Chroot/Jail SFTP/SCP/SSH on Ubuntu

Skrevet av Kjell Arne Brudvik den 03.02.2011 | 4 kommentarer | 2 283 visninger

Tweet

Sometimes you find yourself in a situation where you would need to make sure that the users can’t reach more of the server than you require them to. Often this can be handled by installing some FTP software with SSL/TLS abilities – and that is also what I would do if it would be an option. Your main goal should ALWAYS be to aim for that kind of setup before doing this.

Anyhow, I needed to give user access to SFTP/SCP/SSH, but without giving them access to the entire server, and even more so, no access to other users files either. To me, the logical step would be to make sure they are jailed to their home directories. But how can you achieve this? Sure, you have Restricted Shell (RSSH) but I usually do not like to install more than absolutely necessary, and my paranoia keeps me from installing 3rd-party solutions for SSH access. Yes I know for most part it would probably work out just fine. But let me have my paranoia.

Basically what I needed was a way to setup a CHROOT jail for SFTP/SCP/SSH.

After browsing the internet a bit I found a variety of solutions. Some that didn’t work at all, some that worked to some extent but where you also had to sacrifice your soul to make it work – and when I finally was about to give in, and let RSSH overcome my paranoia, I found a script originally written by Wolfgang Fuschlberger – and the original is available from this article “How to setup a CHROOT jail for SSH / SCP / SFTP with Linux”.

The script didn’t work straight out of the box, but it didn’t need much tweaks to have it running properly. So without further due, here is how you can get this to work as well.

Note that these instructions are for Ubuntu 10.10 (32bit), but any newer version of Ubuntu should work – at least in theory.

• An up-to-date version of Ubuntu 10.10 installed.
• Do the command: sudo apt-get install mktemp openssh-server
• Then download script: Jailed User (1706)
• Unpack the script.
• Place it where you’d like and make it runnable with chmod u+x jaileduser.sh.
• Add a new jailed user by doing: ./jaileduser.sh <username>.
• Voilá, your new user now have a jailed environment.

By default new users will then be chrooted and jailed to the /home/jail/home/<username> directory and will only see the contents of /home/jail.

So what did I actually change in the original script? Well not much actually, and while the original script can work on a variety of distributions I only did the changes I needed to have it working on Ubuntu 10.10.

TMPFILE1=`mktemp` &> /dev/null ||  TMPFILE1="${HOME}/ldlist"; if [ -x ${TMPFILE1} ]; then mv ${TMPFILE1} ${TMPFILE1}.bak;fi
TMPFILE2=`mktemp` &> /dev/null ||  TMPFILE2="${HOME}/ldlist2"; if [ -x ${TMPFILE2} ]; then mv ${TMPFILE2} ${TMPFILE2}.bak;fi

Changed to:

TMPFILE1=`mktemp`
TMPFILE2=`mktemp`

And since Ubuntu 10.10 has a new version of libcap, I changed libcap.so.1 to libcap.so.2. That’s all it took for the script to work on Ubuntu 10.10. Again, this script wasn’t coded by me; I only did the needed changes to get it to work for me. Since there probably are a lot of other users out there looking for a similar solution I figured I might as well share it.

Enjoy, and feel free to leave me feedback on this approach.

Flickr fotografier for: chroot, jailed