SSH with chroot Jail

There are numerous times when we sysadmins are asked to configure SSH access for restricted users in a chroot jail environment. In this tutorial I have tried to explain the configuration of SSH in a chrooted environment.

1. First, upgrade OpenSSH 4.x to OpenSSH 5.x (the ChrootDirectory directive used in step 6 only exists from OpenSSH 4.8 onward)

rpm -qa | grep -e openssl -e krb -e openssh

Output:
openssh-clients-4.3p2
openssh-server-4.3p2
krb5-devel-1.6.1
openssl-0.9.8e
openssl-devel-0.9.8e
openssh-4.3p2
krb5-libs-1.6.1

yum install pam pam-devel krb5-devel

2. Download latest OpenSSH package

wget http://openbsd.org.ar/pub/OpenBSD/OpenSSH/portable/openssh-5.4p1.tar.gz

tar zxf openssh-5.4p1.tar.gz

cd openssh-5.4p1

./configure --prefix=/usr/local/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-kerberos5 --with-ssl-engine

make

make install

3. Open the file /usr/local/ssh/etc/sshd_config.

Change the Port directive from the default to a non-standard SSH port, say 2222, so the new daemon can run alongside the existing sshd on port 22 while you test it.

Save and quit.

Run the following command to start the SSH daemon:

/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config

===================== OpenSSH upgrade is complete =====================

4. Testing

ssh <user>@<server> -p 2222

(Replace the placeholders with the account and host you are testing.)

You should be able to log in without any problem if the installation went fine. Now change the port back to the default, 22, in /usr/local/ssh/etc/sshd_config.

Save and quit.

Kill all instances of the old sshd running on the server.

Start the new sshd using the command:

/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config

5. Configure chroot environment

Create the chroot jail directory with the required subdirectories:

mkdir /webroot
mkdir /webroot/home/
cd /webroot
mkdir etc
mkdir sbin
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5

Copy the required directories and files into the chroot jail:

cp -avr /etc/* etc/
cp -avr /usr/* usr/
cp -avr /bin/* bin/
cp -avr /sbin/* sbin/
cp -avr /lib/* lib/
# rebuild passwd and group with only root and testuser; the second command
# of each pair must append (>>), otherwise it overwrites the root entry
grep /etc/passwd -e "^root:" > etc/passwd
grep /etc/passwd -e "^testuser:" >> etc/passwd
grep /etc/group -e "^root:" -e "^users:" > etc/group
grep /etc/group -e "^testuser:" >> etc/group

NOTE: Check with ldd /bin/bash whether the binaries you copied need libraries from /lib, /lib64 or both, and copy those directories accordingly. Also note that cp -avr /etc/* copies /etc/shadow and the host's SSH host keys into the jail as well; a jailed user has no need of them, so delete them from /webroot/etc.

6. Chrooting a User

Add the following to /usr/local/ssh/etc/sshd_config:

Match User testuser
ChrootDirectory /webroot

sshd only honours ChrootDirectory when /webroot and every directory above it are owned by root and not writable by group or others; otherwise the login is refused and the log shows "bad ownership or modes for chroot directory".

Terminate the SSH server and start it again using the command

/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config

NOTE: If you want to allow both SSH and SFTP connections, you also need to copy the /usr/local/ssh directory into the jail, because the sftp-server binary named by the Subsystem line is executed after the chroot and so must exist inside /webroot. (Using "Subsystem sftp internal-sftp" instead avoids this, since the SFTP server then runs inside the sshd process.)
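The jail population from step 5, written as a script that follows the ldd check from the NOTE. This is an added example, not part of the tutorial: the function names (jail_add_bin, jail_add_account, jail_check_secrets) are chosen here, and the script copies only the named binaries and the libraries ldd reports for them instead of whole directory trees.

```shell
#!/bin/sh
# Added example, not from the original tutorial: populate the jail with only
# the binaries a jailed user needs plus the libraries ldd reports for them,
# instead of "cp -avr /etc/* /usr/* /bin/* /sbin/* /lib/*", which also
# carries /etc/shadow and the host's SSH host keys into /webroot.
# Function names (jail_add_bin, jail_add_account, jail_check_secrets) are
# chosen here, not taken from the tutorial.
set -e

# Copy one binary plus every shared library ldd lists for it, keeping paths
# (e.g. /lib64/ld-linux-x86-64.so.2 -> $jail/lib64/ld-linux-x86-64.so.2).
jail_add_bin() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -L "$bin" "$jail$bin"
    # ldd lines look like "libc.so.6 => /lib/.../libc.so.6 (0x..)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x..)"; keep only the absolute paths.
    ldd "$bin" 2>/dev/null | awk '/=>/ {print $3} /^[ \t]*\// {print $1}' |
    while read -r lib; do
        [ -f "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"
    done
}

# Build the jail's passwd and group from root plus the jailed user only.
# The second grep appends with >>; using > twice keeps only the last match.
jail_add_account() {
    jail=$1; user=$2; src_passwd=$3; src_group=$4
    mkdir -p "$jail/etc"
    grep -e '^root:' "$src_passwd" > "$jail/etc/passwd"
    grep -e "^$user:" "$src_passwd" >> "$jail/etc/passwd"
    grep -e '^root:' -e '^users:' "$src_group" > "$jail/etc/group"
    grep -e "^$user:" "$src_group" >> "$jail/etc/group" || true
}

# Refuse a jail that still carries credential files copied from the host.
jail_check_secrets() {
    jail=$1
    for f in etc/shadow etc/gshadow etc/sudoers; do
        if [ -e "$jail/$f" ]; then
            echo "refusing: $jail/$f is inside the jail" >&2
            return 1
        fi
    done
    return 0
}
```

Run it as root on the real jail, e.g. jail_add_account /webroot testuser /etc/passwd /etc/group followed by jail_add_bin /webroot /bin/bash for each binary the user should have. The mknod and home directory commands from step 5 are still needed alongside it.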
