How to automatically chroot jail selected ssh user logins


In this article we will look on how to automatically chroot jail selected user ssh login based on the user group. This technique can be quite useful if you what your user to be provided with a limited system environment and at the same time keep them separate from your main system. You can also use this technique to create a simple ssh honeypot. In this tutorial you will learn how to create a basic chroot environment and how to configure your main system’s sshd to automatically chroot jail selected users upon the ssh login.

Creating basic chroot environment

First we need to create a simple chroot environment. Our chroot environment will consist of a bash shell. To do this, first, we need to create a chroot directory:

# mkdir /var/chroot

In the next step, we need to copy the bash binary and its all shared library dependencies.
You can see the bash’s shared library dependencies by executing the ldd command:

# ldd /bin/bash => (0x00007fff9a373000) => /lib/x86_64-linux-gnu/ (0x00007f24d57af000) => /lib/x86_64-linux-gnu/ (0x00007f24d55ab000) => /lib/x86_64-linux-gnu/ (0x00007f24d51eb000)
/lib64/ (0x00007f24d59f8000)

Now, we need to manually create all necessary directories and copy /bin/bash and all libraries to the new chroot directory into an appropriate location:

# cd /var/chroot/
# mkdir bin/ lib64/ lib/
# cp /lib/x86_64-linux-gnu/ lib/
# cp /lib/x86_64-linux-gnu/ lib/
# cp /lib/x86_64-linux-gnu/ lib/
# cp /lib64/ lib64/
# cp /bin/bash bin/

At this point all is ready and we can chroot

# chroot /var/chroot
bash-4.2# ls /
bash: ls: command not found

From the above you can see that bash is ready but there is not much to do as not even ls command is available. Rather then manually copy all commands and required libraries I have created a simple bash script to aid with this purpose. Create a script with the following content:

# This script can be used to create simple chroot environment
# Written by <>
# (c) 2013 LinuxCareer under GNU GPL v3.0+


mkdir $CHROOT

for i in $( ldd $* | grep -v dynamic | cut -d " " -f 3 | sed 's/://' | sort | uniq )
    cp --parents $i $CHROOT

# ARCH amd64
if [ -f /lib64/ ]; then
   cp --parents /lib64/ /$CHROOT

# ARCH i386
if [ -f  /lib/ ]; then
   cp --parents /lib/ /$CHROOT

echo "Chroot jail is ready. To access it execute: chroot $CHROOT"

By default the above script will create chroot in /var/chroot as defined by the $CHROOT variable. Feel free to change this variable according to your needs. When ready, make the script executable and run it with the file full path to your executables and files you wish to include. For example, if you need: ls, cat, echo, rm, bash, vi then use the which command to get a full path and supply it as an argument to the above script:

# ./ /bin/{ls,cat,echo,rm,bash} /usr/bin/vi /etc/hosts
Chroot jail is ready. To access it execute: chroot /var/chroot

Now, you can access your new chroot jail with:

# chroot /var/chroot
bash-4.2# echo > file
bash-4.2# cat file
bash-4.2# rm file
bash-4.2# vi --version
VIM - Vi IMproved 7.3 (2010 Aug 15, compiled May 4 2012 04:25:35)

Create chroot usergroup

A this point, we need to create a separate usergourp, which will be used by sshd to redirect all users belonging to this usergroup to the chroot jail.

$ sudo groupadd chrootjail

Now, add any existing users to this group. For example, to add user tester we will execute:

$ sudo adduser tester chrootjail
Adding user `tester' to group `chrootjail' ...
Adding user tester to group chrootjail

Configure sshd for chroot jail

All what remains is to configure sshd to automaticaly redirect all users from the chrootjail usergroup to the chroot jail at /var/chroot. This can be easily done be editing the sshd configuration file /etc/ssh/sshd_config. Add the following to /etc/ssh/sshd_config:

Match group chrootjail
ChrootDirectory /var/chroot/

and restarting ssh:

$ sudo service ssh restart
ssh stop/waiting
ssh start/running, process 17175

Login to chroot jail using ssh

At this point you can test your settings by log in to you server with configured sshd:

$ ssh tester@localhost
tester@localhost's password:
-bash-4.2$ ls
bin lib lib64 usr

Looks familiar?


As you can see setting the ssh chroot jail is a fairly simple process. If a user does not have its home user directory available in a chroot jail after login s/he will end up in /. You can create and further configure your chroot by creating a user home directory, defining bash environment, etc.

Comments and Discussions
Linux Forum