Openssh-chroot
From ArchWiki
OpenSSH-chroot HOWTO (by Shastry & ZaxX)
OpenSSH-chroot is based on the standard OpenSSH package and adds the ability to create a chroot jail. This feature has been requested by many people, and most large Linux distributions already offer it as an add-on, which is why we decided to add it to Arch Linux as well. OpenSSH-chroot works just like the ordinary OpenSSH package, with some extra functionality added.
Note: this is for SSH (remote) users only. Also, although it is easy to install for all users, we only recommend it to intermediate or advanced users because of its underlying complexity.
Once the installation and configuration process is complete you can add as many users as wanted/needed to the chroot environment with ease.
Note: some applications do not like to be in a chroot jail because of the way they have been coded/implemented, but we have done the tedious job for you by adding 'screen' and 'irssi' to the chroot environment. We will continue to update this package with more hard-to-implement apps as time allows.
Warning: this is not a 100% secure setup. Very experienced hackers might (with a very slim chance) break out of even this SSH-based chroot jail. For a bulletproof setup we recommend compiling the kernel with the grsecurity patch.
Install-process
This package is available in the community repository. To install it, run
pacman -S openssh-chroot
- Note! 'openssh-chroot' WILL conflict with the ordinary 'openssh'. So, remove 'openssh' with 'pacman -Rd openssh' before installing openssh-chroot. This is quite all right.
- Edit '/usr/sbin/chroot_create' to add or remove the apps which will be available in the chroot jail.
- Time to create the actual environment:
/usr/sbin/chroot_create [<chroot-rootdir>]
- If the optional chroot-rootdir isn't given on the command line, the script uses the hardcoded default '/chroot' instead.
Configuration-process
- Add the following line to /etc/fstab:
none /<chroot-rootdir>/dev/pts devpts defaults 0 0
- Now you have to restart your ssh-daemon:
/etc/rc.d/sshd restart
Adding new chrooted users
- The automagical way:
chroot_adduser <username> <chroot-rootdir>
- OR you can do it the manual way:
/usr/sbin/groupadd <username>
/usr/sbin/useradd -d /<chroot-rootdir>/./home/<username> -g <username> -m -s /bin/bash <username>
- NOTE! The dot in the line above is what jails the user.
- Now we need to add one line to both /<chroot-rootdir>/etc/passwd and /<chroot-rootdir>/etc/group.
cat /etc/passwd
- Now copy the whole line with <username> from the output.
echo '<paste here>' >> /<chroot-rootdir>/etc/passwd
- For example:
zaxx:x:1001:1001::/home/chroot/./home/zaxx:/bin/bash
Unfortunately you have to REMOVE part of the home path after this. Edit /<chroot-rootdir>/etc/passwd and remove characters until the line looks like this:
zaxx:x:1001:1001::/home/zaxx:/bin/bash
- Now we need to copy the line with <username> in /etc/group.
cat /etc/group
echo '<paste here>' >> /<chroot-rootdir>/etc/group
- Now it's time to set a password for the newly created user.
/usr/bin/passwd <username>
- We also want to modify <username>'s home directory slightly.
/bin/chmod 700 /<chroot-rootdir>/./home/<username>
/bin/chown -R <username>:<username> /<chroot-rootdir>/./home/<username>
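The manual steps above collected into one script, as an added example that is not the package's own chroot_adduser. It assumes the jail was built with chroot_create so that /<chroot-rootdir>/etc/passwd and /<chroot-rootdir>/etc/group already exist; the awk rewrite of the home-directory field (the part the page asks you to do by hand) and the duplicate-entry check are helpers written here, not something the page provides.

```shell
#!/bin/sh
# Added example: the manual "add a chrooted user" steps from this page as one
# script. Not part of the openssh-chroot package; it assumes the jail was built
# with chroot_create so <chroot-rootdir>/etc/passwd and /etc/group exist.
# Usage (as root): ./add_chrooted_user.sh <username> <chroot-rootdir>

# Print the entry for user $1 from a passwd/group-style file $2 (empty if absent).
lookup_entry() {
    awk -F: -v user="$1" '$1 == user { print; exit }' "$2"
}

# Rewrite the home field of passwd line $1 so the jailed copy no longer carries
# the "<chroot-rootdir>/." prefix, i.e. the edit the page asks you to make by hand:
#   zaxx:x:1001:1001::/chroot/./home/zaxx:/bin/bash -> zaxx:x:1001:1001::/home/zaxx:/bin/bash
# Lines whose home is not under the jail are returned unchanged.
strip_chroot_prefix() {
    printf '%s\n' "$1" | awk -F: -v root="${2%/}/." '
        BEGIN { OFS = ":" }
        index($6, root) == 1 { $6 = substr($6, length(root) + 1) }
        { print }'
}

# Full procedure; needs root. $1 = username, $2 = chroot root directory.
add_chrooted_user() {
    user="$1"; root="${2%/}"
    [ -f "$root/etc/passwd" ] && [ -f "$root/etc/group" ] || {
        echo "$root does not look like a jail made by chroot_create" >&2; return 1; }
    # refuse to append a second entry for a user already listed in the jail
    if [ -n "$(lookup_entry "$user" "$root/etc/passwd")" ]; then
        echo "$user is already listed in $root/etc/passwd" >&2; return 1
    fi
    /usr/sbin/groupadd "$user"
    # the "/./" in the home path is what makes sshd jail the user
    /usr/sbin/useradd -d "$root/./home/$user" -g "$user" -m -s /bin/bash "$user"
    # jailed copies of the account lines, passwd with the prefix stripped
    strip_chroot_prefix "$(lookup_entry "$user" /etc/passwd)" "$root" >> "$root/etc/passwd"
    lookup_entry "$user" /etc/group >> "$root/etc/group"
    /usr/bin/passwd "$user"
    /bin/chmod 700 "$root/./home/$user"
    /bin/chown -R "$user:$user" "$root/./home/$user"
}

# Only run the procedure when invoked with both arguments as root; sourcing
# the file (or running it without arguments) just defines the functions.
if [ "$#" -eq 2 ] && [ "$(id -u)" -eq 0 ]; then
    add_chrooted_user "$1" "$2"
fi
```

The prefix is matched with awk's literal index() rather than a regular expression, so a chroot directory containing '.' or other regex metacharacters is handled correctly, and an entry whose home does not live under the jail is appended unchanged.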
Testing your chrootjail
chroot /<chroot-rootdir>/ /bin/bash
- If the above doesn't work you have done something seriously wrong in the install process. How? We have no idea. Remove the chroot jail and the user (rm -rf <chroot-rootdir> && userdel -r <username>) and do it all over.
ssh <username>@localhost
- If that works you have a fully working chrootjail. Congratz!
- Note! If the first test is successful but the ssh test isn't, it is quite possible that your /etc/hosts.allow is misconfigured. Add the following to that file and try the ssh test once again:
ALL: localhost
sshd: ALL