Openssh Sftp Chroot



Using OpenSSH you can bind SSH or SFTP users to their home directory and prevent them from accessing other directories on the SSH server. In this article we demonstrate chroot SSH configuration on Linux|RHEL|CentOS for selected SSH users or groups.


Now when the user logs in, the SSH key is looked up in /home//.ssh as per /etc/passwd, a chroot is done into /home//sftp, and then a cd is done into /home/ inside the chroot. In other words, the user's remote working directory will appear as /home/. To set the default command shell, first confirm that the OpenSSH installation folder is on the system path. For Windows, the default installation folder is SystemDrive:WindowsDirectory\System32\openssh. The following commands show the current path setting and add the default OpenSSH installation folder to it.


Topic

  • How to configure chroot SSH on Linux?
  • How to configure chroot SSH on CentOS 7?
  • How to configure chroot SSH on RHEL 7?
  • Restrict SSH user to a specific directory
  • Restrict SSH user to home directory
  • Chroot SSH on Ubuntu
  • Chroot SSH on Debian
  • Chroot SSH on RHEL

Solution

Prerequisites

  • Install Openssh server

Configuration

Setting up a secure or chroot SSH environment requires a sandbox environment which has its own libraries and binaries. In this article, we’ll bind all SSH users who are part of the chrootssh group into the /data/chroot-ssh directory.

There are 3 configuration steps used in this article to set up the chroot SSH environment:

  1. Chroot Environment Setup
  2. Chroot Binary Setup
  3. Chroot User Account Setup

This article has been tested on CentOS 7 and RHEL 7. You can refer to the steps given in this article to configure chroot SSH on other Linux distributions. This article also contains 3 bash scripts to automate the setup. Log in to the system with the root account to perform the given steps.

Chroot Environment Setup [1]
  • Create a chroot environment directory named /data/chroot-ssh. You can create the chroot environment directory on any path of your choice.
  • Create a chroot group named chrootssh. You can use a chroot group name of your choice.
  • Set up the chroot environment with the following steps.
  • Append the following configuration to the /etc/ssh/sshd_config file and then restart the sshd service.
  • We can automate all of the above steps in the Chroot Environment Setup section with the following bash script.
  • The above script needs two arguments: 1) chroot directory path, 2) chroot group name.
  • Execute the following command to run the above script. Replace the directory path and group name with those of your choice.
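The sshd_config Match block that the Environment Setup step appends, plus a check of the ownership rule sshd enforces on the chroot path, as an added shell example that is not the article's own script. It assumes the article's values /data/chroot-ssh and chrootssh (both passed as arguments); the AllowTcpForwarding and X11Forwarding lines are extra hardening assumed here, not taken from the article.

```shell
#!/bin/sh
# Added example (not the article's script). Arguments follow the article's
# setup: chroot dir /data/chroot-ssh and group chrootssh.

# Emit the sshd_config Match block that jails members of group $2 in $1.
# The two forwarding lines are extra hardening assumed here, not in the article.
gen_sshd_match() {
  printf 'Match Group %s\n' "$2"
  printf '    ChrootDirectory %s\n' "$1"
  printf '    AllowTcpForwarding no\n'
  printf '    X11Forwarding no\n'
}

# sshd_config(5) requires every component of ChrootDirectory to be a
# root-owned directory that no other user or group can write; otherwise the
# login is refused with "bad ownership or modes for chroot directory".
# Walks an absolute path, prints each offending component, returns 1 if any.
check_chroot_path() {
  path=$1 rc=0 cur=""
  old_ifs=$IFS
  IFS=/
  for part in $path; do
    [ -n "$part" ] || continue
    cur="$cur/$part"
    if [ ! -d "$cur" ]; then
      echo "missing: $cur"; rc=1; continue
    fi
    # find -prune keeps the test on the component itself, with no descent
    if [ -z "$(find "$cur" -prune -user root)" ]; then
      echo "not root-owned: $cur"; rc=1
    fi
    if [ -n "$(find "$cur" -prune \( -perm -020 -o -perm -002 \))" ]; then
      echo "group/world writable: $cur"; rc=1
    fi
  done
  IFS=$old_ifs
  return $rc
}

# Typical use, run as root after creating the directory and group:
#   gen_sshd_match /data/chroot-ssh chrootssh >> /etc/ssh/sshd_config
#   check_chroot_path /data/chroot-ssh && sshd -t && systemctl restart sshd
```

Running sshd -t before the restart catches a malformed Match block without locking yourself out of the running daemon.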


Chroot Binary Setup [2]


In this section, we’ll set up the binaries required for the chroot sandbox environment. Binaries are the commands allowed to execute in the chroot environment. At a minimum, we need the following commands or binaries in the chroot environment, but you can set up other commands if required.

  • /bin/{ls,cat,echo,rm,sh,touch,vi,mkdir}

  • Copy the above binaries to $CHROOT_DIR/bin directory.


  • Then copy the dependent library files of those binaries/commands to the $CHROOT_DIR/lib64 directory.
  • Copy the following special binary file to the $CHROOT_DIR/lib64 directory.
  • We can automate all of the above steps in the Chroot Binary Setup section with the following bash script.
  • The above script needs two arguments: 1) chroot directory path, 2) absolute path of the binary or command.
  • Execute the following command to run the above script. Replace the directory path and binary name with those of your choice.


Chroot User Account Setup [3]

In this section, we’ll set up user accounts with chroot privileges only. For this exercise, we’ll use the testssh account for the chroot SSH login.

  • Create the user account and add the user to the chroot group chrootssh.
  • Set up the home directory for the chroot user account with the following steps.
  • We can automate all of the above steps in the Chroot User Account Setup section with the following bash script. In the following script, modify the two variables 1) CHROOT_DIR and 2) CHGROUP and put in the values of your choice. In our case, CHROOT_DIR='/data/chroot-ssh' and CHGROUP='chrootssh'.
  • The above script needs one argument: user_name.
  • Execute the following command to run the above script. Replace user_name with the user name of your choice.


Testing


Execute the following commands to test the chroot SSH login.

