Steps for ssh jailing
- Create a user for the jail environment and set a password if the user does not already exist:
  #useradd -m testuser
  #passwd testuser
- Create the directory structure for the secure environment. (Here it is created under /home; change the location to suit your requirements.)
  #cd /home
  #mkdir -p secure/home
  #cd /home/secure/home
  #mkdir testuser
  #chown testuser:testuser testuser
- Copy the binaries and libraries the user needs so that commands work inside the chrooted environment. Note that copying all of /bin and /usr/bin gives the jailed user every command on the host; copy only the commands the user actually needs if you want a tighter jail.
  #cp -pr /bin /home/secure/
  #cp -fr /lib /home/secure/
  #cp -fr /lib64 /home/secure/
  #mkdir /home/secure/usr
  #cp -pr /usr/lib /home/secure/usr/
  #cp -pr /usr/bin /home/secure/usr/
  #mkdir -p /home/secure/etc/
  #cp -p /etc/environment /home/secure/etc/
- Configure the jail by editing sshd_config:
  #vi /etc/ssh/sshd_config

  # SSH JAILING
  Match User testuser
      ChrootDirectory /home/secure
      #ForceCommand internal-sftp

  (If you uncomment the ForceCommand line, interactive ssh sessions are refused and only sftp connections are allowed.) Put the Match block at the end of the file: every directive after a Match line applies only to the sessions it matches, up to the next Match line.
- Check the configuration for syntax errors, then reload sshd:
  #sshd -t
  #service sshd reload
- After logging in from another server, /home/secure becomes the / (root) of the filesystem as seen over the ssh connection:
  #ssh testuser@<ip>
Chroot Configuration for Group:
- If several users need to be restricted with chroot, create a group (here named chroot) and add the users to it:
  #groupadd chroot
  #usermod -aG chroot testuser
- Change sshd_config as shown below, then reload sshd:

  # SSH JAILING
  Match Group chroot
      ChrootDirectory /home/secure
      #ForceCommand internal-sftp

  (If you uncomment the ForceCommand line, interactive ssh sessions are refused and only sftp connections are allowed.)
  # service sshd reload
Things to remember:
- The chroot directory (and every directory on the path to it) must be owned by root and must not be writable by group or others (permission 755 is the usual choice); otherwise sshd refuses the session and the client sees the error below:
  packet_write_wait: Connection to x.x.x.x port 22: Broken pipe
- Don't forget to copy /etc/environment; otherwise you will get the warning below when changing shell to bash:
  bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)