{"id":13307,"date":"2019-04-01T11:54:19","date_gmt":"2019-04-01T11:54:19","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=13307"},"modified":"2019-04-01T11:54:19","modified_gmt":"2019-04-01T11:54:19","slug":"restrict-ssh-user-access-to-certain-directory-using-chrooted-jail","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/04\/01\/restrict-ssh-user-access-to-certain-directory-using-chrooted-jail\/","title":{"rendered":"Restrict SSH User Access to Certain Directory Using Chrooted Jail"},"content":{"rendered":"

There are several reasons to\u00a0restrict a SSH user session<\/a>\u00a0to a particular directory, especially on web servers, but the obvious one is a system security. In order to lock SSH users in a certain directory, we can use\u00a0chroot<\/strong>mechanism.<\/p>\n

change root (chroot<\/strong>) in Unix-like systems such as Linux, is a means of separating specific user operations from the rest of the Linux system; changes the apparent root directory for the current running user process and its child process with new root directory called a\u00a0chrooted jail<\/strong>.<\/p>\n

In this tutorial, we\u2019ll show you how to restrict a SSH user access to a given directory in Linux. Note that we\u2019ll run the all the commands as root, use the\u00a0sudo command<\/a>\u00a0if you are logged into server as a normal user.<\/p>\n

Step 1: Create SSH Chroot Jail<\/h3>\n

1.<\/strong>\u00a0Start by creating the chroot jail using the mkdir command below:<\/p>\n

