How to automatically chroot jail selected ssh user logins

Posted by Raju Gupta at 2:28 AM – 8 comments

1. Creating basic chroot environment

First we need to create a simple chroot environment. Our chroot environment will consist of a bash shell. To do this, first, we need to create a chroot directory:

# mkdir /var/chroot

In the next step, we need to copy the bash binary and its all shared library dependencies. You can see the bash's shared library dependencies by executing the ldd command:

# ldd /bin/bash
        linux-vdso.so.1 =>  (0x00007fff9a373000)
        libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f24d57af000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f24d55ab000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f24d51eb000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f24d59f8000)

Now, we need to manually create all necessary directories and copy /bin/bash and all libraries to the new chroot directory into an appropriate location:

# cd /var/chroot/
# mkdir bin/ lib64/ lib/
# cp /lib/x86_64-linux-gnu/libtinfo.so.5 lib/
# cp /lib/x86_64-linux-gnu/libdl.so.2 lib/
# cp /lib/x86_64-linux-gnu/libc.so.6 lib/
# cp /lib64/ld-linux-x86-64.so.2 lib64/
# cp /bin/bash bin/

At this point all is ready and we can chroot

# chroot /vat/chroot
bash-4.2# ls /  
bash: ls: command not found

From the above you can see that bash is ready but there is not much to do as not even ls command is available. Rather then manually copy all commands and required libraries I have created a simple bash script to aid with this purpose. Create a script with the following content:

#!/bin/bash
# This script can be used to create simple chroot environment
# Written by LinuxCareer.com 
# (c) 2013 LinuxCareer under GNU GPL v3.0+

#!/bin/bash

CHROOT='/var/chroot'
mkdir $CHROOT

for i in $( ldd $* | grep -v dynamic | cut -d " " -f 3 | sed 's/://' | sort | uniq )
  do
    cp --parents $i $CHROOT
  done

# ARCH amd64
if [ -f /lib64/ld-linux-x86-64.so.2 ]; then
   cp --parents /lib64/ld-linux-x86-64.so.2 /$CHROOT
fi

# ARCH i386
if [ -f  /lib/ld-linux.so.2 ]; then
   cp --parents /lib/ld-linux.so.2 /$CHROOT
fi

echo "Chroot jail is ready. To access it execute: chroot $CHROOT"

By default the above script will create chroot in /var/chroot as defined by the $CHROOT variable. Feel free to change this variable according to your needs. When ready, make the script executable and run it with the file full path to your executables and files you wish to include. For example, if you need: ls, cat, echo, rm, bash, vi then use the which command to get a full path and supply it as an argument to the above chroot.sh script:

# ./chroot.sh /bin/{ls,cat,echo,rm,bash} /usr/bin/vi /etc/hosts
Chroot jail is ready. To access it execute: chroot /var/chroot

Now, you can access your new chroot jail with:

# chroot /var/chroot
bash-4.2# echo linuxcareer.com > file
bash-4.2# cat file
linuxcareer.com
bash-4.2# rm file
bash-4.2# vi --version
VIM - Vi IMproved 7.3 (2010 Aug 15, compiled May  4 2012 04:25:35)

2. Create chroot usergroup

A this point, we need to create a separate usergourp, which will be used by sshd to redirect all users belonging to this usergroup to the chroot jail.

$ sudo groupadd chrootjail

Now, add any existing users to this group. For example, to add user tester we will execute:

$ sudo adduser tester chrootjail
Adding user `tester' to group `chrootjail' ...
Adding user tester to group chrootjail
Done.

3. Configure sshd for chroot jail

All what remains is to configure sshd to automaticaly redirect all users from the chrootjail usergroup to the chroot jail at /var/chroot. This can be easily done be editing the sshd configuration file /etc/ssh/sshd_config. Add the following to /etc/ssh/sshd_config:

Match group chrootjail
            ChrootDirectory /var/chroot/

and restarting ssh:

$ sudo service ssh restart
ssh stop/waiting
ssh start/running, process 17175

4. Login to chroot jail using ssh

At this point you can test your settings by log in to you server with configured sshd:

$ ssh tester@localhost
tester@localhost's password: 
-bash-4.2$ ls
bin  lib  lib64  usr
-bash-4.2$

Unknown says:

September 22, 2017 at 10:58 PM

I read the post and I have really enjoyed your blogs posts.looking for the next post.
Digital Marketing Training In Bangalore.

sathish says:

January 9, 2018 at 3:25 AM

It's very useful and informative too.
Digital Marketing Training In Bangalore

Pavel Co Ebele says:

March 28, 2018 at 5:11 AM

Thanks for the post, I am techno savvy. I believe you hit the nail right on the head. I am highly impressed with your blog. It is very nicely explained. Your article adds best knowledge to our Java Online Training from India. or learn thru Java Online Training from India Students.

April 24, 2018 at 12:21 PM

Hello, I want to subscribe for this web site to obtain most up-to-date updates, therefore where can i do it please assist. aol.com mail login sign

Business says:

March 14, 2019 at 3:49 AM

Thank you so much for posting this. I really appreciate your work. Keep it up. Great work!Best Placement company in Hyderabad

for ict 99 says:

October 10, 2019 at 7:30 PM

Great Article
Cyber Security Projects for CSE Students

JavaScript Training in Chennai

Project Centers in Chennai

JavaScript Training in Chennai

November 19, 2019 at 12:05 AM

BA Revaluation Result 2019
Hey Nice Blog!! Thanks For Sharing!!! Wonderful blog & good post. It is really very helpful to me, waiting for a more new post. Keep Blogging

Theodor says:

December 12, 2020 at 12:33 AM

The array of commercial increasing should be considered typical. canada mortgage calculator You can also study the impact of earning extra payments on any weekly payment date. canada mortgage calculator

Linux Tutorial for Beginners

Pages

How to automatically chroot jail selected ssh user logins

8 Responses so far.

Leave a Reply

Our Blogs

Popular Posts

Archives

Followers

Labels