Chrooted SSH/SFTP On Fedora 7

 
Submitted by o.meyer on Mon, 2007-10-22 16:12. :: Fedora | Security


Version 1.0
Author: Oliver Meyer <o [dot] meyer [at] projektfarm [dot] de>
Last edited 10/08/2007

This document describes how to set up a chrooted SSH/SFTP environment on Fedora 7. The chrooted users will be jailed in a specific directory where they can't break out. They will be able to access their jail via SSH and SFTP.

This howto is meant as a practical guide; it does not cover the theoretical background. That is treated in many other documents on the web.

This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!


1 First Method (By Hand)

1.1 Install The Chrooted OpenSSH

First we have to install some needed packages:

yum install openssl-devel pam-devel
yum groupinstall 'Development Tools'

Afterwards we have to customize the ssh/sshd configuration:

vi /etc/ssh/sshd_config

change

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

to

#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

vi /etc/ssh/ssh_config

change

GSSAPIAuthentication yes

to

#GSSAPIAuthentication yes

Next we download the patched OpenSSH sources, configure them to our needs (/usr for the executable files, /etc/ssh for the configuration files and PAM authentication enabled), and compile and install them:

cd /tmp/
wget http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2
tar xvfj openssh-4.5p1-chroot.tar.bz2
cd openssh-4.5p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install


1.2 Create The Chroot Environment

We'll create a chroot environment under /home/chroot - the jail for all chrooted SSH-users.

mkdir -p /home/chroot/home/
cd /home/chroot
mkdir -p usr/lib/openssh/
mkdir bin lib usr/bin dev etc
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 666 dev/null dev/zero

Now, after we have created the necessary directories, we have to copy some binaries and the libraries they depend on into the chroot environment. Most of this work can be done with a little script that Falko Timme found and modified a bit; I adapted it to work with Fedora 7.

vi /usr/local/sbin/create_chroot_env

#!/bin/bash
# Copies the listed binaries and the shared libraries reported by ldd into the
# jail. All paths are relative, so run this from inside the jail (/home/chroot).
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors /bin/vi /usr/bin/sftp /usr/libexec/openssh/sftp-server"
for prog in $APPS; do
    mkdir -p ./`dirname $prog` > /dev/null 2>&1
    cp $prog ./$prog
    # obtain a list of related libraries (skip static binaries, where ldd fails)
    ldd $prog > /dev/null
    if [ "$?" = 0 ] ; then
        LIBS=`ldd $prog | awk '{ print $3 }'`
        for l in $LIBS; do
            mkdir -p ./`dirname $l` > /dev/null 2>&1
            cp $l ./$l > /dev/null 2>&1
        done
    fi
done

Note: You can make more programs available to your chrooted users by adding them to the APPS-line in the script.

Make the script executable and run it:

chmod 700 /usr/local/sbin/create_chroot_env
create_chroot_env

Afterwards we have to copy a couple of additional files and libraries to the chroot jail:

cp /lib/libnss_compat.so.2 /lib/libcom_err.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 lib/

cp -R /etc/pam.d/ etc/
cp -R /lib/security/ lib/
cp -R /etc/security/ etc/
cp /etc/login.defs /etc/hosts /etc/resolv.conf etc/
cp /usr/lib/libgssapi_krb5.so.2 /usr/lib/libkrb5.so.3 /usr/lib/libk5crypto.so.3 /usr/lib/libkrb5support.so.0 usr/lib/

In the next step we provide a minimal groups command inside the jail (a wrapper around id -Gn) and create the jail's passwd file, starting with the root entry:

echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e "^root" > etc/passwd

You should also copy the line of the group that will be used for new chrooted users from /etc/group to /home/chroot/etc/group. In this tutorial we will create chrooted users with the group users:

grep /etc/group -e "^root" -e "^users" > etc/group

Now it's time to restart the OpenSSH server:

/etc/init.d/sshd restart


1.3 Create Chrooted Users

Although we installed the chrooted SSH, it is still possible to log in without being chrooted (this makes sense if you log in as root, for example). Whether a user is chrooted or not depends on a dot: if the user's home directory in /etc/passwd contains the /./ marker, this user will be chrooted.

This user will be chrooted:

user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash

This user will not be chrooted:

user_a:x:2002:100:User A:/home/user_a:/bin/bash

We create the user testuser with the home directory /home/chroot/./home/testuser/ and the group users:

useradd -s /bin/bash -m -d /home/chroot/./home/testuser/ -c "testuser" -g users testuser

After we have created the new user account, we have to set a password for it:

passwd testuser

Finally we have to copy the line for testuser in /etc/passwd to /home/chroot/etc/passwd:

grep /etc/passwd -e "^testuser" >> /home/chroot/etc/passwd

Because we have already copied the line for the group users from /etc/group to /home/chroot/etc/group, we don't have to do this again. If you want to create a chrooted user with a group other than users, you have to add that group to /home/chroot/etc/group.

e.g.:

grep /etc/group -e "^othergroup" >> /home/chroot/etc/group

Now try to log in to SSH or SFTP as testuser. You should be jailed in /home/chroot.
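A check you can run after creating a user, as an added example that is not part of this howto: it verifies the /./ convention from section 1.3 and the jail copies of passwd and group from section 1.2, so a mis-typed home directory (which would silently give an un-chrooted login) is caught before the user logs in. The function name, its return codes and the optional arguments (system passwd file, jail root) are assumptions made here.

```shell
#!/bin/bash
# Added sanity check for the conventions used in this howto (not part of the
# original page). A user is chrooted only if the home field in /etc/passwd
# carries the /./ marker, and the session inside the jail needs the user's
# passwd line and the group's line in the jail copies of those files.
# The optional arguments exist so the function can be tested on sample files.
# Usage: check_chroot_user USER [SYSTEM_PASSWD] [JAIL_ROOT]

check_chroot_user() {
    local user="$1"
    local sys_passwd="${2:-/etc/passwd}"
    local jail="${3:-/home/chroot}"
    local line home gid real_home

    line=$(grep -e "^${user}:" "$sys_passwd") || {
        echo "$user: not found in $sys_passwd"; return 1; }
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)

    # 1. Without the /./ marker the patched sshd does not chroot the login.
    case "$home" in
        */./*) ;;
        *) echo "$user: home '$home' has no /./ marker, login will NOT be chrooted"
           return 2 ;;
    esac
    # 2. The part before /./ is the jail root; it must be the jail we prepared.
    case "$home" in
        "$jail"/./*) ;;
        *) echo "$user: jail part of '$home' is not $jail"; return 3 ;;
    esac
    # 3. The real directory (marker removed) should exist; useradd -m creates it.
    real_home=$(printf '%s\n' "$home" | sed 's|/\./|/|')
    [ -d "$real_home" ] || { echo "$user: $real_home does not exist"; return 4; }
    # 4. Inside the jail the user and group are resolved from the jail's own files.
    grep -q -e "^${user}:" "$jail/etc/passwd" \
        || { echo "$user: missing from $jail/etc/passwd"; return 5; }
    grep -q -e "^[^:]*:[^:]*:${gid}:" "$jail/etc/group" \
        || { echo "$user: group $gid missing from $jail/etc/group"; return 6; }

    echo "$user: ok (jail $jail, home $real_home)"
    return 0
}

# Run directly with a user name to check a real account, e.g. testuser.
if [ $# -ge 1 ]; then
    check_chroot_user "$@"
fi
```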


Submitted by Kurt (not registered) on Tue, 2011-11-01 17:43.

http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2

Doesn't exist anymore.

Submitted by Lukas (not registered) on Thu, 2010-06-17 17:24.
Thanks for this really helpful tutorial! It's a bit old but also works under newer versions of Fedora.
Submitted by vitaminme (registered user) on Sat, 2007-12-22 12:31.

I tried dot to dot on Fedora 8, but the user is still able to browse everything.


[geek@amd sbin]$ sftp testuser@amd.slackme.org
Connecting to amd.slackme.org...
testuser@amd.slackme.org's password:
sftp> pwd
Remote working directory: /home/chroot/home/testuser
sftp> cd /
sftp> ls -l
drwxr-xr-x    2 root     root         4096 Dec 21 23:07 bin
drwxr-xr-x    3 root     root         4096 Dec 22 02:40 boot
drwxr-xr-x    6 geek     geek         4096 Dec 22 02:47 data
drwxr-xr-x   13 root     root         4360 Dec 22 16:21 dev
drwxr-xr-x  104 root     root        12288 Dec 22 16:58 etc
drwxr-xr-x    4 root     root         4096 Dec 22 16:19 home
drwxr-xr-x   15 root     root         4096 Dec 21 23:07 lib
drwx------    2 root     root        16384 Dec 22 02:30 lost+found
drwxr-xr-x    5 root     root         4096 Dec 22 16:07 media
drwxr-xr-x    2 root     root            0 Dec 22 15:03 misc
drwxr-xr-x    2 root     root         4096 Aug 13 20:17 mnt
drwxr-xr-x    2 root     root            0 Dec 22 15:03 net
drwxr-xr-x    2 root     root         4096 Aug 13 20:17 opt
dr-xr-xr-x  160 root     root            0 Dec 22 20:33 proc
drwxr-x---   30 root     root         4096 Dec 22 16:07 root
drwxr-xr-x    2 root     root        12288 Dec 21 23:07 sbin
drwxr-xr-x    2 root     root         4096 Dec 22 02:31 selinux
drwxr-xr-x    3 root     root         4096 Dec 22 02:41 srv
drwxr-xr-x   12 root     root            0 Dec 22 20:33 sys
drwxrwxrwt   12 root     root         4096 Dec 22 16:41 tmp
drwxr-xr-x   13 root     root         4096 Dec 22 02:34 usr
drwxr-xr-x   22 root     root         4096 Dec 22 02:43 var
sftp>

Submitted by newgee (not registered) on Mon, 2009-02-16 08:55.
I added the script and all this and now it is giving me "access denied" everywhere I go. Why is this?
Submitted by Feras.B (not registered) on Sun, 2009-06-14 07:58.

Think this needs to be updated ..

fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/

/Feras