Tuesday, November 10, 2009

How to set up a chroot environment with ssh/scp for Linux ...

"Research Time...."

We need to create user accounts on a server with limited access to the file system. Quick answer: create a chroot environment. The user should be able to ssh or scp to the server without having access to other users' home directories or to the root file system.

After a little research, you will probably find different ways to do this. One approach is using a restricted shell; however, this is not a real chroot environment, because if the user can change the shell he can access the root file system. A second approach is modifying sshd so the user can only see his own home directory; however, this requires changing the standard sshd configuration and binary. The final approach, and a very clever solution, is creating a chroot environment using the chroot command and modifying the user's shell: http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/

Basically, you can download the script from http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh . Make sure it is executable, then use it as follows:

make_chroot_jail.sh /path/to/chroot-shell /path/to/jail

The script creates a new user whose shell is at the path given, jailed under the jail path.

The chroot-shell is stored by default at /bin/chroot-shell. However, you should specify the /bin directory when you need to use a path for the jail.

The path to the jail is /home/jail by default. The script will create a chroot environment under this directory. The user's directory will be /home/jail/home/user.

This chroot environment allows the user to ssh, scp or sftp.
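As an added example, not from the post and not part of make_chroot_jail.sh, the following POSIX sh script audits a jail laid out as described above (jail root, login shell /bin/chroot-shell, user home under <jail>/home/<user>): the jail root must not be writable by anyone but its owner, the user's passwd entry must point at the chroot shell, and every binary inside the jail must have its shared libraries copied in too. The list of binaries to verify and the check_jail argument order are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of make_chroot_jail.sh:
# sanity checks for a jail laid out as described above (jail root such as
# /home/jail, login shell /bin/chroot-shell, user home <jail>/home/<user>).
# The list of binaries to verify is an assumption; pass the ones your jail holds.

# The jail root must not be writable by group or others; otherwise a jailed
# user can replace the files the jail is built from.
jail_perms_ok() {                # $1 = jail root
  # characters 6 and 9 of `ls -ld` are the group- and other-write bits
  [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c6,9)" = "--" ]
}

# The user's login shell in the passwd file must be the chroot shell.
user_shell_ok() {                # $1 = passwd file  $2 = user  $3 = expected shell
  [ "$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")" = "$3" ]
}

# Every shared library a jailed binary needs must be present inside the jail.
# Prints each missing library path and returns 1 if any is missing.
missing_libs() {                 # $1 = jail root  $2 = binary path inside the jail
  rc=0
  for lib in $(ldd "$1$2" 2>/dev/null | awk '/=> \// { print $3 } $1 ~ /^\// { print $1 }'); do
    [ -e "$1$lib" ] || { echo "$lib"; rc=1; }
  done
  return $rc
}

# Runs all checks; returns 0 only when the jail passes every one.
check_jail() {                   # $1 = jail  $2 = user  $3 = chroot shell  $4 = passwd file  $5.. = binaries
  jail="$1"; user="$2"; shell="$3"; passwd="$4"; shift 4
  ok=0
  jail_perms_ok "$jail"              || { echo "jail root $jail missing or group/world writable"; ok=1; }
  user_shell_ok "$passwd" "$user" "$shell" || { echo "$user does not use shell $shell"; ok=1; }
  [ -d "$jail/home/$user" ]          || { echo "missing home directory $jail/home/$user"; ok=1; }
  for b in "$@"; do
    [ -x "$jail$b" ] || { echo "missing binary $b inside the jail"; ok=1; continue; }
    missing_libs "$jail" "$b"        || { echo "  (libraries above missing for $b)"; ok=1; }
  done
  return $ok
}

# Example invocation on a real host (needs root to read the jail):
# check_jail /home/jail jailuser /bin/chroot-shell /etc/passwd /bin/sh /usr/bin/scp
```

A non-zero exit with a printed reason is the quickest way to tell whether a jailed login that closes immediately is caused by the jail's contents rather than by sshd.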

Another, more complex, way to do this is using JAILKIT from http://olivier.sessink.nl/jailkit/index.html

Enjoy it !

1 comment:

  1. On a CentOS 5.5 server I created the chroot user using this script

    grep sakthi /etc/passwd

    But after creating it I am unable to open ssh or sftp connections

    [root@test ~]# sftp sakthi@localhost
    Connecting to localhost...
    sakthi@localhost's password:
    Connection closed