I searched for a good tutorial on this and ended up cobbling together a few different ones. The article I worked the most from is Chrooted SSH HowTo which shows a general Debian Setup. In fact almost all of the article is applicable to a semi up to date Ubuntu distro. A lot of the commands are either directly from the article cited above or variations of it.
To start with we install the necessary libraries and then download and compile chroot.
cd /tmp
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh
wget http://chrootssh.sourceforge.net/downloa…
tar xvfz openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure –exec-prefix=/usr –sysconfdir=/etc/ssh –with-pam
make
make install
Next create your jail directory. This will be the place your users live in. Remember that the directory must contain all the executables they will need including rudimentary tools like cp, mv, etc. From here on out you are inside of the jail creating and mirroring files.
mkdir /home/chroot/
mkdir /home/chroot/home/
cd /home/chroot
mkdir etc
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5
The howto article had a really great script for automating most of the library copying.
APPS=”/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors”
for prog in $APPS; do
cp $prog ./$prog
# obtain a list of related libraries
ldd $prog > /dev/null
if [ “$?” = 0 ] ; then
LIBS=`ldd $prog | awk ‘{ print $3 }’`
for l in $LIBS; do
mkdir -p ./`dirname $l` > /dev/null 2>&1
cp $l ./$l
done
fi
done
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
You will see an error message about not being able to stat a file (0xffffe000). I will deal with this at the end.
The next step involves copying the passwords of jailed users into the jailed directory along with the root user. The last command will work for any user by simply substituting “root” for the new jailed user (s/root/$user/;)
echo ‘#!/bin/bash’ > usr/bin/groups
echo “id -Gn” >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e “^root” > etc/passwd
You can also create a special jailed group and then use this:
grep /etc/group -e “^root” -e “^users” > etc/group
Once this is done you need to restart the SSH server to make all the changes take effect. If you have remoted into the box to do this make sure you check over everything at LEAST once more. If for some reason you have a bad configuration and your SSH server doesn’t come back up you will be really unhappy.
/etc/init.d/ssh restart
Next we create our chrooted user. The article cited works really well so I’m literally pasting this section (and linking) to it. There is an issue with a bash library and I’ll also show how to get SCP working for the jailed user. Currently SFTP isn’t working for me so I won’t show that.
Even with the chrooted SSH that we have just installed you can log in without being chrooted (which makes sense if you log in as root, for example). Now, how does the chrooted SSH decide whom to chroot and whom not? That’s easy: the chrooted SSH looks up the user who is trying to log in in /etc/passwd. If the user’s home directory in /etc/passwd has a . in it, then the user is going to be chrooted.
Example (from /etc/passwd):
user_a:x:2002:100:User A:/home/user_a:/bin/bash
This user will not be chrooted.
user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash
This user will be chrooted.
Now we create the user testuser with the home directory /home/chroot/./home/testuser and the group users (which is the default group for users on Debian so you do not have to specify it explicitly):
useradd -s /bin/bash -m -d /home/chroot/./home/testuser -c “testuser” -g users testuser
Then we give testuser a password:
passwd testuser
Finally, we have to copy the line for testuser in /etc/passwd to /home/chroot/etc/passwd:
grep /etc/passwd -e “^testuser” >> /home/chroot/etc/passwd
We have already copied the users group line from /etc/group to /home/chroot/etc/group so we do not have to do this here again. If you create a chrooted user in another group than users, add this group to /home/chroot/etc/group:
grep /etc/group -e “^othergroup” >> /home/chroot/etc/group
Now try to log in to SSH as testuser. You should be chrooted and not be able to browse files/directories outside /home/chroot.
Initially this won’t work because of the bash issue I mentioned. So to fix this simply run ldd against bash and find the missing library.
ldd /bin/bash
linux-gate.so.1 => (0xffffe000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb7ee8000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7ee5000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7db6000)
/lib/ld-linux.so.2 (0xb7f31000)
I forget which library it was now (maybe libncurses?) but don’t worry about linux-gate.so.1. The next step is getting SCP to work. So first copy scp to the chrooted bin directory and then make sure the following are in the chrooted lib directory.
ldd /usr/bin/scp
linux-gate.so.1 => (0xffffe000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7fcc000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7e9d000)
libutil.so.1 => /lib/tls/i686/cmov/libutil.so.1 (0xb7e9a000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7e86000)
libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7e71000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7e43000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d14000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7d11000)
/lib/ld-linux.so.2 (0xb7fe7000)
Once you are done you should be able to login to your chroot environment and scp files into it. Once I figure out sftp I will post more.
