Setting up chrooted ssh jails for Linux


In one of our earlier articles we demonstrated how to configure chrooted sftp user accounts. Along with the configuration of chrooted sftp accounts you can also configure a mechanism for chrooted ssh access. This type of chrooted ssh setup is commonly known as a chroot jail, and we will explain its configuration step by step in this article. Chroot jails are a way of separating particular user operations from the rest of the Linux system. The configuration changes the apparent root directory for the current running user process and its child processes to a new root directory, known as the chroot jail.

Step 1: Create the chroot home directory.

[[email protected] ~]# mkdir -p /chroot/home/sahil
[[email protected] ~]# ls -ld /chroot/home/sahil
drwxr-xr-x. 2 root root 4096 Jul 22 22:34 /chroot/home/sahil
[[email protected] ~]#
[[email protected] ~]# chmod 700 /chroot/home/sahil

We need to disable SELinux for this setup to work.

[[email protected] ~]# setenforce 0

We will be copying certain binaries and library files into this directory, so let's create the sub-directories in which we will place those binaries and library files.

[[email protected] ~]# cd /chroot
[[email protected] chroot]# mkdir bin/ lib64/ lib/ dev/
[[email protected] chroot]# ls
bin lib lib64 dev
[[email protected] chroot]#

Now, under the dev/ directory we will create the required character device files using the mknod command. In the commands below, the -m flag specifies the file permission bits, c means a character device file, and the two numbers are the major and minor numbers that the device files refer to.

[[email protected] ~]# mknod /chroot/dev/null c 1 3
[[email protected] ~]# mknod /chroot/dev/zero c 1 5
[[email protected] ~]# mknod -m 666 /chroot/dev/tty c 5 0
[[email protected] ~]# mknod -m 666 /chroot/dev/ptmx c 5 2

Step 2: Copy the bash binary to the chroot home directory
Since a jailed environment is isolated from the rest of the system, we won't have access to any user commands, not even the bash shell, while we are inside the chroot jail. So, in order to have access to the bash shell we will copy the bash binary to our chroot home directory along with the shared libraries required by bash. To find out which shared libraries a binary requires, run the ldd command followed by the full path of the binary.

[[email protected] chroot]# ldd /bin/bash
 => (0x00007fff4f19a000)
 => /lib64/ (0x0000003dfc200000)
 => /lib64/ (0x0000003deee00000)
 => /lib64/ (0x0000003dee600000)
 /lib64/ (0x0000003dede00000)

Now we need to copy the library files listed above, along with the /bin/bash binary, to the appropriate directories under /chroot/home.

[[email protected] chroot]# cp -v /lib64/ /chroot/home/lib64/
`/lib64/' -> `/chroot/home/lib64/'
[[email protected] chroot]# cp -v /lib64/ /chroot/home/lib64/
`/lib64/' -> `/chroot/home/lib64/'
[[email protected] chroot]# cp -v /lib64/ /chroot/home/lib64/
`/lib64/' -> `/chroot/home/lib64/'
[[email protected] chroot]# cp -v /lib64/ /chroot/home/lib64/
`/lib64/' -> `/chroot/home/lib64/'
[[email protected] chroot]#
[[email protected] chroot]# cp -v /bin/bash /chroot/home/bin/
`/bin/bash' -> `/chroot/home/bin/bash'
[[email protected] chroot]#

We now need to execute the chroot command followed by the chroot home directory name to complete the chroot environment setup.


[[email protected] chroot]# chroot /chroot/home
bash-4.1# ls /
bash: ls: command not found

As you can see, once we entered the chrooted environment even the ls command did not work, since the required binary and library files are not available there. However, because we had copied the bash binary and its associated library files, we do have access to the bash shell along with its built-ins.

bash-4.1# pwd
bash-4.1# cd
bash: cd: /root: No such file or directory
bash-4.1# history
1 ls /
2 pwd
3 cd
4 history

Step 3: Copy the required binary files and associated library files.
To copy the required library files we have written a small script: you only need to specify the full path of the binary (or binaries) and the script copies the library files they require.

[[email protected] ~]# cat chroot_library_copy.bash
#!/bin/bash
CHROOT=/chroot/home

## create the chroot directory if it doesn't exist already ##
mkdir $CHROOT

## copy the shared libraries of every binary given on the command line
for lib in $( ldd $* | awk '/lib/ {print $3}' | sed 's/://' | sort | uniq )
do
    cp ${lib} ${CHROOT}/lib64
done

## the dynamic loader has no "=>" entry in ldd output, so copy it separately
## (the loader's file name under /lib64/ is missing from the original listing)
if [ -f /lib64/ ]; then
    cp /lib64/ ${CHROOT}/lib64
fi
[[email protected] ~]#

Let's execute this script now.

[[email protected] ~]# bash -x ./chroot_library_copy.bash /bin/{ls,cat,echo,rm,date,bash,uname,vi}
+ CHROOT=/chroot/home
+ mkdir /chroot/home
mkdir: cannot create directory `/chroot/home': File exists
++ sort
++ uniq
++ awk '/lib/ {print $3}'
++ sed s/://
++ ldd /bin/ls /bin/cat /bin/echo /bin/rm /bin/date /bin/bash /bin/uname /bin/vi
+ for lib in '$( ldd $* | awk '\''/lib/ {print $3}'\'' | sed '\''s/://'\'' | sort | uniq )'
+ cp /lib64/ /chroot/home/lib64
+ for lib in '$( ldd $* | awk '\''/lib/ {print $3}'\'' | sed '\''s/://'\'' | sort | uniq )'
+ cp /lib64/ /chroot/home/lib64
+ for lib in '$( ldd $* | awk '\''/lib/ {print $3}'\'' | sed '\''s/://'\'' | sort | uniq )'
+ cp /lib64/ /chroot/home/lib64
+ for lib in '$( ldd $* | awk '\''/lib/ {print $3}'\'' | sed '\''s/://'\'' | sort | uniq )'
+ cp /lib64/ /chroot/home/lib64
+ for lib in '$( ldd $* | awk '\''/lib/ {print $3}'\'' | sed '\''s/://'\'' | sort | uniq )'
+ cp /lib64/ /chroot/home/lib64
+ for lib in '$( ldd $* | awk '\''/lib/ {print $3}'\'' | sed '\''s/://'\'' | sort | uniq )'
+ cp /lib64/ /chroot/home/lib64
+ for lib in '$( ldd $* | awk '\''/lib/ {print $3}'\'' | sed '\''s/://'\'' | sort | uniq )'
+ cp /lib64/ /chroot/home/lib64
+ for lib in '$( ldd $* | awk '\''/lib/ {print $3}'\'' | sed '\''s/://'\'' | sort | uniq )'
+ cp /lib64/ /chroot/home/lib64
+ for lib in '$( ldd $* | awk '\''/lib/ {print $3}'\'' | sed '\''s/://'\'' | sort | uniq )'
+ cp /lib64/ /chroot/home/lib64
+ '[' -f /lib64/ ']'
+ cp /lib64/ /chroot/home/lib64
[[email protected] ~]#

[[email protected] ~]# cp -v /bin/{ls,cat,echo,rm,date,bash,uname,vi} /chroot/home/bin
`/bin/ls' -> `/chroot/home/bin/ls'
`/bin/cat' -> `/chroot/home/bin/cat'
`/bin/echo' -> `/chroot/home/bin/echo'
`/bin/rm' -> `/chroot/home/bin/rm'
`/bin/date' -> `/chroot/home/bin/date'
cp: overwrite `/chroot/home/bin/bash'? y
`/bin/bash' -> `/chroot/home/bin/bash'
`/bin/uname' -> `/chroot/home/bin/uname'
`/bin/vi' -> `/chroot/home/bin/vi'
[[email protected] ~]#

Step 4: Add the user that is to be jailed.
While adding the user account to be jailed we will also create a group named sshonly and add it as a secondary group of the user we are about to create.

[[email protected] ~]# groupadd sshonly
[[email protected] ~]# seradd -G sshonly -c "Restricted User" sahil
-bash: seradd: command not found
[[email protected] ~]# useradd -G sshonly -c "Restricted User" sahil
[[email protected] ~]# passwd sahil
Changing password for user sahil.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.

We will make use of the group sshonly in the sshd_config file so that any member of this group is given a jailed ssh environment.

Step 5: Modify the /etc/ssh/sshd_config file and restart the sshd service
Add the following lines to the /etc/ssh/sshd_config file and then restart the sshd service.

[[email protected] ~]# tail -n 5 /etc/ssh/sshd_config
# Use Match Group and ChrootDirectory options to chroot members of 'sshonly' after authentication
Match Group sshonly
ChrootDirectory /chroot
AllowTcpForwarding no
X11Forwarding no
[[email protected] ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
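The script in Step 3 flattens every library into a single lib64 directory and has to special-case the dynamic loader, and the ChrootDirectory set in Step 5 is only accepted by sshd when the directory and every path component above it are owned by root and writable by nobody else. The following shell script is an added example, not the article's own code, that generalises both points: it parses ldd output (including the loader line that has no `=>`), copies binaries and libraries while preserving their original directory layout, and checks a chroot path the way sshd does before anything is copied. The function names, the `--`-free argument convention and the sample ldd listing (library names made up for illustration) are this example's own assumptions; it also assumes GNU coreutils `stat -c`, as found on CentOS/RHEL.

```shell
#!/bin/bash
# Added example (not from the article): populate a chroot with binaries and
# their shared libraries, and validate the chroot root for sshd's
# ChrootDirectory.  Names and sample data below are constructed for
# this example.
LC_ALL=C
export LC_ALL

# Constructed sample of "ldd /bin/bash" output; the library names are
# invented for illustration (the article's own listing lost them).
SAMPLE_LDD='        linux-vdso.so.1 =>  (0x00007fff4f19a000)
        libtinfo.so.5 => /lib64/libtinfo.so.5 (0x0000003dfc200000)
        libdl.so.2 => /lib64/libdl.so.2 (0x0000003deee00000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003dee600000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003dede00000)'

# Read ldd output on stdin and print every real library path once.
# Handles "name => /path (addr)" lines as well as the bare dynamic-loader
# line "/lib64/ld-linux-x86-64.so.2 (addr)", which has no "=>" (the entry the
# article's script special-cased).  The vDSO line has no path and is skipped.
ldd_libs() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    ' | sort -u
}

# Copy each binary and its libraries into the chroot given as $1, keeping
# their directory layout (/lib64 stays /lib64, /lib stays /lib) rather than
# flattening everything into one lib64 directory.
copy_with_libs() {
    chroot_dir=$1; shift
    for bin in "$@"; do
        mkdir -p "$chroot_dir$(dirname "$bin")"
        cp -p "$bin" "$chroot_dir$bin"
        ldd "$bin" | ldd_libs | while read -r lib; do
            mkdir -p "$chroot_dir$(dirname "$lib")"
            cp -p "$lib" "$chroot_dir$lib"
        done
    done
}

# sshd refuses a ChrootDirectory unless it is owned by root and is neither
# group- nor world-writable.  Returns 0 when $1 satisfies both conditions.
# Uses GNU stat's -c format (assumed available).
check_chroot_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    uid=$(stat -c '%u' "$dir")
    perm=$(stat -c '%A' "$dir")      # e.g. drwxr-xr-x
    if [ "$uid" -ne 0 ]; then
        echo "$dir: must be owned by root, found uid $uid" >&2; return 1
    fi
    case $perm in
        ?????w*|????????w*)          # group write bit (pos 6) or other write bit (pos 9)
            echo "$dir: must not be group- or world-writable ($perm)" >&2; return 1 ;;
    esac
    return 0
}

# sshd applies the same rule to every path component above the chroot root,
# so walk from $1 up to / and fail on the first directory that does not pass.
check_chroot_path() {
    p=$1
    while :; do
        check_chroot_dir "$p" || return 1
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# Usage: ./chroot_populate.sh /chroot /bin/ls /bin/cat /bin/bash
# With no arguments, only demonstrate the ldd parser on the constructed sample.
if [ $# -ge 2 ]; then
    check_chroot_path "$1" && copy_with_libs "$@"
else
    printf '%s\n' "$SAMPLE_LDD" | ldd_libs
fi
```

Run it as root with the chroot root first and the binaries after it; the ownership check runs before any copy, so a chroot root that sshd would reject (for example one that was chmod'ed group-writable) is reported instead of being silently populated. Because libraries keep their original directories, a jail built this way also works for binaries that depend on libraries under /lib rather than /lib64.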

Step 6: Test and validate the setup
Now that we have completed the configuration, let's try to log in as the user sahil and test it.

[[email protected] ~]# ssh [email protected]
The authenticity of host ' (' can't be established.
RSA key fingerprint is 60:d4:8e:1a:4d:f8:f4:a8:9e:d5:b7:3b:second:c7:f2:90.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
[email protected]'s password:
-bash-4.1$ ls
-bash-4.1$ pwd


In this article we demonstrated step by step how to set up a chroot jailed ssh account. We hope that you found this post useful and we look forward to your thoughts and feedback.


He started his career in IT in 2011 as a system administrator. He has since worked with HP-UX, Solaris and Linux operating systems, along with exposure to high availability and virtualization solutions.
He has a keen interest in shell, Python and Perl scripting and is learning the ropes on AWS cloud, DevOps tools, and methodologies. He enjoys sharing the knowledge he has gained over the years with the rest of the community.
