September 2008 Archives

I wanted to set up a user to be able to sftp to my server without being able to see any of my filesystem. I found a couple of somewhat outdated guides and, by combining them, was able to get it working. The following steps assume you are running Ubuntu 8.04 Server with OpenSSH installed and the service started.

All the following commands require root privileges, so start a root shell first: sudo -i

First you need to choose where the user's chroot jail should be. I am creating a user called 'sftp' and want the jail under /home: mkdir /home/sftp

The jail root itself must stay owned by root and not be writable by the sftp user; the user only gets write access to a directory underneath it (the home directory created in the next step). A jail root the user can write to defeats the point of the chroot.

rssh is a restricted shell that limits a user to sftp (and optionally scp, rsync, cvs or rdist) instead of an interactive login: aptitude install rssh

Create the user, specifying a home directory within the chroot jail and rssh as the user's shell, then set a password:

useradd -m -d /home/sftp/files -s /usr/bin/rssh sftp
passwd sftp

Alternatively, if you are setting this up for an existing user, edit that user's line in /etc/passwd so that the home directory and shell fields match the above.

You need to make some changes to the rssh configuration file: vi /etc/rssh.conf

Add a line like the following for your user. The fields are user name, umask, access bits and chroot path; the five access bits stand for rsync, rdist, cvs, sftp and scp in that order, so 00010 allows sftp only. A umask of 022 means uploaded files will be world-readable; use 077 if that is not what you want. See the examples in the configuration file for the full syntax: user = "sftp:022:00010:/home/sftp"

Next you need to modify the chroot creation script: vi /usr/share/doc/rssh/examples/mkchroot.sh

Make the following changes so the script points at the Ubuntu locations of the sftp-server and rssh_chroot_helper binaries (the defaults are /usr/libexec paths, which do not exist on Ubuntu). Change

sftp_server_path="/usr/libexec/openssh/sftp-server"

to

sftp_server_path="/usr/lib/openssh/sftp-server"

and change

chroot_helper_path="/usr/libexec/rssh_chroot_helper"

to

chroot_helper_path="/usr/lib/rssh/rssh_chroot_helper"

Run the script to create the chroot jail: /usr/share/doc/rssh/examples/mkchroot.sh /home/sftp

The script copies the server's passwd file into the chroot jail. Edit out every user other than the one you are creating the jail for, so that the file contains only that user's line (the uid and gid will be whatever useradd assigned): vi /home/sftp/etc/passwd

sftp:x:1001:1001::/home/sftp/files:/usr/bin/rssh

One necessary file, the dynamic loader, is missed by the script and needs to be copied over manually: cp /lib/ld-linux.so.2 /home/sftp/lib/

That path is the 32-bit loader. On a 64-bit (amd64) install the loader is /lib64/ld-linux-x86-64.so.2 and it has to go into /home/sftp/lib64/ instead; without the right loader sftp-server cannot start inside the jail and the connection is closed straight away.

You'll need to create /dev/null within the chroot jail: mknod -m 666 /home/sftp/dev/null c 1 3

To set up logging you'll need to edit the syslog config file: vi /etc/default/syslogd

Make the following change so that syslogd also listens on a /dev/log socket inside the jail (it creates the socket when it starts). Change

SYSLOGD=""

to

SYSLOGD="-a /home/sftp/dev/log"

Restart the syslog service for the change to take effect: /etc/init.d/sysklogd restart

Finally, rssh_chroot_helper has to be setuid root, since it is the program that actually calls chroot(2) before handing over to sftp-server. This applies to the original binary outside the jail, NOT the copy inside the jail: chmod u+s /usr/lib/rssh/rssh_chroot_helper

Note that a package upgrade may replace the binary and drop the bit, so re-check it after upgrading rssh.

You can then test to make sure things are working: sftp sftp@localhost

If it doesn't work, check the system log; rssh and rssh_chroot_helper log the reason they refused or failed a session there: tail -f /var/log/syslog
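As an added example that is not part of the original post, the script below wraps the manual steps that follow mkchroot.sh above (trimming the jail's passwd copy, copying the dynamic loader, creating /dev/null, pointing sysklogd at the jail's /dev/log, setting the setuid bit) into functions and adds a verify_jail check that lists whatever the jail still lacks, which is usually quicker than reading syslog. It assumes the Ubuntu 8.04 paths used above and that mkchroot.sh has already been run; the function names are my own. Run it as root as "finish /home/sftp sftp", or as "verify /home/sftp sftp" to only check an existing jail.

```sh
#!/bin/sh
# Added example, not code from the original post: the manual fix-ups the
# post does after mkchroot.sh, plus a verify step the post does not have.
# Assumptions: Ubuntu 8.04-era paths (/usr/lib/openssh/sftp-server,
# /usr/lib/rssh/rssh_chroot_helper), sysklogd reading /etc/default/syslogd,
# and that mkchroot.sh has already populated the jail. finish_jail needs root.

# Keep only USER's entry in the passwd copy that mkchroot.sh placed in JAIL.
jail_passwd_filter() {
    jail=$1; user=$2
    awk -F: -v u="$user" '$1 == u' "$jail/etc/passwd" > "$jail/etc/passwd.new"
    mv "$jail/etc/passwd.new" "$jail/etc/passwd"
}

# Copy the dynamic loader the jailed sftp-server needs. The post copies
# /lib/ld-linux.so.2, which is the 32-bit loader; on amd64 the loader is
# /lib64/ld-linux-x86-64.so.2 and must land in JAIL/lib64 instead.
copy_loader() {
    jail=$1
    for ld in /lib/ld-linux.so.2 /lib64/ld-linux-x86-64.so.2; do
        if [ -e "$ld" ]; then
            mkdir -p "$jail$(dirname "$ld")"
            cp "$ld" "$jail$(dirname "$ld")/"
        fi
    done
}

# The helper outside the jail must be setuid root to call chroot(2).
check_helper_setuid() {
    [ -u "$1" ]
}

# Print one line per thing the jail still lacks; return 1 if there were any.
verify_jail() {
    jail=$1; user=$2; n=0
    fail() { echo "$1"; n=$((n + 1)); }
    [ -f "$jail/usr/lib/openssh/sftp-server" ] || fail "no sftp-server under $jail/usr/lib/openssh"
    [ -f "$jail/usr/lib/rssh/rssh_chroot_helper" ] || fail "no rssh_chroot_helper under $jail/usr/lib/rssh"
    [ -e "$jail/lib/ld-linux.so.2" ] || [ -e "$jail/lib64/ld-linux-x86-64.so.2" ] \
        || fail "no dynamic loader under $jail/lib or $jail/lib64"
    [ -c "$jail/dev/null" ] || fail "$jail/dev/null is not a character device"
    [ -S "$jail/dev/log" ] || fail "$jail/dev/log is not a socket (syslogd -a not set or not restarted)"
    if [ -f "$jail/etc/passwd" ]; then
        lines=$(grep -c '' "$jail/etc/passwd" || true)
        [ "$lines" -eq 1 ] || fail "$jail/etc/passwd has $lines entries, expected only $user"
        grep -q "^$user:" "$jail/etc/passwd" || fail "$user missing from $jail/etc/passwd"
    else
        fail "no $jail/etc/passwd (did mkchroot.sh run?)"
    fi
    [ "$n" -eq 0 ]
}

# Root only: everything the post does by hand after mkchroot.sh.
finish_jail() {
    jail=$1; user=$2
    jail_passwd_filter "$jail" "$user"
    copy_loader "$jail"
    mkdir -p "$jail/dev"
    [ -c "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3
    # Make sysklogd also listen on the jail's /dev/log, then restart it.
    if ! grep -q -- "-a $jail/dev/log" /etc/default/syslogd; then
        sed -i "s|^SYSLOGD=\"\(.*\)\"|SYSLOGD=\"\1 -a $jail/dev/log\"|" /etc/default/syslogd
        /etc/init.d/sysklogd restart
    fi
    # setuid root on the helper outside the jail. dpkg-statoverride keeps the
    # bit across package upgrades; plain chmod is the fallback.
    helper=/usr/lib/rssh/rssh_chroot_helper
    dpkg-statoverride --update --add root root 4755 "$helper" 2>/dev/null || chmod u+s "$helper"
    verify_jail "$jail" "$user"
}

case "${1:-}" in
    finish) finish_jail "$2" "$3" ;;
    verify) verify_jail "$2" "$3" ;;
esac
```

verify_jail only looks at the jail's layout; it does not check that every shared library sftp-server needs was copied, which mkchroot.sh handles via ldd, nor that the rssh.conf line exists, so if it reports nothing missing and logins still fail, syslog is the next place to look.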

About this Archive

This page is an archive of entries from September 2008 listed from newest to oldest.