The goal of this is to create an OpenSSH installation on Windows (using Cygwin) that forces each user into their own chroot "jail" where all they see is their own stuff. For an added bonus you can put this limit on select logins based on their group.
First cut is short on some details so I can get it out of my head and start the documentation.
- Install Cygwin, being sure to select the OpenSSH package
- Create passwd and group with mkpasswd and mkgroup
- Manually add a root user and group as follows:
  - Root User
    - Edit /etc/passwd and copy the "Administrator" user line.
    - change "Administrator" to "root"
    - change the uid and gid (usually 500 and 513 respectively) to 0 and 0
  - Root Group
    - Edit /etc/group and copy the "Administrators" group line
    - change "Administrators" to "root"
    - change the group id (usually 544) to 0, be sure to leave the second field alone
    - move the "root" group above the "Administrators" group if it is not already
- Create a chroot directory
      mkdir /jail
- Change ownership of the chroot to root:root
      chown root:root /jail
- For each user to be chrooted
  - create /jail/%user/home/%user
  - make sure ownership of each directory on the path /jail/%user/home is root:root
  - make sure ownership of the /jail/%user/home/%user directory is %user:Users
- Edit /etc/sshd_config and
  - go to the bottom of the file
  - Find Subsystem sftp and change it from "/usr/...." to "internal-sftp" (no path)
        Subsystem sftp internal-sftp
  - Add (or edit the existing) block at the bottom to look like
        # Example of overriding settings on a per-user basis
        Match Group your_sftp_only_group
            ChrootDirectory /jail/%u
            ForceCommand internal-sftp
            X11Forwarding no
            AllowTcpForwarding no
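Before trying a login it is worth checking the jail the way sshd does: every component from / down to the ChrootDirectory must be a directory owned by root and not writable by group or others, or sshd refuses the session with "bad ownership or modes for chroot directory component". The script below is an added example, not part of the original post; the function names and the TOP / REL_PATH / EXPECTED_UID parameters are my own, and it relies on the GNU stat that Cygwin ships.

```shell
#!/bin/sh
# Added example (not from the original post). Walks a ChrootDirectory path
# one component at a time and applies sshd's rules to each: it must be a
# directory, owned by the expected uid (0 = root), and not group- or
# world-writable.
#
# Usage: check_chroot_path TOP REL_PATH [EXPECTED_UID]
#   TOP           directory where the walk starts ("/" for a real jail)
#   REL_PATH      jail path relative to TOP, e.g. jail/alice
#   EXPECTED_UID  owner every component must have; defaults to 0 (root),
#                 overridable so the check can be run on a scratch tree
# For the layout in the post:  check_chroot_path / jail/alice
# Returns 0 when every component passes, 1 otherwise, reporting each one.

check_component() {
    dir=$1
    want_uid=$2
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"; return 1
    fi
    uid=$(stat -c %u "$dir")      # owner uid (GNU/Cygwin stat)
    mode=$(stat -c %a "$dir")     # permission bits in octal, e.g. 755
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owned by uid $uid, expected $want_uid"; return 1
    fi
    # 022 (octal) masks the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is group- or world-writable"; return 1
    fi
    echo "ok   $dir (uid $uid, mode $mode)"
}

check_chroot_path() {
    top=$1
    rel=$2
    want_uid=${3:-0}
    rc=0
    check_component "$top" "$want_uid" || rc=1
    cur=${top%/}      # "/" becomes "" so that "/" + "jail" builds "/jail"
    rest=$rel
    while [ -n "$rest" ]; do
        cur="$cur/${rest%%/*}"
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        check_component "$cur" "$want_uid" || rc=1
    done
    return $rc
}
```

The same rules apply to the directory the Match block's ChrootDirectory resolves to for each user, so run it once per jailed account after creating the tree.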
References:
To end up in writable directory
More windows setup help
Setting up pubkey auth
I include this reference but the ssh-host-config script that installs with Cygwin's OpenSSH should handle all this now.
3 comments:
Followed this example exactly but client session terminates immediately after login. Event Viewer->Windows Logs->Applications on Win7 server has error: sshd: PID xxxx: fatal: bad ownership or modes for chroot directory component "/". Confirmed ownership of "/" is root:root and triple-checked other ownerships and config items. Any update on this technique?
Well, I haven't touched it in about as long ago as I wrote the post. I'll give it a go with current Cygwin in a VM and see how it goes. Back in 2008 I would have been doing this with XP and Server 2003 most likely, so I expect the technique needs some polish given the Win7/2008R2 increased security.
Is there a chance updated instructions are posted for Windows 7 and Server 2008 and current Cygwin versions? (Not sure if this is going to work at all)
I have been trying hard to make ChrootDirectory option work, but I always get "Received unexpected end-of-file from SFTP server" as soon as I enable it.
I get that error regardless of where in sshd_config I specify it either as a global option or as a part of Match User/Group directive.