Running ssh in a chroot'd environment


Copyright 2002, 2003 Andy Barclay
OpenContent License (OPL)

Running ssh in a chroot'd environment
---------------------------------------------
This is the procedure for automating a download from a Unix system
to an NT system.

The download MUST be initiated from the NT system.

The problem
-----------
On the surface this looks like a trivial problem to solve with ssh:
create an account, generate a key pair, give the customer the private key,
and schedule a batch file on the NT box to fetch the file periodically
and put another one back.
Unfortunately this solution has several very nasty security side effects.
Giving someone scp access to a system means giving them ssh access to the
system, because scp is nothing more than a command run over an ssh session.
One can add the "no-pty" option to the entry in .ssh/authorized_keys, but
that really doesn't do much good: no-pty only denies a terminal, not command
execution, and in any case the user can use scp to overwrite authorized_keys
and drop the restriction.

The solution
------------
It seems that the best solution is to take a page from the anonymous
ftp world and run an additional copy of sshd (on a different IP address
or port) inside a chroot'd directory. The user can still run commands,
but only against the handful of binaries and files copied into the jail,
so that set should be kept as small as possible. Testing has shown that
this works quite well.

The procedure on the UNIX box
-----------------------------
1. Decide on a directory to build the chroot'd environment in. Each customer
will have a subdirectory under that spot. I suggest /export/home/scp.
The remainder of this document refers to that directory as SCPDIR.

2. As root, create the chroot environment. The device numbers and library
names below are Solaris's; on another system run ldd on scp1 and sshd1 to
find the equivalent list to copy. Note that the jail gets a copy of the
system's ssh host key, so the customer sees the same host fingerprint on
both ports; keep that copy mode 600 and owned by root.
cd $SCPDIR
mkdir -p bin dev etc sbin usr/lib
ln -s usr/lib lib
cd bin
cp /usr/local/bin/scp1 .
ln -s scp1 scp
cd $SCPDIR/dev
mknod zero c 13 12
cd $SCPDIR/etc
echo "other::1:" >group
echo "root:x:0:1:Super-User:/:/sbin/sh" >passwd
echo "root:NP:11081::::::" >shadow
chmod 400 shadow
cp /etc/ssh_host_key .
chmod 600 ssh_host_key
cp /etc/ssh_host_key.pub .
cp /etc/sshd_config .
cd $SCPDIR/usr/lib
cp /usr/lib/ld.so.1 .
cp /usr/lib/libc.so.1 .
cp /usr/lib/libdl.so.1 .
cp /usr/lib/libmp.so.2 .
cp /usr/lib/libnsl.so.1 .
cp /usr/lib/libsec.so.1 .
cp /usr/lib/libsocket.so.1 .
cp /usr/lib/nss_files.so.1 .
cd $SCPDIR/sbin
cp /sbin/sh .
cp /usr/local/bin/sshd1 .
ln -s sshd1 sshd

3. Create an account by editing the passwd file IN THE CHROOT'd directory

cd $SCPDIR/etc
echo "webgain:x:60100:1:webgain user - scp only:/webgain:/sbin/sh" >>passwd
echo "webgain:NP:11270::::::" >>shadow
mkdir -p $SCPDIR/webgain/.ssh
chmod 750 $SCPDIR/webgain/.ssh
chown 60100:1 $SCPDIR/webgain/.ssh

If the customer must also upload files, give the webgain user ownership of
its home directory as well; if it only downloads, leave the home directory
owned by root so the user cannot add anything to the jail.

NOTE:NOTE:NOTE:NOTE
-------------------
The webgain user MUST NOT have "*LK*" (locked) as its encrypted password in
the jail's shadow file, or the login will be refused even with a valid key.
Either set a real password or, preferably, use "NP" as in the entry above.

4. Generate a key pair (with no passphrase, since the NT batch job will use
it unattended)
$ /usr/local/bin/ssh-keygen1 -f webgain.identity
This writes the private key to webgain.identity and the public key to
webgain.identity.pub.

5. Set up the auto-login feature. Only the PUBLIC key goes into the jail;
the private key is the customer's credential and never goes on this box.
cp webgain.identity.pub $SCPDIR/webgain/.ssh/authorized_keys
chmod 640 $SCPDIR/webgain/.ssh/authorized_keys

6. Create a startup script, /etc/init.d/scponly
----------------------------------
#!/bin/sh
# Start/stop the chroot'd sshd that serves the scp-only customers.
# It listens on its own port so it does not collide with the system sshd.

SCPDIR=/export/home/scp
SCPPORT=220

case "$1" in
  start)
        /bin/echo  "Starting up chroot'd sshd: \c"
        chroot $SCPDIR /sbin/sshd -p $SCPPORT
        echo "done"
        ;;
  stop)
        # sshd writes /etc/sshd.pid relative to the jail, which is
        # $SCPDIR/etc/sshd.pid on the host; the pid itself is a host pid.
        /bin/echo  "Shutting down chroot'd sshd: \c"
        kill `cat $SCPDIR/etc/sshd.pid`
        echo "done"
        ;;
  *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac
exit 0
----------------------------------
and link it into the correct directories
ln -s /etc/init.d/scponly /etc/rc3.d/S90scponly
ln -s /etc/init.d/scponly /etc/rc0.d/K10scponly
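Before starting the jail for a new customer it is worth auditing it for the
mistakes the steps above make easy: a shadow file or host key left readable
by others, a locked (*LK*) shadow entry, a .ssh directory or authorized_keys
that sshd's StrictModes will reject, or the private key copied into
authorized_keys in place of the public one. The script below is an added
example written for this page; it is not part of the original procedure nor
of any ssh distribution. It assumes only the layout built above (the file
names, an ssh1-format authorized_keys whose public-key lines read
"<bits> <exponent> <modulus>", optionally preceded by options such as no-pty,
and the ssh1 private key banner "SSH PRIVATE KEY FILE FORMAT 1.1"), and it
reads permissions from ls -ld rather than stat(1) so that it runs on Solaris
as well as Linux. The jail path and user name are arguments; the values in
the usage line are the ones used in this document.

```shell
#!/bin/sh
# jailcheck.sh - audit a chroot'd sshd jail built by the procedure above.
# Added example, not part of the original document.
# Usage: sh jailcheck.sh /export/home/scp webgain

FAILS=0

# Report one problem and count it.
fail() { echo "FAIL: $*"; FAILS=$((FAILS + 1)); }

# First ten characters of `ls -ld`, e.g. "-rw-------" (portable, no stat(1)).
perm_str() { ls -ld "$1" | cut -c1-10; }

# Numeric uid of a file's owner.
owner_uid() { ls -ldn "$1" | awk '{ print $3 }'; }

# 0 if the file grants nothing to group or other (modes such as 400, 600, 700).
private_mode() {
    case "$(perm_str "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# 0 if neither group nor other may write, which is what StrictModes requires.
not_group_other_writable() {
    case "$(perm_str "$1")" in
        ?????w????|????????w?) return 1 ;;
        *)                     return 0 ;;
    esac
}

# pw_field FILE USER N: field N of USER's colon-separated entry, empty if absent.
pw_field() { awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"; }

# jail_check JAIL USER: returns 0 if the jail looks right, 1 otherwise.
jail_check() {
    jail=$1 user=$2
    FAILS=0

    # 1. Everything sshd and scp need inside the jail must be present.
    for f in etc/passwd etc/group etc/shadow etc/sshd_config \
             etc/ssh_host_key dev/zero bin/scp sbin/sshd; do
        [ -e "$jail/$f" ] || fail "$jail/$f is missing"
    done

    # 2. Secrets must be readable by root only (the chmod 400 / chmod 600 steps).
    for f in etc/shadow etc/ssh_host_key; do
        if [ -e "$jail/$f" ] && ! private_mode "$jail/$f"; then
            fail "$jail/$f is readable by group or other"
        fi
    done

    # 3. The customer's account exists in the jail and is not locked (*LK*).
    uid=$(pw_field "$jail/etc/passwd" "$user" 3)
    home=$(pw_field "$jail/etc/passwd" "$user" 6)
    [ -n "$uid" ] || fail "no $user entry in $jail/etc/passwd"
    case "$(pw_field "$jail/etc/shadow" "$user" 2)" in
        "")     fail "no $user entry in $jail/etc/shadow" ;;
        '*LK*') fail "$user is locked (*LK*) in $jail/etc/shadow; use NP or a real password" ;;
    esac

    # 4. Home, .ssh and authorized_keys as StrictModes wants them: owned by
    #    the user or root, and not writable by group or other.
    if [ -n "$home" ]; then
        for d in "$jail$home" "$jail$home/.ssh"; do
            if [ ! -d "$d" ]; then
                fail "$d is missing"
            else
                o=$(owner_uid "$d")
                [ "$o" = "$uid" ] || [ "$o" = 0 ] || fail "$d is owned by uid $o, not $uid or root"
                not_group_other_writable "$d" || fail "$d is writable by group or other"
            fi
        done
        ak="$jail$home/.ssh/authorized_keys"
        if [ ! -f "$ak" ]; then
            fail "$ak is missing"
        else
            not_group_other_writable "$ak" || fail "$ak is writable by group or other"
            # An ssh1 private key file starts with this banner; it must never be here.
            if grep -q 'SSH PRIVATE KEY FILE FORMAT' "$ak"; then
                fail "$ak contains a PRIVATE key; copy the .pub file instead"
            fi
            # An ssh1 public key line is "<bits> <exponent> <modulus> [comment]",
            # optionally preceded by options such as no-pty.
            grep -q '[0-9][0-9]* [0-9][0-9]* [0-9][0-9]*' "$ak" \
                || fail "$ak holds no ssh1 public key line"
        fi
    fi

    echo "$FAILS problem(s) found in $jail"
    [ "$FAILS" -eq 0 ]
}

# Run as a script: jailcheck.sh JAIL USER
if [ $# -eq 2 ]; then
    jail_check "$1" "$2"
fi
```

Run it as root after step 5 (sh jailcheck.sh /export/home/scp webgain). It
exits non-zero when anything is wrong, so it can also be called at the top
of the start branch of the init script to refuse to bring up a broken jail.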

7. Send the private key (webgain.identity) to the remote person (webgain).
It has no passphrase and is the only credential protecting the account, so
do not send it in plain e-mail; use an encrypted channel, or better still
have the remote side generate the key pair and send you only the public key.

8. If the remote system is NT
8a. unzip the zip file ssh-1.2.14-win32bin.zip, placing the executable
files in c:\ssh
8b. make a directory for the keys (mkdir c:\ssh\.ssh) and save the private
key there as c:\ssh\.ssh\identity, the default identity file ssh1 looks for
under %HOME%
8c. create a DOS batch file similar to the following:
xxx.bat
---------------------------------
set HOME=c:\ssh
set path=%path%;c:\ssh
set SCPPORT=220

scp -P %SCPPORT% webgain@ushqseng12.eng.corio.com:/etc/hosts /temp/hosts
---------------------------------

NOTE:NOTE:NOTE
--------------
In the scp command line the directory separators MUST be forward slashes
(Unix style), NOT backslashes.

Also, although undocumented in that build, scp accepts "-P 220" to override
the default port. The option is upper-case -P; lower-case -p means
"preserve file times" and will not change the port.