Solved

Unable to Log In Via SSH

Posted on 2014-02-13
373 Views
Last Modified: 2014-02-21
Hello Experts:

Please see http://www.experts-exchange.com/OS/Linux/Q_28358891.html for background on this issue.

The parameters have changed to the original question.  I need to know how to create a jailed environment for a user in a directory which makes no mention of the user name, such as /home/account/public_html/somesite.

Thank you.
Question by:OmniUnlimited
13 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
It should have been clear from the other question that SSH is not made for what you want to do.  It is essentially a secure replacement for 'telnet' with some additional features.  

What do you want the user to be able to do once they get access?
0
 
LVL 17

Author Comment

by:OmniUnlimited
Hi Dave,

Unfortunately, your statement contradicts the statement made at the end of the previous question by the expert that was helping me.  He seems to think that this is entirely possible, but since the parameters of my original question changed, he asked me to open a new one.

The fact is we have already achieved a "jailed" environment for the SSH user.  My current problem is simply that the jailed directory is not the one I want.
0
 
LVL 3

Expert Comment

by:cristiantm
I think what Dave means is that what you want now has nothing to do with ssh. The question is about jailing. I suggest you change the title so you get more experts to help; I suggest "Create a jailing directory that does not contain the username"
0
 
LVL 17

Author Comment

by:OmniUnlimited
Hi cristiantm,

Not to be contrary as well, but if you review the last question carefully, this has everything to do with SSH.  As reported on the previous question, I cannot SSH into the proper directory in a jailed environment.  This is why my question states in the beginning: "Please see http://www.experts-exchange.com/OS/Linux/Q_28358891.html for background on this issue."
0
 
LVL 27

Expert Comment

by:serialband
What exactly do you want the directory to be?  You could set the user's home directory to just / (slash), or whatever else you want.  Maybe you can create a hardlink to the user's actual home directory and make it some innocuous name and jail the user to that.

ln /home/account/public_html/somesite  /MY_SITE

Then set up the chroot to /MY_SITE
0
 
LVL 21

Expert Comment

by:Mazdajai
Did you follow the instructions to create the jail environment? You can set the desired home directory for any particular user.

http://www.experts-exchange.com/OS/Linux/Q_28358891.html#a39857444

ssh tom@rhel6
Last login: Sat Feb 15 22:51:30 2014 from 192.168.10.5
$ pwd
/public_html/siteA
$ cd ../../
$ pwd
/

#grep tom /etc/passwd
tom:x:506:508::/public_html/siteA:/bin/bash
#id tom
uid=506(tom) gid=508(tom) groups=508(tom),506(biz),512(sshonly)

0

 
LVL 17

Author Comment

by:OmniUnlimited
@serialband: I want the home directory to be /home/account/public_html/somesite

@Mazdajai: Thanks for your participation again.  So are you saying that in step two of your instructions, I can do this?

Match Group sshonly
ChrootDirectory /home/account/public_html/somesite
AllowTcpForwarding no
X11Forwarding no 


or would it be more like setting up step two like this:

Match Group sshonly
ChrootDirectory /home/account/public_html
AllowTcpForwarding no
X11Forwarding no 


and step three like this?

mkdir -p /home/account/public_html/somesite
chown ruser1.ruser1 /home/account/public_html/somesite
chmod 700 /home/account/public_html/somesite
setenforce 0
mkdir /home/account/public_html/{dev,bin,lib64}
cp -p /bin/bash /home/account/public_html/bin 

0
 
LVL 21

Expert Comment

by:Mazdajai
No, you did not need to change the ChrootDirectory directive in sshd_config.

Follow my previous instructions and modify the user home directory to /public_html/siteA.

#grep tom /etc/passwd
tom:x:506:508::/public_html/siteA:/bin/bash

0
 
LVL 17

Author Comment

by:OmniUnlimited
Hi Mazdajai!

Boy, did you have me worried.  I thought you left me. :P

Follow my previous instructions and modify the user home directory to /public_html/siteA.

Do I do this in the /etc/passwd file?
0
 
LVL 21

Accepted Solution

by:
Mazdajai earned 500 total points
Sure, or with a better method - usermod:
usermod -d '/public_html/siteA' ruser1

0
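
One way to check a layout like the one in the accepted answer before restarting sshd, as an added example that is not part of the original thread. After the chroot, sshd changes to the home directory from /etc/passwd, so that path must exist under ChrootDirectory, and sshd_config(5) requires every component of the ChrootDirectory path to be root-owned and not writable by group or others. The function name and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. check_chroot is a hypothetical helper.
# Usage (hypothetical jail path): check_chroot /home/jail /public_html/siteA

# check_chroot CHROOT HOME
#   CHROOT: the ChrootDirectory value from sshd_config
#   HOME:   the home field from /etc/passwd, resolved inside the chroot
check_chroot() {
    chroot_dir=$1; home=$2; rc=0
    d=$chroot_dir
    # Walk from the chroot up to /, checking owner and write bits of each
    # component. find prints the directory only if all tests pass.
    while :; do
        ok=$(find "$d" -prune -user root ! -perm -020 ! -perm -002 2>/dev/null)
        if [ -z "$ok" ]; then
            echo "unsafe for ChrootDirectory: $d"
            rc=1
        fi
        case $d in
            /|.) break ;;          # reached the top (or a relative path)
        esac
        d=$(dirname "$d")
    done
    # The passwd home must exist below the chroot, or the login cannot
    # start in the intended directory.
    if [ ! -d "$chroot_dir$home" ]; then
        echo "home missing inside jail: $chroot_dir$home"
        rc=1
    fi
    return $rc
}
```

A directory owned by the jailed user, such as a site directory the user must write to, fails the first check if it is used as ChrootDirectory itself; it works as the home directory below a root-owned chroot.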
 
LVL 17

Author Comment

by:OmniUnlimited
Ah, ok.  Will do that and get back to you.  Thanks!
0
 
LVL 27

Expert Comment

by:serialband
ln means link so you will still have /home/account/public_html/somesite, but you will also have /MY_SITE .  They are linked and refer to the same directory.
0
 
LVL 17

Author Closing Comment

by:OmniUnlimited
Thanks Mazdajai!  Man, you really know your servers!  It was quite a battle for me, there were a few glitches in setting this up (one was that you supplied me with the following commands:
groupadd sshonly
useradd -G sshonly -c "Restricted User 1" -M ruser1
echo ruser123|passwd --stdin ruser123

and I got a "passwd: Unknown user name 'ruser123'" error.)

Another was that when I successfully logged in under the new user, I couldn't even execute an "ls" command in bash.  I had to transfer some binary files over to the new shell (and that turned out to be a bit of fun as I kept getting "error while loading shared libraries" errors as I tried to copy some basic binary files like "ls" and "vi" over.)

But, the end result is a shell that my new user can log into and has no access to the rest of the server via SSH, but with access to some useful binary files.  Nice job.  Oh, and just to give you the heads up: I may post to this question again to see if I can get your attention on the next server question I have.

Thanks a million!
0
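
The "error while loading shared libraries" message described in the closing comment typically means a binary was copied into the jail without the libraries it links against. An added example (not part of the original thread) that copies a binary together with the libraries `ldd` reports for it; the function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Usage (hypothetical jail path): jail_binary /home/jail /bin/ls
# Run ldd only on trusted system binaries.

# Constructed sample of `ldd /bin/ls` output (addresses are made up).
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007fff5a1ff000)
	libselinux.so.1 => /lib64/libselinux.so.1 (0x0000003a1c800000)
	libc.so.6 => /lib64/libc.so.6 (0x0000003a1b400000)
	/lib64/ld-linux-x86-64.so.2 (0x0000003a1b000000)'

# ldd_paths: read ldd output on stdin, print each absolute library path once.
# Handles "name => /path (addr)" and "/path (addr)" lines; linux-vdso and
# "not found" entries have no file to copy and are skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | sort -u
}

# copy_into_jail JAIL FILE...: copy each file to the same path under JAIL.
# -L follows symlinks such as libc.so.6 so the real file lands in the jail.
copy_into_jail() {
    jail=$1; shift
    for f in "$@"; do
        mkdir -p "$jail$(dirname "$f")"
        cp -pL "$f" "$jail$f"
    done
}

# jail_binary JAIL BINARY: copy BINARY and every library ldd lists for it.
jail_binary() {
    jail=$1; bin=$2
    # A static binary makes ldd exit non-zero; it then needs no libraries.
    out=$(ldd "$bin" 2>/dev/null) || out=
    libs=$(printf '%s\n' "$out" | ldd_paths)
    # $libs is left unquoted on purpose so each path becomes one argument.
    copy_into_jail "$jail" "$bin" $libs
}
```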
