
Here’s how to set up rssh on Ubuntu to allow sftp only, inside a chroot directory. Note that these instructions are for Ubuntu Server 9.04 x64; other versions may require changes, and the library names and versions listed below will differ.

First, add the rssh package.

sudo apt-get install rssh

Second, edit /etc/rssh.conf. Uncomment the #allowsftp line and one of the #chrootpath lines, and set chrootpath to wherever you want your top-level chroot directory. Leave the other allow lines (scp, rsync, cvs, rdist) commented out: rssh denies anything that is not explicitly allowed, which is what makes these accounts sftp-only.

Third, create or modify the users who should have sftp access and set their login shell to /usr/bin/rssh.

Fourth, set up the chroot environment, which means copying the following files from the main system into your chroot directory, preserving their paths (the versions shown are those on Ubuntu 9.04 x64; check your own system):

./etc/ld.so.cache
./etc/resolv.conf
./etc/ld.so.conf.d/x86_64-linux-gnu.conf
./etc/ld.so.conf.d/libc.conf
./etc/ld.so.conf
./etc/passwd
./etc/group
./etc/nsswitch.conf
./etc/rssh.conf
./usr/bin/rssh
./usr/lib/libgssapi_krb5.so.2.2
./usr/lib/rssh/rssh_chroot_helper
./usr/lib/openssh/sftp-server
./usr/lib/libk5crypto.so.3.1
./usr/lib/libkrb5support.so.0.1
./usr/lib/libkrb5.so.3.3
./lib/libutil-2.9.so
./lib/libz.so.1.2.3.3
./lib/libpthread-2.9.so
./lib/libdl-2.9.so
./lib/libnsl-2.9.so
./lib/libcrypt-2.9.so
./lib/ld-2.9.so
./lib/libresolv-2.9.so
./lib/libnss_files-2.9.so
./lib/libc-2.9.so
./lib/libkeyutils-1.2.so
./lib/libcom_err.so.2.1
./lib/libnss_compat-2.9.so
./lib/libcrypto.so.0.9.8

Additionally, set up these symbolic links, again mirroring what is on the main system (each points at the versioned library copied above; lib64 points at lib).

./usr/lib/libkrb5support.so.0
./usr/lib/libgssapi_krb5.so.2
./usr/lib/libk5crypto.so.3
./usr/lib/libkrb5.so.3
./lib/ld-linux-x86-64.so.2
./lib/libutil.so.1
./lib/libkeyutils.so.1
./lib/libnss_files.so.2
./lib/libnsl.so.1
./lib/libcom_err.so.2
./lib/libdl.so.2
./lib/libc.so.6
./lib/libz.so.1
./lib/libresolv.so.2
./lib/libpthread.so.0
./lib/libnss_compat.so.2
./lib/libcrypt.so.1
./lib64

Strip out the users and groups you don’t want visible from the chroot’s etc/passwd and etc/group; only root and the sftp users need to remain. Do not copy /etc/shadow into the chroot, as nothing in the jail needs it.

Fifth, create a dev directory in your chroot directory, then, as root and from the top of the chroot directory, create the null device in it as follows.

mknod -m 666 dev/null c 1 3

Sixth, so that sftp-server can log from inside the jail, edit /etc/default/syslogd and update the SYSLOGD="" line as follows, replacing [chroot dir] with your chrootpath.

SYSLOGD="-a /[chroot dir]/dev/log"

Then restart syslogd.

sudo /etc/init.d/sysklogd restart

Finally, test from another machine: sftp to the host as one of the rssh users should succeed and show only the contents of the jail, while ssh to the same account should be refused by rssh with a message that the account is restricted.

Note that if you add users or groups to the system /etc/passwd and /etc/group, the new entries will need to be copied again (possibly just the new lines) into the corresponding files under the chroot directory’s etc.
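As an added example (not part of the original post or the rssh project), here is a script that automates steps four and five. Instead of the hand-maintained file list above, it asks ldd which shared objects each jailed binary needs and copies them, recreating every symlink in the chain (libc.so.6 -> libc-2.9.so) so the jail matches the host; it also trims etc/passwd and etc/group down to root plus the named users and creates dev/null. The jail root and user names are taken from the command line, and the presence of ldd and the three binary paths are assumptions about the host.

```sh
#!/bin/sh
# build-rssh-jail.sh: populate an rssh sftp chroot from the live system.
# Added example, not from the original post or the rssh project. Assumed
# layout: the jail root is the first argument, the remaining arguments are
# the sftp-only user names, and ldd(1) is available on the host.
set -e

# Binaries the jail needs (the same set the hand-made list above copies).
BINARIES="/usr/bin/rssh /usr/lib/rssh/rssh_chroot_helper /usr/lib/openssh/sftp-server"
# Loader and resolver configuration that libc reads inside the jail.
CONFIGS="/etc/ld.so.cache /etc/ld.so.conf /etc/resolv.conf /etc/nsswitch.conf /etc/rssh.conf"

# parse_ldd: read ldd(1) output on stdin and print one absolute library path
# per line. Handles both "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare
# loader line "/lib64/ld-linux-x86-64.so.2 (0x...)"; the vDSO has no path
# and is skipped.
parse_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }
         $1 ~ /^\// && $2 !~ /=>/  { print $1 }'
}

# jail_deps BIN: shared objects BIN links against, as seen by the host loader.
jail_deps() {
    ldd "$1" 2>/dev/null | parse_ldd
}

# jail_copy JAIL SRC: copy the regular file SRC into JAIL at the same absolute
# path. Every symlink in the chain is recreated with its original link text,
# so relative links stay relative and absolute ones resolve inside the jail
# after chroot(). Parent directories are always created as real directories.
jail_copy() {
    jc_jail=$1; jc_src=$2
    while [ -L "$jc_src" ]; do
        jc_link=$(readlink "$jc_src")
        mkdir -p "$jc_jail$(dirname "$jc_src")"
        ln -sfn "$jc_link" "$jc_jail$jc_src"
        case "$jc_link" in
            /*) jc_src=$jc_link ;;
            *)  jc_src="$(dirname "$jc_src")/$jc_link" ;;
        esac
    done
    mkdir -p "$jc_jail$(dirname "$jc_src")"
    cp -p "$jc_src" "$jc_jail$jc_src"
}

# jail_trim_passwd NAME...: filter /etc/passwd (or /etc/group) on stdin down
# to root plus the named entries, so the jail does not enumerate every
# account on the host. /etc/shadow is never copied into the jail.
jail_trim_passwd() {
    awk -F: -v keep="root $*" '
        BEGIN { n = split(keep, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 in want'
}

# build_jail JAIL USER...: assemble the whole chroot. Must run as root.
build_jail() {
    bj_jail=$1; shift
    mkdir -p "$bj_jail/dev" "$bj_jail/etc"
    for bin in $BINARIES; do
        jail_copy "$bj_jail" "$bin"
        for lib in $(jail_deps "$bin"); do
            jail_copy "$bj_jail" "$lib"
        done
    done
    # NSS modules are dlopen()ed at run time, so ldd never lists them; without
    # libnss_files the jailed sftp-server cannot look up its own uid.
    for lib in /lib/libnss_files.so.* /lib/libnss_compat.so.* \
               /lib/*-linux-gnu/libnss_files.so.* /lib/*-linux-gnu/libnss_compat.so.*; do
        if [ -e "$lib" ]; then jail_copy "$bj_jail" "$lib"; fi
    done
    for cfg in $CONFIGS; do
        if [ -e "$cfg" ]; then jail_copy "$bj_jail" "$cfg"; fi
    done
    # Ubuntu gives each user a private group of the same name, so the same
    # name list filters both files.
    jail_trim_passwd "$@" < /etc/passwd > "$bj_jail/etc/passwd"
    jail_trim_passwd "$@" < /etc/group  > "$bj_jail/etc/group"
    chmod 644 "$bj_jail/etc/passwd" "$bj_jail/etc/group"
    [ -e "$bj_jail/dev/null" ] || mknod -m 666 "$bj_jail/dev/null" c 1 3
    # The jail root must be root-owned and not writable by the jailed users.
    chown root:root "$bj_jail"
    chmod 755 "$bj_jail"
}

# Run only when invoked with arguments, e.g.:
#   sudo sh build-rssh-jail.sh /chroot alice bob
if [ $# -gt 0 ]; then
    build_jail "$@"
fi
```

Re-run the script whenever you add an sftp user or upgrade rssh, openssh-server or libc, since the copies in the jail do not follow package updates. The jail ends up with a real lib64 directory holding the loader rather than the lib64 symlink in the list above; both work, and a real directory avoids an absolute symlink that, when followed from outside the chroot, would point at the host’s /lib.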

References:

Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only