Brandon Hutchinson provides a concise howto for chrooting SSH. For recent distributions of Red Hat Enterprise Linux (like CentOS), the following may also be needed in addition to Hutchinson’s Fedora Core procedures:
$ cp /lib/ld-linux.so.2 /chrootedpath/lib/.
$ chmod 666 /chrootedpath/dev/null
$ chmod 666 /chrootedpath/dev/zero
Running ldd on the sshd binary executable will display the executable’s shared library dependencies. The first item on the list addresses a possible dependency that was omitted in Hutchinson’s howto. The absence of this file is a possible cause for a “/bin/sh: No such file or directory” error message to be displayed when connecting as the chrooted user.
Attempting to SFTP as the chrooted user may result in the connection being immediately closed. After logging in as the chrooted user, executing /usr/local/libexec/sftp-server may also result in a “Couldn’t open /dev/null: Permission denied” error message to be outputted. This is fixed by applying the second item of the preceding list.
Hutchinson’s shell script can be modified to incorporate the additional steps that are presented above.
A personal copy of the howto for future reference is found
here.
I have dealt with multiple dedicated hosting and colocation service providers within the last three years. I maintain the servers at the colo where stevedoria.net is hosted, and I assist clients who do not receive their hosting services from me. Dealing with demanding clients and their always very restrictive budgets gave me experience in configuring software to push available hardware to its limits.
Having managed computers at colocation sites for multiple companies and being humbled multiple times through personal experience, I have never felt so annoyed by the problems that arose with hosting companies. I recently assisted a client transition their site from a third-party hosting company to another. I was naive to believe that there were two basic forms of hosting: dedicated and shared. The client signed up for Verio’s Managed Dedicated Server hosting. First off, they attempted to bilk the client by providing hardware that was inferior to the client’s previous server. Upgrading servers with the hope of gaining improved performance was a key motivator for the transition. I discovered Verio’s “mistake” after careful prodding around the system. The server used a crippled version of FreeBSD, and a lot of the common tools that readily provide information about the server was stripped.
I believed that the handicapped version of FreeBSD was also a mistake and the correct server would provide a version of FreeBSD that is fully functional. I was wrong. Installing server monitoring applications, which would allow independent review of bandwidth usage among other things, could not function on the server. Information regarding the number of bytes and packets being transferred that is usually found in ifconfig was removed. Network diagnostic tools such as Wireshark and tcpdump did not work either. It seemed that the server was missing device nodes that were needed by these tools, and either the recompilation of the kernel or the loading of kernel modules was necessary. Unfortunately, the programs to load kernel modules were removed, so compiling a new kernel seemed like the only feasible option. Lo and behold, the kernel could not be found.
I called up Verio’s technical support line to seek help with recompiling a kernel on their server. I thought I would be able to at least gain information on where the kernel was located in the case that Verio’s operators were unable to provide active assistance. The support line number that was listed on their site connected me to their sales office, which had a recorded message about their office being closed. I was frustrated enough to require technical support, and hearing sales pitches for additional services was the least desirable thing to hear. After digging through my email, I found a technical support number that worked. It took a great deal of constraint to communicate with Paul, the Verio technical support representative who answered my call.
I discovered through Paul that the kernel was totally inaccessible to all users, including root. At this point, I concluded that the supposed dedicated server is nothing more than a virtual machine with a convoluted version of a respectable operating system as a thin facade for an actual dedicated server. Verio Managed Dedicated Server just isn’t. Methods that increase resource usage visibility that would enhance Verio’s accountability are prevented. Security measures like FreeBSD’s firewall cannot be deployed. There is no telling of how the resource demands of other customers hosted on the same physical machine will affect the client’s Internet presence. There is no telling of how Verio’s restricted FreeBSD server will hamper a power administrator’s ability to diagnose and rectify future server problems.
I find myself making the most of what is provided to meet a client’s demanding needs once again.
Although I’ve been busy with a lot of work lately, I have been thinking during my commute to work about what I would like to do if I had more time. Here’s a list of things that I would like to accomplish in the first half of 2007:
- Investigate the use of Logical Volume Manager (LVM) for the Linux operating system to create consistent snapshots of secondary storage volumes that can be readily backed up
- Deploy a backup system that minimizes the loss of personal data that is stored on all computers within my home network
- Read Richard Stevens’ Unix Network Programming to validate the way that I use the sockets API
- Find and help an open source project to practice reading code written by others
- Check out Python or reinforce skills in Javascript
- Learn more about common practice in administering GNU/Linux and Unix-like operating systems
I do not allow people to use Telnet on servers that I manage, because usernames and passwords are transmitted over the network as clear text. As concerned about security as people are, I am surprised at peoples’ insistence on using FTP. FTP, a network protocol that also transmits password information as clear text, continues to be widely used. Problems arise in the use of FTP when firewalls are set up between clients and servers. For example, giving clients the option to use either active or passive modes creates more headaches for network administrators who may already have configured FTP servers to listen on specific ports that firewalls are configured to expose. Even more problems are apparent when trying to use FTP over a tunnel.
FTP is broken. Stop using it and adopt secure file transfers with SFTP. FileZilla is an open source SFTP client for Microsoft Windows. Other graphical SFTP clients that support other operating systems are also available.
My sister received a 25USD Borders gift card that she intended to use for another medical dictionary. I persuaded her to regift it to me, and I have been carrying it for weeks. I’ve been to Borders multiple times, and only the appeal of instant gratification kept me coming back. I have been wanting Richard Stevens’ Unix Network Programming, Volume 1: The Sockets Networking API for awhile. I am pretty familiar with sockets programming, having majored in computer science with a specialization in networks and distributed systems, but I am bothered by not having read such a classical text for its field. A traditional Borders store sells the book at cover price: 74.99USD. Buying the book at cover price was not very appealing. Borders.com, powered by Amazon.com, sells the book for 52.49USD, and after applying the 25USD gift card, I was able to purchase the 75USD book for 27.49USD. Averting instant gratification saved me (74.99 * 1.0825 – 52.49 =) 28.69USD!