This is a "copy & paste" HowTo! The easiest way to follow this tutorial is to use a command line client/SSH client (like PuTTY for Windows) and simply copy and paste the commands (except where you have to provide own information like IP addresses, hostnames, passwords,...). This helps to avoid typos.

Chrooted SSH HowTo

Version 1.0
Author: Falko Timme
Last edited: 01/18/2006

This tutorial describes how to install and configure OpenSSH so that it will allow chrooted sessions for users. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of.

This setup is based on a Debian Sarge (Debian 3.1) system, and the chrooted SSH will be installed in such a way that it will still use the configuration files of the standard OpenSSH Debian package which are in /etc/ssh/, and you will be able to use the standard OpenSSH Debian init script /etc/init.d/ssh. Therefore you do not have to create your own init script and configuration file.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Install The Newest Zlib Version

Because there was a security hole in zlib-1.2.2 about which the chrooted SSH will complain when we try to compile it, we install the newest zlib version right now:

cd /tmp
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3
make clean
./configure -s
make install

2 Install The Chrooted SSH

This is quite easy. We download the patched OpenSSH sources, and we configure them with /usr as directory for the SSH executable files, with /etc/ssh as directory where the chrooted SSH will look for configuration files, and we also allow PAM authentication:

cd /tmp
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh
tar xvfz openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make install

Falko Timme

About Falko Timme

Falko Timme is an experienced Linux administrator and founder of Timme Hosting, a leading nginx business hosting company in Germany. He is one of the most active authors on HowtoForge since 2005 and one of the core developers of ISPConfig since 2000. He has also contributed to the O'Reilly book "Linux System Administration".

Share this page:

Suggested articles

5 Comment(s)

Add comment


By: Anonymous

instead of running make install on your debian system try using checkinstall command that way you can uninstall easily.

By: tarvid

I looked for a shared system solution several months ago and gave up on ssh after a few attempts. By the time I added enough programs to be useful, I couldn't convince myself it was secure. lsof returns over 100 files, pipes, etc and I could not imagine a feasible way of assuring that injection in one of those couldn't lead to compromise.

For most environments, ftp is enough (my security is more important to me than user security). For the others, I permit only users I can reach with a baseball bat.

By: Anonymous

The chroot setup script didn't work on my Ubuntu 5.10 since the ldd output for some programs differed from what the script expected so i modified the script a bit. The improved version can be found here: . Otherwise a nice howto. Thanks.

By: Mike Mueller

While doesn't exists anymore a patch for the newer releases of OpenSSH can be found at:

By: tenaka

this wget doesn't work for me, I get a 404 error.