OpenSSH chrooting

From LQWiki


Maybe someone wants to add experiences with or comments on this.

I mean, stuff like:
http://chrootssh.sourceforge.net
http://mail.incredimail.com/howto/openssh/index.html


The method for creating a chroot explained at the first link above doesn't seem to work, so I have written a short script to create a chroot folder:

#!/bin/bash
#chroot script v1.0
# Build a minimal /chroot tree with a few shell tools and the shared libraries they need.
cd /;                  mkdir -p chroot/{dev,bin,usr/bin}
# /dev/zero is character device 1,5 and /dev/null is 1,3 (the original numbers were wrong)
cd /chroot/dev;        mknod -m 666 zero c 1 5; mknod -m 666 null c 1 3
cd /chroot/bin;        cp /bin/{cp,ls,mkdir,mv,rm,rmdir,sh} ./
# a single name inside {} is not brace-expanded by bash, so copy it directly
cd /chroot/usr/bin;    cp /usr/bin/rsync ./

# For every binary copied above, list the shared libraries it needs (including the
# dynamic loader, which ldd prints without a "=>"), de-duplicate the list and copy
# each library to the same path inside /chroot, creating the directory first.
for bin in $(find /chroot -type f -path '*bin/*'); do
       ldd "$bin" | grep -o '/[^ ]*' | grep lib/
done | sort -u |
while read -r lib; do
       mkdir -p "/chroot$(dirname "$lib")"
       cp "$lib" "/chroot$lib"
done

This creates a /chroot folder with probably most of the things you need; please feel free to improve it and comment. Remember, I do not guarantee it will work, nor will I take any responsibility.

--Hackeron 13:58, May 9, 2004 (EDT)

If you're only concerned with a user using "standard" Linux utilities inside the chroot and have limited space, have a look at "Busybox". Busybox is a single binary that mimics (to some extent) the behaviour of fileutils/psutils. Be aware some binaries like mount, mknod and setuid/setgid binaries should *never* be put in a chroot jail in whatever form, and that some utils (like the ones that rely on /proc for instance) may not work if you're for instance using the Grsecurity kernel patch (user /proc separation, enhanced chroot functionality) or if /proc is not mounted inside the chroot jail. Just to make sure: /proc should *not* be mounted inside a chroot jail.

--TruckStuff 2004-10-12 09-14 (CDT)
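An added shell example (not from the wiki page or from either contributor) that turns the warnings above into a check you can run against a chroot tree before handing it to users: it flags setuid/setgid files, copies of mount/umount/mknod, device nodes other than null and zero, and a populated /proc. The directory layout it inspects is assumed to be the /chroot/{bin,dev,usr/bin} shape built by the script in Hackeron's post; the two demo trees at the bottom are constructed in a temporary directory and are not real jails.

```shell
#!/bin/sh
# Audit a chroot tree for things that should never be inside it: setuid/setgid
# binaries, mount/umount/mknod, device nodes other than null and zero, and a
# mounted or pre-populated /proc. Prints one line per finding and returns
# non-zero when anything was found. Added example; the tree layout is assumed.
audit_chroot() {
    root=$1
    findings=0
    # 1. setuid / setgid files anywhere under the tree
    for f in $(find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null); do
        echo "setuid/setgid binary: $f"
        findings=$((findings + 1))
    done
    # 2. tools that let a jailed user alter the filesystem view or create devices
    for name in mount umount mknod; do
        for f in $(find "$root" -type f -name "$name" 2>/dev/null); do
            echo "dangerous tool inside jail: $f"
            findings=$((findings + 1))
        done
    done
    # 3. device nodes other than null and zero (disks, ttys, memory devices, ...)
    for f in $(find "$root/dev" \( -type c -o -type b \) 2>/dev/null); do
        case $(basename "$f") in
            null|zero) ;;
            *) echo "unexpected device node: $f"; findings=$((findings + 1)) ;;
        esac
    done
    # 4. /proc should not be mounted or populated inside the jail
    if [ -d "$root/proc" ] && [ -n "$(ls -A "$root/proc" 2>/dev/null)" ]; then
        echo "/proc is populated inside the jail: $root/proc"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed demo trees (not real jails): one clean, one with three problems.
# Device nodes are not created here because mknod needs root; the check for
# them still runs against a real /chroot/dev.
make_demo_trees() {
    demo=$(mktemp -d)
    mkdir -p "$demo/clean/bin" "$demo/clean/dev"
    printf '#!/bin/sh\n' > "$demo/clean/bin/sh"
    mkdir -p "$demo/bad/bin" "$demo/bad/dev" "$demo/bad/proc"
    printf '#!/bin/sh\n' > "$demo/bad/bin/sh"
    chmod u+s "$demo/bad/bin/sh"          # setuid copy of a shell
    printf '' > "$demo/bad/bin/mount"      # a mount binary in the jail
    printf '' > "$demo/bad/proc/cpuinfo"   # something left behind under /proc
    echo "$demo"
}

DEMO=$(make_demo_trees)
audit_chroot "$DEMO/clean" && echo "clean tree: no findings"
audit_chroot "$DEMO/bad" || echo "bad tree: findings reported above"
```

Run it as `audit_chroot /chroot` after building the jail; a non-zero exit means at least one line above needs attention. The /proc test deliberately treats a non-empty directory as a finding, since an empty mount point is harmless but anything populated there means /proc was mounted or copied in.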

I've just finished setting up a chroot environment for OpenSSH, so I'll contribute my experience.

I used a patch from the Sourceforge chrootssh project mentioned above. I used this guide to help: http://www.brandonhutchinson.com/chroot_ssh.html. These instructions made it pretty easy to get this running. This solution is also a bit easier than some of the other solutions I found on the net (e.g. the "scponly" package). Just a simple patch to the OpenSSH source tree, and away you go. ;)

---

For a definition of chroot, see chroot

This article is a stub and needs to be finished. Plunge forward and help it grow!
