Create chroot jailed SSH User

Posted on 14 May 2010 - 11:11 in GNU/Linux - Comments (1)

This will set up a user who, on SSH login, is confined to a chroot jail (requires OpenSSH >= 4.9).

1. Create user:

# useradd -G users -s /bin/bash jail
# passwd jail

2. Create chroot jail:

# mkdir -p /var/jail/{bin,home/jail,lib}
# cp -aL /bin/{bash,cat,cp,echo,grep,gzip,less,ln,ls,mkdir,more,mv,nano,pwd,rm,sh,tar,vi} /var/jail/bin/
# cp -a /etc/skel/. /var/jail/home/jail/
# chown -R jail:users /var/jail/home/jail/

Copy the required libraries. If the host has a /lib64 link to /lib, add the same link inside the jail.

# ldd /var/jail/bin/* | grep -Eo '(/usr)?/lib[^ ]*' | sort | uniq | xargs -I{} cp -aL '{}' /var/jail/lib/

This creates a minimal environment for the SSH user.
You can add more functionality, e.g. device nodes, files from /etc or programs from /usr/bin (including the libraries they depend on).

3. Configure sshd:

Add the following to /etc/ssh/sshd_config:

Match User jail
  ChrootDirectory /var/jail/

Restart sshd:

# /etc/init.d/sshd restart

This work is licensed under a Creative Commons Attribution 2.5 Switzerland License