work in progress (remind me if necessary)

Since there seems to be no real alternative, I have finally come to the point of replacing ftp with scponly shells. It's rather obvious how to set things up once you know, but there are a hell of a lot of caveats you might get stuck on. Since it took me some time to figure it all out, I'd better write it all down now. I trust pam-chroot more than I trust scponlyc. Why? Because it is simpler, does not involve a setuid scponly program, and might be more secure. And I am running a dedicated sshd process, since the service in question is supposed to be on air, and locked down as much as possible.

The simplest strategy seems to be using one jail for all users. You can set up such a jail using scripts like /usr/share/doc/libpam-chroot/examples/setup-chrootdir-shell.sh and /usr/share/doc/scponly/setup_chroot/setup_chroot.sh, shipped with the respective packages. Let's assume your jail is in /jail. Make sure you have a symlink /jail/lib64 -> /jail/lib if you are running a 64 bit system. To make logging from inside the jail work, append $AddUnixListenSocket /jail/dev/log to /etc/rsyslog.conf and restart rsyslogd.

To get a second sshd running, create a link /usr/sbin/sshd-xy to /usr/sbin/sshd, and copy /etc/init.d/sshd and /etc/pam.d/sshd to /etc/init.d/sshd-xy and /etc/pam.d/sshd-xy respectively. Also make a copy of your sshd_config. Apply the obvious changes to the cloned init script (it has to start sshd-xy with the copied config), and customize the config file of the corresponding sshd as you like. Put in or edit one line to read Subsystem sftp /usr/lib/sftp-server. It might make sense to switch off unnecessary features like X forwarding.

Now the new sshd shall use a different PAM profile. sshd, by default, reads /etc/pam.d/$0, i.e. the profile named after the binary it was started as. For us that is /etc/pam.d/sshd-xy. This is what such a file may look like:

auth       required     pam_env.so # [1]
auth       required     pam_env.so envfile=/etc/default/locale
auth       required     pam_pwdfile.so pwdfile /etc/passwd.scp
#account    required     pam_nologin.so
account required        pam_unix.so
session     required     pam_chroot.so debug 

Furthermore we set up some nsswitch customization, since we want to keep the scp user accounts apart from the usual passwd, group and shadow files. Put the account into /var/lib/extrausers/passwd:

user:x:1000:1000:,,,:/home/user:/usr/bin/scponly
In /etc/passwd.scp (the file read by pam_pwdfile in the auth line above) put the line user:md5hash ...
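Added example, not code from the post or from the scponly/libpam-chroot packages: three shell functions that do the config cloning described above and check the jail layout and the password file. The jail paths, /usr/bin/scponly, /usr/lib/sftp-server and /etc/passwd.scp follow the post; the port 2222, the destination /etc/ssh/sshd_config-xy and the requirement that passwd.scp is mode 0600 are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own scripts). Helpers for the scponly/pam-chroot
# set-up: clone and lock down the second sshd's config, check the jail layout,
# check the pam_pwdfile password file. Port and destination path are assumptions.

# Write a locked-down config for the second daemon.
#   $1 = the copy of sshd_config taken from the main sshd
#   $2 = destination, e.g. /etc/ssh/sshd_config-xy (start with "sshd-xy -f $2")
#   $3 = port for the second daemon (must differ from the first sshd's port)
make_sshd_xy_config() {
    src=$1; dst=$2; port=${3:-2222}
    [ -r "$src" ] || { echo "$src: not readable" >&2; return 1; }
    # sshd uses the FIRST occurrence of a keyword, so any existing line for the
    # directives we set below would shadow ours: drop them before appending.
    # Keywords are case-insensitive, hence -i.
    grep -iEv '^[[:space:]]*(Port|Subsystem|X11Forwarding|AllowTcpForwarding|PermitTunnel|UsePAM|PermitRootLogin)([[:space:]]|$)' "$src" > "$dst" || :
    cat >> "$dst" <<EOF

# --- scp-only daemon (sshd-xy), appended by make_sshd_xy_config ---
Port $port
UsePAM yes
PermitRootLogin no
Subsystem sftp /usr/lib/sftp-server
# unnecessary features switched off
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
EOF
}

# Check a jail against the layout the set-up expects. pam_chroot chroots in the
# session phase, so the user's shell (scponly) and the sftp-server it execs
# must exist INSIDE the jail, as must the rsyslog socket created by
# $AddUnixListenSocket (run this after restarting rsyslogd).
# Prints one line per problem; returns the number of problems found.
check_jail() {
    jail=$1; problems=0
    [ -d "$jail/lib" ]            || { echo "$jail/lib: missing"; problems=$((problems + 1)); }
    # lib64 -> lib symlink for 64-bit hosts (-ef: both names resolve to one inode)
    [ "$jail/lib64" -ef "$jail/lib" ] || { echo "$jail/lib64: not a link to lib"; problems=$((problems + 1)); }
    [ -S "$jail/dev/log" ]        || { echo "$jail/dev/log: no syslog socket (rsyslog restarted?)"; problems=$((problems + 1)); }
    [ -x "$jail/usr/bin/scponly" ] || { echo "$jail/usr/bin/scponly: missing or not executable"; problems=$((problems + 1)); }
    [ -x "$jail/usr/lib/sftp-server" ] || { echo "$jail/usr/lib/sftp-server: missing or not executable"; problems=$((problems + 1)); }
    return $problems
}

# The pam_pwdfile file holds password hashes like /etc/shadow does, so it should
# not be readable by group or others (assumption: mode 0600, owned by root).
# Returns 0 when fine, 1 otherwise. Uses ls(1) output columns 5-10 (group/other
# permission bits) to stay portable across stat(1) flavours.
check_pwdfile() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: readable by group/others ($perms), chmod 600 it"
        return 1
    fi
    return 0
}

# Usage (paths from the post; uncomment to run on a real host):
# make_sshd_xy_config /etc/ssh/sshd_config /etc/ssh/sshd_config-xy 2222
# check_jail /jail
# check_pwdfile /etc/passwd.scp
```

Start the cloned daemon from the copied init script as sshd-xy -f /etc/ssh/sshd_config-xy; without -f it would read the main sshd_config again, and the PAM profile it picks is still /etc/pam.d/sshd-xy because that comes from the program name, not the config.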

pam-extra? what is this for?

Makefile to generate jails automatically...

Troubleshooting: set LogLevel DEBUG3 in your sshd config and a number > 0 in /etc/scponly/debuglevel; then try ssh -v -v -v user@host -s sftp, sftp -v user@host and scp -v file user@host.

Caveats:

How to make a dropbox: you might want to allow someone (S) to drop data for someone else (E). This can be achieved by configuring a jail the following way:

Update: there's a bug in openssh-server (at least) in version 1:5.1p1-5 (lenny): you get "fatal: ssh_selinux_getctxbyname: ssh_selinux_getctxbyname: security_getenforce() failed" in /var/log/auth.log. This feature can be worked around by building the openssh packages without selinux support.

Questions? Comments? feel free to email felix ate salfelder d0Ht org.