css (1) jQuery (7) linux (38) mac (70) php (29) python (1) svn/git (9) trac (4) ubuntu (1) virtualbox (6) vista (2) windows (14)

Wednesday, 15 February 2012

chroot SSH using OpenSSH ChrootDirectory with Ubuntu/Debian

It's quite common to use sftp jails using OpenSSH's ChrootDirectory and the ForceCommand internal-sftp directives in the sshd_config file, however it's not as obvious how to set up a full shell in a chroot.

Since shell access requires some files (/bin/bash, various files from /lib, /dev/null etc etc) the common way I've seen on the internet to set up a chroot shell is to simply copy these files.

Personally I don't like that method, since you have to copy each file over and all the libraries then it's a pain to keep them up to date since package managers won't touch get the picture.

So this is what I've done, note I've not tested it for security the chroot I required was to prevent a user with limited experience from being able to break a live system yet still access the files in /home

Replace all instances of [username] with the chrooted user's username

Step 1:

Create a chroot directory, I chose /chroots/[username]

Make sure this is owned by root and only writable by root.

Step 2:
At the end of /etc/ssh/sshd_config add

Match user [username]
ChrootDirectory /chroots/[username]

Restart ssh

Step 3:
Install and run debootstrap, this creates a minimal install of your chosen distribution in the chroot so all your binaries and libraries are there including an apt conf so you can update using apt

aptitude -y install debootstrap
debootstrap lucid /chroots/[username]

This installs ubuntu lucid to /chroots/[username]

Now a few files need to be linked from the main system to the chroot, you can either 1) copy these or 2) hard link them
These are at a minimum

You can then use apt to update the system as normal by running  chroot /chroots/[username] then your normal apt commands.

Step 4:

Mount the home directory in the chroot, in the main system add a line like this to /etc/fstab
/home/[username]/ /chroots/webdev/home/[username]/ none defaults,bind 0 0

And that's pretty much it.