Chrooted SSH/SFTP Tutorial (Debian Etch) - Page 2
3 Second Method (Per Script)
There's a script called make_chroot_jail.sh on http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/ that automates setting up SSH/SFTP chroot jails. It works flawlessly on Debian Etch.
3.1 Get The Script
First, we need to install some prerequisites:
apt-get install sudo debianutils coreutils
Then we download make_chroot_jail.sh to /usr/local/sbin and make it executable for the root user:
cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 /usr/local/sbin/make_chroot_jail.sh
3.2 Use make_chroot_jail.sh
Now we can already use the script. Usage is as follows:
make_chroot_jail.sh username [/path/to/chroot-shell [/path/to/chroot]]
It doesn't matter if the user is already existing or not. If he's existing, he will be updated; if not, he will be created. If you don't specify the path to chroot-shell and the path to the chroot jail, the default values /bin/chroot-shell and /home/jail will be used, e.g.:
make_chroot_jail.sh testuser
I want to use /home/chroot as the chroot jail, therefore I have to specify the path to chroot-shell as well:
make_chroot_jail.sh testuser /bin/chroot-shell /home/chroot
This will create/update the user testuser with the chroot jail /home/chroot.
To update all files/libraries in the chroot jail, run
make_chroot_jail.sh update
or
make_chroot_jail.sh update /bin/chroot-shell /home/chroot
depending on how you created your users.
3.3 ProFTPd
If you use ProFTPd, you should read this:
As mentioned on http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/, you should not add /bin/chroot-shell to /etc/shells because that would allow users to break out of the chroot jail. This is a problem for ProFTPd, because in ProFTPd's standard configuration, only users with a shell listed in /etc/shells can use ProFTPd. This means, that users that use /bin/chroot-shell cannot use ProFTPd.
To change this, open /etc/proftpd/proftpd.conf and add:
vi /etc/proftpd/proftpd.conf
[...] RequireValidShell off [...] |
Then restart ProFTPd:
/etc/init.d/proftpd restart
Now all users can use ProFTPd, regardless of what shell they have, which again might not be something you want. But the best solution would be to simply use SFTP and drop normal FTP.
4 Links
- Chroot Patch For SSH: http://chrootssh.sourceforge.net/index.php
- OpenSSH: http://www.openssh.org
- make_chroot_jail.sh: http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail
- Debian: http://www.debian.org