
Wednesday, 15 February 2012

chroot SSH using OpenSSH ChrootDirectory with Ubuntu/Debian

It's quite common to build SFTP jails with OpenSSH's ChrootDirectory and ForceCommand internal-sftp directives in sshd_config; it's less obvious how to set up a full shell in a chroot.

Since shell access requires a number of files (/bin/bash, various files from /lib, /dev/null and so on), the common way I've seen on the internet to set up a chroot shell is to simply copy these files in.

Personally I don't like that method: you have to copy each file and all its libraries over, and then it's a pain to keep them up to date because package managers won't touch them... you get the picture.

So this is what I've done. Note that I've not tested it for security: the chroot I needed was to stop a user with limited experience from breaking a live system while still letting them access the files in /home.

Replace all instances of [username] with the chrooted user's username.

Step 1:

Create a chroot directory; I chose /chroots/[username].

Make sure this is owned by root and only writable by root.

Step 2:
At the end of /etc/ssh/sshd_config add:
</gram_replace>
<gr_replace lines="31" cat="clarify" orig="Restart ssh">
Restart ssh.

Match user [username]
ChrootDirectory /chroots/[username]

Restart ssh

Step 3:
Install and run debootstrap. This creates a minimal install of your chosen distribution in the chroot, so all the binaries and libraries are there, including an apt configuration so you can update with apt.

aptitude -y install debootstrap
debootstrap lucid /chroots/[username]

This installs Ubuntu lucid into /chroots/[username].

Now a few files need to be brought from the main system into the chroot; you can either 1) copy them or 2) hard link them.
At a minimum these are:
/etc/apt/sources.list
/etc/passwd
/etc/group

You can then use apt to update the system as normal by running chroot /chroots/[username] and then your normal apt commands.

Step 4:

Bind-mount the home directory into the chroot: on the main system, add a line like this to /etc/fstab
/home/[username]/ /chroots/[username]/home/[username]/ none defaults,bind 0 0

And that's pretty much it.