skip to main | skip to sidebar

Linux Tutorial for Beginners

Pages

  • Home
 
  • RSS
  • Twitter
Friday, February 15, 2013

How to automatically chroot jail selected ssh user logins

Posted by Raju Gupta at 2:28 AM – 8 comments
 

1. Creating basic chroot environment

First we need to create a simple chroot environment. Our chroot environment will consist of a bash shell. To do this, first, we need to create a chroot directory:


# mkdir /var/chroot

In the next step, we need to copy the bash binary and its all shared library dependencies. You can see the bash's shared library dependencies by executing the ldd command:


# ldd /bin/bash
        linux-vdso.so.1 =>  (0x00007fff9a373000)
        libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f24d57af000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f24d55ab000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f24d51eb000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f24d59f8000)

Now, we need to manually create all necessary directories and copy /bin/bash and all libraries to the new chroot directory into an appropriate location:


# cd /var/chroot/
# mkdir bin/ lib64/ lib/
# cp /lib/x86_64-linux-gnu/libtinfo.so.5 lib/
# cp /lib/x86_64-linux-gnu/libdl.so.2 lib/
# cp /lib/x86_64-linux-gnu/libc.so.6 lib/
# cp /lib64/ld-linux-x86-64.so.2 lib64/
# cp /bin/bash bin/

At this point all is ready and we can chroot


# chroot /vat/chroot
bash-4.2# ls /  
bash: ls: command not found

From the above you can see that bash is ready but there is not much to do as not even ls command is available. Rather then manually copy all commands and required libraries I have created a simple bash script to aid with this purpose. Create a script with the following content:

#!/bin/bash
# This script can be used to create simple chroot environment
# Written by LinuxCareer.com 
# (c) 2013 LinuxCareer under GNU GPL v3.0+

#!/bin/bash

CHROOT='/var/chroot'
mkdir $CHROOT

for i in $( ldd $* | grep -v dynamic | cut -d " " -f 3 | sed 's/://' | sort | uniq )
  do
    cp --parents $i $CHROOT
  done

# ARCH amd64
if [ -f /lib64/ld-linux-x86-64.so.2 ]; then
   cp --parents /lib64/ld-linux-x86-64.so.2 /$CHROOT
fi

# ARCH i386
if [ -f  /lib/ld-linux.so.2 ]; then
   cp --parents /lib/ld-linux.so.2 /$CHROOT
fi

echo "Chroot jail is ready. To access it execute: chroot $CHROOT"

By default the above script will create chroot in /var/chroot as defined by the $CHROOT variable. Feel free to change this variable according to your needs. When ready, make the script executable and run it with the file full path to your executables and files you wish to include. For example, if you need: ls, cat, echo, rm, bash, vi then use the which command to get a full path and supply it as an argument to the above chroot.sh script:

# ./chroot.sh /bin/{ls,cat,echo,rm,bash} /usr/bin/vi /etc/hosts
Chroot jail is ready. To access it execute: chroot /var/chroot

Now, you can access your new chroot jail with:

# chroot /var/chroot
bash-4.2# echo linuxcareer.com > file
bash-4.2# cat file
linuxcareer.com
bash-4.2# rm file
bash-4.2# vi --version
VIM - Vi IMproved 7.3 (2010 Aug 15, compiled May  4 2012 04:25:35)

2. Create chroot usergroup

A this point, we need to create a separate usergourp, which will be used by sshd to redirect all users belonging to this usergroup to the chroot jail.

$ sudo groupadd chrootjail

Now, add any existing users to this group. For example, to add user tester we will execute:

$ sudo adduser tester chrootjail
Adding user `tester' to group `chrootjail' ...
Adding user tester to group chrootjail
Done.

3. Configure sshd for chroot jail

All what remains is to configure sshd to automaticaly redirect all users from the chrootjail usergroup to the chroot jail at /var/chroot. This can be easily done be editing the sshd configuration file /etc/ssh/sshd_config. Add the following to /etc/ssh/sshd_config:

Match group chrootjail
            ChrootDirectory /var/chroot/

and restarting ssh:

$ sudo service ssh restart
ssh stop/waiting
ssh start/running, process 17175

4. Login to chroot jail using ssh

At this point you can test your settings by log in to you server with configured sshd:

$ ssh tester@localhost
tester@localhost's password: 
-bash-4.2$ ls
bin  lib  lib64  usr
-bash-4.2$



Labels: ssh Email This BlogThis! Share to Twitter Share to Facebook

8 Responses so far.

  1. Unknown says:
    September 22, 2017 at 10:58 PM

    I read the post and I have really enjoyed your blogs posts.looking for the next post.
    Digital Marketing Training In Bangalore.

