Ping a Specific Port

Question

Malfist

Asked: 2009-07-14 09:12:09 +0800 CST2009-07-14 09:12:09 +0800 CST 2009-07-14 09:12:09 +0800 CST

How can I chroot ssh connections?

772

I would like to setup a chroot jail for most (not all) users logging in though SSH. I've heard it's possible with the latest versions of openssh, but I've not been able to find out how to do it. The How To's all talk of patching an old version, and the patch is no longer available.

I'm running debian etch.

5 Answers

Voted

cstamas · Answer 1 · 2009-07-14T09:50:18+08:00

Best Answer

cstamas

2009-07-14T09:50:18+08:002009-07-14T09:50:18+08:00

I am using rssh for this purpose.

You are right there is a new way to do it and it is a built-in feature of recent ssh versions.

Here is an article on Undeadly.

13

Marie Fischer · Answer 2 · 2009-07-18T13:04:32+08:00

Marie Fischer

2009-07-18T13:04:32+08:002009-07-18T13:04:32+08:00

I just had to setup one user who would be able to log in via ssh and the ssh to another server (which is not directly connected to the outside world). The links by cstamas and ericmayo were a good start.

Basically, I added the following to /etc/ssh/sshd_config:

Match User myuser
  ChrootDirectory /chroot/myuser

From there on, I just had to create the chroot environment below /chroot/myuser. I copied /bin/bash and /usr/bin/ssh and the shared libraries they needed (ldd will show those). For a larger environment, it would probably make sense to compile statically linked versions of the needed executables.

Bash worked right away, for ssh to work, I also had to create the .ssh directory, copy /etc/passwd, /etc/nsswitch.conf and /lib/libnss_* and create /dev/null, /dev/tty and /dev/urandom via mknod.

6

Soham Chakraborty · Answer 3 · 2012-10-09T05:26:35+08:00

Soham Chakraborty

2012-10-09T05:26:35+08:002012-10-09T05:26:35+08:00

mkdir /chroot
mkdir -p /chroot/home/<user_name>

mkdir /chroot/home/<user-name>/bin  
cp -pr /bin/bash /chroot/home/<user_name>/bin/.  
cp -pr /bin/ls /chroot/home/<user_name>/bin/.  
cp -pr /lib64 /chroot/home/<user_name>/.

You have to edit the /etc/sshd_config file and addd

ChrootDirectory /chroot/%h

And restart sshd daemon.

All being said, I honestly think that sftp is a better option.

Also, I found this url if it is helpful.

http://www.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229

2

UloPe · Answer 4 · 2009-07-14T09:18:26+08:00

UloPe

2009-07-14T09:18:26+08:002009-07-14T09:18:26+08:00

If you are using public-key authentication you could use the "command" option in authorized keys to setup the chroot jail.

~/.ssh/authorized_keys:

command="/path/to/the/chroot/script" ssh-dss keydata.....keydata... user@host

1

hdanniel · Answer 5 · 2009-07-14T09:29:03+08:00

hdanniel

2009-07-14T09:29:03+08:002009-07-14T09:29:03+08:00

As far as I know new versions of OpenSSH only allows chroot for SFTP connections. I tried and it works. But for SSH the solution available is the chrootssh patch. I browse the SourceForge site and there are no files so I think is discontinued.

For Debian Etch there are some files here: http://debian.home-dn.net/etch/ssh/

There are other solutions here: http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-ssh-env.en.html , including chrootssh .

0

How can I chroot ssh connections?

Ping a Specific Port

What port does SFTP use?

Resolve host name from IP address

How can I sort du -h output by size

Command line to list users in a Windows Active Directory group?

What's the command-line utility in Windows to do a reverse DNS look-up?

How to check if a port is blocked on a Windows machine?

What port should I open to allow remote desktop?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?