03.02.2011, 4 comments

Chroot/Jail SFTP/SCP/SSH on Ubuntu

Sometimes you find yourself in a situation where you need to make sure that users can’t reach more of the server than you require them to. Often this can be handled by installing some FTP software with SSL/TLS abilities – and that is also what I would do if it were an option. Your main goal should ALWAYS be to aim for that kind of setup before doing this.

Anyhow, I needed to give users access to SFTP/SCP/SSH, but without giving them access to the entire server, and even more so, no access to other users’ files either. To me, the logical step would be to make sure they are jailed to their home directories. But how can you achieve this? Sure, you have Restricted Shell (RSSH), but I usually do not like to install more than absolutely necessary, and my paranoia keeps me from installing 3rd-party solutions for SSH access. Yes, I know for the most part it would probably work out just fine. But let me have my paranoia.

Basically what I needed was a way to set up a CHROOT jail for SFTP/SCP/SSH.

After browsing the internet a bit I found a variety of solutions. Some that didn’t work at all, some that worked to some extent but where you also had to sacrifice your soul to make it work – and when I finally was about to give in, and let RSSH overcome my paranoia, I found a script originally written by Wolfgang Fuschlberger – and the original is available from this article “How to setup a CHROOT jail for SSH / SCP / SFTP with Linux”.

The script didn’t work straight out of the box, but it didn’t need many tweaks to have it running properly. So without further ado, here is how you can get this to work as well.

Note that these instructions are for Ubuntu 10.10 (32bit), but any newer version of Ubuntu should work – at least in theory.

  • An up-to-date version of Ubuntu 10.10 installed.
  • Run the command: sudo apt-get install mktemp openssh-server
  • Then download the script:


  • Unpack the script.
  • Place it where you’d like and make it runnable with chmod u+x jaileduser.sh.
  • Add a new jailed user by doing: ./jaileduser.sh <username>.
  • Voilà, your new user now has a jailed environment.

By default new users will then be chrooted and jailed to the /home/jail/home/<username> directory and will only see the contents of /home/jail.
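A jail like this only holds if the jailed accounts cannot modify anything outside their own home directories. The following check is an added example, not part of the original script or of this post's download; the function name audit_jail and its OWNER parameter are made up for illustration, and it assumes the /home/jail layout described above:

```shell
#!/bin/sh
# Added example (not from the original script): audit a chroot jail so that
# nothing outside the users' own home directories can be modified by them.
# Assumed layout, taken from the text above: jail root /home/jail,
# user homes in /home/jail/home/<username>.

# audit_jail JAIL_ROOT [OWNER]
#   OWNER defaults to root; it is a parameter only so the check can be
#   exercised on a scratch tree without root privileges.
# Prints "OWNER <path>" or "WRITABLE <path>" per finding.
# Returns 0 when clean, 1 when there are findings, 2 on bad arguments.
audit_jail() {
    jail_root=$1
    owner=${2:-root}
    if [ -z "$jail_root" ] || [ ! -d "$jail_root" ]; then
        echo "usage: audit_jail JAIL_ROOT [OWNER]" >&2
        return 2
    fi

    # Everything except JAIL_ROOT/home/* (the user homes) and their contents:
    # binaries, libraries, /etc files and the directories holding them.
    bad_owner=$(find "$jail_root" -path "$jail_root/home/*" -prune -o \
        \( -type d -o -type f \) ! -user "$owner" -print)

    # Group- or world-writable entries let a jailed account replace what the
    # jailed shell executes or loads (for example the copied libcap.so.2).
    bad_mode=$(find "$jail_root" -path "$jail_root/home/*" -prune -o \
        \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) -print)

    status=0
    if [ -n "$bad_owner" ]; then
        printf '%s\n' "$bad_owner" | sed 's/^/OWNER /'
        status=1
    fi
    if [ -n "$bad_mode" ]; then
        printf '%s\n' "$bad_mode" | sed 's/^/WRITABLE /'
        status=1
    fi
    return $status
}

# Typical use on the server, as root:
#   audit_jail /home/jail && echo "jail tree is clean"
```

Run it after every ./jaileduser.sh <username>, since each run copies files into the jail.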

So what did I actually change in the original script? Well not much actually, and while the original script can work on a variety of distributions I only did the changes I needed to have it working on Ubuntu 10.10.

TMPFILE1=`mktemp` &> /dev/null ||  TMPFILE1="${HOME}/ldlist"; if [ -x ${TMPFILE1} ]; then mv ${TMPFILE1} ${TMPFILE1}.bak;fi
TMPFILE2=`mktemp` &> /dev/null ||  TMPFILE2="${HOME}/ldlist2"; if [ -x ${TMPFILE2} ]; then mv ${TMPFILE2} ${TMPFILE2}.bak;fi

Changed to:


And since Ubuntu 10.10 has a new version of libcap, I changed libcap.so.1 to libcap.so.2. That’s all it took for the script to work on Ubuntu 10.10. Again, this script wasn’t coded by me; I only did the needed changes to get it to work for me. Since there probably are a lot of other users out there looking for a similar solution I figured I might as well share it.

Enjoy, and feel free to leave me feedback on this approach.

More than averagely interested in politics, social issues and technological fields. An urge to communicate, and an even greater urge to get involved in the things I also have an opinion about. I work as a developer and designer, and not least, I am a dad. When I don't have my critical eyes fixed on local politics or development, I indulge my historical and analytical side in history and genealogy.
  • Leaderone

    Hey. Thanks for the guide. Trying it out now. First problem is the file format of your script. You need to convert it from dos to unix. Tofrodos for Linux did the trick for me.

  • http://twitter.com/mascasa Justin Morehouse

    I found that once I do this I can no longer use SSH to forward TCP traffic (SSH Proxy). It does not work for chrooted and non-chrooted accounts. Any ideas?

  • http://www.brudvik.org/ Kjell Arne Brudvik

    Hmm, can’t say I have any ideas from the top of my head – I’ll test it during the weekend and see if I can come up with any solutions to your issues. If you do however find a solution, feel free to share it here, so I can update the post with the information – after all, this is a popular post as I see daily search hits on it :-)

  • http://www.brudvik.org/ Kjell Arne Brudvik

    Sorry, I couldn’t figure out a working solution, perhaps one of the readers here can shed some light on this topic?