The standard OpenSSH included in Mac OS X Panther does not support chroot. Two chroot solutions are widely known: scponly (http://www.sublimation.org/scponly/) and the chrootssh patch (http://chrootssh.sourceforge.net/). This page describes applying the chrootssh patch.
OpenSSH with the chrootssh patch decides whether a user is chrooted or not by the '/./' marker in the home directory, the same trick classic wu-ftpd uses. The marker also defines where to chroot: the part before '/./' becomes the new root. If the home directory of user godzilla is /Users/godzilla/./, godzilla is chrooted to /Users/godzilla. If it is /Users/./godzilla, godzilla is chrooted to /Users. And if it is /Users/godzilla, godzilla is not chrooted at all.
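The '/./' rule above, worked through in shell as an added example (this is not code from the page or from the chrootssh patch; the function names and the sample passwd entries are mine, constructed to cover the three cases the text lists):

```shell
#!/bin/sh
# Added example, not part of the original page or the chrootssh patch:
# reproduces the '/./' home-directory convention described above so a
# passwd entry can be checked before the user ever logs in.

# Print the directory sshd-chroot would chroot to for the given home
# directory, or an empty line when the home carries no '/./' marker.
chroot_root_of() {
    case $1 in
        */./*) printf '%s\n' "${1%%/./*}" ;;   # everything before '/./'
        *)     printf '\n' ;;                   # no marker: not chrooted
    esac
}

# Print the home directory as the user sees it once inside the jail
# (the part after '/./', rooted at '/'), or the unchanged path when the
# user is not chrooted.
home_inside_jail() {
    case $1 in
        */./*) printf '/%s\n' "${1#*/./}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Report the outcome for every user in a passwd-format stream on stdin
# (name:passwd:uid:gid:gecos:home:shell, home is the sixth field).
report_passwd() {
    while IFS=: read -r name _ _ _ _ home _; do
        root=$(chroot_root_of "$home")
        if [ -n "$root" ]; then
            printf '%s: chroot to %s, home inside jail %s\n' \
                "$name" "$root" "$(home_inside_jail "$home")"
        else
            printf '%s: not chrooted (home %s)\n' "$name" "$home"
        fi
    done
}

# Constructed sample entries matching the three cases in the text.
SAMPLE_PASSWD='godzilla:*:501:501:Godzilla:/Users/godzilla/./:/bin/bash
mothra:*:502:502:Mothra:/Users/./mothra:/bin/bash
rodan:*:503:503:Rodan:/Users/rodan:/bin/bash'

printf '%s\n' "$SAMPLE_PASSWD" | report_passwd
```

On a real host the same functions can be fed the output of `nireport` or `dscl`, whichever lists home directories on your Panther box; what matters is that the jail root is always the text before the first '/./', so a typo such as /Users/godzilla/. (no trailing slash) silently means no chroot.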
I wrote this page just out of curiosity. I don't use this in real life, so I don't know whether this page's sshd will do it or not in commercial use. And I don't have Panther Server. Panther Server users might find some potential differences.
By the way, this page is written in funny Engrish. ;)
$ cvs -d :pserver:anonymous@anoncvs.opendarwin.org:/Volumes/src/cvs/od login
(Logging in to anonymous@anoncvs.opendarwin.org)
CVS password:
(note: just press enter key)
$ cvs -d :pserver:anonymous@anoncvs.opendarwin.org:/Volumes/src/cvs/od co src/OpenSSH
$ curl -O http://chrootssh.sourceforge.net/download/osshChroot-3.6.1.diff
$ cd src/OpenSSH/openssh
$ patch -p1 < ../../../osshChroot-3.6.1.diff
$ cd ..
(note: You can edit the Makefile to customize build options. However, usually it's not necessary.)
$ make
$ cd /tmp/OpenSSH/Build
$ strip sshd
$ sudo cp sshd /usr/local/sbin/sshd-chroot
$ sudo chown root:wheel /usr/local/sbin/sshd-chroot
$ sudo chmod 755 /usr/local/sbin/sshd-chroot
$ cd /etc/pam.d
$ sudo cp sshd sshd-chroot
Add a temporary service entry to /etc/services:
testssh 10022/tcp # SSH Remote Login Protocol
Create the file /etc/xinetd.d/testssh and configure xinetd for a temporary sshd service.
service testssh
{
disable = no
socket_type = stream
wait = no
user = root
#server = /usr/libexec/sshd-keygen-wrapper
server = /usr/local/sbin/sshd-chroot
server_args = -i
groups = yes
flags = REUSE IPv6
session_create = yes
}
$ sudo killall -HUP xinetd
Connect to port 10022 and check that the new sshd-chroot works as well as the original ssh service.
$ ssh -p 10022 localhost
If your sshd-chroot works, undo the changes made for this test.
$ sudo rm /etc/xinetd.d/testssh
$ sudo killall -HUP xinetd
$ sudo vi /etc/services
(note: remove the testssh line you added to /etc/services.)
After this step your ssh service is back to the original sshd; it does not chroot your users yet.
Edit /usr/libexec/sshd-keygen-wrapper and change the path to sshd.
#!/bin/sh
[ ! -f /etc/ssh_host_key ] && ssh-keygen -q -t rsa1 -f /etc/ssh_host_key -N "" -C ""
[ ! -f /etc/ssh_host_rsa_key ] && ssh-keygen -q -t rsa -f /etc/ssh_host_rsa_key -N "" -C ""
[ ! -f /etc/ssh_host_dsa_key ] && ssh-keygen -q -t dsa -f /etc/ssh_host_dsa_key -N "" -C ""
#exec /usr/sbin/sshd $@
exec /usr/local/sbin/sshd-chroot "$@"
That's all. The replacement is done.
The following example chroots to /Users. It assumes WinSCP and rsync will be used, so some files may still be missing for other clients. Two commands, otool -L (which lists the shared libraries a binary links against) and ktrace (which traces the files a process opens), are very helpful for working out what the chroot environment needs.
$ cd /Users
$ sudo mkdir -p bin etc usr/lib/system usr/libexec
$ sudo cp /bin/sh bin
$ sudo cp /bin/bash bin
$ sudo cp /bin/ls bin
$ sudo cp /bin/mkdir bin
$ sudo cp /bin/mv bin
$ sudo cp /bin/rm bin
$ sudo cp /bin/rmdir bin
$ sudo cp /bin/chmod bin
$ sudo cp /usr/bin/groups bin
$ sudo cp /usr/bin/rsync bin
$ cat /bin/cp > /tmp/cp
$ sudo cp /tmp/cp bin
$ sudo chmod 555 bin/cp
$ sudo cp /usr/lib/dyld usr/lib
$ sudo cp /usr/lib/libncurses.5.dylib usr/lib
$ sudo cp /usr/lib/libSystem.B.dylib usr/lib
$ sudo cp /usr/lib/libresolv.9.dylib usr/lib
$ sudo cp /usr/lib/libz.1.dylib usr/lib
$ sudo cp /usr/lib/libcrypto.0.9.7.dylib usr/lib
$ sudo cp /usr/lib/system/libmathCommon.A.dylib usr/lib/system
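The otool -L step mentioned above, scripted as an added example (this is my code, not the page's; the function names are mine, and the otool output is a constructed sample since otool only exists on OS X, with illustrative version numbers). It extracts the unique library paths from otool -L output, stages them under the jail root keeping their directory layout, and reports which ones are still missing, which is the check to repeat after each round of copying:

```shell
#!/bin/sh
# Added example, not from the original page: turn `otool -L` output into the
# list of shared libraries a jail needs, stage them under the jail root, and
# check what is still missing. Function names are my own.

# Constructed sample of `otool -L /bin/ls /usr/bin/rsync /usr/lib/libSystem.B.dylib`
# output (version numbers illustrative). A line ending in ':' names the file
# inspected; each dependency follows on an indented line.
SAMPLE_OTOOL_OUTPUT='/bin/ls:
    /usr/lib/libncurses.5.dylib (compatibility version 5.0.0, current version 5.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 71.0.0)
/usr/bin/rsync:
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 71.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib:
    /usr/lib/system/libmathCommon.A.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 71.0.0)'

# Read otool -L output on stdin and print each dependency path once.
# Header lines ("file:") are skipped; elsewhere the path is the first field.
extract_dylibs() {
    awk '/:$/ { next } NF > 0 { print $1 }' | sort -u
}

# Copy each library path read from stdin into the jail root given as $1,
# creating the matching directory. Files absent on the host are reported on
# stderr and skipped. Prints the number of files staged. Run as root when
# the jail is owned by root (as /Users is on the page).
stage_dylibs() {
    jail=$1
    n=0
    while IFS= read -r lib; do
        if [ ! -f "$lib" ]; then
            echo "missing on host: $lib" >&2
            continue
        fi
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
        n=$((n + 1))
    done
    echo "$n"
}

# Print the libraries read from stdin that are not yet present under jail $1.
missing_in_jail() {
    jail=$1
    while IFS= read -r lib; do
        [ -f "$jail$lib" ] || printf '%s\n' "$lib"
    done
}

# On a real Panther host (as root) the pipeline is:
#   otool -L /Users/bin/* /Users/usr/lib/*.dylib | extract_dylibs | stage_dylibs /Users
# Here the constructed sample stands in for otool.
printf '%s\n' "$SAMPLE_OTOOL_OUTPUT" | extract_dylibs
```

Run otool -L on the libraries you copied as well as on the binaries, since dependencies are transitive: in the sample, libSystem.B.dylib is what pulls in libmathCommon.A.dylib, which is why the page copies it into usr/lib/system. Keep the jail to exactly this list; every extra binary or library is more code a chrooted user can execute.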
/etc/localtime is not essential, but it is needed for 'ls' to display file timestamps in local time.
$ ls -l /etc/localtime
lrwxr-xr-x 1 root wheel 30 20 Nov 2003 /etc/localtime -> /usr/share/zoneinfo/Asia/Tokyo
$ sudo cp /usr/share/zoneinfo/Asia/Tokyo etc/localtime
(note: If your host is in a country other than Japan, the file you should copy differs from mine.)
The standard scp and sftp-server on Panther depend on too many files to be usable in a chroot jail, so build new ones.
$ cd /your/favorite/place/
$ curl -O ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.9p1.tar.gz
$ tar zxvf openssh-3.9p1.tar.gz
$ cd openssh-3.9p1
$ ./configure; make
$ strip scp sftp-server
$ sudo cp scp /Users/bin
$ sudo cp sftp-server /Users/usr/libexec
Whether a user is chrooted or not depends only on the '/./' string in the home directory. Create an account, or take the existing user you want to chroot, and change its home directory to /Users/./*, for example /Users/./godzilla.