ARTICLES

CHROOT JAIL WITH OPENSSH 6

 

This was done on Centos 6.3:

 

Install base packages:

yum install gcc wget unzip make perl xauth telnet

 

Install and Configure Zlib:

cd /tmp
mkdir -p /opt/zlib
wget http://zlib.net/zlib127.zip
unzip zlib127.zip
cd zlib-1.2.7
./configure --prefix=/opt/zlib
make
make install prefix=/opt/zlib

 

Install Openssl:

cd /tmp
mkdir -p /opt/openssl
wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
tar xvzf openssl-1.0.1c.tar.gz
cd openssl-1.0.1c
./config --prefix=/opt/openssl --openssldir=/opt/openssl
make
make test
make install

Download Openssh:

cd /tmp
mkdir -p /opt/openssh
wget http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/openssh-6.1p1.tar.gz
tar xvzf openssh-openssh-6.1p1.tar.gz
cd openssh-6.1p1

 

Install Openssh:

./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl --with-xauth=/usr/bin/xauth --with-zlib=/opt/zlib
make
make install

 

Create custom /etc/init.d/sshd script:

# Some functions to make the below more readable
KEYGEN=/opt/openssh/bin/ssh-keygen
SSHD=/opt/openssh/sbin/sshd
RSA1_KEY=/opt/openssh/etc/ssh_host_key
RSA_KEY=/opt/openssh/etc/ssh_host_rsa_key
DSA_KEY=/opt/openssh/etc/ssh_host_dsa_key

 

Check it Works:

/etc/init.d/sshd restart
telnet localhost 22

(if not check iptables)

 

Edit /opt/openssh/etc/sshd_config - replace this:

Subsystem       sftp    /opt/openssh/libexec/sftp-server

 

With This:

Subsystem       sftp    internal-sftp

 

And add this to the bottom:

Match Group sftponly
ChrootDirectory /home/jail/%u
ForceCommand internal-sftp
AllowTcpForwarding no

 

Add SFTPOnly Group:

groupadd sftponly
mkdir /home/jail
chown root:root /home/jail
chmod 755 /home/jail

 

Add SFTPOnly User:

 

useradd --home /home/jail/sftp sftp
usermod -g sftponly sftp
usermod -s /sbin/nologin sftp
passwd sftp

 

Change the permissions to make CHRoot Jail work:

chmod 755 /home/jail/sftp
chown root:root /home/jail/sftp
mkdir /home/jail/sftp/public_html
chown sftp:sftponly /home/jail/sftp/public_html

You should now be done!

You should not be able to ssh but you should be able to sftp to /home/jail/sftp only, and write/execute/delete to /home/jail/sftp/public_home only