Jailing an SSH user to their home directory allows you (the administrator) to exercise a lot of control and security over the user accounts on a Linux system.

The jailed user still has access to their home directory, but can't traverse the rest of the system. This keeps everything else on the system private and will prevent anything from being tampered with by an SSH user. It's an ideal setup for a system that has various users and each user's files need to stay private and isolated from the others.

In this guide, we'll show you the step by step instructions for jailing an SSH user to their home directory.

In this tutorial you will learn:
  • How to jail SSH user to home directory
Jail ssh user to home directory on Linux
Jail ssh user to home directory on Linux
Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Any Linux distro
Software OpenSSH Server
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ - requires given linux commands to be executed as a regular non-privileged user

Jail user to home directory with chroot


SUBSCRIBE TO NEWSLETTER
Subscribe to Linux Career NEWSLETTER and receive latest Linux news, jobs, career advice and tutorials.


Open a terminal and get ready to type a lot of commands, as the process to setup a secure chroot is pretty drawn out. You'll want to elevate to the root user account or use sudo for every command.

  1. Start by making the chroot directory, which will contain the various nodes, libs, and shell for our jailed user(s).
    # mkdir /var/chroot
    
  2. Next, let's copy some essential /dev nodes over to the chroot directory, which allows users basic use of the terminal.
    # mkdir /var/chroot/dev		
    # cd /var/chroot/dev
    # mknod -m 666 null c 1 3
    # mknod -m 666 tty c 5 0
    # mknod -m 666 zero c 1 5
    # mknod -m 666 random c 1 8
    


  3. Next, set permissions on the chroot directory. The root user will need to own the directory in order to make sure that the jailed users can't leave it. Other users can only have read and execute permissions.
    # chown root:root /var/chroot
    # chmod 755 /var/chroot
    
  4. Next, let's give our jailed user(s) a shell. We'll be using the bash shell in this example, though you could use a different one if you wanted to.
    # mkdir /var/chroot/bin
    # cp /bin/bash /var/chroot/bin
    
  5. The bash shell requires various libs to run, so they will also need to be copied to the chroot directory. You can see what libs are required with the ldd command:
    # ldd /bin/bash
    	linux-vdso.so.1 (0x00007ffd59492000)
    	libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f91714cd000)
    	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f91714c7000)
    	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f91712d5000)
    	/lib64/ld-linux-x86-64.so.2 (0x00007f917163a000)
    
    Copy those files over to the chroot directory:
    # mkdir -p /var/chroot/lib/x86_64-linux-gnu /var/chroot/lib64
    # cp /lib/x86_64-linux-gnu/{libtinfo.so.6,libdl.so.2,libc.so.6} /var/chroot/lib/x86_64-linux-gnu
    # cp /lib64/ld-linux-x86-64.so.2 /var/chroot/lib64
    


  6. Now we can create the user and set a password for the account.
    # useradd example
    # passwd example
    
  7. Add the /etc/passwd and /etc/group files into the chroot directory.
    # mkdir /var/chroot/etc
    # cp /etc/{passwd,group} /var/chroot/etc
    
  8. Next, we need to do some editing to the SSH config file. Use nano or your favorite text editor to open it.
    # sudo nano /etc/ssh/sshd_config
    
    Add the following lines to the bottom of the file.
    Match user example
    ChrootDirectory /var/chroot
    
    Configure chroot to jail an SSH user
    Configure chroot to jail an SSH user
    Save your changes and restart the SSH service for the changes to take effect.
    # systemctl restart sshd
    

  9. SUBSCRIBE TO NEWSLETTER
    Subscribe to Linux Career NEWSLETTER and receive latest Linux news, jobs, career advice and tutorials.


  10. Create a home directory for the user and give it proper permissions.
    # mkdir -p /var/chroot/home/example
    # chown example:example /var/chroot/home/example
    # chmod 700 /var/chroot/home/example
    
  11. At this point, the user should be able to login and use native bash commands, but they won't have access to much. Let's give them access to some more basics like ls, cat, echo, rm, vi, date, mkdir. Rather than manually copying over all the shared libraries for these commands, you can use the following script to streamline the process.

    #!/bin/bash
    # This script can be used to create simple chroot environment
    # Written by LinuxConfig.org 
    # (c) 2020 LinuxConfig under GNU GPL v3.0+
    
    #!/bin/bash
    
    CHROOT='/var/chroot'
    mkdir $CHROOT
    
    for i in $( ldd $* | grep -v dynamic | cut -d " " -f 3 | sed 's/://' | sort | uniq )
      do
        cp --parents $i $CHROOT
      done
    
    # ARCH amd64
    if [ -f /lib64/ld-linux-x86-64.so.2 ]; then
       cp --parents /lib64/ld-linux-x86-64.so.2 /$CHROOT
    fi
    
    # ARCH i386
    if [ -f  /lib/ld-linux.so.2 ]; then
       cp --parents /lib/ld-linux.so.2 /$CHROOT
    fi
    
    echo "Chroot jail is ready. To access it execute: chroot $CHROOT"
    


    Using that script, let's enable some of these commands.
    # ./chroot.sh /bin/{ls,cat,echo,rm,vi,date,mkdir}
    

We're finally done. You can SSH with the user you created to make sure everything works correctly.

# ssh example@localhost
The SSH user is jailed to the chroot but has access to basic commands
The SSH user is jailed to the chroot but has access to basic commands

As you can see, our user has access to the commands we've given it and cannot access the rest of the system outside of chroot.

Conclusion

In this guide, we saw how to jail an SSH user to their home directory on Linux. It's a long process but the script we've provided you should save a massive amount of tedious work. Jailing a user to a single directory is a very good way to maintain privacy for individual users on a shared server.

FIND LATEST LINUX JOBS on LinuxCareers.com
Submit your RESUME, create a JOB ALERT or subscribe to RSS feed.
LINUX CAREER NEWSLETTER
Subscribe to NEWSLETTER and receive latest news, jobs, career advice and tutorials.
DO YOU NEED ADDITIONAL HELP?
Get extra help by visiting our LINUX FORUM or simply use comments below.

You may also be interested in:



Comments and Discussions