I am not a security professional or expert. I’m an average guy just learning and trying stuff out.

Picking up from last post, we have a couple things setup.

1. Entry user “somebody” with limited capabilities (no file system write access, etc)
2. A user we want to user: “intendeduser”
3. Remote ssh is allowed for “somebody”, but only local ssh is enabled for “intendeduser”

Least Privilege

Why give “somebody” more access than required? The user’s only purpose is to serve as a staging area for access to the intended user. As of now, “somebody” can scan through most of the file system and explore other users’ home directories.

What is the minimum set of capabilities “somebody” requires?

SSH.

Chroot Jail

The plan is to force “somebody” into a modified jail environment using chroot. Chroot is an operation that changes the apparent root directory of a user.

My goal is to create a jail environment that allows nothing but SSH.

Implementation

I followed the steps from: http://allanfeid.com/content/creating-chroot-jail-ssh-access

But added these changes:

• Only copied over the bash and ssh binaries
• Bound /dev/tty and /dev/urandom to their jail equivalents

The final step was crucial. I struggled for almost an hour trying to debug ssh. The key was to copy over strace and use it to slowly determine and satisfy the missing dependencies.

I discovered several missing libraries through strace, but the most difficult step was diagnosing the need for /dev/tty.

When all else seemed to be working, ssh would exit with:

Could not create directory '/nonexistent/.ssh'.
The authenticity of host 'localhost (127.0.0.1)' can't be established.


The program exited without prompting for a password. A smarter man would’ve known that /dev/tty is required for the prompt.

Don’t make the same mistakes I did.