« Home | How to create IP-IP tunnel between FreeBSD and Lin... » | How can I have two default routes? » | Revealing your routing tables » | Where do the IP addresses come from? » | Just what is routing? » | Mysql Database Backup Script » | Listing files by size » | Where am i always » | Possible to get the administrator password ? » | 11 Unix Tricks » 

Monday, March 20, 2006 

Chrooted SSH HowTo

This tutorial describes how to install and configure OpenSSH so that it will allow chrooted sessions for users. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of.

This setup is based on a Debian Sarge (Debian 3.1) system, and the chrooted SSH will be installed in such a way that it will still use the configuration files of the standard OpenSSH Debian package which are in /etc/ssh/, and you will be able to use the standard OpenSSH Debian init script /etc/init.d/ssh. Therefore you do not have to create your own init script and configuration file.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Install The Newest Zlib Version

Because there was a security hole in zlib-1.2.2 about which the chrooted SSH will complain when we try to compile it, we install the newest zlib version right now:

cd /tmp
wget http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3
make clean
./configure -s
make
make install

2 Install The Chrooted SSH

This is quite easy. We download the patched OpenSSH sources, and we configure them with /usr as directory for the SSH executable files, with /etc/ssh as directory where the chrooted SSH will look for configuration files, and we also allow PAM authentication:

cd /tmp
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh
wget http://chrootssh.sourceforge.net/download/openssh-4.2p1-chroot.tar.gz
tar xvfz openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install

3 Create The Chroot Environment

Next I create a chroot environment under /home/chroot. This is the directory that all chrooted SSH users will get jailed in, i.e. they will not be able to see any files/directories outside /home/chroot.

I have to create some directories in /home/chroot, and I have to copy a few binaries like /bin/bash, /bin/ls, etc. as well as the libraries on which these binaries depend into the chroot environment so that they are available to any chrooted user.

mkdir /home/chroot/
mkdir /home/chroot/home/
cd /home/chroot
mkdir etc
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5

Now that we have created the necessary directories, we are goning to copy some binaries and all the libraries on which they depend into the chroot environment. This is an excerpt of a script that I found on http://mail.incredimail.com/howto/openssh/create_chroot_env that does this. Just copy and paste the following lines into your shell, and hit Return. If you want to make more programs available to your chrooted users, just add these programs to the APPS line:

APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
for prog in $APPS; do
cp $prog ./$prog

# obtain a list of related libraries
ldd $prog > /dev/null
if [ "$?" = 0 ] ; then
LIBS=`ldd $prog | awk '{ print $3 }'`
for l in $LIBS; do
mkdir ./`dirname $l` > /dev/null 2>&1
cp $l ./$l
done
fi
done

Then we do this:

cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e "^root" > etc/passwd

You should also copy the line of the group in which you will create new users from /etc/group to /home/chroot/etc/group. In this tutorial we will create users in the group users, so we do this:

grep /etc/group -e "^root" -e "^users" > etc/group

and restart SSH:

/etc/init.d/ssh restart

4 Create A Chrooted User

Even with the chrooted SSH that we have just installed you can log in without being chrooted (which makes sense if you log in as root, for example). Now, how does the chrooted SSH decide whom to chroot and whom not? That's easy: the chrooted SSH looks up the user who is trying to log in in /etc/passwd. If the user's home directory in /etc/passwd has a . in it, then the user is going to be chrooted.


Example (from /etc/passwd):

user_a:x:2002:100:User A:/home/user_a:/bin/bash

This user will not be chrooted.

user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash

This user will be chrooted.


Now we create the user testuser with the home directory /home/chroot/./home/testuser and the group users (which is the default group for users on Debian so you do not have to specify it explicitly):

useradd -s /bin/bash -m -d /home/chroot/./home/testuser -c "testuser" -g users testuser

Then we give testuser a password:

passwd testuser

Finally, we have to copy the line for testuser in /etc/passwd to /home/chroot/etc/passwd:

grep /etc/passwd -e "^testuser" >> /home/chroot/etc/passwd

We have already copied the users group line from /etc/group to /home/chroot/etc/group so we do not have to do this here again. If you create a chrooted user in another group than users, add this group to /home/chroot/etc/group:

grep /etc/group -e "^othergroup" >> /home/chroot/etc/group

Now try to log in to SSH as testuser. You should be chrooted and not be able to browse files/directories outside /home/chroot.

Have fun!


Links to this post

Create a Link