# mkdir -p \/home\/test\r\n<\/pre>\n
2.<\/strong>\u00a0Next, identify required files, according to the\u00a0sshd_config<\/strong>\u00a0man page, the\u00a0ChrootDirectory<\/code>\u00a0option specifies the pathname of the directory to chroot to after authentication. The directory must contain the necessary files and directories to support a user\u2019s session.<\/p>\n
For an interactive session, this requires at least a shell, commonly\u00a0sh<\/code>, and basic\u00a0\/dev<\/code>\u00a0nodes such as null, zero, stdin, stdout, stderr, and tty devices:<\/p>\n
# ls -l \/dev\/{null,zero,stdin,stdout,stderr,random,tty}\r\n<\/pre>\n
\n
\"Listing<\/a><\/p>\n
Listing Required Files<\/p>\n<\/div>\n
3.<\/strong>\u00a0Now, create the\u00a0\/dev<\/code>\u00a0files as follows using the\u00a0mknod command<\/strong>. In the command below, the\u00a0-m<\/code>\u00a0flag is used to specify the file permissions bits,\u00a0c<\/code>\u00a0means character file and the two numbers are major and minor numbers that the files point to.<\/p>\n
# mkdir -p \/home\/test\/dev\/\t\t\r\n# cd \/home\/test\/dev\/\r\n# mknod -m 666 null c 1 3\r\n# mknod -m 666 tty c 5 0\r\n# mknod -m 666 zero c 1 5\r\n# mknod -m 666 random c 1 8\r\n<\/pre>\n
\n
\"Create<\/a><\/p>\n
Create \/dev and Required Files<\/p>\n<\/div>\n
4.<\/strong>\u00a0Afterwards, set the appropriate permission on the chroot jail. Note that the chroot jail and its subdirectories and subfiles must be owned by\u00a0root<\/strong>\u00a0user, and not writable by any normal user or group:<\/p>\n
# chown root:root \/home\/test\r\n# chmod 0755 \/home\/test\r\n# ls -ld \/home\/test\r\n<\/pre>\n
\n
\"Set<\/a><\/p>\n
Set Permissions on Directory<\/p>\n<\/div>\n
Step 2: Setup Interactive Shell for SSH Chroot Jail<\/h3>\n
5.<\/strong>\u00a0First, create the\u00a0bin<\/code>\u00a0directory and then copy the\u00a0\/bin\/bash<\/code>\u00a0files into the\u00a0bin<\/code>\u00a0directory as follows:<\/p>\n
# mkdir -p \/home\/test\/bin\r\n# cp -v \/bin\/bash \/home\/test\/bin\/\r\n<\/pre>\n
\n
\"Copy<\/a><\/p>\n
Copy Files to bin Directory<\/p>\n<\/div>\n
6.<\/strong>\u00a0Now, identify bash required shared\u00a0libs<\/code>, as below and copy them into the\u00a0lib<\/code>\u00a0directory:<\/p>\n
# ldd \/bin\/bash\r\n# mkdir -p \/home\/test\/lib64\r\n# cp -v \/lib64\/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} \/home\/test\/lib64\/\r\n<\/pre>\n
\n
\"Copy<\/a><\/p>\n
Copy Shared Library Files<\/p>\n<\/div>\n
Step 3: Create and Configure SSH User<\/h3>\n
7.<\/strong>\u00a0Now, create the SSH user with the\u00a0useradd command<\/a>\u00a0and set a secure password for the user:<\/p>\n
# useradd tecmint\r\n# passwd tecmint\r\n<\/pre>\n
8.<\/strong>\u00a0Create the chroot jail general configurations directory,\u00a0\/home\/test\/etc<\/code>\u00a0and copy the updated account files (\/etc\/passwd<\/strong>\u00a0and\u00a0\/etc\/group<\/strong>) into this directory as follows:<\/p>\n
# mkdir \/home\/test\/etc\r\n# cp -vf \/etc\/{passwd,group} \/home\/test\/etc\/\r\n<\/pre>\n
\n
\"Copy<\/a><\/p>\n
Copy Password Files<\/p>\n<\/div>\n
Note<\/strong>: Each time you add more SSH users to the system, you will need to copy the updated account files into the\u00a0\/home\/test\/etc<\/code>\u00a0directory.<\/p>\n
Step 4: Configure SSH to Use Chroot Jail<\/h3>\n
9.<\/strong>\u00a0Now, open the\u00a0sshd_config<\/code>\u00a0file.<\/p>\n
# vi \/etc\/ssh\/sshd_config\r\n<\/pre>\n
and add\/modify the lines below in the file.<\/p>\n
#define username to apply chroot jail to\r\nMatch User tecmint<\/strong>\r\n#specify chroot jail\r\nChrootDirectory \/home\/test<\/strong>\r\n<\/pre>\n
\n
\"Configure<\/a><\/p>\n
Configure SSH Chroot Jail<\/p>\n<\/div>\n
Save the file and exit, and restart the SSHD services:<\/p>\n
# systemctl restart sshd\r\nOR\r\n# service sshd restart\r\n<\/pre>\n
Step 5: Testing SSH with Chroot Jail<\/h3>\n
10.<\/strong>\u00a0At this point, test if the chroot jail setup is working as expected:<\/p>\n
# ssh tecmint@192.168.0.10<\/strong>\r\n-bash-4.1$ ls\r\n-bash-4.1$ date\r\n-bash-4.1$ uname\r\n<\/pre>\n
\n
\"Testing<\/a><\/p>\n
Testing SSH User Chroot Jail<\/p>\n<\/div>\n
From the screenshot above, we can see that the SSH user is locked in the chrooted jail, and can\u2019t run any external commands (ls, date, uname etc).<\/p>\n
The user can only execute bash and its builtin commands such as(pwd, history, echo etc) as seen below:<\/p>\n
# ssh tecmint@192.168.0.10<\/strong>\r\n-bash-4.1$ pwd\r\n-bash-4.1$ echo \"Tecmint - Fastest Growing Linux Site\"\r\n-bash-4.1$ history\r\n<\/pre>\n
\n
\"SSH<\/a><\/p>\n
SSH Built-in Commands<\/p>\n<\/div>\n
Step 6. Create SSH User\u2019s Home Directory and Add Linux Commands<\/h3>\n
11.<\/strong>\u00a0From the previous step, we can notice that the user is locked in the root directory, we can create a home directory for the the SSH user like so (do this for all future users):<\/p>\n
# mkdir -p \/home\/test\/home\/tecmint\r\n# chown -R tecmint:tecmint \/home\/test\/home\/tecmint\r\n# chmod -R 0700 \/home\/test\/home\/tecmint\r\n<\/pre>\n
\n
\"Create<\/a><\/p>\n
Create SSH User Home Directory<\/p>\n<\/div>\n
12.<\/strong>\u00a0Next, install a few user commands such as ls, date, mkdir in the\u00a0bin<\/code>\u00a0directory:<\/p>\n
# cp -v \/bin\/ls \/home\/test\/bin\/\r\n# cp -v \/bin\/date \/home\/test\/bin\/\r\n# cp -v \/bin\/mkdir \/home\/test\/bin\/\r\n<\/pre>\n
\n
\"Add<\/a><\/p>\n
Add Commands to SSH User<\/p>\n<\/div>\n
13.<\/strong>\u00a0Next, check the shared libraries for the commands above and move them into the chrooted jail libraries directory:<\/p>\n
# ldd \/bin\/ls\r\n# cp -v \/lib64\/{libselinux.so.1,libcap.so.2,libacl.so.1,libc.so.6,libpcre.so.1,libdl.so.2,ld-linux-x86-64.so.2,libattr.so.1,libpthread.so.0} \/home\/test\/lib64\/\r\n<\/pre>\n
\n
\"Copy<\/a><\/p>\n
Copy Shared Libraries<\/p>\n<\/div>\n
Step 7. Testing SFTP with Chroot Jail<\/h3>\n
14.<\/strong>\u00a0Do a final test using sftp; check if the commands you have just installed are working.<\/p>\n
Add the line below in the\u00a0\/etc\/ssh\/sshd_config<\/code>\u00a0file:<\/p>\n
#Enable sftp to chrooted jail \r\nForceCommand internal-sftp\r\n<\/pre>\n
Save the file and exit. Then restart the SSHD services:<\/p>\n
# systemctl restart sshd\r\nOR\r\n# service sshd restart\r\n<\/pre>\n
15.<\/strong>\u00a0Now, test using SSH, you\u2019ll get the following error:<\/p>\n
# ssh tecmint@192.168.0.10\r\n<\/pre>\n
\n
\"Test<\/a><\/p>\n
Test SSH Chroot Jail<\/p>\n<\/div>\n
Try using SFTP as follows:<\/p>\n
# sftp tecmint@192.168.0.10\r\n<\/pre>\n
\n
\"Testing<\/a><\/p>\n
Testing sFTP SSH User<\/p>\n<\/div>\n
Suggested Read:<\/b>\u00a0Restrict SFTP Users to Home Directories Using chroot Jail<\/a><\/p>\n
That\u2019s it for now!. In this article, we showed you how to restrict a SSH user in a given directory (chrooted jail) in Linux. Use the comment section below to offer us your thoughts about this guide.<\/p>\n
Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
There are several reasons to\u00a0restrict a SSH user session\u00a0to a particular directory, especially on web servers, but the obvious one is a system security. In order to lock SSH users in a certain directory, we can use\u00a0chrootmechanism. change root (chroot) in Unix-like systems such as Linux, is a means of separating specific user operations from … <\/p>\n
Continue reading “Restrict SSH User Access to Certain Directory Using Chrooted Jail”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-13307","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=13307"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13307\/revisions"}],"predecessor-version":[{"id":13308,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/13307\/revisions\/13308"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=13307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=13307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=13307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}