ssh jailing with all commands

Steps for ssh jailing

  1. Create a user for the jail environment (if it doesn't already exist) and set a password.
    
    #useradd -m testuser
    #passwd testuser 
  2. Create the directory structure for the secure environment.
    
    (In our case we are creating the secure environment under /home. You can change the location according to your requirements.)
    #cd /home
    #mkdir -p secure/home
    #cd /home/secure/home
    #mkdir testuser
    #chown testuser:testuser testuser
    
    
  3. Make commands available to the user inside the chroot environment.
    
    #cp -pr /bin /home/secure/
    #cp -fr /lib /home/secure/
    #cp -fr /lib64 /home/secure/
    #mkdir /home/secure/usr
    #cp -pr /usr/lib /home/secure/usr/
    #cp -pr /usr/bin /home/secure/usr/
    #mkdir -p /home/secure/etc/
    #cp -p /etc/environment /home/secure/etc/ 
  4. Configuration for jailing.
    
    Edit the file sshd_config
    #vi /etc/ssh/sshd_config
    
      #SSH JAILING
      Match User testuser
      ChrootDirectory /home/secure
      #ForceCommand internal-sftp

    (Leave ForceCommand commented out to keep an interactive shell. If you uncomment it, only SFTP connections will be allowed and interactive SSH logins are refused.)
    
    
  5. Reload sshd so the new configuration takes effect:
    #service sshd reload
    
    
  6. After logging in from another server, /home/secure will appear as / for the duration of the SSH session.
           #ssh testuser@<ip>
Chroot Configuration for Group:
  1. Suppose there are multiple users who need to be restricted using chroot.
    Then create a group named chroot and add the users to it:
     #groupadd chroot
     #usermod -aG chroot testuser
    
  2. Change sshd_config as shown below:
     #SSH JAILING
     Match Group chroot
     ChrootDirectory /home/secure
     #ForceCommand internal-sftp

    (As above, uncomment ForceCommand only if you want to allow SFTP connections alone and refuse interactive SSH logins.)
  3. # service sshd reload 

Things to remember:
  1. The chroot directory should always be owned by root with permission 755,
    otherwise you will get the error below:
    packet_write_wait: Connection to x.x.x.x port 22: Broken pipe
     
  2. Don't forget to copy /etc/environment,
    otherwise you will get the warning below when switching your shell to bash:
    bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
