Friday, February 25, 2011

Chrooting user in SSH (OpenSSH_5.8p1-hpn13v10)

OpenSSH's server (sshd) can chroot a user into a specific directory after authentication, so that the user cannot reach the rest of the filesystem. This is useful for accounts that exist only to hold a reverse tunnel open. Note that the chroot restricts the filesystem view only; it does not by itself limit what the account may forward (use AllowTcpForwarding and PermitOpen for that).

First, you need a directory that can serve as a chroot root, i.e. one that contains the bare minimum a shell needs. Bind-mounting the host's /bin and /lib64 (on x86_64) or /lib (on x86) into it read-only usually suffices (the x86 case was not tested for this post). The mount points must exist first, and sshd additionally requires that the directory and every directory above it be owned by root and not writable by group or others. Assuming /home/chroot is this directory -

mount --bind /bin /home/chroot/bin

Do the same for /lib or /lib64. Note that a plain --bind is read-write; to make the mount read-only, remount it afterwards with -o remount,bind,ro.


Try chrooting into /home/chroot with chroot(8) as root; it should give you a working shell. Once chrooted, only the libraries and executables under /home/chroot are visible, and that is exactly what a session chrooted by sshd will see.


Next, create or modify the user that sshd will chroot. Keep in mind that the files under /home/chroot, not those under /, are what this user sees, so the paths you configure for the account are relative to /home/chroot. For example, the login shell is set to /bin/bash, not /home/chroot/bin/bash: after sshd chroots the session, /bin/bash resolves to /home/chroot/bin/bash on the host.

Now make a home directory for the user (optional; you can also specify / as the home directory) -

mkdir /home/chroot/ch_root

Make or modify a user (I'll modify here) -

usermod -s /bin/bash --home /ch_root ch_root

Notice that /ch_root does not exist on the host, but it does inside /home/chroot; this is what is meant by paths being relative to /home/chroot rather than /.

Now add the following directive to /etc/ssh/sshd_config, inside a Match User ch_root block at the end of the file (Match blocks must follow the global directives). Placed at top level instead, it would chroot every user, including the administrator, and lock you out -

ChrootDirectory /home/chroot

Restart sshd and log in as ch_root; the session lands in the chroot jail at /home/chroot. If the login fails instead, check the ownership and permissions of /home/chroot and its parents: sshd refuses to chroot into a path where any component is not root-owned or is group- or world-writable, and logs the refusal.
