Openssh Sftp Chroot

| 30-04-2021
[RAND-1-100] Comments



For regular user accounts, a properly configured chroot jail is a rock solid security system. I’ve already written about chrooting sftp session using rssh. According to OpenBSD journal OpenSSH devs Damien Miller and Markus Friedl have recently added a chroot security feature to openssh itself: Unfortunately, setting up a chroot(2) environment is complicated, fragile and. OpenSSH is now configured to chroot to the directory 'user1' preventing the user from breaking out of his own directory. The user homedir is set to '/data' so that the working directory of the user is this one right after the SFTP login. 'user1' has limited access rights as required by OpenSSH, the user has no write access to this directory. And an SFTP chroot is a little more forgiving in so far as it doesn't actually require any supporting system or userpsace services (a shell, ls, cp, etc.), which is why you often see ChrootDirectory accompanied with `ForceCommand internal-sftp` which will prevent SSH access altogether. Configure SSH for SFTP Access Modify or add the following lines at the end of the file: #Subsystem sftp /usr/libexec/openssh/sftp-server Subsystem sftp internal-sftp Match Group sftpgroup ChrootDirectory /sftpusers/chroot/ ForceCommand internal-sftp X11Forwarding no AllowTcpForwarding no Save and exit the file. Note: The services are named OpenSSH Authentication Agent and OpenSSH SSH Server. Opening the SSH port in the Windows Firewall manually SSH uses Port 22 for transfer/authentication, which is closed in Windows because SSH isn't included by default. To open it, open the Windows Firewall from the Control Panel. Click on Inbound Rules (in the left.

Using OpenSSH you can bind SSH or SFTP users to their home directory and restrict them to access other directories on the SSH server. In this article we will demonstrate Chroot SSH Configuration on Linux|RHEL|CentOS for selected ssh users or group.


Topic

  • How to configure chroot SSH on Linux?
  • How to configure chroot SSH on CentOS 7?
  • How to configure chroot SSH on RHEL 7?
  • Restrict SSH user to a specific directory
  • Restrict SSH user to home directory
  • Chroot SSH on Ubuntu
  • Chroot SSH on Debian
  • Chroot SSH on RHEL

Solution

Prerequisites

  • Install Openssh server

Configuration

Setting up a secure or chroot ssh environment requires a sandox environment which has its own libraries and binaries. In this article, we’ll bind all ssh users who are part of chrootssh group into /data/chroot-ssh directory.

There are 3 configuration steps used in this article to setup chroot SSH environment:

Openssh sftp example
  1. Chroot Environment Setup
  2. Chroot Binary Setup
  3. Chroot User Account Setup
Openssh Sftp Chroot

This article has been tested on CentOS 7 and RHEL 7. You can refer to the steps given in this article to configure chroot ssh on other Linux distributions. This article also contains 3 bash scripts to automate the setup. Login to the system with root account to perform the given steps.

Chroot Environment Setup [1]
  • Create a chroot environment directory named /data/chroot-ssh. You can create the chroot environment directory on any path of your choice.
  • Create a chroot group named chrootssh. You can create the chroot group of your choice.
  • Setup chroot environment with the following steps.
  • Append the following configuration to /etc/ssh/sshd_config file and then restart sshd service.
  • We can automate the complete above steps given in Chroot Environment Setup section with the following bash script.
  • The above script needs two arguments 1) Chroot Directory path 2) Chroot Group Name.
  • Execute the following command to run the above script. Relace the directory path and group name of your choice.


Openssh
Chroot Binary Setup [2]

In this section, we’ll setup required binaries for chroot sandbox environment. Binaries are the commands allowed to execute in the chroot environment. Basically, we need the following mandatory commands or binaries for chroot environment but you can setup other commands if required.

  • /bin/{ls,cat,echo,rm,sh,touch,vi,mkdir}

  • Copy the above binaries to $CHROOT_DIR/bin directory.

Ssh Sftp Chroot Umask

  • Then copy dependent library files of those binaries/commands to $CHROOT_DIR/lib64 directory.
  • Copy the following special binary file to $CHROOT_DIR/lib64 directory.
  • We can automate the complete above steps in Chroot Binary Setup section with the following bash script.
  • The above script needs two arguments 1) Chroot Directory path 2) absolute path of the binary or command.
  • Execute the following command to run the above script. Replace the directory path and binary name of your choice.


Chroot User Account Setup [3]

In this section, we’ll setup user accounts with chroot privileges only. For exercise, we’ll use testssh account for chroot ssh login.

  • Create user account and add the user to chroot group chrootssh.
  • Setup home directory for the chroot user account with the following steps.
  • We can automate the complete above steps in Chroot User Account Setup section with the following bash script. In the following script modify two variables 1) CHROOT_DIR 2) CHGROUP and put the value of your choice. In our case, CHROOT_DIR='/data/chroot-ssh' and CHGROUP='chrootssh'.
  • The above script needs one argument user_name.
  • Execute the following command to run the above script. Relace the user_name of your choice.


Testing

Execute the following commands for chroot ssh login test.


If you have enjoyed the above article, the following are add on articles related to Chroot SSH Configuration on Linux|RHEL|CentOS:

Sftp Chroot Jail