Chroot jail for SSH

From MEPIS Documentation Wiki

Jump to: navigation, search

Background

This HOW-TO explains how to set up a chroot jail, an operation that changes the apparent disk root directory for a running program so that it cannot access or name files outside that directory. It should be used as a guide: while I have tried to cover everything by just retracing my steps after I got it all working, I haven't gone through this with a fine tooth comb.

This HOW-TO is based on Mepis 7 which is basically Debian Etch (For all the googlers :-P ) and presumes you have SSH server up and running already.

Installation

Install the PAM module which will be Chrooting our SSH Users

apt-get install libpam-chroot

Setup

Create the user (if you haven't already)

adduser testuser

Add the user you want to Chroot via SSH into /etc/security/chroot.conf like:

# username      chroot_dir
testuser	/home/testuser

add lines to /etc/pam.d/ssh like:

#Setup CHROOT Environment for users who SSH in
session    required     pam_chroot.so debug

Setup the virtual file system for the chroot jail, Run the following commands as root:

mkdir -p /home/testuser/home/
cd /home/testuser
mkdir etc
mkdir bin
mkdir lib
mkdir -p usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5

Now setup a basic passwd file for the chroot jail:

touch etc/passwd
grep /etc/passwd -e "^root" > etc/passwd
touch etc/group
grep /etc/group -e "^root" -e "^users" > etc/group

Now we need to copy the applications we want to run into the chrooted jail, Create a txt file called makeapps.sh, add the following to it:

#!/bin/bash
APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
for prog in $APPS;  do
        cp $prog ./$prog

        # obtain a list of related libraries
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
                LIBS=`ldd $prog | awk '{ print $3 }'`
                for l in $LIBS; do
                        mkdir -p ./`dirname $l` > /dev/null 2>&1
                        cp $l ./$l
                done
        fi
done

Note: If you require other programs etc add the absolute path to them in the APPS line

One thing that happens when you try log in at present is you type in the password and receive:

/bin/bash: No such file or directory
Connection to SSH-SERVER closed.

The makeapps.sh hasn't copied one of the libraries across, we are actually missing a copy of: ld-linx.so.2 So as root:

cp /lib/ld-linux.so.2 /home/testuser/lib/

Now you should be able log into a chrooted home!

Guide derived from: http://www.howtoforge.com/chrooted_ssh_howto_debian

Original Article by Cam Mckenzie aka cAm34 of MepisLovers

Personal tools