Chrooting SSH
This guide explains how to chroot users that log in to the ssh server.
Creating user and ssh group
First, we create the group ssh that all ssh users must belong to.
# groupadd ssh
If the user account does not already exist, we must create it with adduser or useradd.
# useradd -m -G ssh -s /bin/ksh $USER
# passwd $USER
Replace $USER with the actual user. We set the default shell to ksh.
If the user account already exists, make sure the user is a member of the ssh group:
# usermod -G ssh $USER
We then append this block to sshd_config:
Match Group ssh
    PasswordAuthentication yes
    ChrootDirectory %h
    DisableForwarding yes
    PermitTunnel no
    PermitTTY no
We then reload the configuration:
# pkill -HUP sshd
In sshd_config(5), it states:
ChrootDirectory Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by group or others. After the chroot, sshd(8) changes the working directory to the user's home directory.
sshd(8) requires that the chroot directory be owned by root, and not writable by group or others. Since the chroot directory is the user's home folder, we run:
# chown root:wheel /home/$USER
# ls -ld /home/$USER
drwxr-xr-x 4 root wheel 512B Jun 17 12:56 /home/$USER
Inside the home directory, we create the user's home folder, and populate it with files from /etc/skel:
# mkdir -p /home/$USER/home/$USER
# cp -R /etc/skel/.* /home/$USER/home/$USER/
# chown -R $USER:$USER /home/$USER/home/$USER
The shell requires a few device nodes and the shell itself:
# cd /home/$USER
# /dev/MAKEDEV std
# rm console klog kmem ksyms mem xf86
Copy the shell inside the chroot:
# mkdir /home/$USER/bin
# cp /bin/ksh /home/$USER/bin/
Create the etc folder:
# mkdir -p /home/$USER/etc
Create /home/$USER/etc/passwd and /home/$USER/etc/group:
# cat /home/$USER/etc/passwd
root:*:0:0:Charlie &:/root:/bin/ksh
$USER:*:1000:1000::/home/$USER:/bin/ksh
# cat /home/$USER/etc/group
wheel:*:0:root
$USER:*:1000:
Next, you'll probably want to add programs that the shell can call. For example, see instructions on how to add openrsync.
Troubleshooting
The default syslog.conf will record any authentication information messages in /var/log/authlog:
Jun 17 12:49:01 $USER sshd[60020]: fatal: bad ownership or modes for chroot directory component "/home/$USER/"
This error message indicates a file permission error: a component of the chroot path is not owned by root, or is writable by group or others.
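The check that produces that message can be run ahead of time. The following script is an added example and is not part of the original guide or of OpenBSD: it walks every component of the ChrootDirectory the way sshd(8) does at session startup (root-owned, not writable by group or others), then checks that the passwd copied into the chroot carries no password hashes and that nothing inside the chroot is setuid or setgid. It assumes a POSIX sh, an ls(1) that accepts -n and a find(1) that accepts -perm; the expected owner defaults to uid 0 but can be overridden so the checks can be exercised on a scratch tree owned by an unprivileged user.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a ChrootDirectory before
# a user logs in, reproducing the per-component check sshd(8) performs (which
# yields the "bad ownership or modes" message above), plus two checks on what
# was copied into the chroot. Assumes POSIX sh, ls -n and find -perm.

# check_component DIR [OWNER_UID]
# 0 if DIR is a directory owned by OWNER_UID and not writable by group or
# others, 1 otherwise (reason on stderr).
check_component() {
    dir=$1; owner=${2:-0}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # ls -ldn prints e.g. "drwxr-xr-x 4 0 0 512 Jun 17 12:56 /home/alice":
    # field 1 is the mode string, field 3 the numeric owner uid
    set -- $(ls -ldn "$dir")
    mode=$1; uid=$3
    [ "$uid" = "$owner" ] || { echo "$dir: owned by uid $uid, expected $owner" >&2; return 1; }
    case $mode in
        ?????w*)    echo "$dir: writable by group" >&2; return 1 ;;   # 6th char is group w
        ????????w*) echo "$dir: writable by others" >&2; return 1 ;;  # 9th char is other w
    esac
    return 0
}

# check_chroot_path PATH [OWNER_UID]
# Walk PATH component by component, as sshd does at session startup, and apply
# check_component to each. A relative PATH is walked from the current directory
# (sshd itself only ever sees absolute paths); that is what lets the checks run
# on a scratch tree.
check_chroot_path() {
    path=$1; owner=${2:-0}
    case $path in
        /*) cur=/; rest=${path#/}; check_component / "$owner" || return 1 ;;
        *)  cur=;  rest=$path ;;
    esac
    old_ifs=$IFS; IFS=/; set -f          # split on "/" only, no globbing
    set -- $rest
    IFS=$old_ifs; set +f
    for comp in "$@"; do
        [ -n "$comp" ] || continue       # skip empty parts from "//" or a trailing "/"
        cur=$cur$comp
        check_component "$cur" "$owner" || return 1
        cur=$cur/
    done
    return 0
}

# check_chroot_passwd FILE
# The passwd copied into the chroot must carry no password hashes: the guide's
# entries use "*" in the password field, so anything else is a finding.
check_chroot_passwd() {
    [ -f "$1" ] || { echo "$1: missing" >&2; return 1; }
    bad=$(awk -F: '$2 != "*" { print $1 }' "$1")
    [ -z "$bad" ] || { echo "$1: password field set for: $bad" >&2; return 1; }
    return 0
}

# check_no_setuid DIR
# Nothing copied into the chroot should be set-user-ID or set-group-ID.
check_no_setuid() {
    found=$(find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print)
    [ -z "$found" ] || { echo "setuid/setgid files inside chroot: $found" >&2; return 1; }
    return 0
}

# audit_chroot CHROOT [OWNER_UID]: run all checks; 0 only if every one passes.
audit_chroot() {
    check_chroot_path "$1" "${2:-0}" &&
    check_chroot_passwd "$1/etc/passwd" &&
    check_no_setuid "$1"
}

# Usage: sh audit_chroot.sh /home/$USER   (run as root on the ssh server)
if [ $# -gt 0 ]; then
    audit_chroot "$@" && echo "$1: ok"
fi
```

Running it as root with the chroot path as argument reports the first failing component, which is the one sshd will name in authlog. To confirm that the Match block in sshd_config applies to the account at all, sshd -T -C user=$USER prints the effective configuration for a login by that user, including ChrootDirectory.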