Create chroot jail with openssh

How to create a chroot jail with openssh (sftp only)

This write-up describes how to use openssh to set up a chroot jail for sftp connections within the CentOS family. I tried and tried to install and configure rssh to no avail. I was continually met with “Connection closed” messages, which is documented in the rssh FAQ, and the provided solution did not work. I therefore sought out an alternative and was pleased to find a simpler solution using openssh.

Check current version of openssh

If you’re not running openssh version 4.9p1 or higher, you must upgrade openssh, because the ChrootDirectory option and the in-process internal-sftp subsystem are not available in earlier releases. With them, sshd chroots the session itself and serves sftp from inside its own process, so the jail needs no shell, no sftp-server binary and no shared libraries copied into it, and no third-party restricted shell such as rssh.

Start by installing some development tools
yum install -y gcc openssl-devel pam-devel rpm-build
Download openssh 5.2p1
wget ftp://mirror.planetunix.net/pub/OpenBSD/OpenSSH/portable/openssh-5.2p1.tar.gz
Build RPMs from the source. The perl one-liner flips no_gnome_askpass and no_x11_askpass to 1 in the spec so that the askpass subpackages, and the GNOME/X11 development libraries they require, are skipped.
tar xvfz openssh-5.2p1.tar.gz
cp ./openssh-5.2p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
cp ./openssh-5.2p1.tar.gz /usr/src/redhat/SOURCES/
cd /usr/src/redhat/SPECS/
perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec
rpmbuild -bb openssh.spec
cd /usr/src/redhat/RPMS/`uname -i`
# ls -l
-rw-r--r-- 1 root root 275215 Oct 25 16:31 openssh-5.2p1-1.x86_64.rpm
-rw-r--r-- 1 root root 437468 Oct 25 16:31 openssh-clients-5.2p1-1.x86_64.rpm
-rw-r--r-- 1 root root 275724 Oct 25 16:31 openssh-server-5.2p1-1.x86_64.rpm
# rpm -Uvh openssh*rpm
Preparing... ########################################### [100%]
1:openssh ########################################### [ 33%]
2:openssh-clients ########################################### [ 67%]
3:openssh-server ########################################### [100%]

warning: /etc/pam.d/sshd created as /etc/pam.d/sshd.rpmnew
warning: /etc/ssh/sshd_config created as /etc/ssh/sshd_config.rpmnew
mv /etc/pam.d/sshd /etc/pam.d/sshd.orig
cp /etc/pam.d/sshd.rpmnew /etc/pam.d/sshd
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
cp /etc/ssh/sshd_config.rpmnew /etc/ssh/sshd_config

Copying the .rpmnew files over the old ones discards any local settings from the previous sshd_config (Port, PermitRootLogin, AllowUsers and the like) and from pam.d/sshd. Diff the new files against the .orig copies and re-apply what you need before restarting.
Restart sshd and verify the version. Keep your current ssh session open while doing this, so that a restart that fails does not lock you out of the host.

service sshd restart

# ssh -V
OpenSSH_5.2p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

ssh -V reports the client binary; since the client and server packages were built and installed together, the running server is the same release.

!!! info ""
After restarting, the init script may warn that initlog is obsolete. You can ignore this; that option is deprecated.

Configure sshd_config and restart sshd

vi /etc/ssh/sshd_config

Add the following options at the very end of the file. Comment out the existing sftp-server Subsystem line first: a subsystem may only be defined once, and Subsystem is a global directive that is not permitted inside a Match block, so it has to come before it. The `Match` block itself must be the last thing in the file, because every directive that follows a Match line applies only to that match, until the next Match line or the end of the file.

# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

# everything below applies only to members of the sftp group
Match Group sftp
# jail root is the user's home directory; it and every directory above it
# must be owned by root and must not be group- or world-writable
ChrootDirectory %h
# serve sftp inside sshd itself, ignoring whatever command the client asked for
ForceCommand internal-sftp
# no port forwarding through the jailed session
AllowTcpForwarding no

!!! important
Don’t forget to restart sshd after saving the sshd_config file. Run sshd -t first: it checks the new configuration for syntax errors without restarting anything, which matters here because a mistake in the Match block can leave sshd unable to start.

Add chroot group/user and set permissions
groupadd sftp
useradd -d /chroot -u 555 -G sftp -m -s /bin/false sftpuser
chown root:root /chroot
chmod 0755 /chroot
mkdir /chroot/sftpuser
chown sftpuser:sftp /chroot/sftpuser

Setting the user’s shell to /bin/false closes off console and su logins, but it is ForceCommand internal-sftp that keeps them out of a shell over ssh: the forced command runs inside sshd and never executes the login shell, which is also why /bin/false does not need to exist inside the jail. Adjust the permissions for your scenario. The layout above is the proper setup when more than one user is given access: /chroot is root-owned and 0755, so nothing can be created in the root of the jail, and uploads and new directories are allowed only within the user’s “personal” directory (sftpuser). Note that mkdir created that directory with the default 0755, so other jailed users can read, though not modify, its contents; tighten it to 0700 if users must not see each other’s files. The useradd -m step also copied the /etc/skel dotfiles into /chroot before the chown; they are harmless but can be removed.
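A chroot path that violates these ownership and mode rules fails silently from the client’s point of view: sshd logs the problem and drops the connection. The following added example, which is not part of the original write-up, audits a ChrootDirectory value the way sshd does before trusting it, walking every component from / down to the jail and flagging any that is not root-owned or is group- or world-writable. The STAT_CMD hook and the check_chroot_path function are this example’s own names; the default stat invocation is GNU stat as shipped with CentOS.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit the path named in
# ChrootDirectory the way sshd does before it chroots a session. Every
# component from / down to the jail must be owned by root and must not be
# writable by group or others; otherwise sshd logs
# "bad ownership or modes for chroot directory" and closes the connection.

# STAT_CMD is an assumed hook for this example: it must print "<uid>:<octal mode>"
# for the path it is given. The default is GNU stat as found on CentOS.
STAT_CMD=${STAT_CMD:-"stat -c %u:%a"}

# check_chroot_path /absolute/jail
# Prints one line per offending directory. Returns 0 if the whole path is
# acceptable, 1 if any component fails the check, and 2 if the path is not
# absolute or a component cannot be inspected.
check_chroot_path() {
    ccp_path=$1
    ccp_rc=0
    case $ccp_path in
        /*) ;;
        *) echo "$ccp_path: ChrootDirectory must be an absolute path" >&2; return 2 ;;
    esac
    while :; do
        ccp_info=$($STAT_CMD "$ccp_path") || return 2
        ccp_uid=${ccp_info%%:*}
        ccp_mode=${ccp_info#*:}
        if [ "$ccp_uid" != 0 ]; then
            echo "$ccp_path: owned by uid $ccp_uid, must be root"
            ccp_rc=1
        fi
        # The last two octal digits are the group and other permissions;
        # a digit of 2, 3, 6 or 7 carries the write bit.
        case $ccp_mode in
            *[2367]?) echo "$ccp_path: mode $ccp_mode is group-writable"; ccp_rc=1 ;;
        esac
        case $ccp_mode in
            *[2367]) echo "$ccp_path: mode $ccp_mode is world-writable"; ccp_rc=1 ;;
        esac
        # Walk up one directory; dirname of / is / itself, so stop there.
        ccp_next=$(dirname "$ccp_path")
        [ "$ccp_next" = "$ccp_path" ] && break
        ccp_path=$ccp_next
    done
    return $ccp_rc
}

# Usage: sh check_chroot.sh /chroot
# Check the ChrootDirectory value itself (the jail root), not the user's
# writable subdirectory inside it, which is expected to fail this test.
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it against the value you put in ChrootDirectory, here /chroot. It is also a quick way to see why a jail under /tmp or /var/tmp can never work: those directories are world-writable, so sshd refuses them no matter how the jail itself is set up.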

That’s it. Connect with sftp and the user lands in the jail, which appears to them as /: listing it shows only sftpuser, and changing to the parent directory goes nowhere, because the jail root is the top of the filesystem they can see. A plain ssh login as the same user should be closed immediately, since the forced command never provides a shell. If the sftp connection itself is refused, look in /var/log/secure for a “bad ownership or modes for chroot directory” message; it means a directory in the ChrootDirectory path is not root-owned or is group- or world-writable.
