chroot sshd/sftp

The chrootssh project maintains patches for OpenSSH that allow ssh and sftp to be chrooted.

Solaris 9 instructions

1. Download and install the latest openssh-chroot tarball from http://chrootssh.sourceforge.net/download/

2. Create the chroot environment. The following shell script installs all $REQUIRED_CHROOT_FILES, shared library dependencies, and required device files in $CHROOT_DIR.

#!/bin/sh

CHROOT_DIR=/chroot

REQUIRED_CHROOT_FILES="  /bin/cp \
                         /bin/ls \
                         /bin/mkdir \
                         /bin/mv \
                         /bin/rm \
                         /bin/rmdir \
                         /bin/sh \
                         /bin/ldd \
                         /usr/local/libexec/sftp-server"

# Create $CHROOT_DIR
[ ! -d $CHROOT_DIR ] && mkdir $CHROOT_DIR
cd $CHROOT_DIR

# Copy $REQUIRED_CHROOT_FILES and shared library dependencies
# to chroot environment

for FILE in $REQUIRED_CHROOT_FILES
do
   # "cut -c2-" strips the leading "/" so the copy lands under $CHROOT_DIR
   DIR=`dirname $FILE | cut -c2-`
   [ ! -d $DIR ] && mkdir -p $DIR
   cp $FILE `echo $FILE | cut -c2-`
   # Print the first absolute path on each ldd line; "(file not found)"
   # entries carry no path and are skipped instead of copied as a bogus name
   for SHARED_LIBRARY in `ldd $FILE | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'`
   do
      DIR=`dirname $SHARED_LIBRARY | cut -c2-`
      [ ! -d $DIR ] && mkdir -p $DIR
      [ ! -s "`echo $SHARED_LIBRARY | cut -c2-`" ] && \
      cp $SHARED_LIBRARY `echo $SHARED_LIBRARY | cut -c2-`
   done
done

# ldd does not list the runtime linker itself, so copy it explicitly
cp /usr/lib/ld.so.1 usr/lib

# Create required character devices
mkdir $CHROOT_DIR/dev
mknod $CHROOT_DIR/dev/zero c 13 12
mknod $CHROOT_DIR/dev/null c 13 2
chmod 666 $CHROOT_DIR/dev/zero $CHROOT_DIR/dev/null

3. Create the chroot user. The chroot user's home directory should use the following format:
/path_to_chroot/./home_directory

To support chrooted ssh and sftp, use /bin/sh as the chroot user's shell.
To support chrooted sftp-only, use /usr/local/libexec/sftp-server as the chroot user's shell.

ex. $ grep hutch /etc/passwd
hutchib:x:1000:1:Brandon Hutchinson:/chroot/./home/hutch:/bin/sh

When user "hutch" logs in via ssh or sftp, he will be chrooted to /chroot and placed in the /home/hutch directory.

Troubleshooting

Test the chroot jail by executing the following command as root:
# chroot chroot_directory /bin/sh

If this fails, the error messages may indicate which shared libraries or device files you are missing in the chroot.

Test the chroot sftp configuration:
$ sftp chroot_user@chroot_ssh_server

If this fails, make sure all of the shared libraries referenced in ldd /usr/local/libexec/sftp-server are located in your chroot jail. Example sftp failure message:

Request for subsystem 'sftp' failed on channel 0
Couldn't read packet: Connection reset by peer
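The library check described above (and the ldd parsing the build scripts rely on) as an added example; this is not code from this page or from the chrootssh project. It is a POSIX sh script that pulls the library paths out of ldd output, in both the Solaris form and the Linux form including the bare interpreter line, and reports which of them are absent from a jail. SAMPLE_LDD and the temporary jail built in demo() are constructed for illustration; check_binary() is the form to run against a real jail, for example check_binary /chroot /usr/local/libexec/sftp-server.

```shell
#!/bin/sh
# Added example, not part of the chrootssh project or of this page.
# Lists the shared libraries a binary needs and reports those missing
# from a chroot jail. Assumes only POSIX sh, awk and ldd.

# Read ldd output on stdin and print the first absolute path on each line.
# Covers the Solaris form  "libc.so.1 =>   /usr/lib/libc.so.1",
# the Linux form "libc.so.6 => /lib/libc.so.6 (0x...)", and the bare
# interpreter line "/lib/ld-linux.so.2 (0x...)"; vdso entries and
# "=> not found" / "(file not found)" lines contain no path and are skipped.
extract_lib_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Read library paths on stdin; print each one that does not exist under
# the jail ("/usr/lib/libc.so.1" is looked for as "$jail/usr/lib/libc.so.1").
missing_in_jail() {
    jail=$1
    while read -r lib; do
        [ -n "$lib" ] || continue
        [ -e "$jail$lib" ] || echo "$lib"
    done
}

# Real use: ldd a binary and compare its dependencies against the jail, e.g.
#   check_binary /chroot /usr/local/libexec/sftp-server
check_binary() {
    ldd "$2" 2>/dev/null | extract_lib_paths | missing_in_jail "$1"
}

# Constructed ldd output (not captured from a real system) mixing the
# Solaris and Linux formats described above.
SAMPLE_LDD='
        libc.so.1 =>     /usr/lib/libc.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        linux-vdso.so.1 (0x00007ffd)
        libz.so.1 => /usr/local/lib/libz.so.1 (0x00007f1a)
        libmissing.so.1 => not found
        /lib/ld-linux.so.2 (0x00007f1b)
'

# Build a throw-away jail holding only libc and the loader, then print
# the libraries SAMPLE_LDD needs that the jail lacks.
demo() {
    jail=$(mktemp -d)
    mkdir -p "$jail/usr/lib" "$jail/lib"
    : > "$jail/usr/lib/libc.so.1"
    : > "$jail/lib/ld-linux.so.2"
    printf '%s\n' "$SAMPLE_LDD" | extract_lib_paths | missing_in_jail "$jail"
    rm -rf "$jail"
}

echo "Libraries missing from the demo jail:"
demo
```

Run against a real jail, loop check_binary over every executable you copied in (sftp-server first, since that is the one the sftp failure message above points at); anything it prints is a library the jail still needs.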

Older notes

Fedora Core 1 instructions

1. Remove the vendor-supplied OpenSSH RPMs.
# rpm -e openssh openssh-clients openssh-server

2. Download and install the latest openssh-chroot tarball from http://chrootssh.sourceforge.net/download/

3. Create an sshd startup/shutdown script.

# Quote the delimiter so $1 and `basename $0` are written literally
# instead of being expanded by the shell running this cat
cat << 'END_FILE' > /etc/init.d/sshd
#!/bin/sh

# chkconfig: 2345 55 25
# description: OpenSSH server daemon

case $1 in
'start' )
   /usr/local/sbin/sshd
   ;;
'stop' )
   pkill sshd
   ;;
*)
   echo "usage: `basename $0` {start|stop}"
   exit 1
esac
END_FILE
chmod 755 /etc/init.d/sshd

4. Add the sshd startup/shutdown script to chkconfig.
# /sbin/chkconfig --add sshd

5. Create the chroot environment. The following shell script installs all $REQUIRED_CHROOT_FILES, shared library dependencies, and required device files in $CHROOT_DIR. Note: /lib/libnss_files.so.2 is required for UID-to-username resolution. Otherwise, you may receive "cannot find username for UID" errors.

#!/bin/sh

CHROOT_DIR=/chroot

REQUIRED_CHROOT_FILES="  /bin/cp \
                         /bin/ls \
                         /bin/mkdir \
                         /bin/mv \
                         /bin/rm \
                         /bin/rmdir \
                         /bin/sh \
                         /usr/local/libexec/sftp-server \
                         /lib/libnss_files.so.2"

# Create CHROOT_DIR
[ ! -d $CHROOT_DIR ] && mkdir $CHROOT_DIR
cd $CHROOT_DIR

# Copy REQUIRED_CHROOT_FILES and shared library dependencies
# to chroot environment

for FILE in $REQUIRED_CHROOT_FILES
do
   # "cut -c2-" strips the leading "/" so the copy lands under $CHROOT_DIR
   DIR=`dirname $FILE | cut -c2-`
   [ ! -d $DIR ] && mkdir -p $DIR
   cp $FILE `echo $FILE | cut -c2-`
   # Print the first absolute path on each ldd line. This copies the
   # dynamic loader (/lib/ld-linux.so.2) whether or not ldd prints it
   # with "=>", and skips "not found" and vdso entries, which have no path
   for SHARED_LIBRARY in `ldd $FILE | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'`
   do
      DIR=`dirname $SHARED_LIBRARY | cut -c2-`
      [ ! -d $DIR ] && mkdir -p $DIR
      [ ! -s "`echo $SHARED_LIBRARY | cut -c2-`" ] && cp $SHARED_LIBRARY `echo $SHARED_LIBRARY | cut -c2-`
   done
done

# Create device files (world-writable, as on the real /dev, so that
# unprivileged chroot users can open them)
mkdir $CHROOT_DIR/dev
mknod $CHROOT_DIR/dev/null c 1 3
mknod $CHROOT_DIR/dev/zero c 1 5
chmod 666 $CHROOT_DIR/dev/null $CHROOT_DIR/dev/zero

# Create chroot /etc/passwd placeholder
mkdir $CHROOT_DIR/etc
touch $CHROOT_DIR/etc/passwd

6. Create the chroot user. The chroot user's home directory should use the following format:
/path_to_chroot/./home_directory

To support chrooted ssh and sftp, use /bin/sh as the chroot user's shell.
To support chrooted sftp-only, use /usr/local/libexec/sftp-server as the chroot user's shell.

ex. $ grep hutch /etc/passwd
hutchib:x:1000:1:Brandon Hutchinson:/home/chroot/./home/hutch:/bin/sh

7. Add each chroot user's /etc/passwd entry to /etc/passwd within the chroot directory. Note: if /etc/passwd does not exist in the chroot directory, chrooted sftp will work, but chrooted ssh will not.

ex. # grep hutch /etc/passwd >> /home/chroot/etc/passwd

When user "hutch" logs in via ssh or sftp, he will be chrooted to /home/chroot and placed in the /home/hutch directory.

Solaris 7 instructions

1. Download and install the latest openssh-chroot tarball from http://chrootssh.sourceforge.net/download/

2. Create the chroot environment.

Note: the file system containing the chroot jail must not be mounted nosuid. Attempting to use a chroot jail on a nosuid-mounted file system may produce the following error message:

ld.so.1: /bin/sh: fatal: /dev/zero: open failed: No such file or directory
Killed

Remounting the nosuid file system with mount -o remount,suid file_system will not fix the problem. You must unmount the file system, remove nosuid from /etc/vfstab (if applicable), and remount the file system.

The following shell script builds a chroot environment for OpenSSH 3.7.1p2 on a Solaris 7 Sparc system.

#!/bin/sh

CHROOT_DIRECTORY=/path_to_chroot   # must be an absolute path: the cp commands below run after cd

mkdir $CHROOT_DIRECTORY
cd $CHROOT_DIRECTORY

# Create directories
mkdir -m 755 -p bin dev usr/local/ssl/lib usr/local/lib usr/local/libexec usr/lib usr/bin usr/platform/`uname -i`/lib

# Copy files
cp -p /bin/sh $CHROOT_DIRECTORY/bin/sh

cp -p /usr/bin/cp /usr/bin/ls /usr/bin/mkdir /usr/bin/mv /usr/bin/rm /usr/bin/rmdir $CHROOT_DIRECTORY/usr/bin

cp -p /usr/lib/ld.so.1 /usr/lib/libc.so.1 /usr/lib/libdl.so.1 /usr/lib/libgen.so.1 /usr/lib/libmp.so.2 /usr/lib/libnsl.so.1 /usr/lib/libsocket.so.1 /usr/lib/librt.so.1 /usr/lib/libaio.so.1 $CHROOT_DIRECTORY/usr/lib

cp -p /usr/local/lib/libz.so $CHROOT_DIRECTORY/usr/local/lib

cp -p /usr/local/libexec/sftp-server $CHROOT_DIRECTORY/usr/local/libexec

cp -p /usr/local/ssl/lib/libcrypto.so.0.9.6 $CHROOT_DIRECTORY/usr/local/ssl/lib

cp -p /usr/platform/`uname -i`/lib/libc_psr.so.1 $CHROOT_DIRECTORY/usr/platform/`uname -i`/lib

# Create required character devices
mknod $CHROOT_DIRECTORY/dev/zero c 13 12
mknod $CHROOT_DIRECTORY/dev/null c 13 2
chmod 666 $CHROOT_DIRECTORY/dev/zero $CHROOT_DIRECTORY/dev/null

3. Create the chroot user. The chroot user's home directory should use the following format:
/path_to_chroot/./home_directory

To support chrooted ssh and sftp, choose /bin/sh as the chroot user's shell.
To support chrooted sftp-only, choose /usr/local/libexec/sftp-server as the chroot user's shell.

ex. $ grep hutch /etc/passwd
hutchib:x:1000:1:Brandon Hutchinson:/home/chroot/./home/hutch:/bin/sh

When user "hutch" logs in via ssh or sftp, he will be chrooted to /home/chroot and placed in the /home/hutch directory.
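The home-directory convention used in the "create the chroot user" step of all three sets of instructions above (the field is split at /./ into the chroot root and the directory the user lands in) lends itself to a pre-flight check. The following POSIX sh script is an added example, not code from this page or from the chrootssh project: it parses a passwd line the way the convention implies, then verifies that the chroot root, the home directory inside it and the chosen shell binary all exist under the jail. The entries and the temporary jail in demo() are constructed; on a real system you would feed it lines from /etc/passwd, for example check_chroot_entry "$(grep '^hutchib:' /etc/passwd)".

```shell
#!/bin/sh
# Added example, not part of the chrootssh project or of this page:
# pre-flight check for chrootssh-style /etc/passwd entries, where the home
# field has the form /path_to_chroot/./home_directory.  POSIX sh only.

# Split a home field at the "/./" marker.  Prints "<chroot_root> <home>"
# where <home> is the path as seen inside the jail; returns 1 if the marker
# is missing or nothing precedes it.
split_chroot_home() {
    case "$1" in
        /*/./*) ;;
        *) return 1 ;;
    esac
    printf '%s /%s\n' "${1%%/./*}" "${1#*/./}"
}

# Validate one passwd line.  Prints one line per problem found and returns
# 0 only when the entry looks usable: the chroot root exists, the home
# directory exists inside it, and the shell is /bin/sh (ssh and sftp) or
# sftp-server (sftp only) and is present inside the jail.
check_chroot_entry() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    dir=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    parts=$(split_chroot_home "$dir") || {
        echo "$user: home '$dir' lacks the /./ chroot marker"
        return 1
    }
    root=${parts%% *}
    home=${parts#* }
    ok=0
    [ -d "$root" ] || { echo "$user: chroot root $root does not exist"; ok=1; }
    [ -d "$root$home" ] || { echo "$user: $home does not exist inside $root"; ok=1; }
    case "$shell" in
        /bin/sh|/usr/local/libexec/sftp-server)
            [ -x "$root$shell" ] || { echo "$user: $shell is not in the jail"; ok=1; }
            ;;
        *) echo "$user: shell $shell is neither /bin/sh nor sftp-server"; ok=1 ;;
    esac
    return $ok
}

# Constructed jail skeleton for the demo (an empty placeholder stands in for /bin/sh).
make_demo_jail() {
    jail=$(mktemp -d)
    mkdir -p "$jail/home/hutch" "$jail/bin"
    : > "$jail/bin/sh"
    chmod 755 "$jail/bin/sh"
    echo "$jail"
}

# Check a well-formed entry and one whose home lacks the /./ marker.
# Returns 0 when the first passes and the second is rejected.
demo() {
    jail=$(make_demo_jail)
    good="hutchib:x:1000:1:Brandon Hutchinson:$jail/./home/hutch:/bin/sh"
    bad="hutchib:x:1000:1:Brandon Hutchinson:$jail/home/hutch:/bin/sh"
    result=1
    if check_chroot_entry "$good" && ! check_chroot_entry "$bad" >/dev/null; then
        result=0
    fi
    rm -rf "$jail"
    return $result
}

demo && echo "good entry accepted, entry without /./ rejected"
```

The shell test is deliberately strict about /bin/sh versus sftp-server: with any other shell the chrootssh patch has nothing to hand the user once the chroot has happened, and an entry that passes this check but still fails at login points at the jail contents rather than the passwd line.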

Last modified: 2008/01/14