Author: Ricard Forniol
Date: 5 August 2007
This document is based on the eldemonio.org manual for NetBSD, adapted to run on OpenBSD.
It has been tested with OpenBSD 4.1, using OS X as the client.
This document may be copied, modified and redistributed provided that the link to the original source and the author are mentioned.
This step is useful if you have a clean OpenBSD 4.1 installation and prefer a visual editor such as nano. If you are happy with vi, just skip it.
# echo "export PKG_PATH=ftp://ftp.rediris.es/pub/OpenBSD/4.1/packages/`machine -a`/" \
>> /root/.profile
# export PKG_PATH=ftp://ftp.rediris.es/pub/OpenBSD/4.1/packages/`machine -a`/
# pkg_add -v nano-2.0.3.tgz
First we change /etc/fstab so that the partition holding the chroot (/home here) may contain device nodes, which sshd needs inside the jail. To do that, delete nodev from the /home line; the listing below shows the result, with nodev already gone and nosuid kept:
# nano /etc/fstab
/dev/wd0a / ffs rw 1 1
/dev/wd0h /home ffs rw,nosuid 1 2
/dev/wd0d /tmp ffs rw,nodev,nosuid 1 2
/dev/wd0g /usr ffs rw,nodev 1 2
/dev/wd0e /var ffs rw,nodev,nosuid 1 2
Apply the change by remounting the partition (umount refuses if anything under /home is still in use):
# umount /home
# mount /home
# mkdir -p /home/chroot/cvs
# cd /home/chroot/cvs
# mkdir -p bin dev etc home/ricard lib libexec/auth sbin tmp var/empty
# mkdir -p var/run var/chroot/sshd
# ln -s . usr
# chmod -R 555 home
# chmod 1777 tmp
We created a symlink usr pointing at the root of the chroot to keep the layout simple: anything that lives under /usr/bin, /usr/lib or /usr/libexec on the host ends up in bin, lib or libexec of the jail. We also set mode 1777 on tmp (sticky and world-writable) and 555 on home.
Now copy the commands and the shared libraries they depend on. ldd prints the library path in its seventh column; the grep drops the header line and the binaries themselves, and ld.so is copied separately into libexec:
# cd /home/chroot/cvs
# cp /bin/ksh /bin/ls /bin/rm /bin/mkdir /bin/cp /bin/mv /bin/echo \
/usr/bin/cvs /usr/bin/passwd /usr/bin/login bin
# cp /sbin/nologin /usr/sbin/pwd_mkdb /usr/sbin/sshd sbin
# cp /etc/master.passwd /etc/group etc
# cp /usr/libexec/ld.so libexec
# cp -rf /etc/ssh etc
# cp /etc/login.conf etc
# cp /usr/libexec/auth/login_passwd libexec/auth
# cp `ldd bin/passwd sbin/sshd libexec/auth/login_passwd | \
grep -v -e 'libexec' -e 'bin' -e 'sbin' -e 'Start' | awk '{print $7}'` lib
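The ldd pipeline above does the job, but the grep -v 'bin' filter drops any line containing the string bin, including a library path that happens to contain it, and the awk relies on the column position alone. Here is an added example, my own and not part of the original page, that parses ldd's seven-column output by field (Start End Type Open Ref GrpRef Name, the OpenBSD 4.1 layout), keeps every entry whose name looks like a shared object, including /usr/libexec/ld.so, and copies each file to the same path under the jail; thanks to the usr symlink created earlier, /usr/lib contents land in lib and ld.so in libexec. The LDD variable exists so the parsing can be exercised against constructed ldd output without a real ldd; it defaults to the system's ldd.

```shell
#!/bin/sh
# Added example (not from the original page): populate a chroot with
# programs and the shared libraries ldd reports for them, preserving the
# original paths under the jail root.
# Assumptions: OpenBSD-style ldd output with seven columns
# (Start End Type Open Ref GrpRef Name); LDD can be overridden with a
# function that prints constructed ldd output, for testing.
LDD=${LDD:-ldd}

# ldd_libs < ldd-output: print each shared-object path once.
# Skips the "file:" lines (one field), the column header ($1 == "Start")
# and the executables themselves (their Name does not end in .so[.N.N]).
ldd_libs() {
    awk 'NF == 7 && $1 != "Start" && $7 ~ /\.so(\.[0-9]+)*$/ { print $7 }' |
        LC_ALL=C sort -u
}

# jail_install JAIL /abs/path...: copy each file to JAIL/abs/path, creating
# the directories on the way.  With JAIL/usr -> . this puts /usr/lib/x.so
# into JAIL/lib and /usr/libexec/ld.so into JAIL/libexec, as on the page.
jail_install() {
    jail=$1
    shift
    for src in "$@"; do
        mkdir -p "$jail$(dirname "$src")" || return 1
        cp "$src" "$jail$src" || return 1
    done
}

# jail_programs JAIL /abs/program...: install the programs and every
# shared object ldd reports for them.  Returns 1 if a copy failed.
jail_programs() {
    jail=$1
    shift
    libs=$($LDD "$@" | ldd_libs)
    # word-splitting of $libs (one path per line) is intended
    jail_install "$jail" "$@" $libs
}

# Typical call on the page's jail (paths as on the page):
# jail_programs /home/chroot/cvs /usr/bin/passwd /usr/sbin/sshd \
#     /usr/libexec/auth/login_passwd
```

The copy uses plain cp, as on the page, so no set-user-ID bit survives; that is fine here because /home is mounted nosuid anyway and the only privileged use of passwd is as root from inside the chroot.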
Create the needed device nodes (this is what the nodev change was for):
# cd /home/chroot/cvs/dev
# /dev/MAKEDEV std pty0 random
Now edit the user and group files inside the jail, leaving only the entries the jail needs: root, the sshd privilege-separation user, nobody and the CVS user. Keep the sshd line as it appears in the host's master.passwd so that its uid and gid agree with the sshd group line (on OpenBSD the privsep user is normally uid 27, gid 27 with home /var/empty; the listing below shows gid 16 against an sshd group with gid 27, so make sure yours match).
# cd /home/chroot/cvs
# nano etc/group
wheel:*:0:root
sshd:*:27:
_shadow:*:65:
nogroup:*:32766:
nobody:*:32767:
cvs:*:500:ricard
# nano etc/master.passwd
root:*:0:0::0:0:Administrador,,,:/root:/bin/ksh
sshd:*:16:16::0:0:& pseudo-user:/var/chroot/sshd:/sbin/nologin
nobody:*:32767:39::0:0:Unprivileged user:/nonexistent:/sbin/nologin
ricard:*:1000:500::0:0:Ricard Forniol,,,:/home/ricard:/bin/ksh
Build the password database inside the jail (-d makes pwd_mkdb write the .db files into the jail's etc instead of /etc; the second run with -p also regenerates the jail's etc/passwd):
# cd /home/chroot/cvs
# /usr/sbin/pwd_mkdb -d /home/chroot/cvs/etc etc/master.passwd
# /usr/sbin/pwd_mkdb -d /home/chroot/cvs/etc -p etc/master.passwd
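Editing the two files by hand works for a jail with four accounts, but a copied master.passwd on a host with more users is easy to prune inconsistently (a group still listing a member that no longer exists, or a user whose primary gid has no group line). The following is an added example, mine rather than the page's, that keeps only the named users, prunes group to the groups they still need, and checks that the two files agree before pwd_mkdb is run. The account lines used in the comments and test are constructed to resemble the page's; everything is plain awk, so it runs on any system.

```shell
#!/bin/sh
# Added example (not from the original page): reduce a copied
# master.passwd and group to the accounts a jail needs and verify that
# the two files are consistent before running pwd_mkdb.
# Constructed input used for illustration:
#   master.passwd: root, daemon, sshd, nobody, ricard (as on the page,
#                  plus a daemon account the jail does not need)
#   group:         wheel (root,ricard), daemon, sshd, nobody, cvs (ricard,bob)

# prune_passwd USERLIST MASTER_PASSWD: print only the lines of the users
# named in the comma-separated USERLIST.
prune_passwd() {
    awk -F: -v keep="$1" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        $1 in want
    ' "$2"
}

# prune_group PRUNED_PASSWD GROUP: keep a group only if it is the primary
# group of a remaining user or still has a remaining member, and strip
# members that no longer exist in the jail.
prune_group() {
    awk -F: '
        FNR == NR { user[$1] = 1; gid[$4] = 1; next }
        {
            out = ""
            m = split($4, mem, ",")
            for (i = 1; i <= m; i++)
                if (mem[i] in user) out = out (out == "" ? "" : ",") mem[i]
            if (($3 in gid) || out != "") print $1 ":" $2 ":" $3 ":" out
        }
    ' "$1" "$2"
}

# check_db MASTER_PASSWD GROUP: report users whose primary gid has no
# group line and group members that have no passwd line.  Returns 1 if
# anything was reported, 0 if the files agree.
check_db() {
    awk -F: '
        FNR == NR {
            gid[$3] = $1
            m = split($4, mem, ",")
            for (i = 1; i <= m; i++) if (mem[i] != "") member[mem[i]] = $1
            next
        }
        {
            user[$1] = 1
            if (!($4 in gid)) { print "user " $1 ": no group with gid " $4; bad = 1 }
        }
        END {
            for (u in member)
                if (!(u in user)) { print "group " member[u] ": unknown member " u; bad = 1 }
            exit bad
        }
    ' "$2" "$1"
}

# Typical use on the page's jail, run before the pwd_mkdb step:
# prune_passwd root,sshd,nobody,ricard /etc/master.passwd > etc/master.passwd
# prune_group etc/master.passwd /etc/group > etc/group
# check_db etc/master.passwd etc/group || echo "fix etc/master.passwd and etc/group first"
```

check_db is the part worth keeping around: run it against the jail's etc after every manual edit, since pwd_mkdb will happily build a database from a master.passwd whose gids point nowhere.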
Create the repository directory, owned by uid 1000 and gid 500 (the ricard and cvs entries defined above), and set the user's password from inside the jail:
# cd /home/chroot/cvs
# mkdir -p cvsroot
# chown 1000:500 cvsroot
# chmod 775 cvsroot
# chroot /home/chroot/cvs
# passwd ricard
Changing local password for ricard
New password:
Retype new password:
# exit
If passwd reports no error, the jail is working. Otherwise, first make sure the partition holding the chroot is mounted without nodev.
Now set up the jailed secure shell server so that it runs properly and does not collide with the host's sshd on the same machine. Generate host keys for the jail unless they already exist; note that cp -rf /etc/ssh above already copied the host's keys into the jail, so ssh-keygen will ask before overwriting them. The rsa1 key (first command) serves only SSH protocol 1; set Protocol 2 in the jail's sshd_config and skip it.
# cd /home/chroot/cvs/etc/ssh
# /usr/bin/ssh-keygen -t rsa1 -b 1024 -f ssh_host_key -N ''
# /usr/bin/ssh-keygen -t dsa -f ssh_host_dsa_key -N ''
# /usr/bin/ssh-keygen -t rsa -f ssh_host_rsa_key -N ''
Change the jailed server's port so that it does not clash with the host's sshd on port 22. We use 11750 as an example: uncomment the Port 22 line (remove the leading #) and set it to 11750. This is the jail's copy of sshd_config, so the host's sshd is unaffected. While there, consider adding AllowUsers ricard and PermitRootLogin no so that only the CVS account can log in to the jail.
# nano sshd_config
Port 11750
...
Start the jailed server:
# chroot /home/chroot/cvs /sbin/sshd
To make connecting from the client easier, edit ~/.ssh/config on the client and add the following lines at the end of the file (the Host name must be the one you later use in CVSROOT):
$ nano ~/.ssh/config
Host myserver.cvs.org
Port 11750
Save and try to connect:
$ ssh ricard@myserver.cvs.org
NOTE: the user must already have a password before the first login attempt (set above with passwd from inside the chroot). Because /home stays mounted nosuid, the set-user-ID bit on passwd inside the jail gives an ordinary user no privilege, so change passwords the same way, as root from a chroot shell, rather than from the user's own session.
With the ssh chroot in place, only two variables need to be set on the client before initialising the repository from there:
$ export CVSROOT=:ext:ricard@myserver.cvs.org:/cvsroot
$ export CVS_RSH=ssh
$ cvs init
NOTE: put the two export lines in ~/.profile (or the equivalent for your shell) so that CVSROOT and CVS_RSH are set every time you log in.
Make sure the permissions are right: directories 775, files 664, owner ricard and group cvs. These commands run on the host, outside the chroot, so the names ricard and cvs must resolve there too; if they do not, use the numeric ids 1000:500 as in the chown above.
# cd /home/chroot/cvs/cvsroot
# find . -type d -exec chown ricard:cvs {} \;
# find . -type d -exec chmod 775 {} \;
# find . -type f -exec chown ricard:cvs {} \;
# find . -type f -exec chmod 664 {} \;
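The four find passes above fix the tree but do not tell you whether anything was wrong, which is what you want to know after a commit made with a restrictive umask. Below is an added example, my own and not the page's, with a check_repo that lists every entry whose mode or ownership deviates from the rules above and returns non-zero when it finds one, and a fix_repo that applies the page's four passes in one call. Owner and group are parameters (names or numeric ids both work with find's -user and -group); the sample tree in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit and fix the ownership
# and modes of a CVS repository tree.  On the page the expected values are
# owner ricard (1000), group cvs (500), directories 775, files 664.
# Constructed sample tree used for illustration:
#   repo/CVSROOT/config      (file)
#   repo/project/file,v      (file, left 600 by a careless commit)

# check_repo ROOT OWNER GROUP: print every directory not mode 775, every
# regular file not mode 664, and anything not owned by OWNER:GROUP.
# Returns 1 if something was printed, 0 if the tree is clean.
check_repo() {
    root=$1 owner=$2 group=$3
    bad=$(find "$root" \( -type d ! -perm 775 \) -o \( -type f ! -perm 664 \) \
                       -o ! -user "$owner" -o ! -group "$group")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# fix_repo ROOT OWNER GROUP: the page's four find passes in one function.
# chown needs root unless OWNER:GROUP is already yourself.
fix_repo() {
    root=$1 owner=$2 group=$3
    find "$root" -type d -exec chown "$owner:$group" {} \; -exec chmod 775 {} \;
    find "$root" -type f -exec chown "$owner:$group" {} \; -exec chmod 664 {} \;
}

# Typical use on the page's repository (as root on the host):
# check_repo /home/chroot/cvs/cvsroot 1000 500 || fix_repo /home/chroot/cvs/cvsroot 1000 500
```

check_repo uses exact -perm matches, so a directory that picked up a setgid bit is reported too; that is deliberate, since the page's rule is "directories 775", not "at least 775".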
To start the jailed ssh server automatically at boot, add the following line to /etc/rc.local (the chroot command lives in /usr/sbin/chroot on OpenBSD):
# echo "/usr/sbin/chroot /home/chroot/cvs /sbin/sshd" >> /etc/rc.local
With this the CVS server is ready to run jailed. I recommend key-based authentication so that you are not asked for a password on every operation.