WinSCP chroot

Hi, I'm extremely impressed with WinSCP, as are several others that I see posted in your forums. I'm having some good success chrooting users directories AND letting them use WinSCP. I will report it to you once it's completed. Do you also supply the source code for WinSCP?

I did try the suggested OpenSSL-chroot attempt but ran into some complexity that made me want to attempt it with an original procedure that should be much simpler, and so far it's working out....but too much overhead, so I've got a little more refinement to do.

radnix@hotmail.com

I'm looking forward for your guide.

WinSCP chroot()

Preface : OK, this is sloppy but works. I'll need everyone's input for refinement so email me results and

also I'll need to send you david.tar.gz.

radnix@hotmail.com

This test performed on Linux RedHat 7.2 This procedure is a prototype. Sign in as root.

I._________________________________________________________________________________
SSH2 - download and install SSH Secure Shell 3.2 non-commercial :

<invalid link removed>
note : Observe that new folder has been created /etc/sshd2.

II.________________________________________________________________________________

USER FOLDER - to be SSH2 chrooted : example will assume user paul in /home/paul. He's using a bash shell.

Place david.tar.gz in /home folder, tar -xzpf david.tar.gz. This example presumes that user david does NOT exist.

Now folder /home/david is created. Rename folder to be SSHD2 chrooted to it's name dot bak i.e. paul.bak.

Rename /home/david to /home/name i.e. /home/paul.

Observe ownerships of new user directory are david, so change the folder and internal david user/group to paul,

That is, only the files/folders for renamed folder paul from david to paul.

Edit home/paul/etc/passwd – replace david:x:656:507:david bosshardt:/home/david:/bin/bash with paul's /etc/passwd entry. Delete david's line in /home/paul/etc/passwd, copy paul's line from /etc/passwd and paste it in /home/paul/etc/passwd.

Edit home/paul/etc/group – replace david:x:507: with paul's /etc/group entry. Delete david's line in /home/paul/etc/group, copy paul's line from /etc/group and paste it in /home/paul/etc/group.


III._______________________________________________________________________________

CONFIG SSHD2, KILL SSHD, START SSHD2, RUN WinSCP :

Edit /etc/sshd2/sshd2_config – Find line ChRootUsers. Add paul as

If you have sshd running, kill it. Now, start SSHD2 by simply typing in sshd. Remember, we're NOT running the old sshd, we're going to run the new install sshd2.

Now, from my window xp machine, I run WinSCP :
paul@xxx.xxx.xxx.xxx port 22

supply paul's login name and password and I'm in. Pauls folder is chrooted and I appear to have full functionality of WinSCP.

Thanks for you comprehensive description. I surely would help other users.

HI all,

Where can I get david.tar.gz?

Best Regards
Klaus

@Guest:: Just email me at radnix@hotmail.com and I'll give it to ya' ! :) david.tar.gz simply contains the scp, sftp....etc, shell dependencies necessary for the chroot jail.

Here's a listing of david.tar.gz, if ya' don't want the tar you should be able to figure the dependency listing out here :
good luck! :)

Dear RadNix,

Thank you for taking the time to send me your tar file.

In the hope that my experience will help others and that the WinSCP developers will get some insight into how the product can be improved here is experience.

I tried the david.tar.gz file it but I have the same result WinSCP works but copy times out with error "External exception C000009"

A linux command line scp works and dos pscp works but winSCP does not copy. This is (I think) because WinSCP is doing too much clever stuff on the server with the user account there and in my (and your david.tar.gz) chroot environment it does not work (on my server.)

For information I am using SuSE 8.3 and here is the contents of my ChrootUser.tar
However I got a gui file explorer working using iXplorer from http://www.i-tree.org/ this is not as advanced as winSCP but in my case that is an advantage.

Here is my set up HowTo for a webserver on SUSE 8.3

Log on to webserver as root
Add a new user max using yast.

edit new users line to change the home dir:
tidy up
set up file structure
allow user to write to web
catch the user at log on and chroot them.
set up VirtualHost
All the best,
Doug Culnane

Just thought I'd add my $0.02 on chroot w/WinSCP3 (the best secure file transfer client out there, period!)

Tools necessary to successfully complete this job:

1. SSH, The Secure Shell (O'Reilly and Associates)
   Barrett & Silverman.
   -Buy it and sleep with it under your pillow.
   
2. JailChroot Project Homepage:
   <invalid hyperlink removed by admin>
   
3. WinSCP3
   
4. Your favorite Linux distro (Gentoo, anyone?).
   

I've created an environment that uses RSA SSH2 key exchange for authentication (see prereq. 1) above) and, after successfully authenticating, the user falls into a chrooted environment (shell == /usr/local/bin/jail) where they can safely upload / download files without backticking my server.

Using the JailChroot project will DRAMATICALLY ease your testing/implementation of this _jail_ functionality, but you *may* have to tweak some of it's features in order for it to seamlessly work and be secure (relatively for the moment anyway). A *feature* that I ended up abandoning was the addjailsw (add jail software) program - much easier to do manually for relatively few commands.

If you have to tweak JailChroot, I strongly recommend gaining a thorough understanding of manually creating a chroot environment by looking here:

<invalid hyperlink removed by admin>

Customizing it will be a snap after this tutorial, but it should work ootBox.

Hope this helps someone.... I was able to get it up and running in a day – thanks to @martin for WinSCP!!!

Another option for chroot'ing a user for SFTP/SCP only access is to use rssh, available at <invalid hyperlink removed by admin>. I was able to get working easily (<1 hour from download to operational) on RH9 with WinSCP 3 (also tested with FileZilla 2.2) as the client running SFTP.

Misc notes:

• Use with OpenSSH version > 3.5.
  
• Edit the /etc/rssh.conf file to restrict chroot access per user if desired.
  
• Edit /etc/shells to add /usr/bin/rssh as a valid shell
  
• Read: $man rssh and $man rssh.conf for details on usage.
  
• Details on how to setup the chroot environment for rssh SCP/SFTP are included in the rssh source tarball.