SSH jailed or not?

Hi,

We want to configure an SSH user account.

It is very important that this SSH account does not have any rights other than its own account.

However, this account must have the possibility to use certain commands like 'wget, unzip, chmod, chown' etcetera.

Is this possible when using the 'jail account' option? Are there certain things to keep in mind or to make sure are set?

As of now, we have never created such an account. All advice and comments are welcome. Thanks.
 
You can jail SSH using custombuild, but it's very restrictive and doesn't include a lot of commands you need. We offer jailed SSH to everyone on our servers because we no longer offer FTP.

There are plenty of tutorials on the net about restricting users and applications etc... in SSH.
 
thanks guys!

I already installed jailed ssh with custombuild and put some more binaries in the files.list - it works great!

When I log in with the user I only see "bash-3.2$" and not which directory I am in. Can I change that?

Thanks!
 
Yes. Find the main bash configuration files (are they in /etc ?) and copy them into your jailed /etc configuration file, or into the local .bash configuration file, both per user.

Jeff
 
> Yes. Find the main bash configuration files (are they in /etc ?) and copy them into your jailed /etc configuration file, or into the local .bash configuration file, both per user.

I tried and it doesn't seem to work :(
 
Put the following line in /etc/profile

export PS1="[\u@\h:\w]# "

You might need to put it in /home/user/.profile or /home/user/.bashrc
 
> Put the following line in /etc/profile
>
> export PS1="[\u@\h:\w]# "
>
> You might need to put it in /home/user/.profile or /home/user/.bashrc

I tried everywhere:

/etc/profile
/etc/bashrc
/home/jailed_user/etc/profile
/home/jailed_user/etc/bashrc
/home/jailed_user/.profile
/home/jailed_user/.bashrc

It does not work for jailed users! It seems that /bin/jail doesn't load any of these files...
 
What if you just type:

PS1="[\u@\h:\w]# "

Does that change it?
 
I don't know, it probably doesn't even look at those files lol.
 
Does anyone have a solution for this problem? How can I change the prompt for jailed users?
 
Well, if the shell isn't told to read bashrc or profiles then you are out of luck. You can edit the C code before compiling maybe so that it will read one of those files. Good luck.
 
I guess there is a bug... The script jail_user.sh from DA explicitly creates .bash_profile. Why would they do so if the file is not loaded? Would any developer care to comment on this?
 
I believe it was assumed that the shell would find it, since it does for non-jailed cases. Basically, we just copied a regular home environment as explicitly as we could into the jailed home. I'm not overly familiar with the shell's inner workings on this, so if anyone knows what needs to be set/called, let me know and I can make the changes to the C code or jail_user.sh script.

John
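
Added example (not part of the thread and not DirectAdmin code): bash reads /etc/profile and ~/.bash_profile only when it is started as a login shell, and ~/.bashrc only when it is started as an interactive non-login shell, resolving ~ through HOME in both cases; "bash-3.2$" is the built-in default prompt that appears when none of those files set PS1. The script below checks which per-user file gets loaded in each mode; the temporary home directory and the JAIL_MARK variable are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: which per-user startup file does bash read in each mode?
# The temporary home directory and JAIL_MARK are constructed for this demo.

# Build a throwaway home directory holding both per-user startup files.
make_demo_home() {
    local home
    home=$(mktemp -d) || return 1
    echo 'JAIL_MARK=bash_profile' > "$home/.bash_profile"
    echo 'JAIL_MARK=bashrc'       > "$home/.bashrc"
    printf '%s\n' "$home"
}

# startup_file_loaded HOME_DIR [bash options...]
# Starts bash with a clean environment and the given options, then reports
# which startup file set JAIL_MARK ("none" if neither file was read).
# stdin comes from /dev/null so bash cannot mistake the run for a remote
# session, and only the marker line is kept in case /etc/profile prints.
startup_file_loaded() {
    local home=$1
    shift
    env -i HOME="$home" PATH="$PATH" \
        bash "$@" -c 'printf "startup=%s\n" "${JAIL_MARK:-none}"' \
        </dev/null 2>/dev/null | sed -n 's/^startup=//p' | tail -n 1
}

demo() {
    local home
    home=$(make_demo_home) || return 1
    # Non-login, non-interactive: neither file is read.
    echo "no flags            : $(startup_file_loaded "$home")"
    # Login shell: /etc/profile, then the first of ~/.bash_profile,
    # ~/.bash_login, ~/.profile that exists.
    echo "--login             : $(startup_file_loaded "$home" --login)"
    # Interactive non-login shell: ~/.bashrc.
    echo "-i                  : $(startup_file_loaded "$home" -i)"
    # Login shell whose HOME does not point at the directory with the files.
    echo "--login, wrong HOME : $(startup_file_loaded /nonexistent --login)"
    rm -rf "$home"
}

demo
```

To apply this to a jail, check how the wrapper starts bash (login flag or not) and what HOME is inside the jail, since those two things decide whether a PS1 line in any of the files listed above is ever executed.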
 
After install of the jailed SSH I created a user and tested it.

Question 1:
I get this error when executing jail_user.sh:
cp: cannot stat `/usr/local/directadmin/custombuild/jail/su': No such file or direct

When I create the su directory in the jail directory this error is gone but then it says something about omitting an empty su directory.

Am I doing something wrong ?

Question 2:
I want to add some commands. For example wget. When I add it to files.list what do I have to run then so that it comes to the user jailshell ?
 
wget could be dangerous, as could scp. Be careful on what you add - and test it before you release to the client.

We've successfully added programs, by copying them from their respective /bin directory to the /username/bin directory. After that's done, it needs to be added to the files.list in /usr/local/directadmin/custombuild/jail. Then, the jail_user.sh script needs to be re-run for that user.

Hope that helps.
 