/usr/share/doc/makejail/examples/sshd.py is in makejail 0.0.5-10.
This file is owned by root:root, with mode 0o644.
# Makejail configuration file for sshd
#
# Created by Javier Fernandez-sanguino <jfs@computer.org>
# Thu, 29 Aug 2002 23:44:51 +0200
#
# Root directory of the jail.
# NOTE(review): chroot restricts filesystem lookups only; a process that keeps
# root privileges inside the jail is not contained by it, so treat this setup
# as hardening rather than as an isolation boundary.
chroot = "/var/chroot/sshd"

# Paths and glob patterns that makejail is told to copy into the jail
# explicitly. Entry order is kept exactly as shipped.
forceCopy = [
    # sshd host keys, daemon configuration and moduli file.
    # NOTE(review): "ssh_host*" matches the private host keys as well as the
    # .pub files; check that the copies inside the jail keep the restrictive
    # owner and mode of the originals.
    "/etc/ssh/ssh_host*",
    "/etc/ssh/sshd*",
    "/etc/ssh/moduli",
    # PAM configuration used by the ssh service.
    "/etc/pam.conf",
    "/etc/security/*",
    "/etc/pam.d/ssh",
    "/etc/pam.d/other",
    "/etc/pam.d/common*",
    # Name-resolution configuration.
    "/etc/hosts",
    "/etc/nsswitch.conf",
    # sshd runtime directory and PAM modules.
    "/var/run/sshd",
    "/lib/security/*",
    # Files consulted at login time.
    "/etc/shells",
    "/etc/nologin",
    "/etc/environment",
    "/etc/motd",
    # NOTE(review): /etc/shadow is force-copied here and is also listed in
    # userFiles further down. Confirm the jail does not end up holding
    # password hashes for accounts that are not named in 'users'.
    "/etc/shadow",
    # "/etc/hosts*" already matches "/etc/hosts" listed above, plus any
    # hosts.allow / hosts.deny present on the host.
    "/etc/hosts*",
    # Every binary in /bin whose name ends in "sh", and the NSS libraries.
    "/bin/*sh",
    "/lib/libnss*",
    # Pseudo-terminal device nodes needed for interactive sessions.
    "/dev/pt*",
    "/dev/ttyp[0-9]*",
]
# Variant that also preserves the jail's /etc/. Do not use it if you want to
# make configuration changes *outside* of the chroot environment:
# preserve=["/etc/","/home/","/dev/"]
# Default: preserve only the device nodes and the home directories.
# NOTE(review): preserve is understood to list path prefixes that makejail
# leaves in place when it cleans an existing jail - confirm against the
# makejail documentation.
preserve = ["/dev/", "/home"]
# Account databases handled for the jail, and the accounts carried into them.
# Besides the sshd user (needed after 3.4p1), every user who is going to be
# granted access to the ssh daemon must be added to 'users' and 'groups'.
# NOTE(review): presumably these files are reduced to the entries named in
# 'users' / 'groups' - confirm against the makejail documentation.
userFiles = ["/etc/passwd", "/etc/shadow"]
groupFiles = ["/etc/group", "/etc/gshadow"]
users = ["sshd"]
groups = ["sshd"]

# Command run inside the jail to start the daemon.
testCommandsInsideJail = [
    "start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd",
]

# Command run from the host side to exercise the jailed daemon.
testCommandsOutsideJail = [
    "ssh localhost",
]

# Process name that identifies the daemon.
processNames = [
    "sshd",
]
# Changes needed to jail sshd:
# 1.- Start makejail with this configuration file.
# It might not be able to start the daemon, since the daemon tries to
# access /dev/log (handled by syslogd).
#
# 2.- In init.d's startup script (/etc/init.d/sshd):
# replace "start-stop-daemon ..." with "chroot /var/chroot/sshd start-stop-daemon ..."
#
# 3.- configure syslog to also listen to the socket /var/chroot/sshd/dev/log,
# restart sysklogd.
# (for Debian) This can be done by changing the SYSLOGD option in
# /etc/init.d/syslogd to
# SYSLOGD="-p /dev/log -p /var/chroot/sshd/dev/log"
#
# 4.- Create the user directories under /home and copy their files there
#
# 5.- Users will not be able to do a single thing in the restricted environment
# besides running their shell. You will have to add some utilities
# to the chrooted environment. Try adding this to the configuration:
# packages=["coreutils"]
# You can add any other Debian packages you want users to have access
# to. Every package added is also available to anyone who logs in to the
# jail, so add only what the users actually need.
#
# WARNING: this configuration file has only been lightly tested;
# it has not been thoroughly tested yet.