Chrooted SSH/SFTP Tutorial (Debian Etch) - Page 2

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Thu, 2007-09-06 16:53. ::

3 Second Method (Per Script)

There's a script called make_chroot_jail.sh on http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/ that automates setting up SSH/SFTP chroot jails. It works flawlessly on Debian Etch.

 

3.1 Get The Script

First, we need to install some prerequisites:

apt-get install sudo debianutils coreutils

Then we download make_chroot_jail.sh to /usr/local/sbin and make it executable for the root user:

cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 /usr/local/sbin/make_chroot_jail.sh

 

3.2 Use make_chroot_jail.sh

Now we can already use the script. Usage is as follows:

make_chroot_jail.sh username [/path/to/chroot-shell [/path/to/chroot]]

It doesn't matter if the user is already existing or not. If he's existing, he will be updated; if not, he will be created. If you don't specify the path to chroot-shell and the path to the chroot jail, the default values /bin/chroot-shell and /home/jail will be used, e.g.:

make_chroot_jail.sh testuser

I want to use /home/chroot as the chroot jail, therefore I have to specify the path to chroot-shell as well:

make_chroot_jail.sh testuser /bin/chroot-shell /home/chroot

This will create/update the user testuser with the chroot jail /home/chroot.

To update all files/libraries in the chroot jail, run

make_chroot_jail.sh update

or

make_chroot_jail.sh update /bin/chroot-shell /home/chroot

depending on how you created your users.

 

3.3 ProFTPd

If you use ProFTPd, you should read this:

As mentioned on http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/, you should not add /bin/chroot-shell to /etc/shells because that would allow users to break out of the chroot jail. This is a problem for ProFTPd, because in ProFTPd's standard configuration, only users with a shell listed in /etc/shells can use ProFTPd. This means, that users that use /bin/chroot-shell cannot use ProFTPd.

To change this, open /etc/proftpd/proftpd.conf and add:

vi /etc/proftpd/proftpd.conf

[...]
RequireValidShell               off
[...]

Then restart ProFTPd:

/etc/init.d/proftpd restart

Now all users can use ProFTPd, regardless of what shell they have, which again might not be something you want. But the best solution would be to simply use SFTP and drop normal FTP.

 

4 Links


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Sat, 2009-02-21 13:29.

thanks for the tutorial, got it up and running in about 5 minutes as advertised. Planning on using it with apache to allow users to upload content for their website without having to give them access to /var/www/

should be fun. 

Submitted by noexpert (registered user) on Thu, 2007-12-13 03:36.
On http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/ there is this statement: "There is a possible exploit, as somebody told me some days ago. If a local user outside the chroot knows the password of a chroot'ed user, he can get root. This exploit needs only one little program in C. " If this is true, then this whole chroot approach isn't good at all (password stealing is very easy sometimes). Can it be fixed somehow?
Submitted by nerdman (registered user) on Sat, 2007-09-08 07:14.

Hi All,

You can also use MySecureShell to chroot your SFTP connections, it's really simpler !

With MySecureShell you have a control of what your users do (like on FTP). And even you have a graphical interface to configure and manage SFTP connections.

http://mysecureshell.sourceforge.net