Redhat: Restrict an SSH user session to a specific directory by setting chrooted jail

# create group
groupadd sftpusers

# Set up the sftp-server Subsystem in sshd_config
nano /etc/ssh/sshd_config

# comment out the existing sftp Subsystem line
#Subsystem      sftp    /usr/libexec/openssh/sftp-server

# add the new Subsystem sftp line; internal-sftp runs inside sshd, so SFTP users need no binaries or libraries in the chroot
Subsystem       sftp    internal-sftp

# add these lines at the end of /etc/ssh/sshd_config (a Match block applies to everything after it, so it must come last)
    Match Group sftpusers
        ChrootDirectory /home/jails/home
        X11Forwarding no
        AllowTcpForwarding no

# restart sshd
service sshd restart

# put SELinux in permissive mode (setenforce 0 turns enforcement OFF, not on; it lasts until reboot)
setenforce 0

# set variable for the jail root (the same path used as BASE for l2chroot below)
D=/home/jails

# emulate the / directory with a bare minimum of directories plus a home folder
mkdir -p $D/{dev,etc,lib,usr,bin,home}
mkdir -p $D/usr/bin
# sshd only accepts the chroot if this directory and every parent are root-owned and not group/world writable
chown root.root $D

# You also need the /dev/null file:
mknod -m 666 $D/dev/null c 1 3

# fill the etc directory with a few minimal files:
cd $D/etc
cp /etc/ .
cp /etc/ .
cp /etc/nsswitch.conf .
cp /etc/hosts .

# figure out which commands you want accessible to your limited users.
# In this example users should be able to get into bash and use the ls command,
# so you must copy those binaries into the jail.
cd $D/usr/bin
cp /usr/bin/ls .
cp /usr/bin/bash .

# check which shared libraries the binary needs (each one must exist inside the jail too)
ldd /bin/ls =>    (0xb7f2b000) => /lib/ (0xb7f1d000) => /lib/ (0xb7f16000) => /lib/ (0xb7dcf000) => /lib/ (0xb7db7000)
         /lib/ (0xb7f2c000) => /lib/ (0xb7db2000)

# Then you have to manually copy each file to the lib directory in your jail. That is a pain, especially if there are a lot of shared libraries for a binary you want. I came across a useful script called l2chroot which automatically finds the libraries and copies them to your chroot jail.
cd /sbin
wget -O l2chroot
chmod +x l2chroot

# Edit the l2chroot file and change BASE="/webroot" to BASE="/home/jails". This tells l2chroot where your jail is located so it copies everything to the right place. Now go ahead and run the command on the binaries you want.

# find ls binary
which ls

# copy linked ls 
l2chroot /bin/ls

# find bash binary
which bash

# copy linked bash
l2chroot /bin/bash

# create user denly in group sftpusers with home folder /home/jails/home/denly
adduser -d /home/jails/home/denly -G sftpusers denly
passwd denly

# test login with ssh or putty
#     passes if you can log in and only see the restricted jail

# test login with winscp or filezilla client
#     passes if you can log in and upload a file
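The two things that most often break this setup are invisible to `sshd -t`: a chroot directory (or one of its parents) that is not root-owned / is group- or world-writable, and a leftover uncommented `Subsystem sftp` line next to the new `internal-sftp` one. The following POSIX sh script is an added example, not part of the original post or of l2chroot; it assumes GNU coreutils `stat` (as on Red Hat) and takes the sshd_config path, the group name and the chroot directory as arguments, so you can run it before `service sshd restart` and avoid locking users out.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for an
# SFTP chroot jail. Assumes GNU "stat" (-c '%u' and '%A').

# sshd accepts a ChrootDirectory only if that directory and every directory
# above it are owned by root and not writable by group or others; one bad
# component shows up at login as "bad ownership or modes for chroot
# directory component" and the user is disconnected.
#
# chroot_component_ok UID PERMS -- pure check on a single path component,
# e.g. chroot_component_ok 0 drwxr-xr-x
chroot_component_ok() {
    uid=$1
    perms=$2
    [ "$uid" = "0" ] || return 1            # must be owned by root
    case $perms in
        ?????w*) return 1 ;;                # 6th char of the mode string: group write
        ????????w*) return 1 ;;             # 9th char: world write
    esac
    return 0
}

# check_chroot DIR -- walk from DIR up to / and test each component
check_chroot() {
    dir=$1
    while :; do
        uid=$(stat -c '%u' "$dir") || return 1
        perms=$(stat -c '%A' "$dir") || return 1
        if ! chroot_component_ok "$uid" "$perms"; then
            echo "FAIL: $dir owner uid=$uid mode=$perms" >&2
            return 1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# check_sshd_config FILE GROUP -- exactly one uncommented "Subsystem sftp"
# line (a second one makes sshd reject the whole config), pointing at
# internal-sftp, plus a "Match Group GROUP" block and a ChrootDirectory.
check_sshd_config() {
    cfg=$1
    grp=$2
    n=$(grep -Ec '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$cfg" || true)
    [ "$n" -eq 1 ] || { echo "FAIL: expected 1 'Subsystem sftp' line, found $n" >&2; return 1; }
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp[[:space:]]*$' "$cfg" \
        || { echo "FAIL: Subsystem sftp does not use internal-sftp" >&2; return 1; }
    grep -Eq "^[[:space:]]*Match[[:space:]]+Group[[:space:]]+$grp([[:space:]]|\$)" "$cfg" \
        || { echo "FAIL: no 'Match Group $grp' block" >&2; return 1; }
    grep -Eq '^[[:space:]]*ChrootDirectory[[:space:]]+/' "$cfg" \
        || { echo "FAIL: no ChrootDirectory directive" >&2; return 1; }
    return 0
}

# Usage: sh check-jail.sh /etc/ssh/sshd_config sftpusers /home/jails/home
if [ $# -eq 3 ]; then
    check_sshd_config "$1" "$2" && check_chroot "$3" && echo "OK: safe to restart sshd"
fi
```

Run it with the three arguments from this post (`/etc/ssh/sshd_config sftpusers /home/jails/home`) after editing the config and before restarting sshd; `sshd -t` is still worth running alongside it for plain syntax errors, which this script does not parse.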

