- First adapt the APPS variable in ssh-chroot-jail.sh to your needs and choose which commands will be available to your jailed users. Keep setuid binaries out of the list: a setuid-root program inside a chroot gives a way out of it.
- Adapt JAIL_PATH too; it must be the same value in ssh-chroot-jail.sh and add-user.sh.
- ./ssh-chroot-jail.sh (as root: it creates device nodes, edits sshd_config and restarts ssh)
- ./add-user.sh prisoner <password> <type> (type 1 = sftp-only jail, type 2 = ssh shell jail; see the usage header in add-user.sh)
- tada !
-
-
Chroot Jail for SSH/SFTP Access toolkit
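#!/bin/bash
# add-user.sh - create a "prisoner" account for the jail built by ssh-chroot-jail.sh
#
# USAGE : ./add-user.sh <username> <password> <type>
#   Type 1 : sftp jailed user (group sftpjailed, chrooted to $JAIL_PATH/home/<username>)
#   Type 2 : ssh  jailed user (group sshjailed,  chrooted to $JAIL_PATH)
#
# The password can be given as the second argument (original interface) or,
# when that argument is empty and stdin is not a terminal, piped on stdin:
#   pwgen -Bsv 16 1 | ./add-user.sh prisoner '' 2
# Prefer stdin: a password on the command line is visible to every local user
# in `ps` and ends up in the shell history.
#
# Must be run as root (useradd/chpasswd). Exits non-zero on any error.
set -u

# Set your jail path wherever you want. Must match JAIL_PATH in ssh-chroot-jail.sh.
JAIL_PATH=/home/www/

die() { printf '%s\n' "$*" >&2; exit 1; }

NEW_USER=${1:-}
PASS=${2:-}
TYPE=${3:-}

[[ -n "$NEW_USER" ]] || die "you have to provide a user name"
# The name is spliced into filesystem paths below, and mkdir -p ran even when
# useradd rejected the name; only accept the portable user-name charset.
[[ "$NEW_USER" =~ ^[a-z_][a-z0-9_-]*\$?$ ]] || die "invalid user name: $NEW_USER"

if [[ -z "$PASS" && ! -t 0 ]]; then
  # keep the secret off argv when the caller pipes it in
  IFS= read -r PASS
fi
[[ -n "$PASS" ]] || die "Password is missing"

case "$TYPE" in
  1) GROUP=sftpjailed ;;
  2) GROUP=sshjailed ;;
  *)
    printf '%s\n' "You have to select jail type" \
      "1 : sftp jailed user | 2 : ssh jailed user" >&2
    exit 1
    ;;
esac

(( EUID == 0 )) || die "this script must be run as root"
getent group "$GROUP" >/dev/null || die "group $GROUP does not exist; run ssh-chroot-jail.sh first"
[[ -d "$JAIL_PATH/etc" ]] || die "no jail found at $JAIL_PATH; run ssh-chroot-jail.sh first"

# getent does an exact lookup; `grep $USER /etc/passwd` also matched substrings
# (bob vs. bobby) and any gecos/home field containing the name.
if getent passwd "$NEW_USER" >/dev/null; then
  die "user already exists"
fi

# All the steps below have to be done for every user we want to chroot.
# The home is /home/<user> because, at login, the user is already inside the
# jail and that is the path sshd/bash will see.  No -p here: the hash is set
# by chpasswd so neither the password nor its hash appears on a command line,
# and chpasswd uses the system's default crypt method (SHA-512 on Debian via
# /etc/login.defs) instead of the MD5-crypt `openssl passwd -1` produced.
useradd -G "$GROUP" -d "/home/$NEW_USER" -s /bin/bash "$NEW_USER" || die "useradd failed"
printf '%s:%s\n' "$NEW_USER" "$PASS" | chpasswd || die "chpasswd failed"
echo "Password : ${PASS}"

mkdir -p "$JAIL_PATH/home/$NEW_USER"
if [[ "$TYPE" == 2 ]]; then
  # ssh jail: the ChrootDirectory is $JAIL_PATH itself, so the home directory
  # inside it may belong to the user; otherwise the shell starts in a
  # directory the user cannot write to.
  chown "$NEW_USER" "$JAIL_PATH/home/$NEW_USER"
else
  # sftp jail: this directory IS the ChrootDirectory.  sshd requires it to be
  # root-owned and not writable by anyone else, so it stays root:755; create a
  # user-owned subdirectory inside it if the account needs to upload files.
  chown root:root "$JAIL_PATH/home/$NEW_USER"
  chmod 755 "$JAIL_PATH/home/$NEW_USER"
fi

# Create or update the minimal '/etc/passwd' of the chrooted environment so
# bash can map the uid to a name (fixes "I have no name!" in the prompt).
getent passwd "$NEW_USER" >> "$JAIL_PATH/etc/passwd"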
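#!/bin/bash
# Copy the shared libraries a dynamically linked executable needs into a
# chroot jail, keeping their directory layout under $BASE.
# ----------------------------------------------------------------------------
# Written by nixCraft <http://www.cyberciti.biz/tips/>
# (c) 2006 nixCraft under GNU GPL v2.0+
# + Added ld-linux support
# + Added error checking support
# ------------------------------------------------------------------------------
# See url for usage:
# http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
# -------------------------------------------------------------------------------
# Usage: l2chroot /path/to/executable
#
# BASE can be overridden from the environment (BASE=/jail l2chroot /bin/ls);
# the default matches JAIL_PATH in ssh-chroot-jail.sh.
#
# SECURITY: ldd may run the target binary under a special loader environment
# to list its dependencies; only point this at trusted system binaries.
BASE="${BASE:-/home/www}"

if [[ $# -eq 0 ]]; then
  echo "Syntax : $0 /path/to/executable"
  echo "Example: $0 /usr/bin/php5-cgi"
  exit 1
fi
bin=$1
[[ -f "$bin" ]] || { echo "$bin: no such file" >&2; exit 1; }
[[ -d "$BASE" ]] || mkdir -p "$BASE"

# ldd prints "name => /path (addr)" for real libraries, "linux-vdso.so.1 => (addr)"
# for the virtual one, "name => not found" for unresolved ones and
# "/lib64/ld-linux... (addr)" for the loader.  A static binary makes ldd fail.
ldd_out=$(ldd "$bin" 2>/dev/null) || { echo "$bin: not a dynamic executable, nothing to copy"; exit 0; }

echo "Copying shared files/libs to $BASE..."
# Emit "<name>\t<path>" for every "=>" line that is not the vdso; the path is
# empty when ldd could not resolve the library, so we can warn by name.
while IFS=$'\t' read -r name lib; do
  if [[ -z "$lib" || ! -f "$lib" ]]; then
    echo "warning: $name not found on this host, skipping" >&2
    continue
  fi
  dir=$(dirname "$lib")
  [[ -d "$BASE$dir" ]] || mkdir -p "$BASE$dir"
  /bin/cp "$lib" "$BASE$dir"
done < <(printf '%s\n' "$ldd_out" |
  awk '$2 == "=>" && $3 !~ /^\(/ { print $1 "\t" ($3 ~ /^\// ? $3 : "") }')

# The dynamic loader is listed without "=>" (/lib/ld-linux* or /lib64/ld-linux*);
# copy it to the same sub-directory inside the jail.
loader=$(printf '%s\n' "$ldd_out" | awk '/ld-linux/ { print $1; exit }')
if [[ -n "$loader" && -f "$loader" && ! -f "$BASE$loader" ]]; then
  ldir=$(dirname "$loader")
  echo "Copying $loader $BASE$ldir..."
  # the original relied on the caller having created lib64; create it here
  [[ -d "$BASE$ldir" ]] || mkdir -p "$BASE$ldir"
  /bin/cp "$loader" "$BASE$ldir"
fi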
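#!/bin/bash
# Chroot Jail for SSH & SFTP Access
# Tested on Debian GNU/Linux 8 (jessie)
# But should work for Ubuntu 14.04 please check here : https://gist.github.com/floudet/17c44b5c4d3ea916b39d7a132ec0575a
# Reference : http://allanfeid.com/content/creating-chroot-jail-ssh-access
#
# Had to add/change several things to make it work, including:
# - create lib64 folder
# - copy whoami dependencies that ldd doesn't show to fix 'I have no name!'
#   in the customized prompt + create passwd file
#
# EDIT 11/04/17 by @askz :
# - Check if the current copied binary have library dependencies
# - Add some variables to make the jail more flexible and customizable
# - Separate prisoner creation in another script
# - Auto add config for sshjailed group in sshd_config
#
# /!\ All the commands below are typed as root
#
# Usage: ./ssh-chroot-jail.sh [debug]
# Builds the jail under $JAIL_PATH, installs l2chroot (expected next to this
# script), appends the Match blocks to sshd_config and creates the two groups.
# Re-running is safe: existing directories, device nodes, groups and the
# sshd_config blocks are left alone.
set -u

die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ "${1:-}" == "debug" ]]; then
  echo "Entering debugging mode (set -x)"
  set -x
fi

(( EUID == 0 )) || die "this script must be run as root"

# Commands the jailed users get; each is copied by path together with its
# libraries.  Keep setuid/setcap binaries out of the list: a setuid-root
# program inside a chroot is the classic aid for breaking out of it, and cp
# does not carry file capabilities across anyway (so ping, kept here from the
# original list, will likely not work for non-root users inside the jail).
APPS="bash cat cp touch grep ls mkdir ping ps rm sed tar env find git htop nano php rsync scp sftp top unzip vi whoami zip"
JAIL_PATH=/home/www
SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)

# Setup the jail directories.  sshd refuses ChrootDirectory unless every path
# component is root-owned and not group/world writable, so pin that here
# rather than relying on whatever /home/www happened to be before.
mkdir -p "$JAIL_PATH"/{dev,etc,lib,lib64,usr/bin,bin,usr/share,home}
chown root:root "$JAIL_PATH"
chmod 755 "$JAIL_PATH"

# Create null device node (mknod fails if it already exists)
[[ -c "$JAIL_PATH/dev/null" ]] || mknod -m 666 "$JAIL_PATH/dev/null" c 1 3
# NOTE(review): tools that need randomness (ssh/scp, git over TLS) may also
# want /dev/urandom inside the jail; not added here to keep the original
# device set — confirm per tool.

# Copy minimum files
cp /etc/ld.so.{cache,conf} "$JAIL_PATH/etc/"
cp /etc/nsswitch.conf "$JAIL_PATH/etc/"
cp /etc/hosts "$JAIL_PATH/etc/"

# Copy every requested command to the same path inside the jail.  The target
# directory is created on demand so binaries outside /bin and /usr/bin work.
for app in $APPS; do
  src=$(command -v "$app") || { echo "warning: $app not found on this host, skipping" >&2; continue; }
  mkdir -p "$JAIL_PATH$(dirname "$src")"
  cp "$src" "$JAIL_PATH$src"
done

# FHS requires that /bin/sh exists (-f so a re-run does not fail on the link)
ln -sfn bash "$JAIL_PATH/bin/sh"

# Copy library dependencies for the binaries we just copied.
# To find out what we need, 'ldd' can be used, ex: ldd $(which bash)
#   linux-vdso.so.1 => (0x00007ffd4c735000)
#   libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fe0cce9c000)
#   libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe0ccc98000)
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe0cc8d3000)
#   /lib64/ld-linux-x86-64.so.2 (0x00007fe0cd0c5000)
# To avoid manual copy, the l2chroot script is used.  It ships next to this
# script; the upstream copy is http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
[[ -f "$SCRIPT_DIR/l2chroot" ]] || die "l2chroot not found in $SCRIPT_DIR"
cp "$SCRIPT_DIR/l2chroot" /usr/local/sbin/l2chroot
chmod 744 /usr/local/sbin/l2chroot
# Point l2chroot's BASE at our jail.  The original substituted "/webroot",
# which does not occur in the bundled l2chroot (its BASE is /home/www), so the
# jail path only matched by coincidence; rewrite the assignment itself.
sed -i "s@^BASE=.*@BASE=\"${JAIL_PATH}\"@" /usr/local/sbin/l2chroot

# copy library dependencies (with l2chroot)
for app in $APPS; do
  src=$(command -v "$app") || continue
  l2chroot "$src"
done

# Additional dependencies for displaying the name of our user in its prompt:
# the NSS modules are dlopen()ed by libc, so ldd does not list them.
# Paths are those of Debian 8 amd64; adjust for other architectures.
nss_dir=/lib/x86_64-linux-gnu
mkdir -p "$JAIL_PATH$nss_dir"
for lib in "$nss_dir"/libnsl.so.1 "$nss_dir"/libnss_*; do
  [[ -e "$lib" ]] && cp "$lib" "$JAIL_PATH$nss_dir/"
done

# Configure sshd to chroot the users
sed -i 's/Subsystem sftp \/usr\/lib\/openssh\/sftp-server/Subsystem sftp internal-sftp/g' /etc/ssh/sshd_config
# Match blocks must come last in sshd_config, hence the append; guard against
# adding a second copy on re-runs.  Agent forwarding is denied alongside X11
# and TCP forwarding: a jailed account has no business relaying credentials.
if ! grep -q '^Match group sshjailed' /etc/ssh/sshd_config; then
cat <<EOF >> /etc/ssh/sshd_config
Match group sshjailed
    ChrootDirectory ${JAIL_PATH}/
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
Match group sftpjailed
    ChrootDirectory ${JAIL_PATH}/home/%u
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    ForceCommand internal-sftp
EOF
fi

# Setup group for SSH & SFTP jailed users (before sshd reloads its config)
getent group sshjailed >/dev/null || groupadd sshjailed
getent group sftpjailed >/dev/null || groupadd sftpjailed

# Validate the config before restarting: a broken sshd_config would otherwise
# take sshd down and lock us out of the box.
/usr/sbin/sshd -t || die "sshd_config failed validation; NOT restarting ssh"
service ssh restart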