Chrooted SSH/SFTP On Fedora 7
This document describes how to set up a chrooted SSH/SFTP environment on Fedora 7. The chrooted users are jailed in a specific directory tree which they cannot leave: a patched sshd changes its root to the jail before it starts the user's shell or the SFTP subsystem. The users can access their jail via SSH and SFTP.
This howto is meant as a practical guide; it does not cover the theoretical background, which is treated in many other documents on the web.
This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!
1 First Method (By Hand)
1.1 Install The Chrooted OpenSSH
First we install the development packages the OpenSSH build needs (the OpenSSL and PAM headers):
yum install openssl-devel pam-devel
Afterwards we have to customize the ssh/sshd configuration. The OpenSSH we build from source in the next step is compiled without Kerberos/GSSAPI support, so it does not know the GSSAPI directives that Fedora's stock /etc/ssh/sshd_config (and the corresponding lines in /etc/ssh/ssh_config) contain and complains about them as unsupported options. Comment them out, so that
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
become
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
Next we download the patched OpenSSH sources and configure them to our needs (/usr for the executables, /etc/ssh for the configuration files, and PAM authentication enabled). This build replaces the sshd that came with Fedora.
1.2 Create The Chroot Environment
We'll create a chroot environment under /home/chroot - the jail for all chrooted SSH users. The jail directory itself must stay owned by root and must not be writable by the jailed users; otherwise a user could replace the binaries and libraries inside the jail.
mkdir -p /home/chroot/home/
Now, after we have created the necessary directories, we have to copy some binaries and the libraries they depend on into the chroot environment. Most of this work can be done with a little script that was found by Falko Timme - he also modified it a bit. I adapted it to work with Fedora 7.
Note: You can make more programs available to your chrooted users by adding them to the APPS-line in the script.
Make the script executable and run it:
chmod 700 /usr/local/sbin/create_chroot_env
Afterwards we have to copy a couple of additional files and libraries into the jail. Several of these, in particular the NSS modules (libnss_files, libnss_compat, libnss_dns), are loaded by glibc at run time rather than linked in, so ldd-based scripts do not see them; without them user and host name lookups fail inside the jail. The paths below are those of 32-bit Fedora 7 (on x86_64 the libraries live under /lib64), and they are relative to the jail, so run the commands from inside /home/chroot:
cp /lib/libnss_compat.so.2 /lib/libcom_err.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 lib/
cp -R /etc/pam.d/ etc/
Next we create a minimal stand-in for the groups command inside the jail:
echo '#!/bin/bash' > usr/bin/groups
You should also copy the line of the group that the chrooted users will be created with from /etc/group to /home/chroot/etc/group. In this tutorial the chrooted users get the group users, so we copy the root and users lines (the trailing colon in the patterns keeps them from also matching groups whose names merely start with root or users):
grep /etc/group -e "^root:" -e "^users:" > etc/group
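The create_chroot_env script itself is not reproduced on this page, so here is an added example, written for this page and not Falko Timme's script, that does the same job for the steps of this section: it creates the jail skeleton, copies each listed program together with the shared libraries ldd resolves for it, copies the NSS modules ldd cannot see, installs the PAM configuration and the groups stub, and seeds etc/passwd and etc/group. It goes beyond the howto in clearing setuid/setgid bits on copied binaries and in fixing the jail's own permissions. Assumed: an ldd that prints absolute library paths, and a body for the groups stub (id -Gn) that the page does not show; the function names are this example's own.

```shell
#!/bin/sh
# Added example for this page; it is not the create_chroot_env script the howto
# refers to. It creates the jail skeleton and copies programs plus the shared
# libraries they need, resolved with ldd, to the same paths inside the jail.
# Assumed: an ldd that prints absolute library paths (glibc/musl style) and a
# caller that passes the jail directory and the program list.

# Copy one file into the jail at its original absolute path.
copy_into_jail() {                       # $1 = jail, $2 = absolute file path
    mkdir -p "$1$(dirname "$2")"
    cp "$2" "$1$2"                       # follows symlinks, so the jail gets real files
}

# Print the shared libraries a program needs. The dynamic loader line
# (/lib/ld-linux.so.2 on Fedora 7 i386) carries no "=>", so every absolute
# path in the ldd output is taken, not only the "=>" targets.
libs_of() {                              # $1 = program path
    ldd "$1" 2>/dev/null | grep -o '/[^ ]*' || true
}

# Copy a program and its libraries. setuid/setgid bits are cleared: a
# privileged binary inside the jail is the classic way to escape it.
copy_program() {                         # $1 = jail, $2 = program path
    copy_into_jail "$1" "$2"
    chmod u-s,g-s "$1$2"
    for lib in $(libs_of "$2"); do
        copy_into_jail "$1" "$lib"
    done
}

# glibc loads the NSS modules (libnss_files, libnss_dns, ...) with dlopen at
# run time, so ldd never lists them; copy whatever exists in the usual places.
copy_nss_libs() {                        # $1 = jail
    for f in /lib/libnss_*.so.2 /lib64/libnss_*.so.2 /lib/*/libnss_*.so.2; do
        if [ -e "$f" ]; then
            copy_into_jail "$1" "$f"
        fi
    done
}

# Build the complete jail: skeleton, programs, NSS modules, PAM config, a
# minimal groups(1) stand-in and the seed lines for etc/passwd and etc/group.
build_jail() {                           # $1 = jail, $2.. = programs to copy
    jail=$1; shift
    mkdir -p "$jail/home" "$jail/etc" "$jail/usr/bin" "$jail/lib"
    for prog in "$@"; do
        copy_program "$jail" "$prog"
    done
    copy_nss_libs "$jail"
    if [ -d /etc/pam.d ]; then
        cp -R /etc/pam.d "$jail/etc/"
    fi
    # The howto only shows the shebang of the groups stub; the body (print the
    # caller's group names with id) is an assumption of this example.
    printf '#!/bin/bash\nid -Gn\n' > "$jail/usr/bin/groups"
    chmod 755 "$jail/usr/bin/groups"
    # Seed the jail's account files. The trailing colon keeps "^users:" from
    # also matching a group whose name merely starts with "users".
    grep -e '^root:' -e '^users:' /etc/group > "$jail/etc/group"
    grep '^root:' /etc/passwd > "$jail/etc/passwd"
    # The chroot target must be root-owned and not writable by jailed users.
    chmod 755 "$jail"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$jail"
    fi
}

# Usage, as root: sh create_jail.sh build /home/chroot /bin/bash /bin/ls /usr/bin/id
if [ "${1:-}" = "build" ]; then
    shift
    build_jail "$@"
fi
```

The program list passed to build_jail plays the role of the APPS line in the original script. The example does not create device nodes; programs that need /dev/null or a terminal still need those nodes created in the jail separately.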
Now it's time to restart the OpenSSH server:
1.3 Create Chrooted Users
Although we installed the chrooted SSH, it is still possible to log in without being chrooted (this makes sense if you log in as root, for example). Whether a user is chrooted or not depends on a dot: if the user's home directory in /etc/passwd contains a /./ component, the patched sshd chroots to the part before the dot and then changes into the part after it; a home directory without the dot gives a normal, unjailed login.
This user will be chrooted: one whose home directory is /home/chroot/./home/testuser/ (jailed in /home/chroot, starting in /home/testuser inside the jail).
This user will not be chrooted: one whose home directory is a plain path such as /home/testuser.
We create the user testuser with the homedirectory /home/chroot/./home/testuser/ and the group users:
useradd -s /bin/bash -m -d /home/chroot/./home/testuser/ -c "testuser" -g users testuser
After we have created the new user account, we have to set a password for it:
Finally we copy the line for testuser from /etc/passwd to /home/chroot/etc/passwd (the trailing colon keeps the pattern from also matching a user whose name merely begins with testuser; the jail needs no /etc/shadow, because sshd authenticates the user before it chroots):
grep /etc/passwd -e "^testuser:" >> /home/chroot/etc/passwd
Because we have already copied the line for the group users from /etc/group to /home/chroot/etc/group, we don't have to do this again. If you create a chrooted user with a group other than users, you have to add that group to /home/chroot/etc/group as well:
grep /etc/group -e "^othergroup:" >> /home/chroot/etc/group
Now log in via SSH or SFTP as testuser. You should be jailed in /home/chroot: ls / inside the session should show only the directories you created under /home/chroot, and the shell should start in /home/testuser relative to that jail.
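As an added example, not code from the howto, the following shell helpers capture the dot convention and the bookkeeping of this section: jail_root_of and is_chrooted_home decide from the /etc/passwd home directory whether (and where) a login is chrooted, register_in_jail copies the user's passwd line and the line of the user's primary group into the jail, and create_chrooted_user runs the useradd from above. It goes beyond the page in looking the group up by GID, in refusing users whose home does not lie inside the given jail, and in not duplicating entries on repeated runs. Assumed: the /./ reading of the convention described above; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example for this page, not code from the howto. It wraps the "dot"
# convention of the chroot-patched sshd: a home directory of the form
# JAIL/./REST makes sshd chroot to JAIL and then change into REST. Assumed:
# that reading of the convention, and that create_chrooted_user runs as root.

# Print the jail part of a home directory, or fail if there is no "/./".
jail_root_of() {                         # $1 = home directory from /etc/passwd
    case "$1" in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *)     return 1 ;;
    esac
}

is_chrooted_home() {                     # exit 0 when the home would be chrooted
    jail_root_of "$1" >/dev/null
}

# Copy the passwd line of a user and the group line of the user's primary
# group into the jail's own etc/passwd and etc/group, each at most once.
# The group is looked up by GID, so it also works for a group other than
# users. $3/$4 override the system files so the function can be tried on
# constructed copies without touching the real account files.
register_in_jail() {                     # $1 = jail, $2 = user, $3 = passwd, $4 = group
    jail=${1%/}; user=$2; passwd=${3:-/etc/passwd}; group=${4:-/etc/group}
    entry=$(grep "^${user}:" "$passwd") || { echo "no such user: $user" >&2; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    [ "$(jail_root_of "$home")" = "$jail" ] \
        || { echo "$user: home $home is not inside jail $jail" >&2; return 1; }
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    grp=$(awk -F: -v g="$gid" '$3 == g' "$group" | head -n 1)
    [ -n "$grp" ] || { echo "no group with gid $gid in $group" >&2; return 1; }
    mkdir -p "$jail/etc"
    grep -q "^${user}:" "$jail/etc/passwd" 2>/dev/null \
        || printf '%s\n' "$entry" >> "$jail/etc/passwd"
    grep -q "^${grp%%:*}:" "$jail/etc/group" 2>/dev/null \
        || printf '%s\n' "$grp" >> "$jail/etc/group"
}

# The howto's useradd step followed by the registration; must run as root.
create_chrooted_user() {                 # $1 = jail, $2 = user, $3 = group
    useradd -s /bin/bash -m -d "$1/./home/$2/" -c "$2" -g "$3" "$2" \
        && register_in_jail "$1" "$2"
}

# Usage, as root: sh chrooted_user.sh add /home/chroot testuser users
if [ "${1:-}" = "add" ]; then
    shift
    create_chrooted_user "$@"
fi
```

After create_chrooted_user you still set the password with passwd, exactly as in the howto; the jail's etc/passwd only ever holds the "x" placeholder, since authentication happens outside the jail.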