Jail ssh user to home directory on Linux

by

Jailing an SSH user to their home directory allows you (the administrator) to exercise a lot of control and security over the user accounts on a Linux system.

The jailed user still has access to their home directory, but can’t traverse the rest of the system. This keeps everything else on the system private and will prevent anything from being tampered with by an SSH user. It’s an ideal setup for a system that has various users and each user’s files need to stay private and isolated from the others.

In this guide, we’ll show you the step by step instructions for jailing an SSH user to their home directory.

In this tutorial you will learn:

  • How to jail SSH user to home directory

Jail ssh user to home directory on Linux

Jail ssh user to home directory on Linux
Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Any Linux distro
Software OpenSSH Server
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user

Jail user to home directory with chroot

Open a terminal and get ready to type a lot of commands, as the process to setup a secure chroot is pretty drawn out. You’ll want to elevate to the root user account or use sudo for every command.

  1. Start by making the chroot directory, which will contain the various nodes, libs, and shell for our jailed user(s). 
    # mkdir /var/chroot
  2. Next, let’s copy some essential /dev nodes over to the chroot directory, which allows users basic use of the terminal. 
    # mkdir /var/chroot/dev		
# cd /var/chroot/dev
# mknod -m 666 null c 1 3
# mknod -m 666 tty c 5 0
# mknod -m 666 zero c 1 5
# mknod -m 666 random c 1 8
  3. Next, set permissions on the chroot directory. The root user will need to own the directory in order to make sure that the jailed users can’t leave it. Other users can only have read and execute permissions. 
    # chown root:root /var/chroot
# chmod 755 /var/chroot
  4. Next, let’s give our jailed user(s) a shell. We’ll be using the bash shell in this example, though you could use a different one if you wanted to. 
    # mkdir /var/chroot/bin
# cp /bin/bash /var/chroot/bin
  5. The bash shell requires various libs to run, so they will also need to be copied to the chroot directory. You can see what libs are required with the ldd command: 
    # ldd /bin/bash
	linux-vdso.so.1 (0x00007ffd59492000)
	libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f91714cd000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f91714c7000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f91712d5000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f917163a000)

    Copy those files over to the chroot directory:

    # mkdir -p /var/chroot/lib/x86_64-linux-gnu /var/chroot/lib64
# cp /lib/x86_64-linux-gnu/{libtinfo.so.6,libdl.so.2,libc.so.6} /var/chroot/lib/x86_64-linux-gnu
# cp /lib64/ld-linux-x86-64.so.2 /var/chroot/lib64
  6. Now we can create the user and set a password for the account. 
    # useradd example
# passwd example
  7. Add the /etc/passwd and /etc/group files into the chroot directory. 
    # mkdir /var/chroot/etc
# cp /etc/{passwd,group} /var/chroot/etc
  8. Next, we need to do some editing to the SSH config file. Use nano or your favorite text editor to open it. 
    # sudo nano /etc/ssh/sshd_config

    Add the following lines to the bottom of the file.

    Match user example
ChrootDirectory /var/chroot
    Configure chroot to jail an SSH user

    Configure chroot to jail an SSH user

    Save your changes and restart the SSH service for the changes to take effect.

    # systemctl restart sshd
  9. Create a home directory for the user and give it proper permissions. 
    # mkdir -p /var/chroot/home/example
# chown example:example /var/chroot/home/example
# chmod 700 /var/chroot/home/example
  10. At this point, the user should be able to login and use native bash commands, but they won’t have access to much. Let’s give them access to some more basics like ls, cat, echo, rm, vi, date, mkdir. Rather than manually copying over all the shared libraries for these commands, you can use the following script to streamline the process. 
    #!/bin/bash
# This script can be used to create simple chroot environment
# Written by LinuxConfig.org 
# (c) 2020 LinuxConfig under GNU GPL v3.0+

#!/bin/bash

CHROOT='/var/chroot'
mkdir $CHROOT

for i in $( ldd $* | grep -v dynamic | cut -d " " -f 3 | sed 's/://' | sort | uniq )
  do
    cp --parents $i $CHROOT
  done

# ARCH amd64
if [ -f /lib64/ld-linux-x86-64.so.2 ]; then
   cp --parents /lib64/ld-linux-x86-64.so.2 /$CHROOT
fi

# ARCH i386
if [ -f  /lib/ld-linux.so.2 ]; then
   cp --parents /lib/ld-linux.so.2 /$CHROOT
fi

echo "Chroot jail is ready. To access it execute: chroot $CHROOT"

    Using that script, let’s enable some of these commands.

    # ./chroot.sh /bin/{ls,cat,echo,rm,vi,date,mkdir}

We’re finally done. You can SSH with the user you created to make sure everything works correctly.

# ssh example@localhost
The SSH user is jailed to the chroot but has access to basic commands

The SSH user is jailed to the chroot but has access to basic commands

As you can see, our user has access to the commands we’ve given it and cannot access the rest of the system outside of chroot.

Conclusion

In this guide, we saw how to jail an SSH user to their home directory on Linux. It’s a long process but the script we’ve provided you should save a massive amount of tedious work. Jailing a user to a single directory is a very good way to maintain privacy for individual users on a shared server.

Related Linux Tutorials:

Comments and Discussions
Linux Forum