Chrooted SSH/SFTP Tutorial (Debian Etch) - Page 2

3 Second Method (Per Script)

There's a script called on that automates setting up SSH/SFTP chroot jails. It works flawlessly on Debian Etch.


3.1 Get The Script

First, we need to install some prerequisites:

apt-get install sudo debianutils coreutils

Then we download to /usr/local/sbin and make it executable for the root user:

cd /usr/local/sbin
chmod 700 /usr/local/sbin/


3.2 Use

Now we can already use the script. Usage is as follows: username [/path/to/chroot-shell [/path/to/chroot]]   

It doesn't matter if the user is already existing or not. If he's existing, he will be updated; if not, he will be created. If you don't specify the path to chroot-shell and the path to the chroot jail, the default values /bin/chroot-shell and /home/jail will be used, e.g.: testuser 

I want to use /home/chroot as the chroot jail, therefore I have to specify the path to chroot-shell as well: testuser /bin/chroot-shell /home/chroot

This will create/update the user testuser with the chroot jail /home/chroot.

To update all files/libraries in the chroot jail, run update

or update  /bin/chroot-shell /home/chroot

depending on how you created your users.


3.3 ProFTPd

If you use ProFTPd, you should read this:

As mentioned on, you should not add /bin/chroot-shell to /etc/shells because that would allow users to break out of the chroot jail. This is a problem for ProFTPd, because in ProFTPd's standard configuration, only users with a shell listed in /etc/shells can use ProFTPd. This means, that users that use /bin/chroot-shell cannot use ProFTPd.

To change this, open /etc/proftpd/proftpd.conf and add:

vi /etc/proftpd/proftpd.conf
RequireValidShell               off

Then restart ProFTPd:

/etc/init.d/proftpd restart

Now all users can use ProFTPd, regardless of what shell they have, which again might not be something you want. But the best solution would be to simply use SFTP and drop normal FTP.


Share this page:

3 Comment(s)