv)) #10

Yeah, I am looking at it and playing with commands. Example command:
db accounts show NAME

It brings up a list of information, but after playing with db -h it doesn’t seem to explain exactly what commands can be given… Is there any direct documentation on commands? Like example commands of what each command does?

[root@webserver ~]# db -h
usage:
    /sbin/e-smith/db dbfile keys
    /sbin/e-smith/db dbfile print [key]
    /sbin/e-smith/db dbfile printjson [key]
    /sbin/e-smith/db dbfile show [key]
    /sbin/e-smith/db dbfile showjson [key]
    /sbin/e-smith/db dbfile get key
    /sbin/e-smith/db dbfile getjson [key]
    /sbin/e-smith/db dbfile set key type [prop1 val1] [prop2 val2] ...
    /sbin/e-smith/db dbfile setdefault key type [prop1 val1] [prop2 val2] ...
    /sbin/e-smith/db dbfile delete key
    /sbin/e-smith/db dbfile printtype [key]
    /sbin/e-smith/db dbfile gettype key
    /sbin/e-smith/db dbfile settype key type
    /sbin/e-smith/db dbfile printprop key [prop1] [prop2] [prop3] ...
    /sbin/e-smith/db dbfile getprop key prop
    /sbin/e-smith/db dbfile setprop key prop1 val1 [prop2 val2] [prop3 val3] ...
    /sbin/e-smith/db dbfile delprop key prop1 [prop2] [prop3] ...

I am getting severely lost in this…


(Stefano Zamboni) #11

Search here for e-smith layer and read carefully; there are dozens of posts with examples


(Loren Tedford (Kc9Zhv)) #12

Honestly, after 6 hrs of messing around with this, not to mention the 4 hrs before I posted this mess… I have officially given up on this and will just create a separate VM server for users to log in and chroot them to their prospective folders… Thanks again… ~ Loren


(Eddie Atherton) #13

Isn’t updating /etc/ssh/sshd_config only half the battle? Don’t you have to prepare the chroot’d directory structure for a shell user?

Cheers.
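
Added example, not part of any post in this thread: a POSIX shell check for the directory preparation mentioned in post #13, based on the sshd_config(5) rule that every component of a ChrootDirectory path must be a root-owned directory not writable by group or others. The function names are made up for this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a ChrootDirectory path.
# sshd refuses to chroot unless every component of the path, from / down,
# is a directory owned by root and not writable by group or others.
# Assumes GNU stat, as shipped on CentOS-based systems.

# component_ok UID MODE: return 0 if one component satisfies the rule.
# MODE is the octal string printed by `stat -c %a` (e.g. 755, 1777).
component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # Group-write (020) and other-write (002) bits must both be clear.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# check_chroot_path DIR: print each offending component.
# Returns 0 if the whole path is acceptable, 1 if not, 2 on bad input.
check_chroot_path() {
    p=$1
    bad=0
    case $p in
        /*) ;;
        *) echo "not an absolute path: $p"; return 2 ;;
    esac
    while :; do
        if [ ! -d "$p" ]; then
            echo "FAIL $p (not a directory)"
            bad=1
        else
            # -L: follow symlinks, so the directory itself is examined.
            set -- $(stat -L -c '%u %a' "$p")
            component_ok "$1" "$2" || { echo "FAIL $p (uid=$1 mode=$2)"; bad=1; }
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return "$bad"
}

# Usage: sh check_chroot.sh /var/lib/nethserver/home/NAME
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

A home directory owned by its user fails this check, and sshd then rejects the session with a "bad ownership or modes for chroot directory" message in its log.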


(Filippo Carletti) #14

NethServer 6 and 7 are almost identical regarding network configuration. The only difference is that in 7 we no longer store the MAC address of the board. But this change can’t break things.
Would you like to help us to solve the problem you have with network in 7?


(Loren Tedford (Kc9Zhv)) #15

I might have missed a few steps then…
My memory is not the best on some of this stuff; been a while since I have had to put something together like this…


(Loren Tedford (Kc9Zhv)) #16

Ah, now you’re talking. So exactly what did they change regarding the MAC address assignments?

In our case we have to use custom MAC addressing because of security purposes…