Chrooted SSH/SFTP Tutorial (Debian Etch) - Page 2

3 Second Method (Per Script)

There's a script called make_chroot_jail.sh on http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/ that automates setting up SSH/SFTP chroot jails. It works flawlessly on Debian Etch.

3.1 Get The Script

First, we need to install some prerequisites:

apt-get install sudo debianutils coreutils

Then we download make_chroot_jail.sh to /usr/local/sbin and make it executable for the root user:

cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 /usr/local/sbin/make_chroot_jail.sh

3.2 Use make_chroot_jail.sh

Now we can already use the script. Usage is as follows:

make_chroot_jail.sh username [/path/to/chroot-shell [/path/to/chroot]]

It doesn't matter if the user is already existing or not. If he's existing, he will be updated; if not, he will be created. If you don't specify the path to chroot-shell and the path to the chroot jail, the default values /bin/chroot-shell and /home/jail will be used, e.g.:

make_chroot_jail.sh testuser

I want to use /home/chroot as the chroot jail, therefore I have to specify the path to chroot-shell as well:

make_chroot_jail.sh testuser /bin/chroot-shell /home/chroot

This will create/update the user testuser with the chroot jail /home/chroot.

To update all files/libraries in the chroot jail, run

make_chroot_jail.sh update

 make_chroot_jail.sh update  /bin/chroot-shell /home/chroot

depending on how you created your users.

3.3 ProFTPd

If you use ProFTPd, you should read this:

As mentioned on http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/, you should not add /bin/chroot-shell to /etc/shells because that would allow users to break out of the chroot jail. This is a problem for ProFTPd, because in ProFTPd's standard configuration, only users with a shell listed in /etc/shells can use ProFTPd. This means, that users that use /bin/chroot-shell cannot use ProFTPd.

To change this, open /etc/proftpd/proftpd.conf and add:

vi /etc/proftpd/proftpd.conf

[...]
RequireValidShell               off
[...]

Then restart ProFTPd:

/etc/init.d/proftpd restart

Now all users can use ProFTPd, regardless of what shell they have, which again might not be something you want. But the best solution would be to simply use SFTP and drop normal FTP.

4 Links

Chroot Patch For SSH: http://chrootssh.sourceforge.net/index.php
OpenSSH: http://www.openssh.org
make_chroot_jail.sh: http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail
Debian: http://www.debian.org

3 Comment(s)

Add comment

Comments

By:

Hi All,

You can also use MySecureShell to chroot your SFTP connections, it's really simpler !

With MySecureShell you have a control of what your users do (like on FTP). And even you have a graphical interface to configure and manage SFTP connections.

http://mysecureshell.sourceforge.net

By:

On http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/ there is this statement: "There is a possible exploit, as somebody told me some days ago. If a local user outside the chroot knows the password of a chroot'ed user, he can get root. This exploit needs only one little program in C. " If this is true, then this whole chroot approach isn't good at all (password stealing is very easy sometimes). Can it be fixed somehow?

By: Anonymous

thanks for the tutorial, got it up and running in about 5 minutes as advertised. Planning on using it with apache to allow users to upload content for their website without having to give them access to /var/www/

should be fun.

Log in or Sign up