#!/bin/sh
#
# Stub wrapper invoked by sshd to trap a user inside a chroot. Invoke this
# script by absolute path, with the name of the chroot as its first and only
# parameter, from the sshd ForceCommand option of OpenSSH.
# Configuration and use:
#
# Pick a group that denotes which users should be trapped in which chroot, to
# keep the configuration simple. I chose a scheme of 'ch.<name>'; in this case
# the group 'ch.cnuapp' for the chroot 'cnuapp'.
# First, patch sudoers to allow ssh_chrooter to obtain root automatically so
# that it can run the chroot control script; the env_keep bit is important
# to allow ssh_chrooter to propagate important pieces of information up to the
#
# Defaults!/srv/chroot/j/ssh_chrooter env_keep+="ORIG_USER ORIG_SHELL SSH_CLIENT SSH_CONNECTION SSH_ORIGINAL_COMMAND"
# %ch.cnuapp ALL=(ALL) NOPASSWD: /srv/chroot/j/ssh_chrooter cnuapp
#
# Note that the rule pins the argument to 'cnuapp': members of the group can
# run this wrapper for their own chroot only, and sudo rejects any other
# argument. Keep it pinned; a wildcard there would let the caller choose the
# chroot name that the control script is handed as root.
# To trap users in the group inside the chroot whenever they log in, add this
# to /etc/ssh/sshd_config. A Match block applies to every authentication
# method, password and public key alike:
#
# Match group ch.cnuapp
#     ForceCommand /srv/chroot/j/ssh_chrooter cnuapp
#
# If you would rather pin a single key than a whole group, or cannot edit
# sshd_config, put the command on the key in ~/.ssh/authorized_keys instead.
# A ForceCommand in sshd_config takes precedence over this option when both
# are present:
#
# command="/srv/chroot/j/ssh_chrooter cnuapp" ssh-rsa AAAAB3...
# Not root yet: re-exec through sudo, passing the login's details as VAR=value
# arguments (sudo only accepts these for variables listed in env_keep).
[ "$(id -u)" -eq 0 ] || exec sudo ORIG_USER="${USER}" ORIG_SHELL="${SHELL}" SSH_CLIENT="${SSH_CLIENT}" SSH_CONNECTION="${SSH_CONNECTION}" SSH_ORIGINAL_COMMAND="${SSH_ORIGINAL_COMMAND}" "${0}" "${@}"
jname="${1:?usage: ${0} <chroot-name>}"
cd "$(dirname "$(dirname "${0}")")"  # j/ control scripts live beside this wrapper
if [ -n "${SSH_ORIGINAL_COMMAND}" ]
then
    # Non-interactive use (scp, rsync, "ssh host cmd"): run it inside the chroot.
    USER="${ORIG_USER}" j/eval "${jname}" "cd; ${SSH_ORIGINAL_COMMAND}"
else
    echo "You are now entering the ${jname} chroot" >&2
    USER="${ORIG_USER}" j/enter "${jname}"
fi
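The checks below are an added example, not part of the ssh_chrooter script above or of its j/ control scripts. They validate the chroot name and the invocation path before anything is run as root, and classify the session from SSH_ORIGINAL_COMMAND the same way the wrapper does. The function names are assumptions. The chroot-name check is what protects the `j/enter "${jname}"` call if the sudoers rule is ever loosened from the fixed `cnuapp` argument to a wildcard, since the name is then spliced straight into a path as root.

```shell
#!/bin/sh
# Added example (not the original ssh_chrooter code): invocation checks a
# hardened wrapper would run before touching the chroot.  Function names are
# assumptions for illustration.

# A chroot name must be a single path component: letters, digits, '.', '_'
# and '-', not starting with '.' and never containing '/'.  This rejects
# "../etc", an absolute path, a hidden name or anything with whitespace, so
# the name cannot escape the chroot directory when given to j/enter or j/eval.
validate_jname() {
    case "${1:-}" in
        '' | .* | */* )        return 1 ;;
        *[!A-Za-z0-9._-]* )    return 1 ;;
    esac
    return 0
}

# sudoers names the permitted command by absolute path, so the wrapper must
# re-exec itself with an absolute $0; a relative $0 does not match the rule
# and the user is prompted for a password (or refused) instead of trapped.
is_absolute_path() {
    case "${1:-}" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Mirror the wrapper's branch: an empty SSH_ORIGINAL_COMMAND is an interactive
# login (enter the chroot); anything else (scp, rsync, "ssh host cmd") is a
# one-shot command that must be evaluated inside the chroot.
chroot_mode() {
    if [ -n "${1:-}" ]; then
        echo command
    else
        echo interactive
    fi
}

# Combined pre-flight check as the wrapper would call it: $1 is $0 of the
# wrapper, $2 the chroot name.  Prints a reason and fails on the first problem.
preflight() {
    is_absolute_path "${1:-}" || { echo "wrapper must be invoked by absolute path" >&2; return 1; }
    validate_jname "${2:-}"   || { echo "refusing chroot name '${2:-}'" >&2; return 1; }
    return 0
}
```

`preflight` is meant to sit right before the `exec sudo` line: failing early on the unprivileged side costs nothing, whereas a malformed name that reaches the root-level control script is a problem you only find out about in the audit log.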