Thursday, April 26, 2012

rssh chroot jail setup on CentOS 6 64bit

It took me hours to make the rssh chroot jail work; some steps are missing from the rssh documentation. Here is how I made it work. I want to set up an account called "deployer" on host "chroot_host" so that some users can remotely copy files into a directory under /app/platform using passwordless scp. I don't want any user to log on to the host as "deployer".
  1. Install rssh

    sudo yum install rssh

    rssh.x86_64                 2.3.3-2.el6.rf                  @rpmforge-el6-x86_64

  2. Edit /etc/rssh.conf

    # /etc/rssh.conf
    logfacility = LOG_USER

    # only scp is allowed; every other protocol stays disabled
    allowscp
    #allowsftp
    #allowcvs
    #allowrdist
    #allowrsync

    umask = 022

    chrootpath = /app/platform/chroot

    # user=<name>:<umask>:<access bits>:<chroot path>; the five access bits are
    # rsync, rdist, cvs, sftp, scp, so 00001 grants scp only
    user=deployer:011:00001:/app/platform/chroot

  3. Create the user deployer

    sudo /bin/groupadd builder
    sudo /sbin/useradd -g builder -s /usr/bin/rssh -d /app/platform deployer

  4. Create the .ssh folder for deployer and add the public keys to /app/platform/.ssh/authorized_keys

    sudo mkdir /app/platform/.ssh
    sudo cp id_rsa.pub /app/platform/.ssh/authorized_keys

    NOTE: sshd reads authorized_keys from the account's real home directory (/app/platform) during authentication, before rssh enters the chroot, so the keys belong there and not inside the jail. /app/platform, .ssh and authorized_keys must not be group- or world-writable, or sshd's StrictModes check rejects the key.

  5. Create the chroot jail

    sudo /usr/share/doc/rssh-2.3.3/mkchroot.sh /app/platform/chroot/

    NOTE: The trailing "/" is required; without it the script creates a folder named "/app/platform/chroot." (with a trailing dot).

  6. Create /dev/null inside the jail

    sudo mkdir -p /app/platform/chroot/dev
    sudo mknod -m 666 /app/platform/chroot/dev/null c 1 3

  7. Create bin and copy /bin/sh

    sudo mkdir /app/platform/chroot/bin
    sudo cp /bin/sh /app/platform/chroot/bin

  8. Copy all files in /lib64 to /app/platform/chroot/lib64

    sudo cp /lib64/* /app/platform/chroot/lib64

    NOTE: Some of the library files are surely not needed, but I don't know which ones should be kept.

  9. Create the home directory in the chroot jail

    sudo mkdir -p /app/platform/chroot/home/deployer
    sudo chown deployer:builder /app/platform/chroot/home/deployer

  10. Edit the jailed /app/platform/chroot/etc/passwd to change the home directory of deployer

    deployer:x:501:34075::/home/deployer:/usr/bin/rssh

  11. Then you can successfully scp a file to the repository

    scp a_file.xml deployer@chroot_host:/repository

    NOTE: Because of the chroot, the remote path /repository is /app/platform/chroot/repository on the host.
Here are the problems I encountered during the setup. Unfortunately, I don't know which step fixed which problem.
  1. "lost connection": you get this generic error whenever anything is wrong.
  2. "Couldn't open /dev/null: No such file or directory": appeared after copying /bin/sh; mknod resolved it.
  3. "unknown user 501": went away after copying all files in /lib64/.
  4. "Could not chdir to home directory: No such file or directory": chroot/home/deployer was not created.
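As an added example (my own script, not the post's commands), here is a POSIX shell version of steps 5 to 10 plus a check for the four failure modes above. It generalizes the post in one respect: instead of copying all of /lib64, it copies only the libraries that ldd reports for each binary, preserving their absolute paths so the dynamic loader finds them inside the jail. It then creates dev/null, the jailed home and a passwd entry with the jailed home, and the check function reports which of the listed problems a jail still has. The jail path, user name and binary list are assumptions passed as arguments; creating the device node needs root.

```shell
#!/bin/sh
# Added example: build a minimal rssh-style chroot from ldd output and check
# it for the errors listed in the post. JAIL/USER/binaries are assumptions
# given on the command line (e.g. /app/platform/chroot deployer /bin/sh).

# Print the shared libraries a binary needs, one absolute path per line.
# Handles both ldd line shapes: "libc.so.6 => /lib64/libc.so.6 (0x..)"
# and the bare loader line "/lib64/ld-linux-x86-64.so.2 (0x..)".
needed_libs() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }
        $1 ~ /^\//               { print $1 }'
}

# Copy a file into the jail at the same absolute path, following symlinks
# so the jail gets the real file instead of a dangling link.
copy_into_jail() {   # jail_root absolute_path
    mkdir -p "$1$(dirname "$2")"
    cp -L "$2" "$1$2"
}

# Build the jail: each binary, only the libraries it links against,
# /dev/null (char 1,3 as in the post), the jailed home and a passwd
# entry whose home field points at the jailed home (steps 9 and 10).
build_jail() {   # jail_root user binary...
    root=$1; user=$2; shift 2
    mkdir -p "$root/dev" "$root/etc" "$root/home/$user"
    for bin in "$@"; do
        copy_into_jail "$root" "$bin"
        for lib in $(needed_libs "$bin"); do
            [ -f "$root$lib" ] || copy_into_jail "$root" "$lib"
        done
    done
    # copy the host passwd line for the user, rewriting the home field
    grep -q "^$user:" "$root/etc/passwd" 2>/dev/null \
        || grep "^$user:" /etc/passwd \
           | awk -F: -v h="/home/$user" 'BEGIN{OFS=":"} {$6=h; print}' \
           >> "$root/etc/passwd"
    # mknod needs root (CAP_MKNOD); report instead of failing when denied
    [ -c "$root/dev/null" ] || mknod -m 666 "$root/dev/null" c 1 3 2>/dev/null \
        || echo "note: could not create $root/dev/null (run as root)"
}

# Check a jail against the errors listed in the post. Prints one
# "MISSING: ..." line per problem and returns 1 if any were found.
check_jail() {   # jail_root user binary...
    root=$1; user=$2; shift 2
    problems=0
    fail() { echo "MISSING: $1"; problems=$((problems + 1)); }
    # "Couldn't open /dev/null": character device 1,3 must exist in the jail
    [ -c "$root/dev/null" ] || fail "$root/dev/null (mknod -m 666 ... c 1 3)"
    # "Could not chdir to home directory": the jailed home must exist
    [ -d "$root/home/$user" ] || fail "$root/home/$user"
    # "unknown user <uid>": the uid must resolve inside the jail, which
    # needs a passwd entry (the post also needed the NSS libraries from /lib64)
    grep -q "^$user:" "$root/etc/passwd" 2>/dev/null \
        || fail "$root/etc/passwd entry for $user"
    # "lost connection" is a catch-all; a missing binary or library is one cause
    for bin in "$@"; do
        [ -x "$root$bin" ] || fail "$root$bin"
        for lib in $(needed_libs "$bin"); do
            [ -f "$root$lib" ] || fail "$root$lib (needed by $bin)"
        done
    done
    [ "$problems" -eq 0 ]
}

# Usage (assumed paths): sh jail.sh /app/platform/chroot deployer /bin/sh /usr/bin/scp
if [ "$#" -ge 3 ]; then
    build_jail "$@" && check_jail "$@"
fi
```

Run it as root against the real jail path after mkchroot.sh, listing every binary rssh will execute in the jail; the check can also be run on its own against an existing jail to see which of the four errors it would still produce.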
