Chrooted SSH HowTo

Submitted by falko (Contact Author) (Forums) on Wed, 2006-01-18 07:27. :: Security

This is a "copy & paste" HowTo! The easiest way to follow this tutorial is to use a command line client/SSH client (like PuTTY for Windows) and simply copy and paste the commands (except where you have to provide own information like IP addresses, hostnames, passwords,...). This helps to avoid typos.

Chrooted SSH HowTo

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited: 01/18/2006

This tutorial describes how to install and configure OpenSSH so that it will allow chrooted sessions for users. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of.

This setup is based on a Debian Sarge (Debian 3.1) system, and the chrooted SSH will be installed in such a way that it will still use the configuration files of the standard OpenSSH Debian package which are in /etc/ssh/, and you will be able to use the standard OpenSSH Debian init script /etc/init.d/ssh. Therefore you do not have to create your own init script and configuration file.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Install The Newest Zlib Version

Because there was a security hole in zlib-1.2.2 about which the chrooted SSH will complain when we try to compile it, we install the newest zlib version right now:

cd /tmp
wget http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3
make clean
./configure -s
make
make install

2 Install The Chrooted SSH

This is quite easy. We download the patched OpenSSH sources, and we configure them with /usr as directory for the SSH executable files, with /etc/ssh as directory where the chrooted SSH will look for configuration files, and we also allow PAM authentication:

cd /tmp
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh
wget http://chrootssh.sourceforge.net/download/openssh-4.2p1-chroot.tar.gz
tar xvfz openssh-4.2p1-chroot.tar.gz
cd openssh-4.2p1-chroot
./configure --exec-prefix=/usr --sysconfdir=/etc/ssh --with-pam
make
make install


Copyright © 2006 Falko Timme
All Rights Reserved.
add comment | view as pdf view as pdf | print: this | all page(s) |
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Broken chroot setup script.
Submitted by Anonymous (not registered) on Mon, 2006-03-20 23:53.
The chroot setup script didn't work on my Ubuntu 5.10 since the ldd output for some programs differed from what the script expected so i modified the script a bit. The improved version can be found here: http://hirvinen.dy.fi/chroot-setup.sh . Otherwise a nice howto. Thanks.
reply | view as pdf view as pdf
Utility and security
Submitted by EGearing (registered user) on Mon, 2006-01-30 01:15.
I looked for a shared system solution several months ago and gave up on ssh after a few attempts. By the time I added enough programs to be useful, I couldn't convince myself it was secure. lsof returns over 100 files, pipes, etc and I could not imagine a feasible way of assuring that injection in one of those couldn't lead to compromise.

For most environments, ftp is enough (my security is more important to me than user security). For the others, I permit only users I can reach with a baseball bat.

reply | view as pdf view as pdf
make install
Submitted by Anonymous (not registered) on Sun, 2006-01-29 19:18.
instead of running make install on your debian system try using checkinstall command that way you can uninstall easily.
reply | view as pdf view as pdf