How to chroot to secure ssh/scp backups.

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
ciscodlink
DD-WRT User


Joined: 13 May 2014
Posts: 266

PostPosted: Sat Jul 17, 2021 16:46    Post subject: How to chroot to secure ssh/scp backups. Reply with quote
After some effort I was able to setup a chroot environment to limit where WinSCP (in my case) can access and what commands it can execute. This allows it to access only an attached USB hard drive mounted through the GUI on my ddwrt router.

To accomplish this I use a forced command to run a script in the "Authorized keys" section of "Services"
Code:
command="/jffs/chroot.sh" ssh-rsa.....


This runs the script

Code:
                                                                                            #!/bin/sh
touch /tmp/mnt/sda1/PC\ Backup/dev/null
chroot /tmp/mnt/sda1/PC\ Backup/ /bin/ash
rm /tmp/mnt/sda1/PC\ Backup/dev/null



To setup the chroot

Code:

mkdir /tmp/mnt/sda1/PC\ Backup
mkdir /tmp/mnt/sda1/PC\ Backup/bin
cd /bin
cp ash chattr chmod cp ln mkdir pwd  rmdir busybox chgrp chown echo ls mv rm sh /tmp/mnt/sda1/PC\ Backup/bin

mkdir /tmp/mnt/sda1/PC\ Backup/lib
cp /lib mkdir /tmp/mnt/sda1/PC\ Backup/lib
#this is probably more files than actually needed

mkdir /tmp/mnt/sda1/PC\ Backup/usr
mkdir /tmp/mnt/sda1/PC\ Backup/usr/bin
cp /usr/bin/scp /tmp/mnt/sda1/PC\ Backup/usr/bin

mkdir /tmp/mnt/sda1/PC\ Backup/usr/lib
cp /usr/lib/libshutils.so /tmp/mnt/sda1/PC\ Backup/usr/lib
Sponsor
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum