From 9171fa6d1db11b4ab05386f856cb5f44278d1070 Mon Sep 17 00:00:00 2001
From: CyberLeo
Date: Thu, 23 Aug 2012 06:55:52 -0500
Subject: [PATCH] j/ssh_chrooter: more documentation

---
 ssh_chrooter | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/ssh_chrooter b/ssh_chrooter
index 527347e..66ff3ba 100755
--- a/ssh_chrooter
+++ b/ssh_chrooter
@@ -1,6 +1,35 @@
 #!/bin/sh -e
-# Stub wrapper to be invoked by sshd ForceCommand, to trap a user inside a chroot
+# Stub wrapper to be invoked by sshd to trap a user inside of a chroot. Invoke
+# this script with an absolute path, and the name of the chroot as the first
+# and only parameter, from the ssh ForceCommand option of openssh.
+#
+# Configuration and use:
+#
+# Pick a group that will be used to denote which users should be trapped in
+# which chroots, to make configuration easier. I chose a scheme of 'ch.';
+# in this case, the group 'ch.cnuapp' for the chroot 'cnuapp'.
+#
+# First, patch sudoers to allow the ssh_chrooter to automatically obtain root
+# so that it can run the chroot control script; the env_keep bit is important
+# to allow ssh_chrooter to propagate important pieces of informatin up to the
+# control script:
+#
+# Defaults!/srv/chroot/j/ssh_chrooter env_keep+="ORIG_USER ORIG_SHELL SSH_CLIENT SSH_CONNECTION SSH_ORIGINAL_COMMAND"
+# %ch.cnuapp ALL=(ALL) NOPASSWD: /srv/chroot/j/ssh_chrooter cnuapp
+#
+# To trap users in the chroot group when they log in with password auth, add
+# this to /etc/ssh/sshd_config :
+#
+# Match group ch.cnuapp
+# ForceCommand /srv/chroot/j/ssh_chrooter cnuapp
+#
+# The above will not apply when users use an ssh key to log in; add this to
+# ~/.ssh/authorized_keys for the user:
+#
+# command="/srv/chroot/j/ssh_chrooter cnuapp" ssh-rsa AAAAB3...
+#
+
 [ "$(id -u)" -eq 0 ] || exec sudo ORIG_USER="${USER}" ORIG_SHELL="${SHELL}" SSH_CLIENT="${SSH_CLIENT}" SSH_CONNECTION="${SSH_CONNECTION}" SSH_ORIGINAL_COMMAND="${SSH_ORIGINAL_COMMAND}" "${0}" "${@}"
--
2.42.0
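Review bot: The new header presents ORIG_USER and ORIG_SHELL as information the root-side control script can rely on, but the `exec sudo` context line below the comment fills them from the caller's own `USER` and `SHELL`, values the logged-in user can change before the ForceCommand runs, so once they cross the sudoers `env_keep` boundary they are untrusted input to a root process. The header should say that user identity must come from `SUDO_USER`, which sudo sets itself, and that every kept variable including SSH_ORIGINAL_COMMAND is opaque data to the control script; for example `# ORIG_USER/ORIG_SHELL are copied from the caller's environment and are advisory only; the control script must identify the user via SUDO_USER and must never execute SSH_ORIGINAL_COMMAND verbatim.` The statement that the Match-block ForceCommand "will not apply when users use an ssh key" looks inaccurate and should be double-checked: sshd_config(5) documents ForceCommand as overriding any client-supplied command and any authorized_keys command= option regardless of authentication method, so the authorized_keys line is better described as a fallback for hosts where the Match block cannot be added. The hunk header announces 35 new lines but fewer are visible here, so the trailing context of the file (whatever follows the sudo line) is not in view.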