OmniUnlimited
asked on
Unable to Log In Via SSH
Hello Experts:
Please see http://www.experts-exchange.com/OS/Linux/Q_28358891.html for background on this issue.
The parameters have changed to the original question. I need to know how to create a jailed environment for a user in a directory which makes no mention of the user name, such as /home/account/public_html/somesite.
Thank you.
ASKER
Hi Dave,
Unfortunately, your statement contradicts the statement made at the end of the previous question by the expert that was helping me. He seems to think that this is entirely possible, but since the parameters of my original question changed, he asked me to open a new one.
The fact is we have already achieved a "jailed" environment for the SSH user. My current problem is simply that the jailed directory is not the one I want.
I think what Dave means is that what you want now has nothing to do with ssh. The question is about jailing. I suggest you change the title so you get more experts to help; I suggest "Create a jailing directory that does not contain the username".
ASKER
Hi cristiantm,
Not to be contrary as well, but if you review the last question carefully, this has everything to do with SSH. As reported on the previous question, I cannot SSH into the proper directory in a jailed environment. This is why my question states in the beginning: "Please see https://www.experts-exchange.com/questions/28358891/Unable-to-Log-In-Via-SSH.html for background on this issue."
What exactly do you want the directory to be? You could set the user's home directory to just / (slash), or whatever else you want. Maybe you can create a hardlink to the user's actual home directory and make it some innocuous name and jail the user to that.
ln /home/account/public_html/somesite /MY_SITE
Then set up the chroot to /MY_SITE
Did you follow the instructions to create the jail environment? You can set the desired home directory for any particular user.
https://www.experts-exchange.com/questions/28358891/Unable-to-Log-In-Via-SSH.html?anchorAnswerId=39857444#a39857444
ssh tom@rhel6
Last login: Sat Feb 15 22:51:30 2014 from 192.168.10.5
$ pwd
/public_html/siteA
$ cd ../../
$ pwd
/
#grep tom /etc/passwd
tom:x:506:508::/public_html/siteA:/bin/bash
#id tom
uid=506(tom) gid=508(tom) groups=508(tom),506(biz),512(sshonly)
ASKER
@serialband: I want the home directory to be /home/account/public_html/somesite
@Mazdajai: Thanks for your participation again. So are you saying that in step two of your instructions, I can do this?
Match Group sshonly
ChrootDirectory /home/account/public_html/somesite
AllowTcpForwarding no
X11Forwarding no
or would it be more like setting up step two like this:
Match Group sshonly
ChrootDirectory /home/account/public_html
AllowTcpForwarding no
X11Forwarding no
and step three like this?
mkdir -p /home/account/public_html/somesite
chown ruser1.ruser1 /home/account/public_html/somesite
chmod 700 /home/account/public_html/somesite
setenforce 0
mkdir /home/account/public_html/{dev,bin,lib64}
cp -p /bin/bash /home/account/public_html/bin
No, you do not need to change the ChrootDirectory directive in sshd_config.
Follow my previous instructions and modify the user home directory to /public_html/siteA.
#grep tom /etc/passwd
tom:x:506:508::/public_html/siteA:/bin/bash
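An added example, not code from the thread, that checks the two things this answer relies on: the home field of /etc/passwd is resolved inside ChrootDirectory, so a home of /somesite keeps the user name out of the path, and sshd only accepts a chroot whose every path component is root-owned and not group- or other-writable. The jail path and passwd entry are the thread's hypothetical values.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths below are hypothetical.

# Return 0 if one path component (mode string and owner as printed by
# `ls -ld`) satisfies sshd's ChrootDirectory ownership rules, else 1.
component_ok() {
    mode=$1; owner=$2
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        d????w*|d???????w*) return 1 ;;   # group- or other-writable
        d*) return 0 ;;
        *) return 1 ;;                    # not a directory
    esac
}

# Walk from the chroot directory up to / and check every component, printing
# the first offending one (the usual cause of sshd's "bad ownership or modes"
# refusal). The jail root is root-owned, so the user's writable area is a
# subdirectory such as /somesite, which is why the home field points there.
check_chroot_path() {
    p=$1
    while :; do
        set -- $(ls -ld "$p")               # $1 = mode, $3 = owner
        component_ok "$1" "$3" || { echo "bad component: $p ($1 $3)"; return 1; }
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# Sixth field of a passwd line: the home directory.
passwd_home() {
    printf '%s\n' "$1" | cut -d: -f6
}

# Directory the user lands in after login: ChrootDirectory + home field.
effective_login_dir() {
    printf '%s\n' "${1%/}$2"
}

# Constructed demo input; the filesystem walk only runs if the jail exists.
jail=/home/account/public_html
entry='ruser1:x:506:508::/somesite:/bin/bash'
echo "user lands in: $(effective_login_dir "$jail" "$(passwd_home "$entry")")"
if [ -d "$jail" ]; then check_chroot_path "$jail"; fi
```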
ASKER
Hi Mazdajai!
Boy, did you have me worried. I thought you left me. :P
Follow my previous instructions and modify the user home directory to /public_html/siteA.
Do I do this in the /etc/passwd file?
ASKER CERTIFIED SOLUTION
ASKER
Ah, ok. Will do that and get back to you. Thanks!
ln means link, so you will still have /home/account/public_html/somesite, but you will also have /MY_SITE. They are linked and refer to the same directory.
ASKER
Thanks Mazdajai! Man, you really know your servers! It was quite a battle for me; there were a few glitches in setting this up (one was that you supplied me with the following commands:
groupadd sshonly
useradd -G sshonly -c "Restricted User 1" -M ruser1
echo ruser123|passwd --stdin ruser123
and I got a "passwd: Unknown user name 'ruser123'" error.) Another was that when I successfully logged in under the new user, I couldn't even execute an "ls" command in bash. I had to transfer some binary files over to the new shell (and that turned out to be a bit of fun, as I kept getting "error while loading shared libraries" errors as I tried to copy some basic binary files like "ls" and "vi" over.)
But the end result is a shell that my new user can log into and has no access to the rest of the server via SSH, but with access to some useful binary files. Nice job. Oh, and just to give you the heads-up: I may post to this question again to see if I can get your attention on the next server question I have.
Thanks a million!
What do you want the user to be able to do once they get access?