SSH and SFTP Chroot Jail

SSH and SFTP Chroot Jail
Photo by Andrea Schaffer

For a little while now I've wanted to be able to chroot both SFTP and SHH accounts on one of my multi-user VPSs.

SFTP on its own is not so difficult. OpenSSH 4.9p1 and above includes the ChrootDirectory directive. And an SFTP chroot is a little more forgiving in so far as it doesn't actually require any supporting system or userpsace services (a shell, ls, cp, etc.), which is why you often see ChrootDirectory accompanied with ForceCommand internal-sftp which will prevent SSH access altogether.

What I'd like to do is create a restricted environment for both SSH and SFTP.

I spent a little while looking at a very interesting project from Olivier Sessink called Jailkit. Jailkit has most of what I was looking for but, it has quite a few moving parts, including the need to replace a users shell with a special Jailkit shim that hands over to Jailkit. This is okay but it means changes to passwd are required, and editing your /etc/ssh/sshd_config to use Subsystem sftp /usr/lib/openssh/sftp-server and not Subsystem sftp internal-sftp if you want to chroot and jail both SFTP and SHH logins.

It turns out that OpenSSH gets us most of the way there with the ChrootDirectory directive.

And so here are the steps required to create a minimal chroot jail on Ubuntu 12.04 LTS.

Read more