Chroot’ing users with openssh

I recently learned about the new ChrootDirectory in OpenSSH 5.2, and wanted to play around with it to see what it was capable of. To begin my quest, I started off by creating a couple of users that would be chroot’ed to their home directories when they logged into the server with sftp. Once the users were created, I added the following configuration stanza to my sshd_config file to chroot these users when they logged in with their sftp client:

Subsystem       sftp    internal-sftp

Match user u1,u2,u3
         ChrootDirectory /home/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp



Once these directives where added, I started up the daemon in debug mode:

$ /usr/local/sbin/sshd -ddd -f /usr/local/etc/sshd_config

Debug mode will cause the daemon to log verbosely to stdout, which is extremely useful for locating problems with new configuration directives. Now that the daemon was running, I tried to login with the user u1:

$ sftp -oPort=222 u1@192.168.1.15
Connecting to 192.168.1.15…
u1@192.168.1.15’s password:
Read from remote host 192.168.1.15: Connection reset by peer
Connection closed

The first attempt was a no go, but luckily verbose logging made debugging this issue a snap:

debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug3: safely_chroot: checking ‘/’
debug3: safely_chroot: checking ‘/home/’
debug3: safely_chroot: checking ‘/home/u1’
bad ownership or modes for chroot directory “/home/u1”

After changing /home/u1 to be owned by root, I was able to login and poke around:

$ sftp -oPort=222 u1@192.168.1.15
Connecting to 192.168.1.15…
u1@192.168.1.15’s password:
sftp> pwd
Remote working directory: /
sftp> ls -l
drwxr-xr-x 2 1001 1001 4096 Mar 15 15:03 uploads
sftp> cd uploads
sftp> ls -l
-rw-r–r– 1 1001 1001 39655552 Mar 15 15:04 techtalk1.mp3
sftp> put techtalk2*
Uploading techtalk2.mp3 to /uploads/techtalk2.mp3
techtalk2.mp3 3% 3776KB 2.3MB/s 00:39 ETA^
sftp> ls -l
-rw-r–r– 1 1001 1001 5046272 Mar 15 15:11 techtalk2.mp3
-rw-r–r– 1 1001 1001 39655552 Mar 15 15:04 techtalk1.mp3

This is super useful, though building chroot jails for normal SSH sessions will require a bit more work (i.e., you need to populate the chroot directory with all the config files and binaries needed to run a typical shell session). Makejail can make this a WHOLE lot easier, and I am about to submit a patch to the makejail developers to allow it to work on Solaris hosts. OpenSSH rocks!

2 thoughts on “Chroot’ing users with openssh”

  1. Hello!
    Very Interesting post! Thank you for such interesting resource!
    PS: Sorry for my bad english, I’v just started to learn this language ;)
    See you!
    Your, Raiul Baztepo

  2. The “new” Chrooting of sshd is a great idea, took a little head-banging to figure it out…

    If I’d only thought of the debug mode ‘-ddd’ it would made things much easier.

    Great Post!

Leave a Reply

Your email address will not be published. Required fields are marked *