Ubuntu - rssh - sftp only, with chroot
Here’s how to set up rssh on Ubuntu to allow sftp only, with a chroot directory. Note that these instructions are for Ubuntu Server 9.04 x64; other versions may require changes.
First, add the rssh package.
sudo apt-get install rssh
Second, edit /etc/rssh.conf. Uncomment the #allowsftp line and one of the #chrootpath lines, and set the chrootpath to wherever you want your top-level chroot directory.
Third, modify or add whichever users you want to have sftp access, and set their shell to /usr/bin/rssh.
Fourth, set up the chroot environment, which includes copying the following from the main system into your chroot directory:
./etc/ld.so.cache
./etc/resolv.conf
./etc/ld.so.conf.d/x86_64-linux-gnu.conf
./etc/ld.so.conf.d/libc.conf
./etc/ld.so.conf
./etc/passwd
./etc/group
./etc/nsswitch.conf
./etc/rssh.conf
./usr/bin/rssh
./usr/lib/libgssapi_krb5.so.2.2
./usr/lib/rssh/rssh_chroot_helper
./usr/lib/openssh/sftp-server
./usr/lib/libk5crypto.so.3.1
./usr/lib/libkrb5support.so.0.1
./usr/lib/libkrb5.so.3.3
./lib/libutil-2.9.so
./lib/libz.so.1.2.3.3
./lib/libpthread-2.9.so
./lib/libdl-2.9.so
./lib/libnsl-2.9.so
./lib/libcrypt-2.9.so
./lib/ld-2.9.so
./lib/libresolv-2.9.so
./lib/libnss_files-2.9.so
./lib/libc-2.9.so
./lib/libkeyutils-1.2.so
./lib/libcom_err.so.2.1
./lib/libnss_compat-2.9.so
./lib/libcrypto.so.0.9.8
Additionally, set up these links, again mirroring what is set up on the main system.
./usr/lib/libkrb5support.so.0
./usr/lib/libgssapi_krb5.so.2
./usr/lib/libk5crypto.so.3
./usr/lib/libkrb5.so.3
./lib/ld-linux-x86-64.so.2
./lib/libutil.so.1
./lib/libkeyutils.so.1
./lib/libnss_files.so.2
./lib/libnsl.so.1
./lib/libcom_err.so.2
./lib/libdl.so.2
./lib/libc.so.6
./lib/libz.so.1
./lib/libresolv.so.2
./lib/libpthread.so.0
./lib/libnss_compat.so.2
./lib/libcrypt.so.1
./lib64
You may want to strip out users/groups you don’t want visible from the etc/passwd and etc/group files.
Fifth, create a dev directory in your chroot directory, then create dev/null in it as follows (run from within the chroot directory).
mknod -m 666 dev/null c 1 3
Sixth, edit /etc/default/syslogd and update the SYSLOGD="" line as follows, substituting your chroot directory.
SYSLOGD="-a /[chroot dir]/dev/log"
Then restart syslogd.
sudo /etc/init.d/sysklogd restart
Finally, test.
Note that if you add users/groups to the system /etc/passwd and /etc/group files, they will need to be copied again (possibly just the new lines) into the corresponding files under the chroot directory’s etc.
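The file and link copying of step four, the passwd/group trimming, and the dev/null of step five, as an added shell example that is not part of the original post; the function names copy_into_chroot, filter_passwd and make_chroot_dev, and the /var/chroot and sftpuser values in the usage comments, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: mirror the listed files and
# symlinks from a source root (normally /) into the chroot directory, build a
# trimmed etc/passwd, and create dev/null. A staging tree works as the source.
set -eu

# copy_into_chroot SRC_ROOT CHROOT PATH...
# PATH is relative to SRC_ROOT, as in the list above (e.g. ./usr/bin/rssh).
# Symlinks are recreated with the same target as on the main system, so
# targets like ld-2.9.so resolve inside the jail; files keep their mode.
copy_into_chroot() {
    src="$1"; jail="$2"; shift 2
    for rel in "$@"; do
        rel="${rel#./}"
        from="$src/$rel"; to="$jail/$rel"
        mkdir -p "$(dirname "$to")"
        if [ -L "$from" ]; then
            rm -f "$to"
            ln -s "$(readlink "$from")" "$to"
        elif [ -f "$from" ]; then
            cp -p "$from" "$to"
        else
            echo "not found on source system: $from" >&2
            return 1
        fi
    done
}

# filter_passwd SRC_FILE DST_FILE NAME...
# Writes only the named entries of a passwd/group-style file, so accounts
# that do not need to be visible inside the jail are left out.
filter_passwd() {
    src="$1"; dst="$2"; shift 2
    mkdir -p "$(dirname "$dst")"
    keep="$(printf '%s,' "$@")"
    awk -F: -v keep="$keep" '
        BEGIN { n = split(keep, a, ","); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want)' "$src" > "$dst"
}

# make_chroot_dev CHROOT: the dev/null device from step five (needs root).
make_chroot_dev() {
    mkdir -p "$1/dev"
    [ -c "$1/dev/null" ] || mknod -m 666 "$1/dev/null" c 1 3
}

# Usage on the live system (assumed paths), for example:
#   copy_into_chroot / /var/chroot ./usr/bin/rssh ./lib/libc-2.9.so ./lib/libc.so.6
#   filter_passwd /etc/passwd /var/chroot/etc/passwd root sftpuser
#   make_chroot_dev /var/chroot
```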