Ssh Chroot



You may have seen the recent commit message from djm@ about the new feature in OpenSSH: ChrootDirectory

Damien Miller (djm@), who worked on this new feature with Markus Friedl (markus@), offers more details about ChrootDirectory:

This commit adds a chroot(2) facility to sshd, controlled by a new sshd_config(5) option 'ChrootDirectory'. This can be used to 'jail' users into a limited view of the filesystem, such as their home directory, rather than letting them see the full filesystem.

Ssh Chroot Jail

More from Damien follows.

As far as I know new versions of OpenSSH only allows chroot for SFTP connections. I tried and it works. But for SSH the solution available is the chrootssh patch. I browse the SourceForge site and there are no files so I think is discontinued. I wanted to setup a way to allow SSH access to my machine but limit their abilities heavily. To do that I figured a chroot jail was the best way. In this example I'm using ArchLinux and OpenSSH 5.1p1. It should be a very similar process on any.nix operating system. Setup your test user.

Unfortunately, setting up a chroot(2) environment is complicated, fragile and annoying to maintain. The most frequent reason our users have given when asking for chroot support in sshd is so they can set up file servers that limit semi-trusted users to be able to access certain files only. Because of this, we have made this particular case very easy to configure.

In a previous commit, markus@ implemented an 'in-process' sftp server in sshd, basically linking sftp-server(8) into sshd(8). When the in-process sftp server is used, sshd does not need any special chroot configuration (no /dev nodes, no libraries, no statically-linked sftp-server) so the chroot setup and maintenance burden is eliminated. The chroot support does work for login and command-execution sessions too, but administrators will need to configure the chroot environment manually.

Ssh Chroot Authorized_keys

To set up a restricted sftp server one should use the 'ForceCommand' and 'ChrootDirectory' directives in sshd_config. Presumably most people will not want to restrict every user, so they should also use the 'Match' directive to select a user or group to apply the restrictions to. For example:

This will cause the user 'djm' to be chrooted to the '/chroot' directory at login, and the use of the in-process sftp server will be forced for all connections. I.e. the user will not be able to login interactively, or run arbitrary commands - the login will only be useful for sftp transfers. Note that the user's home directory may exist under the '/chroot' directory above (e.g. '/chroot/home/djm') and sshd will try to chdir to it before starting to serve files, but it doesn't matter if it does not exist.

Setting up a safe chroot jail is somewhat tricky, and it is quite easy to make to compromise one's security. To reduce this risk, sshd ensures the ChrootDirectory and each of its components is root-owned and not writable by other users, but it is still possible for administrators to break their own setups by doing dumb things (e.g. leaving /dev nodes for the physical drives in a chroot, executing scripts inside the chroot from cron(8) or elsewhere, etc.).

A limitation of the chroot support is that the in-process sftp server does not support scp(1) transfers. scp is a really busted protocol and it would be a fair bit more work to build it in in the way we have built in sftp. It is still possible to support chrooted scp, but administrators will need to populate the chroot environment manually. Please use sftp instead.

To make the internal-sftp chroot work for me, I made the following changes to /etc/ssh/sshd_config:

The full commit message:

Thanks to Damien Miller for taking the time to explain the ChrootDirectory feature.

Introduction

In one of our previous articles we demonstrated how to configure chrooted sftp user accounts. Along with the configuration of chrooted sftp accounts you can actually configure a mechanism for chrooted ssh access as well. This type of chrooted ssh setup is commonly referred to as a chroot jail and we will be explaining it’s configuration step by step in this article. Chrooted jails are a means of separating specific user operations from the rest of the Linux system. This configuration changes the apparent root directory for the current running user process and its child process with new root directory called a chrooted jail.

Step 1: Create chroot home directory.

We need to disable SELinux for this setup to work.

Ssh

We will be copying certain binaries and library files into this directory. So, let’s create the sub-directories in which we will place these binaries and library files.

Now under the dev/ directory we will be creating certain required character device files using the mknod command. In the command below, the -m flag is used to specify the file permissions bits, c means character file and the two numbers are major and minor numbers that the files point to.

SshSsh Chroot

Step 2: Copy bash binary to chrooted home directory
Since a jailed environment is isolated from the rest of the system, we will not have access to any user commands not even the bash shell while we are in the chroted jailed environment. So, in order to have access to the bash shell we will copy the bash binary to our chrooted home directory along with the shared libraries required by bash. To know which shared libraries are required by a binary we run the ldd command followed by the full path of the binary.

Now we will need to copy the above mentioned library files along with the /bin/bash binary file to the appropriate directories in the /chroot/home directory.

We now need to execute the chroot command followed by the chrooted home directory name to comlplete the chroot environment setup.

As you may observe once we entered the chrooted environment even the ls command did not work since the required binary files and libraries files are not available. However since we had copied the bash shell binary and associated library files, we have access to the bash shell along with it’s built ins.

Step 3: Copy required binary files and associated library files.
To copy the required library files we’ve written a small script using which you only have to specify the full path of the binary and the script will copy the required library files.

Let’s execute this script now.

Step 4: Add user that is to be jailed.
While adding the user account to be jailed we will also be creating a group named sshonly and add it as a secondary group to the user that we are going to create.

We will make use of the group sshonly in the sshd_config file such that any member of this group will be given a jailed ssh environment.

Step 5: Modify /etc/ssh/sshd_config file and restart sshd service
Add the following lines to the /etc/ssh/sshd_config file and then restart the sshd service.

Step 6: Test and validate the setup
Now that we have completed the configuration let’s try to login as the user sahil and test it.

Conclusion

In this article we demonstrated step by step how you would setup a chroot jailed ssh account. We hope that you found this post to be useful and we look forward towards your suggestions and feedback.

The following two tabs change content below.
He started his career in IT in 2011 as a system administrator. He has since worked with HP-UX, Solaris and Linux operating systems along with exposure to high availability and virtualization solutions. He has a keen interest in shell, Python and Perl scripting and is learning the ropes on AWS cloud, DevOps tools, and methodologies. He enjoys sharing the knowledge he's gained over the years with the rest of the community.
  • Introduction to the aptitude package manager for Ubuntu - March 26, 2021
  • zypper package management tool examples for managing packages on SUSE Linux - March 26, 2021
  • APT-CACHE and APT-GET commands for package management in Ubuntu - March 25, 2021
  • 12 DPKG command examples - March 25, 2021
  • Monitoring a Remote Centos 6 server with Nagios core - February 24, 2021