Reese Knowledgebase

Create a chroot jail with openssh


Article ID: 21
by: Reese K.
Posted: 25 Oct, 2011
Last updated: 25 Oct, 2011
Views: 3175

How to create a chroot jail with openssh (sftp only)

This write-up describes how to use openssh to set up a chroot jail for sftp connections within the CentOS family.  I tried & tried to install and configure rssh to no avail.  I was continually met with "Connection closed" messages, which is documented in the rssh FAQ, and the provided solution did not work.  I therefore sought out an alternative and was pleased to find a simpler solution using openssh.

Check current version of openssh

If you're not running openssh version 4.9p1 or higher, you must upgrade openssh in order to take advantage of the built-in chroot feature (ChrootDirectory) and avoid having to set up an elaborate chroot populated with libraries and third-party shells.

Start by installing some development tools

# yum install gcc
# yum install openssl-devel
# yum install pam-devel
# yum install rpm-build

Download openssh 5.2p1

# wget ftp://mirror.planetunix.net/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz

Build RPM based off the source

# tar xvfz openssh-5.2p1.tar.gz
# cp ./openssh-5.2p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
# cp  ./openssh-5.2p1.tar.gz /usr/src/redhat/SOURCES/
# cd /usr/src/redhat/SPECS/
# perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
# rpmbuild -bb openssh.spec
# cd /usr/src/redhat/RPMS/`uname -i`
# ls -l

-rw-r--r-- 1 root root 275215 Oct 25 16:31 openssh-5.2p1-1.x86_64.rpm
-rw-r--r-- 1 root root 437468 Oct 25 16:31 openssh-clients-5.2p1-1.x86_64.rpm
-rw-r--r-- 1 root root 275724 Oct 25 16:31 openssh-server-5.2p1-1.x86_64.rpm


# rpm -Uvh openssh*rpm
Preparing...                ########################################### [100%]
   1:openssh                ########################################### [ 33%]
   2:openssh-clients        ########################################### [ 67%]
   3:openssh-server         ########################################### [100%]

warning: /etc/pam.d/sshd created as /etc/pam.d/sshd.rpmnew
warning: /etc/ssh/sshd_config created as /etc/ssh/sshd_config.rpmnew

# mv /etc/pam.d/sshd /etc/pam.d/sshd.orig
# cp /etc/pam.d/sshd.rpmnew /etc/pam.d/sshd
# mv /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
# cp /etc/ssh/sshd_config.rpmnew /etc/ssh/sshd_config

Restart sshd and verify version

# service sshd restart
# ssh -V
OpenSSH_5.2p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

After restarting, the init script may warn that initlog is obsolete; this can be ignored, as that option is deprecated.

Configure sshd_config and restart sshd

# vi /etc/ssh/sshd_config

Set the following options at the very end of the file.  Note that you may have to comment out the existing sftp-server Subsystem line.  Also ensure the "Match" directive is at the end of the config file, since everything after a Match line applies only to the matching connections.

# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

Match Group sftp
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no

Don't forget to restart sshd after saving the sshd_config file.

Add chroot group/user and set permissions

# groupadd sftp
# useradd -d /chroot -u 555 -G sftp -m -s /bin/false sftpuser
# chown root:root /chroot
# chmod 0755 /chroot
# mkdir /chroot/sftpuser
# chown sftpuser:sftp /chroot/sftpuser

Setting the user's shell to /bin/false ensures they will never get shell access.  You may set the permissions for your given scenario, with one constraint: sshd requires the chroot directory (/chroot) and every directory above it to be owned by root and writable only by root, or it will refuse the login.  The above example is the proper setup if more than one user is given access: nothing can be created in the root of the jail (/chroot), and uploading of files/directories is only allowed within the user's "personal" directory (sftpuser).

That's it.  sftp to the host and the user will not be able to traverse the file system outside the jail.
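As an added example (not part of the original article), a small POSIX shell pre-flight that checks the two things this setup depends on: that the jail directories satisfy sshd's ownership and mode rules, and that sshd_config carries the internal-sftp subsystem and a Match section that chroots and forces internal-sftp. It assumes a `stat` that accepts `-c '%u %A'` (GNU or busybox) and builds its own constructed fixtures, passing the current uid where a real host would require uid 0.

```sh
#!/bin/sh
# Added example, not from the article: pre-flight checks for the jail above.
# sshd refuses a ChrootDirectory unless it and every parent directory are
# owned by root and writable only by the owner; a bad jail is logged as
# "bad ownership or modes for chroot directory", the client sees "Connection closed".

# Owner uid must equal $2 (0 in production; pass your own uid when testing
# unprivileged) and the mode must carry no group/other write bit.
chroot_dir_ok() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || return 1
    set -- $(stat -c '%u %A' "$dir") || return 1
    [ "$1" = "$want_uid" ] || return 1
    case $2 in ?????w*|????????w*) return 1 ;; esac   # group/world writable
}

# Walk from the jail root up to /, the same path check sshd performs.
chroot_path_ok() {
    p=$1; want_uid=${2:-0}
    while :; do
        chroot_dir_ok "$p" "$want_uid" || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# sshd_config must use the internal sftp subsystem, and its Match section
# (first Match line to end of file) must chroot and force internal-sftp.
sftp_config_ok() {
    cfg=$1
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$cfg" || return 1
    block=$(sed -n '/^[[:space:]]*Match[[:space:]]/,$p' "$cfg")
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*ChrootDirectory[[:space:]]' || return 1
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp'
}

# Constructed fixtures so the checks run offline and without root.
make_fixtures() {
    t=$(mktemp -d)
    mkdir -m 755 "$t/good"   # like /chroot above: owner-writable only
    mkdir -m 775 "$t/bad"    # group-writable: sshd would refuse it
    printf 'Subsystem sftp internal-sftp\nMatch Group sftp\n\tChrootDirectory %%h\n\tForceCommand internal-sftp\n' > "$t/sshd_config.good"
    printf 'Subsystem sftp /usr/libexec/openssh/sftp-server\n' > "$t/sshd_config.bad"
    echo "$t"
}

fx=$(make_fixtures)   # demo; on a real host run: chroot_path_ok /chroot
for d in good bad; do
    chroot_dir_ok "$fx/$d" "$(id -u)" && echo "$d: ok" || echo "$d: REJECTED"
done
```

On the real host, `chroot_path_ok /chroot && sftp_config_ok /etc/ssh/sshd_config` is the check to run before restarting sshd.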
