20

I would like to set up a chroot jail for most (not all) users logging in through SSH. I've heard it's possible with the latest versions of OpenSSH, but I've not been able to find out how to do it. The how-tos all talk of patching an old version, and the patch is no longer available.

I'm running Debian etch.

Malfist

5 Answers

13

I am using rssh for this purpose.

You are right, there is a new way to do it, and it is a built-in feature of recent ssh versions.

Here is an article on Undeadly.

cstamas
6

I just had to set up one user who would be able to log in via ssh and then ssh to another server (which is not directly connected to the outside world). The links by cstamas and ericmayo were a good start.

Basically, I added the following to /etc/ssh/sshd_config:

Match User myuser
  ChrootDirectory /chroot/myuser

From there on, I just had to create the chroot environment below /chroot/myuser. I copied /bin/bash and /usr/bin/ssh and the shared libraries they needed (ldd will show those). For a larger environment, it would probably make sense to compile statically linked versions of the needed executables.

Bash worked right away; for ssh to work, I also had to create the .ssh directory, copy /etc/passwd, /etc/nsswitch.conf and /lib/libnss_* and create /dev/null, /dev/tty and /dev/urandom via mknod.

Marie Fischer
2
mkdir /chroot
mkdir -p /chroot/home/<user_name>

mkdir /chroot/home/<user_name>/bin
cp -pr /bin/bash /chroot/home/<user_name>/bin/.
cp -pr /bin/ls /chroot/home/<user_name>/bin/.
cp -pr /lib64 /chroot/home/<user_name>/.

You have to edit the /etc/sshd_config file and add

ChrootDirectory /chroot/%h

And restart the sshd daemon.

All being said, I honestly think that sftp is a better option.

Also, I found this URL, if it is helpful.

http://www.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229

Soham Chakraborty
1

If you are using public-key authentication, you could use the "command" option in authorized_keys to set up the chroot jail.

~/.ssh/authorized_keys:

command="/path/to/the/chroot/script" ssh-dss keydata.....keydata... user@host
UloPe
0

As far as I know, new versions of OpenSSH only allow chroot for SFTP connections. I tried it and it works. But for SSH the solution available is the chrootssh patch. I browsed the SourceForge site and there are no files, so I think it is discontinued.

For Debian Etch there are some files here: http://debian.home-dn.net/etch/ssh/

There are other solutions here: http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html, including chrootssh.

hdanniel