How can I chroot ssh connections?

Solution 1:

I am using rssh for this purpose.

You are right, there is a new way to do it, and it is a built-in feature of recent ssh versions.

Here is an article on Undeadly.

Solution 2:

I just had to set up one user who would be able to log in via ssh and then ssh to another server (which is not directly connected to the outside world). The links by cstamas and ericmayo were a good start.

Basically, I added the following to /etc/ssh/sshd_config:

Match User myuser
  ChrootDirectory /chroot/myuser

From there on, I just had to create the chroot environment below /chroot/myuser. I copied /bin/bash and /usr/bin/ssh and the shared libraries they needed (ldd will show those). For a larger environment, it would probably make sense to compile statically linked versions of the needed executables.

Bash worked right away; for ssh to work, I also had to create the .ssh directory, copy /etc/passwd, /etc/nsswitch.conf and /lib/libnss_*, and create /dev/null, /dev/tty and /dev/urandom via mknod.

Solution 3:

mkdir /chroot
mkdir -p /chroot/home/<user_name>

mkdir /chroot/home/<user_name>/bin
cp -pr /bin/bash /chroot/home/<user_name>/bin/.
cp -pr /bin/ls /chroot/home/<user_name>/bin/.
cp -pr /lib64 /chroot/home/<user_name>/.

You have to edit the /etc/sshd_config file and add

ChrootDirectory /chroot/%h

And restart the sshd daemon.

All being said, I honestly think that sftp is a better option.

Also, I found this url if it is helpful.

http://www.techrepublic.com/blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229
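
Solutions 2 and 3 both build the same kind of jail by hand: copy the binaries, copy whatever ldd says they need, add device nodes, point sshd at the directory. The script below is an added example, not code from either answer, that does those steps in one place and adds the check a practitioner wants before restarting sshd: OpenSSH refuses the login unless the ChrootDirectory and every directory above it are owned by root and not writable by group or others. The jail path /chroot/myuser, the user name myuser, the binary list, and the use of GNU ldd and stat are assumptions.

```shell
#!/bin/sh
# Added example (not from the answers above): build the minimal chroot that
# Solutions 2 and 3 describe, then check it against the ownership rules sshd
# applies to ChrootDirectory.  Paths, user name and binary list are assumed.
set -eu

JAIL=${JAIL:-/chroot/myuser}                  # matches "ChrootDirectory /chroot/myuser"
JAIL_USER=${JAIL_USER:-myuser}
BINARIES=${BINARIES:-"/bin/bash /bin/ls /usr/bin/ssh"}

# Reduce ldd output to one absolute library path per line.  ldd prints three
# shapes of line; only the first two name a file that must be copied:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
#   /lib64/ld-linux-x86-64.so.2 (0x...)
#   linux-vdso.so.1 (0x...)            (kernel-provided, nothing to copy)
# A "=> not found" entry is reported on stderr instead of silently dropped.
parse_ldd() {
    awk '
        /statically linked|not a dynamic executable/ { next }
        $2 == "=>" && $3 == "not"  { print "missing on host: " $1 > "/dev/stderr"; next }
        $2 == "=>" && $3 ~ /^\//   { print $3; next }
        $1 ~ /^\//                 { print $1 }
    '
}

# Copy one host file to the same path under the jail, keeping mode and timestamps.
copy_into_jail() {
    mkdir -p "$JAIL$(dirname "$1")"
    cp -p "$1" "$JAIL$1"
}

# The device nodes Solution 2 needed; major/minor numbers are the Linux ones.
make_devices() {
    mkdir -p "$JAIL/dev"
    [ -e "$JAIL/dev/null" ]    || mknod -m 666 "$JAIL/dev/null"    c 1 3
    [ -e "$JAIL/dev/tty" ]     || mknod -m 666 "$JAIL/dev/tty"     c 5 0
    [ -e "$JAIL/dev/urandom" ] || mknod -m 666 "$JAIL/dev/urandom" c 1 9
}

# sshd rejects the login unless the chroot directory and every directory above
# it are owned by root and carry no group or other write bit.  Walk the path
# upwards and fail on the first violation.  Uses GNU stat.
check_chroot_root() {
    dir=$1
    while :; do
        owner=$(stat -c %u "$dir")
        mode=$(stat -c %a "$dir")
        [ "$owner" = 0 ] || { echo "$dir: not owned by root" >&2; return 1; }
        case "$mode" in
            *[2367]|*[2367]?) echo "$dir: group or other writable (mode $mode)" >&2; return 1 ;;
        esac
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

build_jail() {
    for bin in $BINARIES; do
        copy_into_jail "$bin"
        ldd "$bin" | parse_ldd | while read -r lib; do copy_into_jail "$lib"; done
    done
    make_devices
    # ssh inside the jail resolves users through NSS, so Solution 2 copied passwd,
    # nsswitch.conf and libnss_*.  Copy only the passwd lines the jail needs
    # instead of exposing the whole host user list.
    mkdir -p "$JAIL/etc"
    grep -E "^(root|$JAIL_USER):" /etc/passwd > "$JAIL/etc/passwd"
    cp -p /etc/nsswitch.conf "$JAIL/etc/"
    for lib in /lib/libnss_* /lib/*/libnss_*; do
        if [ -e "$lib" ]; then copy_into_jail "$lib"; fi
    done
    mkdir -p "$JAIL/home/$JAIL_USER/.ssh"
    chown -R "$JAIL_USER" "$JAIL/home/$JAIL_USER"
    chmod 700 "$JAIL/home/$JAIL_USER/.ssh"
    chown root:root "$JAIL"
    chmod 755 "$JAIL"
}

# Usage (as root):  sh build-jail.sh build
if [ "${1:-}" = build ]; then
    build_jail
    check_chroot_root "$JAIL"
    echo "jail at $JAIL passes the sshd ownership check; add the Match block and restart sshd"
fi
```

Run it as root with the single argument build, then add the Match User block from Solution 2 (or the ChrootDirectory /chroot/%h line from Solution 3) and restart sshd. If check_chroot_root complains about a parent such as /chroot being group-writable, fix that before restarting, because sshd will log "bad ownership or modes for chroot directory" and refuse the login rather than fall back to an unjailed session.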

Solution 4:

If you are using public-key authentication you could use the "command" option in authorized_keys to set up the chroot jail.

~/.ssh/authorized_keys:

command="/path/to/the/chroot/script" ssh-dss keydata.....keydata... user@host
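
A forced command like the one above runs as the key's owner, with whatever the client asked to execute in SSH_ORIGINAL_COMMAND, so the script has two jobs: refuse anything that is not explicitly allowed without ever handing user input to a shell for parsing, and obtain the privilege that chroot(2) needs, which the user does not have. The wrapper below is an added example, not the script the answer refers to. Its allowlist, the jail path /chroot/myuser, the user myuser, and the assumption that a sudo rule exists permitting exactly the chroot invocation it execs are all hypothetical; the authorized_keys line would be command="/usr/local/sbin/ssh-jail run" in front of the key.

```shell
#!/bin/sh
# Added example (not from the answer above): a forced-command wrapper for the
# command="..." option of authorized_keys.  sshd runs it as the key's user and
# passes the client's requested command in SSH_ORIGINAL_COMMAND.  The jail path,
# user name, allowlist and the sudo rule it relies on are all assumptions.
set -eu

JAIL=${JAIL:-/chroot/myuser}
JAIL_USER=${JAIL_USER:-myuser}

# Return 0 only for a command line that is on the fixed allowlist.  Matching the
# whole string exactly means "ls; rm -rf /" or "ls -l /etc" never get near a
# shell; an empty string is an interactive-shell request and is refused too.
command_allowed() {
    case "$1" in
        "")                                      return 1 ;;
        ls|"ls -l"|"cat motd"|"ssh internal-host") return 0 ;;   # assumed allowlist
        *)                                       return 1 ;;
    esac
}

# What the client asked for; empty when it requested a plain login shell.
requested_command() {
    printf '%s' "${SSH_ORIGINAL_COMMAND:-}"
}

# chroot(2) needs CAP_SYS_CHROOT, which the key's user lacks, so the wrapper is
# assumed to be allowed (via a sudoers rule limited to this exact invocation) to
# run chroot as root; --userspec drops back to the jailed user inside the jail.
run_in_jail() {
    exec sudo -n /usr/sbin/chroot --userspec="$JAIL_USER:$JAIL_USER" "$JAIL" /bin/sh -c "$1"
}

# Usage: invoked by sshd as   command="/usr/local/sbin/ssh-jail run" ssh-... key
if [ "${1:-}" = run ]; then
    cmd=$(requested_command)
    if command_allowed "$cmd"; then
        logger -t ssh-jail "allowed forced command for $JAIL_USER: $cmd" || true
        run_in_jail "$cmd"
    else
        logger -t ssh-jail "rejected forced command for $JAIL_USER: $cmd" || true
        echo "command not permitted" >&2
        exit 1
    fi
fi
```

Because the decision is a whole-string comparison rather than a pattern, adding a new permitted command means adding it to the case list; that is deliberate, since a pattern such as ls* would accept ls -l /etc/shadow on the host side before the chroot ever happens.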