1 Preliminary Note: 2.1 Install The Chrooted Openssh
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 09/03/2007
This tutorial describes two ways to give users chrooted SSH access. With this setup, you
can give your users shell access without having to fear that they can see your whole system.
Your users will be jailed in a specific directory which they will not be able to break out of. The
users will also be able to use SFTP in their chroot jails.
This document comes without warranty of any kind! I want to say that this is not the only way of
setting up such a system. There are many ways of achieving this goal but this is the way I take. I
do not issue any guarantee that this will work for you!
1 Preliminary Note
The first way to set up chrooted SSH is by hand and very similar to the method shown in this
tutorial for Debian Sarge: http://www.howtoforge.com/chrooted_ssh_howto_debian. The
chrooted SSH will be installed in such a way that it will still use the configuration files of the
standard OpenSSH Debian package which are in /etc/ssh/, and you will be able to use the
standard OpenSSH Debian init script /etc/init.d/ssh. Therefore you do not have to create your
own init script and configuration file.
You should decide on one way - please don't use both ways at the same time!
Then we download the patched OpenSSH sources and configure them with /usr as the prefix for
the SSH executables, /etc/ssh as the directory where the chrooted SSH will look for its
configuration files, and PAM authentication enabled:
wget http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2
tar xvfj openssh-4.5p1-chroot.tar.bz2
cd openssh-4.5p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install
Next I create a chroot environment under /home/chroot. This is the directory that all chrooted
SSH users will get jailed in, i.e. they will not be able to see any files/directories outside
/home/chroot.
I have to create some directories in /home/chroot, and I have to copy a few binaries like
/bin/bash, /bin/ls, etc. as well as the libraries on which these binaries depend into the chroot
environment so that they are available to any chrooted user.
mkdir -p /home/chroot/home/
cd /home/chroot
mkdir -p usr/lib/openssh
mkdir etc
mkdir etc/pam.d/
mkdir bin
mkdir lib
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5
Now that we have created the necessary directories, we are going to copy some binaries and all
the libraries on which they depend into the chroot environment. This is an excerpt of a script that
I found on http://mail.incredimail.com/howto/openssh/create_chroot_env that does this. I've
modified it a little bit:
vi /usr/local/sbin/create_chroot_env
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
(If you want to make more programs available to your chrooted users, just add these programs to
the APPS line.)
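The following is an added example and not Falko Timme's create_chroot_env script (whose body is not reproduced above): it implements the same technique, copying each program and every shared library ldd reports for it into the jail at the same path it has on the host. It assumes a GNU/Linux host with ldd, awk and cp, and takes the program list as arguments instead of an APPS line.

```shell
#!/bin/bash
# Added example, not the tutorial's create_chroot_env script: install programs
# and every shared library they depend on into a chroot jail, resolving the
# libraries with ldd as that script does.  Assumes GNU/Linux with ldd, awk, cp.

# Print the absolute paths of the shared objects a binary needs, one per line.
# ldd exits non-zero for a statically linked binary; that simply yields no lines.
list_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }   # libc.so.6 => /lib/.../libc.so.6 (0x..)
        $1 ~ /^\//               { print $1 }   # /lib64/ld-linux-x86-64.so.2 (0x..)
    '
}

# copy_into_jail JAIL PROGRAM...
# Each program (a name looked up in PATH, or an absolute path) and its libraries
# are copied to the same path they have on the host, relative to JAIL, so the
# dynamic loader finds them where it expects.  Run as root for a real jail.
copy_into_jail() {
    jail="$1"; shift
    for name in "$@"; do
        prog="$(command -v "$name")" || { echo "not found: $name" >&2; return 1; }
        mkdir -p "$jail$(dirname "$prog")"
        cp -p "$prog" "$jail$prog"
        for lib in $(list_libs "$prog"); do
            [ -e "$jail$lib" ] && continue      # already copied for another program
            mkdir -p "$jail$(dirname "$lib")"
            cp -pL "$lib" "$jail$lib"           # -L: copy the real file, not the symlink
        done
    done
}

# Usage for the jail built in this tutorial (the program set is your choice):
#   copy_into_jail /home/chroot bash ls cp mkdir rm /usr/lib/openssh/sftp-server
```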
Next we have to copy a few additional files and libraries to the chroot jail:
cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/
cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
cp /usr/lib/libkrb5.so.3 usr/lib/
cp /usr/lib/libk5crypto.so.3 usr/lib/
cp /lib/libcom_err.so.2 lib/
cp /usr/lib/libkrb5support.so.0 usr/lib/
Then we do this:
You should also copy the line for the group in which you will create new users from /etc/group to
/home/chroot/etc/group. In this tutorial we will create users in the group users, so we do this:
/etc/init.d/ssh restart
Even with the chrooted SSH that we have just installed, you can log in without being chrooted
(which makes sense if you log in as root, for example). Now, how does the chrooted SSH decide
whom to chroot and whom not? That's easy: the chrooted SSH consults /etc/passwd for the user
who is trying to log in. If the user's home directory in /etc/passwd has a . (dot) in it, then the
user is going to be chrooted.
user_a:x:2002:100:User A:/home/user_a:/bin/bash
user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash
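As an added example (not part of the tutorial), the rule just described turned into an audit: it lists which passwd entries will be jailed, reading the JAIL/./HOME form exactly as the user_b line above shows it, and checks that each jail has the directories created earlier in this tutorial. The sample passwd content is constructed from the two lines above.

```shell
#!/bin/bash
# Added example, not part of the tutorial: apply the chroot-patched sshd's rule
# to a passwd-format file.  A home directory written as JAIL/./HOME means
# "chroot to JAIL, then change to HOME inside it", as in the entry for user_b.

# chrooted_users FILE -- print "user jail home-inside-jail" for each jailed account.
chrooted_users() {
    awk -F: 'index($6, "/./") {
        n = index($6, "/./")
        print $1, substr($6, 1, n - 1), substr($6, n + 2)   # user, jail, inner home
    }' "$1"
}

# check_jails FILE -- verify that every jail named in FILE has the directories
# this tutorial creates (bin, lib, etc, dev); prints "user ok" or what is missing.
check_jails() {
    chrooted_users "$1" | while read -r user jail home; do
        state=ok
        for d in bin lib etc dev; do
            if [ ! -d "$jail/$d" ]; then state="missing $jail/$d"; break; fi
        done
        echo "$user $state"
    done
}

# Constructed sample: the two passwd entries shown above.
sample_passwd() {
    printf '%s\n' \
        'user_a:x:2002:100:User A:/home/user_a:/bin/bash' \
        'user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash'
}

# Against the live system: chrooted_users /etc/passwd; check_jails /etc/passwd
```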
Now we create the user testuser with the home directory /home/chroot/./home/testuser and the
group users (which is the default group for users on Debian so you do not have to specify it
explicitly):
passwd testuser
We have already copied the users group line from /etc/group to /home/chroot/etc/group so we do
not have to do this here again. If you create a chrooted user in another group than users, add this
group to /home/chroot/etc/group:
Now try to log in to SSH or SFTP as testuser. You should be chrooted and not be able to browse
files/directories outside /home/chroot.
Step 2
Then we download make_chroot_jail.sh to /usr/local/sbin and make it executable for the root
user:
cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 /usr/local/sbin/make_chroot_jail.sh
make_chroot_jail.sh testuser
I want to use /home/chroot as the chroot jail, so I have to specify the path to chroot-shell
as well:
This will create/update the user testuser with the chroot jail /home/chroot.
make_chroot_jail.sh update
or
3.3 ProFTPd
vi /etc/proftpd/proftpd.conf
[...]
RequireValidShell off
[...]
/etc/init.d/proftpd restart
Now all users can use ProFTPd, regardless of what shell they have, which again might not be
something you want. But the best solution would be to simply use SFTP and drop normal FTP.