Jailed SSH

Levi

Recently I received few requests for SSH access in shared hosting environment. Since I don't use any commercial web panel I need to create jailed SSH manually.

Before I dive in that pile of crap, does anyone knows script for setting up Jailed SSH for existing users?

sgno1

https://github.com/dannysheehan/linux-chroot-jail

Not sure if there is something better out there, edit as you wish

yoursunny

Put each user in an unprivileged LXC container with its own HTTP daemon, shared IPv4 and dedicated IPv6.
Give user root SSH access inside the container.
Run domain forwarder on shared IPv4 port 80 443.
This is how we roll.

Levi

@sgno1 said: Not sure if there is something better out there, edit as you wish

https://github.com/McSim85/make_chroot_jail it is newer but needs fixing to modern Debian.

LXC is not an option, to much overhead.

Wondering, how cPanel and DA do this...

PulsedMedia

Doing proper SSH chroot jail, so that things still work as expected is quite an task, and not that trivial.

Easiest way is to have a copy of the system/distro inside the user's account, so they still have access all to the bins, libs etc.
You can have hardlinks etc. to do this as well tho, bind mounts etc.
But then you are poking holes into the chroot.

There's Firejail tho: https://firejail.wordpress.com/
Which is a bit different than just SSH chroot jail. Have no experience with this.

By far easiest is the LXC container option, and any solution you do will inevitable go towards the container direction, no easy way around that.

Doing manual grsec/sellinux/apparmor rules might get you there, but again tons of work.
I have maintained grsec rules in the late 90s, early 00s, and it was a PITA. But yeah 2 decades of tooling will have probably made things easier.

jfreak53

If you're on centos cloudlinux, works even for non-cpanel. Their support said they are working on Ubuntu version but no ETA.

Otherwise nothing truly exists, we've looked. Your solution is to manually lock down SSH, and install lshell and lock it down as well. There is only one version of lshell that currently works, the original is defunct. Link below.

https://github.com/Applenice/lshell

Levi

The best option for limited shell is GNU RUSH, but it is very hard to interpret documentation as there is no examples on the net. Does anyone knows how DA does jailed ssh?

rsk

@LTniger said:
The best option for limited shell is GNU RUSH, but it is very hard to interpret documentation as there is no examples on the net. Does anyone knows how DA does jailed ssh?

DA uses bubblewrap

babywhale

Give them full access to root then change the password / keys when they done

rincewind

@LTniger said:
https://github.com/McSim85/make_chroot_jail it is newer but needs fixing to modern Debian.

That seems like a pretty decent script. A useful tip is to copy strace into your jail. If a program fails to run in your jail, then strace it to see what files it needs.

I run some webservers within a bubblewrap and created a similar script for minimal files in the jail.

If users need access to a lot of common programs you can considering bind mounting (mount -o rbind) or overlay filesystems (docker does this).

rincewind

@LTniger said:
The best option for limited shell is GNU RUSH, but it is very hard to interpret documentation as there is no examples on the net. Does anyone knows how DA does jailed ssh?

If you are already using sshd to chroot (through ChrootDirectory in sshd_config) then why do you need rush to chroot again?

emgh

I think the easiest solution is to tell them to get a VPS

BasToTheMax

Why not use something like docker?

emgh

@BasToTheMax said:
Why not use something like docker?

I have a feeling if LXC is too much overhead, Docker would be too, they're in a way quite similar