Index of /howtos/chrooted-sftp-server-for-suse


HOWTO Secure ssh on Linux with a chroot jail

Written by Jens Heine <bluemelvin_at_web.de> 31 Jan 2003, last modified 14.05.2005 deepx.homelinux.net

Contents

  1. What is this about?
  2. How do I solve this?
  3. What do I need?
  4. What do I have to do?
  5. How do I add/activate a user now?
  6. Download section

1. What is this about?

I want to have an sftp server for my users. I don't want them to have access to the directory tree on my server. They should be put in a "jail" after they have logged on. The following stuff has been tested on SuSE Linux 8.0/8.1/9.0 and Gentoo. It should work on other platforms as well.

By the way: if you have some users who cannot use sftp, or you have any other reason not to secure your data with this method, you should have a look at another program which I wrote together with a friend. The program is called comboard and it is written in Java. You can chat and share files with this tool over strongly encrypted TCP connections. Try the homepage of comboard! For encrypting and decrypting your private files try my Java program called slum.

2. How do I solve this?

The solution for this problem is a chroot jail for the users and the ssh system. If they log on via an sftp client (there are lots of clients for Windows as well) or even via ssh, they will be chrooted to a special folder. They will have some elementary tools, a home folder and some shared files - nothing else.

3. What do I need?

The following stuff worked on a SuSE Linux 8.0 installation. I'm not sure if this works everywhere, but I would be happy if you told me about your experiences with other systems. I got emails from people telling me that this also works on SuSE 8.1, SuSE 9.0 and SuSE 9.2.

You will at least need some packages installed. You can install them with yast or with rpm. Gentoo users just emerge them. Debian users would use apt:

For some reason (problems with PAM, I think) you have to compile the command "su" on your machine. This is not a big problem: download the sources, do a "./configure" and "make". You will later need the compiled su command in your chroot jail (it will appear in "src/su" after compilation). I put a compiled version of su with my scripts, so you won't have to do it yourself if that is OK for you.

4. What do I have to do?

Create a temp folder and copy the following files into it: create-chroot-environment, chroot-shell, juseradd, juserdel and su. Change into the temp folder. Now run the create-chroot-environment script. It will create the directory structure for your sftp server (the chroot root folder is /home/chroot by default) and copy the necessary files (read it before executing!):

./create-chroot-environment

To allow your users to execute the chroot-shell as root, add this line to your sudoers file with the command visudo:

visudo

# For SuSE add:
%users ALL = NOPASSWD: /usr/bin/chroot /home/chroot /bin/su - *

# For Gentoo add:
%users ALL = NOPASSWD: /bin/chroot /home/chroot /bin/su - *

If everything ran through without an error - fine. If you get errors, please read the create-chroot-environment script and look for the cause there.
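The general technique behind create-chroot-environment, as an added example that is not the author's script: a POSIX shell script that builds the jail skeleton, gives it its own passwd and group files, copies a list of binaries into it and resolves each binary's shared libraries with ldd so the copies actually run inside the chroot. The jail root argument, the binary list in JAIL_BINS and the skeleton passwd/group contents are assumptions made here; the author's script copies its own set of files, so read it for the exact list.

```shell
#!/bin/sh
# Added example (not the author's create-chroot-environment script): build a
# minimal chroot tree. Assumptions: the jail root is passed as $1 (default
# /home/chroot) and JAIL_BINS is the set of programs you want inside the jail.
set -eu

JAIL_BINS="sh ls cat"   # constructed list; extend as needed (su, bash, sftp-server, ...)

# Locate a program on PATH. command -v is avoided because it reports shell
# builtins (e.g. "pwd") by name instead of a file we could copy.
find_bin() (
    IFS=:
    for dir in $PATH; do
        if [ -x "$dir/$1" ] && [ ! -d "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    return 1
)

# Copy one file into the jail under the same absolute path, dereferencing
# symlinks so a link like /bin/sh -> bash becomes a real file in the jail.
jail_copy() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -L "$src" "$jail$src"
}

# Copy every shared library a binary needs. ldd prints lines such as
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
#   /lib64/ld-linux-x86-64.so.2 (0x...)
# so every field starting with "/" that is a regular file gets copied. A static
# binary, or a host without ldd, simply needs nothing here.
jail_copy_libs() {
    jail=$1; bin=$2
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        if [ -f "$lib" ]; then
            jail_copy "$jail" "$lib"
        fi
    done
    return 0
}

# Create the skeleton and populate it. Returns non-zero if a listed binary
# cannot be found on the host.
build_jail() {
    jail=${1:-/home/chroot}
    for d in bin etc lib home tmp; do
        mkdir -p "$jail/$d"
    done
    chmod 1777 "$jail/tmp"
    # The jail gets its own passwd/group (constructed content): only accounts
    # later added to these files are known inside the chroot.
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$jail/etc/passwd"
    printf 'root:x:0:\nusers:x:100:\n' > "$jail/etc/group"
    for name in $JAIL_BINS; do
        path=$(find_bin "$name") || { echo "missing binary: $name" >&2; return 1; }
        jail_copy "$jail" "$path"
        jail_copy_libs "$jail" "$path"
    done
    return 0
}
```

Run it as root with the real jail root (`build_jail /home/chroot`) or, to inspect what it would produce, with any writable directory; the library resolution is what most hand-built jails get wrong, and `ldd` is the check to re-run whenever a host binary is upgraded.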

5. How do I add/activate a user now?

If you want to add a new user to your ssh jail you will have to do several steps, or you can just use my tiny script juseradd:

dino:/tmp/jail # ./juseradd bob
Adding user to system...
Adding new user to jail...
Creating jail home for new user...
dino:/tmp/jail # su - bob
bash-2.05$ pwd
/home/bob
bash-2.05$ exit
dino:/tmp/jail #
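The three steps juseradd reports above (system account, jail passwd entry, jail home), as an added example that is not the author's juseradd or juserdel script. The jail-side part is split into its own function so it can be run and checked without root. Assumptions made here: the jail already has etc/passwd and etc/group, jail users get /bin/bash as their shell (matching the bash prompt in the session above), the system account is created with useradd in the users group named in the sudoers line, and the counterpart function mirrors what juserdel would do on the jail side.

```shell
#!/bin/sh
# Added example (not the author's juseradd/juserdel scripts). Assumptions:
# JAIL defaults to /home/chroot, it already contains etc/passwd, and jail
# users get /bin/bash.
set -eu

JAIL=${JAIL:-/home/chroot}
JAIL_SHELL=/bin/bash

# Step 2 and 3 of juseradd: take a system passwd line
# ("name:x:uid:gid:gecos:home:shell"), rewrite home and shell for the jail,
# append it to $jail/etc/passwd unless the name is already there, and create
# the home directory inside the jail. Prints the entry that was written.
jail_add_entry() {
    jail=$1; line=$2
    name=${line%%:*}
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    gecos=$(printf '%s\n' "$line" | cut -d: -f5)
    # Only plain account names: the name is later used in a grep pattern and a path.
    case "$name" in
        ''|*[!A-Za-z0-9._-]*) echo "bad user name: $name" >&2; return 1 ;;
    esac
    if grep -q "^$name:" "$jail/etc/passwd"; then
        echo "$name is already in the jail" >&2
        return 1
    fi
    entry="$name:x:$uid:$gid:$gecos:/home/$name:$JAIL_SHELL"
    printf '%s\n' "$entry" >> "$jail/etc/passwd"
    mkdir -p "$jail/home/$name"
    chmod 700 "$jail/home/$name"
    # chown needs root; when building the real jail you are root anyway.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$uid:$gid" "$jail/home/$name"
    fi
    printf '%s\n' "$entry"
}

# Full juseradd equivalent (needs root): step 1 creates the system account,
# then its passwd line is mirrored into the jail. "-g users" is an assumption
# matching the %users group in the sudoers line.
juseradd_example() {
    name=$1
    useradd -m -g users "$name"
    jail_add_entry "$JAIL" "$(getent passwd "$name")"
}

# Jail-side counterpart of juserdel: drop the entry and the jail home. The
# system account itself is left to userdel.
jail_del_entry() {
    jail=$1; name=$2
    grep -v "^$name:" "$jail/etc/passwd" > "$jail/etc/passwd.tmp" || true
    mv "$jail/etc/passwd.tmp" "$jail/etc/passwd"
    rm -rf "$jail/home/$name"
}
```

Keeping the uid and gid identical in both passwd files is the point of the mirroring: files the user writes inside the jail are then owned by the same account the real system knows, and `su - bob` inside the chroot resolves to the same identity as outside.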

As you can see, we are in the jail now. If you want to log in over ssh you will have to give your new user a password (in your real system) and make sure that he/she is allowed to log in over ssh (see /etc/ssh/sshd_config for details):

dino:/tmp/jail # passwd bob
Changing password for bob.
New password:
Re-enter new password:
Password changed

Let's try an ssh login now:

dino:/tmp/jail # ssh bob@localhost
bob@localhost's password:
Have a lot of fun...
bash-2.05$ pwd
/home/bob

You can delete users the same way with my script juserdel.

That's all.

Good luck, Jens

6. Download section

chroot-shell

create-chroot-environment

juseradd

juserdel