Create chroot jailed SSH User
This sets up a user who, on SSH login, is confined to a chroot jail (requires OpenSSH >= 4.9).
1. Create user:
# useradd -G users -s /bin/bash jail
# passwd jail
2. Create chroot jail:
# mkdir -p /var/jail/{bin,home/jail,lib}
# cp -aL /bin/{bash,cat,cp,echo,grep,gzip,less,ln,ls,mkdir,more,mv,nano,pwd,rm,sh,tar,vi} /var/jail/bin/
# cp -a /etc/skel/. /var/jail/home/jail/
# chown -R jail:users /var/jail/home/jail/
Copy the required libraries. Check whether the host has a /lib64 link pointing to /lib and, if so, add the same link inside the jail.
# ldd /var/jail/bin/* | grep -Eo '/lib[^ ]*' | sort | uniq | xargs -I{} cp -aL '{}' /var/jail/lib/
This creates a minimal environment for the ssh user.
You can add more functionality, e.g. device nodes, /etc files or /usr/bin programs (incl. their dependent libraries).
3. Configure sshd:
Add the following to /etc/ssh/sshd_config
Match User jail
    ChrootDirectory /var/jail/
Restart sshd
# /etc/init.d/sshd restart
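sshd only accepts a ChrootDirectory whose path components are all root-owned directories that are not writable by any other user or group (see sshd_config(5)); otherwise the login is refused. The check below is an added example, not part of the original howto: it walks a directory such as /var/jail up to / and reports any component that breaks that rule. It assumes GNU stat (stat -c), and the function names are illustrative.

```sh
#!/bin/sh
# Added example: verify that a ChrootDirectory path satisfies sshd's
# ownership rule. Assumes GNU stat (stat -c); function names are illustrative.

# mode_ok UID OCTAL_MODE -> 0 if root-owned and not group/other-writable
mode_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR -> 0 if DIR and every parent up to / pass mode_ok,
# 1 if any component fails, 2 if DIR is not an accessible directory.
check_chroot_path() {
    # Resolve to the physical path so each real directory is inspected.
    ccp_dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        return 2
    }
    ccp_rc=0
    while :; do
        ccp_uid=$(stat -c %u "$ccp_dir")
        ccp_mode=$(stat -c %a "$ccp_dir")
        if mode_ok "$ccp_uid" "$ccp_mode"; then
            echo "ok    $ccp_dir"
        else
            echo "FAIL  $ccp_dir (uid=$ccp_uid mode=$ccp_mode)"
            ccp_rc=1
        fi
        if [ "$ccp_dir" = / ]; then break; fi
        ccp_dir=$(dirname "$ccp_dir")
    done
    return "$ccp_rc"
}

# Run against the directory given on the command line, e.g. /var/jail.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```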
#1 — Comment by rofl — 27 May 2010 - 10:07
Wow – it's that easy? I always thought that it's very difficult to set up a chroot jail… Thanks for the howto, wag!
Plus, it seems to be even more simple when you only want to use sftp:
http://www.debian-administration.org/articles/590