Redhat: Restrict an SSH user session to a specific directory by setting chrooted jail

# create group
groupadd sftpusers

#Setup sftp-server Subsystem in sshd_config
nano /etc/ssh/sshd_config

# comment out the existing sftp-server Subsystem line
#Subsystem      sftp    /usr/libexec/openssh/sftp-server

# add new value Subsystem sftp
Subsystem       sftp    internal-sftp

# add this Match block to /etc/ssh/sshd_config (append it at the end, after the global options)
    Match Group sftpusers
        ChrootDirectory /home/jails/home
        X11Forwarding no
        AllowTcpForwarding no

# restart sshd
service sshd restart

# switch SELinux to permissive mode (setenforce 0 stops enforcing until reboot; it does not enforce)
setenforce 0

# set variable
D=/home/jails

# build a minimal copy of the / layout inside the jail, plus a home directory
mkdir -p $D/{dev,etc,lib,usr,bin,home}
mkdir -p $D/usr/bin
chown root.root $D

# You also need the /dev/null file:
mknod -m 666 $D/dev/null c 1 3

# fill the etc directory with a few minimal files:
cd $D/etc
cp /etc/ld.so.cache .
cp /etc/ld.so.conf .
cp /etc/nsswitch.conf .
cp /etc/hosts .

# decide which commands your restricted users should be able to run.
# In this example they get a bash shell and the ls command,
# so those binaries must be copied into the jail.
cd $D/usr/bin
cp /usr/bin/ls .
cp /usr/bin/bash .

# check which shared libraries the binary needs
ldd /bin/ls
         linux-gate.so.1 =>    (0xb7f2b000)
         librt.so.1 => /lib/librt.so.1 (0xb7f1d000)
         libacl.so.1 => /lib/libacl.so.1 (0xb7f16000)
         libc.so.6 => /lib/libc.so.6 (0xb7dcf000)
         libpthread.so.0 => /lib/libpthread.so.0 (0xb7db7000)
         /lib/ld-linux.so.2 (0xb7f2c000)
         libattr.so.1 => /lib/libattr.so.1 (0xb7db2000)

# Then you have to copy each of those libraries by hand into the lib directory of your jail. That is a pain, especially when a binary you want pulls in many shared libraries. I came across a useful script called l2chroot which automatically finds the libraries and copies them into your chroot jail.
cd /sbin
wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
chmod +x l2chroot

# Edit the l2chroot file and change BASE="/webroot" to BASE="/home/jails". This tells l2chroot where your jail is located so it copies everything to the right place. Now run the command on the binaries you want.

# find ls binary
which ls

# copy linked ls 
l2chroot /bin/ls

# find bash binary
which bash

# copy linked bash
l2chroot /bin/bash
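What l2chroot automates, as an added bash example (these are not the post's own commands and not the l2chroot script): parse `ldd` output for the library paths it reports, then copy the binary and each library into the jail under the same path. The sample `ldd` output embedded below is the one shown earlier in this post, used here as constructed offline test input; `/home/jails` in the usage comment is the BASE from this post.

```shell
#!/usr/bin/env bash
# Added example: the work l2chroot automates. Parse `ldd` output for the
# shared libraries a binary needs and copy the binary plus each library into
# the jail, preserving their paths (e.g. /lib/libc.so.6 -> BASE/lib/libc.so.6).

# Constructed sample: the ldd output shown earlier in the post, kept here as
# offline test input for ldd_libs.
SAMPLE_LDD='        linux-gate.so.1 =>    (0xb7f2b000)
        librt.so.1 => /lib/librt.so.1 (0xb7f1d000)
        libacl.so.1 => /lib/libacl.so.1 (0xb7f16000)
        libc.so.6 => /lib/libc.so.6 (0xb7dcf000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb7db7000)
        /lib/ld-linux.so.2 (0xb7f2c000)
        libattr.so.1 => /lib/libattr.so.1 (0xb7db2000)'

# ldd_libs: read ldd output on stdin, print one absolute library path per line.
# Entries with no file on disk (linux-gate / linux-vdso) are skipped.
ldd_libs() {
  awk '
    $2 == "=>" && $3 ~ /^\// { print $3; next }   # "name => /path (addr)"
    $1 ~ /^\//               { print $1 }          # "/lib/ld-linux.so.2 (addr)"
  '
}

# copy_into_jail BASE FILE: copy FILE to BASE/<same path>, following symlinks
# so the jail receives the real library instead of a dangling link.
copy_into_jail() {
  local base=$1 file=$2 dest
  dest="$base$(dirname "$file")"
  mkdir -p "$dest"
  cp -L -p "$file" "$dest/"
}

# jail_binary BASE BINARY: copy BINARY and every library ldd reports into BASE.
jail_binary() {
  local base=$1 bin=$2 lib
  copy_into_jail "$base" "$bin"
  ldd "$bin" | ldd_libs | while IFS= read -r lib; do
    copy_into_jail "$base" "$lib"
  done
}

# Usage as in this post (run as root):
#   jail_binary /home/jails "$(which ls)"
#   jail_binary /home/jails "$(which bash)"
```

Symlinks are dereferenced on copy because most distributions ship `libc.so.6` and friends as links to a versioned file; copying only the link would leave the jailed binary unable to start. Re-run `jail_binary` after any update of the copied packages, since the jail's copies do not receive security updates on their own.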

# create user denly in group sftpusers with home directory /home/jails/home/denly
adduser -d /home/jails/home/denly -G sftpusers denly
passwd denly

# test the login with ssh or PuTTY
#     success if you can log in and access is restricted to the jail

# test the login with a WinSCP or FileZilla client
#     success if you can log in and upload a file


http://www.cyberciti.biz/faq/debian-ubuntu-restricting-ssh-user-session-to-a-directory-chrooted-jail/

http://allanfeid.com/content/creating-chroot-jail-ssh-access

Published by

G3n1k

just to remember what I had known :)
