Chrooted SSH/SFTP On Fedora 7

Version 1.0
Author: Oliver Meyer <o [dot] meyer [at] projektfarm [dot] de>
Last edited 10/08/2007

This document describes how to set up a chrooted SSH/SFTP environment on Fedora 7. The chrooted users will be jailed in a specific directory where they can't break out. They will be able to access their jail via SSH and SFTP.

This howto is meant as a practical guide; it does not cover the theoretical backgrounds. They are treated in a lot of other documents in the web.

This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 First Method (By Hand)

1.1 Install The Chrooted OpenSSH

First we have to install some needed packages:

yum install openssl-devel pam-devel
yum groupinstall 'Development Tools'

Afterwards we have to customize the ssh/sshd-configuration:

vi /etc/ssh/sshd_config

change

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

to

#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

vi /etc/ssh/ssh_config

change

GSSAPIAuthentication yes

to

#GSSAPIAuthentication yes

Next we download the patched OpenSSH sources, configure them to our needs (/usr for the executable files, /etc/ssh for the configuration files and enabled PAM authentication).

cd /tmp/
wget http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2
tar xvfj openssh-4.5p1-chroot.tar.bz2
cd openssh-4.5p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install

1.2 Create The Chroot Environment

We'll create a chroot environment under /home/chroot - the jail for all chrooted SSH-users.

mkdir -p /home/chroot/home/
cd /home/chroot
mkdir -p usr/lib/openssh/
mkdir bin lib usr/bin dev etc
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 666 dev/null dev/zero

Now, after we created the necessary directories, we have to copy some binaries and their depending libraries into the chroot environment. The most of this work can be done with a little script that was found by Falko Timme - he also modified it a bit. I adapted it to work with Fedora 7.

vi /usr/local/sbin/create_chroot_env

#!/bin/bash

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd
/bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping
/usr/bin/dircolors /bin/vi /usr/bin/sftp
/usr/libexec/openssh/sftp-server"

for prog in $APPS; do

mkdir -p ./`dirname $prog` > /dev/null 2>&1
cp $prog ./$prog

# obtain a list of related libraries
ldd $prog > /dev/nullq
if [ "$?" = 0 ] ; then
LIBS=`ldd $prog | awk '{ print $3 }'`

for l in $LIBS; do
mkdir -p ./`dirname $l` > /dev/null 2>&1
cp $l ./$l  > /dev/null 2>&1
done

fi
done

Note: You can make more programs available to your chrooted users by adding them to the APPS-line in the script.

Make the script executable and run it:

chmod 700 /usr/local/sbin/create_chroot_env
create_chroot_env

Afterwards we have to copy a couple of additional files and libraries to the chroot jail:

cp /lib/libnss_compat.so.2 /lib/libcom_err.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 lib/

cp -R /etc/pam.d/ etc/
cp -R /lib/security/ lib/
cp -R /etc/security/ etc/
cp /etc/login.defs /etc/hosts /etc/resolv.conf etc/
cp /usr/lib/libgssapi_krb5.so.2 /usr/lib/libkrb5.so.3 /usr/lib/libk5crypto.so.3 /usr/lib/libkrb5support.so.0 usr/lib/

In the next step we do the following:

echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e "^root" > etc/passwd

You should also copy the line of the group, which will be used to create new chrooted users from /etc/group to /home/chroot/etc/group. In this tutorial we will create chrooted users with the group users:

grep /etc/group -e "^root" -e "^users" > etc/group

Now it's time to restart the OpenSSH server:

/etc/init.d/sshd restart

1.3 Create Chrooted Users

Although we installed the chrooted SSH it's still possible to log in without being chrooted (this makes sense if you log in as root, for example). The decision, which user will be chrooted and which not, is depending on a dot. If the user's home directory in /etc/passwd has a dot in it, this user will be chrooted.

This user will be chrooted:

user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash

This user will not be chrooted:

user_a:x:2002:100:User A:/home/user_a:/bin/bash

We create the user testuser with the homedirectory /home/chroot/./home/testuser/ and the group users:

useradd -s /bin/bash -m -d /home/chroot/./home/testuser/ -c "testuser" -g users testuser

After we created the new useraccount, we have to set a password for it:

passwd testuser

At last we have to copy the line for testuser in /etc/passwd to /home/chroot/etc/passwd:

grep /etc/passwd -e "^testuser" >> /home/chroot/etc/passwd

Cause we have already copied the the line for the group users from /etc/group to /home/chroot/etc/group, we don't have to do this again. If you want to create a chrooted user with another group than users, you have to add this group to /home/chroot/etc/group.

e.g.:

grep /etc/group -e "^othergroup" >> /home/chroot/etc/group

Now try to log in to SSH or SFTP as testuser. You should be jailed in /home/chroot.