OmniUnlimited

Unable to Log In Via SSH

Hello Experts:

Please see http://www.experts-exchange.com/OS/Linux/Q_28358891.html for background on this issue.

The parameters have changed to the original question.  I need to know how to create a jailed environment for a user in a directory which makes no mention of the user name, such as /home/account/public_html/somesite.

Thank you.

Dave Baldwin

It should have been clear from the other question that SSH is not made for what you want to do.  It is essentially a secure replacement for 'telnet' with some additional features.  

What do you want the user to be able to do once they get access?

ASKER

Hi Dave,

Unfortunately, your statement contradicts the statement made at the end of the previous question by the expert that was helping me.  He seems to think that this is entirely possible, but since the parameters of my original question changed, he asked me to open a new one.

The fact is we have already achieved a "jailed" environment for the SSH user.  My current problem is simply that the jailed directory is not the one I want.

I think what Dave means is that what you want now has nothing to do with ssh. The question is about jailing. I suggest you change the title so you get more experts to help; I suggest "Create a jailing directory that does not contain the username"

Hi cristiantm,

Not to be contrary as well, but if you review the last question carefully, this has everything to do with SSH.  As reported on the previous question, I cannot SSH into the proper directory in a jailed environment.  This is why my question states in the beginning: "Please see https://www.experts-exchange.com/questions/28358891/Unable-to-Log-In-Via-SSH.html for background on this issue."

What exactly do you want the directory to be?  You could set the user's home directory to just / (slash), or whatever else you want.  Maybe you can create a hardlink to the user's actual home directory and make it some innocuous name and jail the user to that.

ln /home/account/public_html/somesite  /MY_SITE

Then set up the chroot to /MY_SITE

Did you follow the instructions to create the jail environment? You can set the desired home directory for any particular user.

https://www.experts-exchange.com/questions/28358891/Unable-to-Log-In-Via-SSH.html?anchorAnswerId=39857444#a39857444

ssh tom@rhel6
Last login: Sat Feb 15 22:51:30 2014 from 192.168.10.5
$ pwd
/public_html/siteA
$ cd ../../
$ pwd
/


#grep tom /etc/passwd
tom:x:506:508::/public_html/siteA:/bin/bash
#id tom
uid=506(tom) gid=508(tom) groups=508(tom),506(biz),512(sshonly)


@serialband: I want the home directory to be /home/account/public_html/somesite

@Mazdajai: Thanks for your participation again.  So are you saying that in step two of your instructions, I can do this?

Match Group sshonly
ChrootDirectory /home/account/public_html/somesite
AllowTcpForwarding no
X11Forwarding no 


or would it be more like setting up step two like this:

Match Group sshonly
ChrootDirectory /home/account/public_html
AllowTcpForwarding no
X11Forwarding no 


and step three like this?

mkdir -p /home/account/public_html/somesite
chown ruser1.ruser1 /home/account/public_html/somesite
chmod 700 /home/account/public_html/somesite
setenforce 0
mkdir /home/account/public_html/{dev,bin,lib64}
cp -p /bin/bash /home/account/public_html/bin 


No, you did not need to change the ChrootDirectory directive in sshd_config.

Follow my previous instructions and modify the user home directory to /public_html/siteA.

#grep tom /etc/passwd
tom:x:506:508::/public_html/siteA:/bin/bash


Hi Mazdajai!

Boy, did you have me worried.  I thought you left me. :P

Follow my previous instructions and modify the user home directory to /public_html/siteA.

Do I do this in the /etc/passwd file?

ASKER CERTIFIED SOLUTION
Mazdajai

This solution is only available to members.

Ah, ok.  Will do that and get back to you.  Thanks!

ln means link so you will still have /home/account/public_html/somesite, but you will also have /MY_SITE .  They are linked and refer to the same directory.

Thanks Mazdajai!  Man, you really know your servers!  It was quite a battle for me, there were a few glitches in setting this up (one was that you supplied me with the following commands:
groupadd sshonly
useradd -G sshonly -c "Restricted User 1" -M ruser1
echo ruser123|passwd --stdin ruser123


and I got a "passwd: Unknown user name 'ruser123'" error.)

Another was that when I successfully logged in under the new user, I couldn't even execute an "ls" command in bash.  I had to transfer some binary files over to the new shell (and that turned out to be a bit of fun as I kept getting "error while loading shared libraries" errors as I tried to copy some basic binary files like "ls" and "vi" over.)

But, the end result is a shell that my new user can log into and has no access to the rest of the server via SSH, but with access to some useful binary files.  Nice job.  Oh, and just to give you the heads-up: I may post to this question again to see if I can get your attention on the next server question I have.

Thanks a million!
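
The "error while loading shared libraries" failures described in the last post appear when a binary is copied into the chroot without the libraries it links against. The script below is an added example, not part of the thread: it copies a binary and everything `ldd` lists for it into the jail, assuming a Linux `ldd` and a jail path given as the first argument (function names are hypothetical).

```shell
#!/bin/sh
# Added example, not code from the thread. The jail path and the binaries
# are assumptions; pass your own ChrootDirectory as the first argument.
# Function bodies use ( ) so variables stay local and exit leaves only the function.

# Print the absolute path of every shared object a binary loads.
# ldd can execute code from the file it inspects: trusted binaries only.
list_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }  # libc.so.6 => /lib/... (0x...)
        $1 ~ /^\//               { print $1 }  # /lib64/ld-linux-... (0x...)
    ' | sort -u
}

# Copy one file into the jail under the same absolute path, resolving symlinks.
copy_into_jail() (
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -pL "$src" "$jail$src"
)

# Install a binary together with every library it depends on.
jail_install() (
    jail=$1; bin=$2
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; exit 1; }
    copy_into_jail "$jail" "$bin" || exit 1
    for lib in $(list_libs "$bin"); do
        copy_into_jail "$jail" "$lib" || exit 1
    done
)

# List libraries the binary needs that are absent from the jail.
# Empty output means every dependency is present inside the jail.
jail_missing_libs() (
    jail=$1; bin=$2
    for lib in $(list_libs "$bin"); do
        [ -e "$jail$lib" ] || echo "$lib"
    done
    exit 0
)

# Usage (as root): sh jail_install.sh /home/account/public_html /bin/ls /bin/cat
if [ "$#" -ge 2 ]; then
    jail=$1; shift
    for bin in "$@"; do
        jail_install "$jail" "$bin" || exit 1
        jail_missing_libs "$jail" "$bin"
    done
fi
```

Libraries are kept at the same absolute paths inside the jail because that is where the dynamic loader searches once the session has been chrooted.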