  2. sathish says:
    January 9, 2018 at 3:25 AM

    It's very useful and informative too.
    Digital Marketing Training In Bangalore

  3. Pavel Co Ebele says:
    March 28, 2018 at 5:11 AM

    Thanks for the post, I am techno savvy. I believe you hit the nail right on the head. I am highly impressed with your blog. It is very nicely explained. Your article adds best knowledge to our Java Online Training from India. or learn thru Java Online Training from India Students.

  4. Unknown says:
    April 24, 2018 at 12:21 PM

    Hello, I want to subscribe for this web site to obtain most up-to-date updates, therefore where can i do it please assist. aol.com mail login sign

  5. Business says:
    March 14, 2019 at 3:49 AM

    Thank you so much for posting this. I really appreciate your work. Keep it up. Great work!Best Placement company in Hyderabad

  6. for ict 99 says:
    October 10, 2019 at 7:30 PM

    Great Article
    Cyber Security Projects for CSE Students


    JavaScript Training in Chennai



    Project Centers in Chennai




    JavaScript Training in Chennai

  7. Unknown says:
    November 19, 2019 at 12:05 AM

    BA Revaluation Result 2019
    Hey Nice Blog!! Thanks For Sharing!!! Wonderful blog & good post. It is really very helpful to me, waiting for a more new post. Keep Blogging

  8. Theodor says:
    December 12, 2020 at 12:33 AM

    The array of commercial increasing should be considered typical. canada mortgage calculator You can also study the impact of earning extra payments on any weekly payment date. canada mortgage calculator

Leave a Reply

Newer Post Older Post
Subscribe to: Post Comments (Atom)

Our Blogs

  • Java Programs with Output
  • C Programming Tutorial
  • Language Tutorial
  • Android Development Tutorial
  • Web Development Tutorial
  • Popular
  • Recent
  • Archives

Popular Posts

  • How to create limited shell
    We want to limit the activities or command to run for specific user then, how to limit a shell? here are the steps to create limited shel...
  • Apache and SELinux File Labels
    Take a look at the SELinux settings associated with Apache. To review, SELinux settings, as they relate to a service, mostly fall into tw...
  • Advantages & Disadvantages of Kerberos
    Advantages of Kerberos Most conventional network services use password-based authentication schemes. Such schemes require a user to au...
  • Apache Configuration File Security Option
    you’ll examine the security options available in the main Apache configuration file, httpd.conf. That file can be modified to secure the e...
  • AWS VPC Overview
    What is VPC ? A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other vir...
  • SSH login without password
    The following steps can be used to ssh from one system to another without specifying a password: 1. On the client run the following com...
  • How to automatically chroot jail selected ssh user logins
    1. Creating basic chroot environment First we need to create a simple chroot environment. Our chroot environment will consist of a bash she...
  • Apache Installation and Configuration through source code
    In this example we extract the source code to a directory under /usr/local/src/ cp httpd-2.0.46.tar.gz /usr/local/src cd /usr/local/src...
  • Tcpdump command with some examples
    To print all packets arriving at or departing from sundown: tcpdump host sundown To print traffic between helios and either hot or ace: ...
  • How to Create the Kerberos database
    Create the database with the following command.  [root@coma ~] kdb5_util create -s This will prompt you for a password. You will ...
Powered by Blogger.

Archives

  • ►  2014 (1)
    • ►  May (1)
  • ▼  2013 (4)
    • ▼  February (4)
      • SSH login without password
      • How to automatically chroot jail selected ssh user...
      • Apache Installation and Configuration through sour...
      • Tcpdump command with some examples
  • ►  2012 (89)
    • ►  November (1)
    • ►  March (4)
    • ►  February (36)
    • ►  January (48)
 

Followers

Labels

  • Apache (8)
  • aws (1)
  • Bridge (1)
  • cloud computing (1)
  • Configuration (1)
  • dhcp server (7)
  • DNS (8)
  • File system (11)
  • Fping (1)
  • Iptable basic (3)
  • KDC slave server (1)
  • Kerberos (14)
  • kerberos configuration (5)
  • kerberos database (1)
  • LaTeX (1)
  • Ldap basic (2)
  • Linux aliases (1)
  • Linux Commands (4)
  • Linux History (2)
  • Linux Installation (3)
  • Linux kernel (3)
  • Linux shell (2)
  • Linux software (2)
  • Lvm (1)
  • Mail Server (3)
  • Network Script (1)
  • PHP (1)
  • Raid (6)
  • SELinux (1)
  • Sendmail (3)
  • ssh (2)
  • Tcpdump example (1)
  • Virtualization (5)
  • Webmin (1)
  • Yum (2)
 
 
© 2011 Linux Tutorial for Beginners | Designs by Web2feel & Fab Themes

Bloggerized by DheTemplate.com - Main Blogger