Openssh Sftp Chroot

Using OpenSSH you can bind SSH or SFTP users to their home directory and restrict them to access other directories on the SSH server. In this article we will demonstrate Chroot SSH Configuration on Linux|RHEL|CentOS for selected ssh users or group.

Openssh Sftp Server
Openssh Sftp Windows
Openssh Sftp Chroot User

Now when the user logs in, the ssh key is looked up in /home//.ssh as per /etc/passwd, a chroot is done into /home//sftp, and then a cd is done into /home/ inside the chroot. In other words, the user's remote working directory will appear as /home/. To set the default command shell, first confirm that the OpenSSH installation folder is on the system path. For Windows, the default installation folder is SystemDrive:WindowsDirectory System32 openssh. The following commands shows the current path setting, and add the default OpenSSH installation folder to it.

Topic

How to configure chroot SSH on Linux?
How to configure chroot SSH on CentOS 7?
How to configure chroot SSH on RHEL 7?
Restrict SSH user to a specific directory
Restrict SSH user to home directory
Chroot SSH on Ubuntu
Chroot SSH on Debian
Chroot SSH on RHEL

Solution

Prerequisites

Install Openssh server

Configuration

Setting up a secure or chroot ssh environment requires a sandox environment which has its own libraries and binaries. In this article, we’ll bind all ssh users who are part of chrootssh group into /data/chroot-ssh directory.

There are 3 configuration steps used in this article to setup chroot SSH environment:

Chroot Environment Setup
Chroot Binary Setup
Chroot User Account Setup

This article has been tested on CentOS 7 and RHEL 7. You can refer to the steps given in this article to configure chroot ssh on other Linux distributions. This article also contains 3 bash scripts to automate the setup. Login to the system with root account to perform the given steps.

Chroot Environment Setup [1]

Create a chroot environment directory named /data/chroot-ssh. You can create the chroot environment directory on any path of your choice.

Create a chroot group named chrootssh. You can create the chroot group of your choice.

Setup chroot environment with the following steps.

Append the following configuration to /etc/ssh/sshd_config file and then restart sshd service.

We can automate the complete above steps given in Chroot Environment Setup section with the following bash script.

The above script needs two arguments 1) Chroot Directory path 2) Chroot Group Name.
Execute the following command to run the above script. Relace the directory path and group name of your choice.

Chroot Binary Setup [2]

Openssh Sftp Server

In this section, we’ll setup required binaries for chroot sandbox environment. Binaries are the commands allowed to execute in the chroot environment. Basically, we need the following mandatory commands or binaries for chroot environment but you can setup other commands if required.

/bin/{ls,cat,echo,rm,sh,touch,vi,mkdir}
Copy the above binaries to $CHROOT_DIR/bin directory.

Openssh Sftp Windows

Then copy dependent library files of those binaries/commands to $CHROOT_DIR/lib64 directory.

Copy the following special binary file to $CHROOT_DIR/lib64 directory.

We can automate the complete above steps in Chroot Binary Setup section with the following bash script.

The above script needs two arguments 1) Chroot Directory path 2) absolute path of the binary or command.
Execute the following command to run the above script. Replace the directory path and binary name of your choice.

Chroot User Account Setup [3]

In this section, we’ll setup user accounts with chroot privileges only. For exercise, we’ll use testssh account for chroot ssh login.