Solved

Unable to Log In Via SSH

Posted on 2014-02-13
Last Modified: 2014-02-21
Hello Experts:

Please see http://www.experts-exchange.com/OS/Linux/Q_28358891.html for background on this issue.

The parameters have changed to the original question.  I need to know how to create a jailed environment for a user in a directory which makes no mention of the user name, such as /home/account/public_html/somesite.

Thank you.
Question by:OmniUnlimited
13 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39858132
It should have been clear from the other question that SSH is not made for what you want to do.  It is essentially a secure replacement for 'telnet' with some additional features.  

What do you want the user to be able to do once they get access?
0
 
LVL 17

Author Comment

by:OmniUnlimited
ID: 39858188
Hi Dave,

Unfortunately, your statement contradicts the statement made at the end of the previous question by the expert that was helping me.  He seems to think that this is entirely possible, but since the parameters of my original question changed, he asked me to open a new one.

The fact is we have already achieved a "jailed" environment for the SSH user.  My current problem is simply that the jailed directory is not the one I want.
0
 
LVL 3

Expert Comment

by:cristiantm
ID: 39858654
I think what Dave means is that what you want now has nothing to do with ssh. The question is about jailing. I suggest you change the title so you get more experts to help; I suggest "Create a jailing directory that does not contain the username"
0
 
LVL 17

Author Comment

by:OmniUnlimited
ID: 39859021
Hi cristiantm,

Not to be contrary as well, but if you review the last question carefully, this has everything to do with SSH.  As reported on the previous question, I cannot SSH into the proper directory in a jailed environment.  This is why my question states in the beginning: "Please see http://www.experts-exchange.com/OS/Linux/Q_28358891.html for background on this issue."
0
 
LVL 29

Expert Comment

by:serialband
ID: 39861562
What exactly do you want the directory to be?  You could set the user's home directory to just / (slash), or whatever else you want.  Maybe you can create a hardlink to the user's actual home directory and make it some innocuous name and jail the user to that.

ln /home/account/public_html/somesite  /MY_SITE

Then set up the chroot to /MY_SITE
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39862226
Did you follow the instructions to create the jail environment? You can set the desired home directory for any particular user.

http://www.experts-exchange.com/OS/Linux/Q_28358891.html#a39857444

ssh tom@rhel6
Last login: Sat Feb 15 22:51:30 2014 from 192.168.10.5
$ pwd
/public_html/siteA
$ cd ../../
$ pwd
/

#grep tom /etc/passwd
tom:x:506:508::/public_html/siteA:/bin/bash
#id tom
uid=506(tom) gid=508(tom) groups=508(tom),506(biz),512(sshonly)

0
 
LVL 17

Author Comment

by:OmniUnlimited
ID: 39864893
@serialband: I want the home directory to be /home/account/public_html/somesite

@Mazdajai: Thanks for your participation again.  So are you saying that in step two of your instructions, I can do this?

Match Group sshonly
ChrootDirectory /home/account/public_html/somesite
AllowTcpForwarding no
X11Forwarding no 


or would it be more like setting up step two like this:

Match Group sshonly
ChrootDirectory /home/account/public_html
AllowTcpForwarding no
X11Forwarding no 


and step three like this?

mkdir -p /home/account/public_html/somesite
chown ruser1.ruser1 /home/account/public_html/somesite
chmod 700 /home/account/public_html/somesite
setenforce 0
mkdir /home/account/public_html/{dev,bin,lib64}
cp -p /bin/bash /home/account/public_html/bin 

0
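Added example, not part of the thread: sshd refuses a session when any component of the ChrootDirectory path is not a root-owned directory or is writable by group or others, which bears on both sshd_config variants asked about above. This shell sketch reports the offending components; the function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-check a directory against the rule
# sshd enforces for ChrootDirectory: every path component must be a directory
# owned by root (uid 0) and not writable by group or others.

# component_ok MODE UID: succeed if one component passes. MODE is the
# permission string printed by `ls -l` (e.g. drwxr-xr-x), UID is numeric.
component_ok() {
    case $1 in
        d*) ;;
        *) return 1 ;;                    # not a directory
    esac
    case $1 in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable
    esac
    [ "$2" = 0 ]                          # must be owned by root
}

# check_chroot_path DIR: walk DIR and each parent up to /, print every
# component that sshd would reject, return 1 if any was found.
check_chroot_path() {
    case $1 in
        /*) dir=$1 ;;
        *) echo "not an absolute path: $1" >&2; return 2 ;;
    esac
    bad=0
    while :; do
        # "$dir/." resolves a symlinked component to the directory it names.
        if info=$(ls -ldn "$dir/." 2>/dev/null); then
            mode=${info%% *}
            uid=$(printf '%s\n' "$info" | awk '{print $3}')
            component_ok "$mode" "$uid" ||
                { echo "BAD $dir mode=$mode uid=$uid"; bad=1; }
        else
            echo "BAD $dir (missing or not a directory)"; bad=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return "$bad"
}

# Usage: sh check_chroot.sh /home/account/public_html/somesite
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

A directory that has been chown'ed to the jailed user and set to mode 700 is reported here, because the owner is not root.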
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39872333
No, you did not need to change the ChrootDirectory directive in sshd_config.

Follow my previous instructions and modify the user home directory to /public_html/siteA.

#grep tom /etc/passwd
tom:x:506:508::/public_html/siteA:/bin/bash

0
 
LVL 17

Author Comment

by:OmniUnlimited
ID: 39872392
Hi Mazdajai!

Boy, did you have me worried.  I thought you left me. :P

Follow my previous instructions and modify the user home directory to /public_html/siteA.

Do I do this in the /etc/passwd file?
0
 
LVL 21

Accepted Solution

by:
Mazdajai earned 500 total points
ID: 39872398
Sure, or with a better method - usermod:
usermod -d '/public_html/siteA' ruser1

0
 
LVL 17

Author Comment

by:OmniUnlimited
ID: 39872403
Ah, ok.  Will do that and get back to you.  Thanks!
0
 
LVL 29

Expert Comment

by:serialband
ID: 39872457
ln means link so you will still have /home/account/public_html/somesite, but you will also have /MY_SITE .  They are linked and refer to the same directory.
0
 
LVL 17

Author Closing Comment

by:OmniUnlimited
ID: 39878471
Thanks Mazdajai!  Man, you really know your servers!  It was quite a battle for me, there were a few glitches in setting this up (one was that you supplied me with the following commands:
groupadd sshonly
useradd -G sshonly -c "Restricted User 1" -M ruser1
echo ruser123|passwd --stdin ruser123

and I got a "passwd: Unknown user name 'ruser123'" error.)

Another was that when I successfully logged in under the new user, I couldn't even execute an "ls" command in bash.  I had to transfer some binary files over to the new shell (and that turned out to be a bit of fun as I kept getting "error while loading shared libraries" errors as I tried to copy some basic binary files like "ls" and "vi" over.)

But, the end result is a shell that my new user can log into and has no access to the rest of the server via SSH, but with access to some useful binary files.  Nice job.  Oh, and just to give you the heads-up: I may post to this question again to see if I can get your attention on the next server question I have.

Thanks a million!
0
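Added example, not part of the thread: the "error while loading shared libraries" messages described in the closing comment appear when a binary is copied into the jail without the shared objects it links against. This shell sketch copies a binary together with every library ldd reports, keeping the same paths under the jail; the function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): populate a chroot jail with a binary
# and the shared libraries it needs.
# ldd may run code from the file it inspects, so point it only at trusted
# system binaries such as /bin/ls or /bin/bash.

# list_libs BIN: print the absolute paths of the shared objects BIN loads,
# including the dynamic loader itself. Prints nothing for a static binary.
list_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }  # libc.so.6 => /lib64/libc.so.6 (0x..)
        $1 ~ /^\//               { print $1 }  # /lib64/ld-linux-x86-64.so.2 (0x..)
    ' | sort -u
}

# install_in_jail JAIL BIN: copy BIN and its libraries below JAIL so that
# /bin/ls becomes JAIL/bin/ls, /lib64/libc.so.6 becomes JAIL/lib64/libc.so.6.
install_in_jail() {
    jail=$1 bin=$2
    [ -x "$bin" ] || { echo "no such executable: $bin" >&2; return 1; }
    for f in "$bin" $(list_libs "$bin"); do
        mkdir -p "$jail$(dirname "$f")" || return 1
        # -L copies the file a library symlink points to, -p keeps its mode.
        cp -pL "$f" "$jail$f" || return 1
    done
}

# Usage: sh jail_add.sh <chroot-dir> /bin/ls
if [ $# -eq 2 ]; then install_in_jail "$1" "$2"; fi
```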
