/ Useful

Ubuntu - rssh - sftp only, with chroot

Here's how to setup rssh on Ubuntu, to allow sftp only with a chroot directory. Note that these instructions are for Ubuntu Server 9.04 x64, other versions may require c
hanges.

First, add the rssh package.

sudo apt-get install rssh

Second, edit /etc/rssh.conf. Uncomment the #allowsftp line and one of the #chrootpath lines, and set the chrootpath to wherever you want your top-level chroot directory.

Third, modify or add whichever users you want to access using sftp and set their shell to /usr/bin/rssh.

Fourth, setup the chroot environment, which includes copying the following from the main system into your chroot directory:

./etc/ld.so.cache
./etc/resolv.conf
./etc/ld.so.conf.d/x86_64-linux-gnu.conf
./etc/ld.so.conf.d/libc.conf
./etc/ld.so.conf
./etc/passwd
./etc/group
./etc/nsswitch.conf
./etc/rssh.conf
./usr/bin/rssh
./usr/lib/libgssapi_krb5.so.2.2
./usr/lib/rssh/rssh_chroot_helper
./usr/lib/openssh/sftp-server
./usr/lib/libk5crypto.so.3.1
./usr/lib/libkrb5support.so.0.1
./usr/lib/libkrb5.so.3.3
./lib/libutil-2.9.so
./lib/libz.so.1.2.3.3
./lib/libpthread-2.9.so
./lib/libdl-2.9.so
./lib/libnsl-2.9.so
./lib/libcrypt-2.9.so
./lib/ld-2.9.so
./lib/libresolv-2.9.so
./lib/libnss_files-2.9.so
./lib/libc-2.9.so
./lib/libkeyutils-1.2.so
./lib/libcom_err.so.2.1
./lib/libnss_compat-2.9.so
./lib/libcrypto.so.0.9.8

Additionally, setup these links, again copying what's setup in the main system.

./usr/lib/libkrb5support.so.0
./usr/lib/libgssapi_krb5.so.2
./usr/lib/libk5crypto.so.3
./usr/lib/libkrb5.so.3
./lib/ld-linux-x86-64.so.2
./lib/libutil.so.1
./lib/libkeyutils.so.1
./lib/libnss_files.so.2
./lib/libnsl.so.1
./lib/libcom_err.so.2
./lib/libdl.so.2
./lib/libc.so.6
./lib/libz.so.1
./lib/libresolv.so.2
./lib/libpthread.so.0
./lib/libnss_compat.so.2
./lib/libcrypt.so.1
./lib64

You may want to strip out users/groups you don't want visible from the etc/passwd and etc/group files.

Fifth, create a dev directory in your chroot directory, then create a /dev/null in it as follows.

mknod -m 666 dev/null c 1 3

Sixth, edit /etc/default/syslogd and update the SYSLOGD="" line as follows.

SYSLOGD="-a /[chroot dir]/dev/log"

Then restart syslogd.

sudo /etc/init.d/sysklogd restart

Finally, test.

Note that if you add users/groups to the system /etc/passwd and /etc/group files they will need to be copied again (possibly just the new lines) into the appropriate files in the chroot directory's etc.

References:

Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only

Bryan Fullerton

Bryan Fullerton

Just a middle-aged dude doing his best to survive. Geeky Internet things from remote professionally.

Read More
Ubuntu - rssh - sftp only, with chroot
Share this