Solved

Unable to Log In Via SSH

Posted on 2014-02-13
381 Views
Last Modified: 2014-02-21
Hello Experts:

Please see http://www.experts-exchange.com/OS/Linux/Q_28358891.html for background on this issue.

The parameters have changed to the original question.  I need to know how to create a jailed environment for a user in a directory which makes no mention of the user name, such as /home/account/public_html/somesite.

Thank you.
0
Question by:OmniUnlimited
13 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39858132
It should have been clear from the other question that SSH is not made for what you want to do.  It is essentially a secure replacement for 'telnet' with some additional features.  

What do you want the user to be able to do once they get access?
0
 
LVL 17

Author Comment

by:OmniUnlimited
ID: 39858188
Hi Dave,

Unfortunately, your statement contradicts the statement made at the end of the previous question by the expert that was helping me.  He seems to think that this is entirely possible, but since the parameters of my original question changed, he asked me to open a new one.

The fact is we have already achieved a "jailed" environment for the SSH user.  My current problem is simply that the jailed directory is not the one I want.
0
 
LVL 3

Expert Comment

by:cristiantm
ID: 39858654
I think what Dave means is that what you want now has nothing to do with ssh. The question is about jailing. I suggest you change the title so you get more experts to help; I suggest "Create a jailing directory that does not contain the username"
0
 
LVL 17

Author Comment

by:OmniUnlimited
ID: 39859021
Hi cristiantm,

Not to be contrary as well, but if you review the last question carefully, this has everything to do with SSH.  As reported on the previous question, I cannot SSH into the proper directory in a jailed environment.  This is why my question states in the beginning: "Please see http://www.experts-exchange.com/OS/Linux/Q_28358891.html for background on this issue."
0
 
LVL 29

Expert Comment

by:serialband
ID: 39861562
What exactly do you want the directory to be?  You could set the user's home directory to just / (slash), or whatever else you want.  Maybe you can create a hardlink to the user's actual home directory and make it some innocuous name and jail the user to that.

ln -s /home/account/public_html/somesite /MY_SITE   # symbolic link: Linux refuses hard links to directories

Then set up the chroot to /MY_SITE
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39862226
Did you follow the instructions to create the jail environment? You can set the desired home directory for any particular user.

http://www.experts-exchange.com/OS/Linux/Q_28358891.html#a39857444

ssh tom@rhel6
Last login: Sat Feb 15 22:51:30 2014 from 192.168.10.5
$ pwd
/public_html/siteA
$ cd ../../
$ pwd
/

#grep tom /etc/passwd
tom:x:506:508::/public_html/siteA:/bin/bash
#id tom
uid=506(tom) gid=508(tom) groups=508(tom),506(biz),512(sshonly)

0
 
LVL 17

Author Comment

by:OmniUnlimited
ID: 39864893
@serialband: I want the home directory to be /home/account/public_html/somesite

@Mazdajai: Thanks for your participation again.  So are you saying that in step two of your instructions, I can do this?

Match Group sshonly
ChrootDirectory /home/account/public_html/somesite
AllowTcpForwarding no
X11Forwarding no 

or would it be more like setting up step two like this:

Match Group sshonly
ChrootDirectory /home/account/public_html
AllowTcpForwarding no
X11Forwarding no 

and step three like this?

mkdir -p /home/account/public_html/somesite
chown ruser1.ruser1 /home/account/public_html/somesite
chmod 700 /home/account/public_html/somesite
setenforce 0
mkdir /home/account/public_html/{dev,bin,lib64}
cp -p /bin/bash /home/account/public_html/bin 

0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39872333
No, you do not need to change the ChrootDirectory directive in sshd_config.

Follow my previous instructions and modify the user home directory to /public_html/siteA.

#grep tom /etc/passwd
tom:x:506:508::/public_html/siteA:/bin/bash

0
 
LVL 17

Author Comment

by:OmniUnlimited
ID: 39872392
Hi Mazdajai!

Boy, did you have me worried.  I thought you left me. :P

Follow my previous instructions and modify the user home directory to /public_html/siteA.

Do I do this in the /etc/passwd file?
0
 
LVL 21

Accepted Solution

by:
Mazdajai earned 500 total points
ID: 39872398
Sure, or with a better method - usermod:
usermod -d '/public_html/siteA' ruser1

0
 
LVL 17

Author Comment

by:OmniUnlimited
ID: 39872403
Ah, ok.  Will do that and get back to you.  Thanks!
0
 
LVL 29

Expert Comment

by:serialband
ID: 39872457
ln means link so you will still have /home/account/public_html/somesite, but you will also have /MY_SITE .  They are linked and refer to the same directory.
0
 
LVL 17

Author Closing Comment

by:OmniUnlimited
ID: 39878471
Thanks Mazdajai!  Man, you really know your servers!  It was quite a battle for me; there were a few glitches in setting this up (one was that you supplied me with the following commands:
groupadd sshonly
useradd -G sshonly -c "Restricted User 1" -M ruser1
echo ruser123|passwd --stdin ruser123

and I got a "passwd: Unknown user name 'ruser123'" error.)

Another was that when I successfully logged in under the new user, I couldn't even execute an "ls" command in bash.  I had to transfer some binary files over to the new shell (and that turned out to be a bit of fun as I kept getting "error while loading shared libraries" errors as I tried to copy some basic binary files like "ls" and "vi" over.)

But, the end result is a shell that my new user can log into and has no access to the rest of the server via SSH, but with access to some useful binary files.  Nice job.  Oh, and just to give you the heads-up: I may post to this question again to see if I can get your attention on the next server question I have.

Thanks a million!
0
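The "error while loading shared libraries" problem from the closing comment comes from copying a dynamically linked binary such as ls into the jail without the libraries it was built against. As an added example (not part of this thread or of Mazdajai's steps), the shell function below copies a binary into a jail root together with every library ldd resolves for it, keeping the same paths inside the jail so the dynamic loader finds them. It assumes a glibc-based Linux host with ldd and GNU cp; the jail root /home/account/public_html in the usage line is taken from the thread, and make_jail_dev needs root because it calls mknod.

```shell
#!/bin/sh
# Added example: populate a chroot jail with a binary and its shared
# libraries. Assumes ldd and GNU cp on a glibc-based Linux host.

copy_with_libs() {
    jail=$1
    bin=$2
    # Keep the binary at the same path inside the jail (/bin/ls -> $jail/bin/ls).
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin" || return 1
    # ldd prints lines such as
    #   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
    #   /lib64/ld-linux-x86-64.so.2 (0x...)
    # Every absolute path on those lines is a file the loader needs.
    ldd "$bin" 2>/dev/null |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        # -L copies the real file, not the symlink, since the target lives outside the jail.
        cp -pL "$lib" "$jail$lib" 2>/dev/null || true
    done
}

# Minimal /dev inside the jail; programs expect /dev/null to exist.
# Requires root (mknod).
make_jail_dev() {
    jail=$1
    mkdir -p "$jail/dev"
    [ -e "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3
}

# Usage when run as a script (jail root from the thread, binaries are examples):
#   sh populate_jail.sh /home/account/public_html /bin/ls /bin/bash
if [ "$#" -ge 2 ]; then
    jail=$1
    shift
    for bin in "$@"; do
        copy_with_libs "$jail" "$bin"
    done
fi
```

After populating the jail, running `ldd` against the copied binary from outside will still report host paths; the real check is logging in as the jailed user and running the command, which is exactly where the missing-library error appeared in the thread. Only copy the few binaries the user genuinely needs: every extra program inside the jail widens what a jailed account can do.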