This is a "copy & paste" HowTo! The easiest way to follow this tutorial is to use a command line client/SSH client (like PuTTY for Windows) and simply copy and paste the commands (except where you have to provide your own information like IP addresses, hostnames, passwords, ...). This helps to avoid typos.

Chrooted SSH HowTo

Version 1.0
Author: Falko Timme
Last edited: 01/18/2006

This tutorial describes how to install and configure OpenSSH so that it will allow chrooted sessions for users. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of.

This setup is based on a Debian Sarge (Debian 3.1) system, and the chrooted SSH will be installed in such a way that it will still use the configuration files of the standard OpenSSH Debian package which are in /etc/ssh/, and you will be able to use the standard OpenSSH Debian init script /etc/init.d/ssh. Therefore you do not have to create your own init script and configuration file.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Install The Newest Zlib Version

Because there was a security hole in zlib-1.2.2 about which the chrooted SSH will complain when we try to compile it, we install the newest zlib version right now:

cd /tmp
wget http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3
make clean
./configure -s
make
make install

2 Install The Chrooted SSH

This is quite easy. We download the patched OpenSSH sources and configure them with /usr as the prefix for the SSH executables, with /etc/ssh as the directory where the chrooted SSH will look for its configuration files, and with PAM authentication enabled:

cd /tmp
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh
wget http://chrootssh.sourceforge.net/download/openssh-4.2p1-chroot.tar.gz
tar xvfz openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install

17 Comment(s)

Comments

From: Anonymous at: 2006-01-29 18:18:02


Instead of running make install on your Debian system, try using the checkinstall command; that way you can uninstall easily.

From: tarvid at: 2006-01-30 00:15:29


I looked for a shared system solution several months ago and gave up on ssh after a few attempts. By the time I added enough programs to be useful, I couldn't convince myself it was secure. lsof returns over 100 files, pipes, etc., and I could not imagine a feasible way of assuring that injection in one of those couldn't lead to compromise.

For most environments, ftp is enough (my security is more important to me than user security). For the others, I permit only users I can reach with a baseball bat.


From: Anonymous at: 2006-03-20 22:53:45


The chroot setup script didn't work on my Ubuntu 5.10 since the ldd output for some programs differed from what the script expected, so I modified the script a bit. The improved version can be found here: http://hirvinen.dy.fi/chroot-setup.sh . Otherwise a nice howto. Thanks.

From: Mike Mueller at: 2009-03-08 12:06:28

While http://chrootssh.sourceforge.net doesn't exist anymore, a patch for the newer releases of OpenSSH can be found at: http://web.cybnet.ch/misc/opensource/openssh-5.2p1-chroot.patch

From: tenaka at: 2009-02-15 11:47:42

This wget http://chrootssh.sourceforge.net/download/openssh-4.2p1-chroot.tar.gz doesn't work for me; I get a 404 error.

From: Anonymous at: 2006-01-31 12:45:18


How do you allow your users to change their password? This is IMO the biggest problem when offering a chrooted shell. The only way I found is to synchronise the chrooted passwd file and the real /etc/passwd file, but still, you need to enable really close checks of what exactly has been changed in the chroot passwd file...

Another thing is that breaking out of a chrooted shell environment is really easy, in order to prevent that, you'll need to set up the grsecurity kernel which does not allow the chdir() outbreak. So if you need *real* security with chrooted users, you need to do far more than just set up this environment.

From: Anonymous at: 2006-01-30 13:22:41


It seems to be a good idea to put chrooted users in the sshd_config file with the "AllowUsers" option. In this way only chrooted users are allowed to log in via sshd.

Another approach is to utilize systrace[1].

polarizer's 2 cents


[1] http://www.systrace.org/

From: Anonymous at: 2006-01-29 18:43:43


Try using checkinstall instead of make install; it makes uninstalling easier. It will walk you through and then pack a .deb file and install it, which you can uninstall if anything goes wrong.


From: Anonymous at: 2006-02-22 15:33:27


Any thoughts on how to modify this for sftp usage only, for several users and a shared directory (not a subdir of /home/)? And would fewer binaries be needed?

From: starzinger at: 2006-03-08 15:21:41


Thanks a lot, this tutorial was really helpful!

Finally I can setup a free shell access service :)

/starzinger


From: Versatilist at: 2006-08-23 18:36:17

Hi, how are you doing. My name is Fikret, it is a Turkish name. I'm new here; I read the article on creating a chroot environment and read your comment. Did you ever refer to freshmeat.net and search there for ssh and sftp? Visit the following URL and read the FAQ and everything that might be important: http://www.pizzashack.org/rssh/ Please tell me if you had success. Have fun.

From: at: 2007-01-26 12:03:38

If you're a Windows user following the instructions, you have to use Firefox. If you use Internet Explorer or one of its derivatives, the script will format wrong when you copy it and won't run properly when you paste it into the command line with PuTTY or whichever program you're using.


For example, the above script comes out like this when copied from IE:


APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"for prog in $APPS;  do        cp $prog ./$prog        # obtain a list of related libraries        ldd $prog > /dev/null        if [ "$?" = 0 ] ; then                LIBS=`ldd $prog | awk '{ print $3 }'`                for l in $LIBS; do                        mkdir -p ./`dirname $l` > /dev/null 2>&1                        cp $l ./$l                done        fidone

From: at: 2007-07-01 08:12:52

During the lib copy script, ldd /bin/bash | awk '{ print $3 }' misses /lib/ld-linux.so.2


 #  ldd /bin/bash
        linux-gate.so.1 =>  (0xffffe000)
        libncurses.so.5 => /lib/libncurses.so.5 (0xb7f0d000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7f0a000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7dda000)
        /lib/ld-linux.so.2 (0xb7f56000)


Just finish with "cp /lib/ld-linux.so.2 lib/" to correct it.
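
The comment above, and the earlier one about ldd output differing between distributions, both point at the same weakness of a plain awk '{ print $3 }' over ldd: the dynamic loader line has no "=>" column and the vDSO line has no file at all. The following script is an added example written for this page, not the HowTo's own chroot build script; the function names, the jail path and the sample ldd text (taken from the comment above) are constructed here.

```shell
#!/bin/sh
# Added example: populate a chroot jail with programs plus every shared
# object they need, including the dynamic loader that a bare
# "awk '{ print $3 }'" skips. Names and paths below are our own.

# Read ldd output on stdin and print one library path per line.
# ldd prints three line shapes; each is handled explicitly:
#   libc.so.6 => /lib/libc.so.6 (0x...)   -> /lib/libc.so.6
#   /lib/ld-linux.so.2 (0x...)            -> /lib/ld-linux.so.2 (no "=>")
#   linux-gate.so.1 => (0x...)            -> skipped (vDSO, nothing on disk)
ldd_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # ordinary shared object
        $1 ~ /^\// { print $1 }                        # loader line, no "=>"
    '
}

# Copy one file into the jail under the same absolute path, keeping its mode.
jail_copy() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# build_jail JAIL PROG...: copy each program and its libraries into JAIL.
build_jail() {
    jail=$1; shift
    for prog in "$@"; do
        jail_copy "$jail" "$prog"
        # ldd exits non-zero for static binaries, which need no libraries.
        ldd "$prog" 2>/dev/null | ldd_libs | while read -r lib; do
            jail_copy "$jail" "$lib"
        done
    done
}

# Constructed sample input: the ldd /bin/bash output quoted in the comment.
SAMPLE_LDD='        linux-gate.so.1 =>  (0xffffe000)
        libncurses.so.5 => /lib/libncurses.so.5 (0xb7f0d000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7f0a000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7dda000)
        /lib/ld-linux.so.2 (0xb7f56000)'

# Example invocation (jail path is an assumption):
#   build_jail /home/jail /bin/bash /bin/ls /usr/bin/id
```

Running the sample through ldd_libs yields the four real files, with /lib/ld-linux.so.2 included and linux-gate.so.1 dropped, so the loader no longer has to be copied by hand.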

From: at: 2007-07-21 19:53:13

This worked great! Many thanks.

I have only a few remarks:

i) To be able to use sftp and scp, I had to add "/usr/bin/sftp /usr/bin/scp" to the APPS variable in the chroot env build script AND I had to copy /usr/lib/sftp-server to the chroot environment;

ii) I've also added "/bin/rmdir" to the APPS var, but this is only an option.

From: SOR at: 2009-01-02 19:11:25

Does the proposed solution work together with LDAP authentication? In the server, the user data is in the LDAP database, rather than in /etc/passwd, etc.  Please comment. Thanks.

From: Mike Mueller at: 2009-03-08 12:03:11

While http://chrootssh.sourceforge.net doesn't exist anymore, a patch for the newer releases of OpenSSH can be found at: http://web.cybnet.ch/misc/opensource/openssh-5.2p1-chroot.patch

From: Anonymous at: 2009-08-25 23:50:50

Did you get a solution for chrooting ssh and sftp for an LDAP client? Please email me at upendra.gandhi@gmail.com


Thanks!