Chrooted SFTP on Ubuntu Hardy AMD64 using RSSH

I needed to provide SFTP access on an Ubuntu Hardy AMD64 setup. After some trial and error with the varied information returned by the search engines I was able to get this working. Once you have finished the steps below you’ll be able to provide SFTP accounts to semi-trusted users who need access to your server.

First we need to install RSSH:

sudo apt-get install rssh

Then we need to edit /etc/rssh.conf:

sudo vi /etc/rssh.conf

Uncomment the following lines and change the chrootpath value to /home/chroot:

allowsftp

chrootpath = /home/chroot

Create a copy of mkchroot.sh to work with:

sudo cp /usr/share/doc/rssh/examples/mkchroot.sh ~/mkchroot.sh

Edit mkchroot.sh and update the following lines so that they match the paths reported by the command rssh -v:

scp_path="/usr/bin/scp"
sftp_server_path="/usr/lib/openssh/sftp-server"
rssh_path="/usr/bin/rssh"
chroot_helper_path="/usr/lib/rssh/rssh_chroot_helper"

We also need to include the AMD64 loader and library files in the jail and make /dev/null available inside it. Add the following directly after this line in mkchroot.sh:

mkdir -p "$jail_dir/dev"

################################
# copy the 64-bit and 32-bit dynamic loaders and the 64-bit library directory into the jail
cp /lib/ld-linux-x86-64.so.2 "$jail_dir/lib/"
cp /lib/ld-linux.so.2 "$jail_dir/lib/"
cp -pR /lib64 "$jail_dir/"
# sftp-server needs /dev/null inside the jail: a character device, major 1, minor 3
mknod -m 666 "$jail_dir/dev/null" c 1 3
################################

Save our changes to mkchroot.sh and make it executable with:

sudo chmod u+x ~/mkchroot.sh

Now make rssh a valid login shell by running the command:

sudo add-shell /usr/bin/rssh

The contents of /etc/passwd have been copied to /home/chroot/etc/passwd and should be pruned so that only the users that will be under chroot control remain. We can also create a new chrooted user. First let’s create /home/chroot/home for our chrooted users:

sudo mkdir /home/chroot/home

Then we create a new user:

sudo useradd -m -d /home/chroot/home/joe -s /usr/bin/rssh joe

Give them a password:

sudo passwd joe

Next we need to set up logging so that messages from processes inside the chroot still reach syslog.

sudo vi /etc/default/syslogd

Update the SYSLOGD="" line so that syslogd also listens on a log socket inside the chroot:

SYSLOGD="-a /home/chroot/dev/log"

The chroot helper /usr/lib/rssh/rssh_chroot_helper has to be setuid root in order to work, because chroot() is a privileged call:

sudo chmod u+s /usr/lib/rssh/rssh_chroot_helper

Without the above command you will see errors like these in /var/log/syslog:

Nov 16 20:30:04 server1 rssh[10241]: setting log facility to LOG_USER
Nov 16 20:30:04 server1 rssh[10241]: allowing sftp to all users
Nov 16 20:30:04 server1 rssh[10241]: setting umask to 022
Nov 16 20:30:04 server1 rssh[10241]: chrooting all users to /home/chroot
Nov 16 20:30:04 server1 rssh[10241]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
Nov 16 20:30:04 server1 rssh_chroot_helper[10241]: new session for joe, UID=1002
Nov 16 20:30:04 server1 rssh_chroot_helper[10241]: chroot() failed, 2: Operation not permitted
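To confirm the jail is complete before trying Joe’s login, here is an added check script (my own example, not part of rssh or the steps above). It assumes the binary paths shown above from rssh -v and that mkchroot.sh has already been run against /home/chroot; it reports files missing from the jail, shared libraries the jailed binaries need but lack, the /dev/null device, and the setuid bit on the helper.

```shell
#!/bin/sh
# Sanity check for an rssh chroot jail built with mkchroot.sh (added example,
# not part of rssh). JAIL_FILES assumes the paths printed by "rssh -v" on Hardy.

# Files that must exist inside the jail, relative to the jail root.
JAIL_FILES="usr/bin/scp usr/lib/openssh/sftp-server usr/bin/rssh \
usr/lib/rssh/rssh_chroot_helper lib/ld-linux-x86-64.so.2 etc/passwd"

# libs_missing_in_jail JAIL HOST_BINARY
# Prints each shared library the host copy of HOST_BINARY links against that is
# absent from JAIL (the same ldd-based idea mkchroot.sh uses when copying libs).
libs_missing_in_jail() {
    jail=$1 bin=$2
    command -v ldd >/dev/null 2>&1 || return 0   # nothing to check without ldd
    ldd "$bin" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
        while read -r lib; do
            [ -e "$jail$lib" ] || echo "$lib"
        done
}

# check_jail JAIL [FILE...]
# Prints one line per problem found, then the problem count (0 = jail looks complete).
check_jail() {
    jail=$1; shift
    [ $# -gt 0 ] || set -- $JAIL_FILES
    n=0
    [ -d "$jail" ] || { echo "jail $jail does not exist (did mkchroot.sh run?)"; n=$((n+1)); }
    for f in "$@"; do
        if [ ! -e "$jail/$f" ]; then
            echo "missing in jail: $f"; n=$((n+1)); continue
        fi
        [ -x "/$f" ] || continue   # only binaries present on the host can be ldd'ed
        for lib in $(libs_missing_in_jail "$jail" "/$f"); do
            echo "$f needs $lib, which is not in the jail"; n=$((n+1))
        done
    done
    # sftp-server needs /dev/null inside the jail: a character device, major 1, minor 3.
    [ -c "$jail/dev/null" ] || { echo "dev/null missing or not a character device"; n=$((n+1)); }
    # The chroot helper on the host must be setuid root or chroot() is refused.
    helper=/usr/lib/rssh/rssh_chroot_helper
    if [ -e "$helper" ] && [ ! -u "$helper" ]; then
        echo "$helper is not setuid root"; n=$((n+1))
    fi
    echo "$n"
}

# Stand-alone use: check the jail given as the first argument (default /home/chroot).
check_jail "${1:-/home/chroot}"
```

A count of 0 means every listed file, its libraries, /dev/null and the setuid helper are in place; anything else is printed above the count so you can fix it before testing the login.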

And that’s that!

You should now be able to SFTP into your box with Joe’s chrooted account.

Posted by Dave on November 16, 2008 in ubuntu

6 Comments on Chrooted SFTP on Ubuntu Hardy AMD64 using RSSH

By corey on May 18, 2009 at 5:26 pm

I followed your howto, but I keep stumbling onto one problem. The sftp user has access to all the files from /home/chroot on up… Including any additional users that you add later. How did you go about restricting the users to their /home/chroot/home directory without breaking their ability to log into the sftp?

Please let me know.

Thanks

Corey

By Dave on May 18, 2009 at 10:11 pm

Hey Corey!

The SFTP users will have access to everything in /home/chroot but they should not be able to leave the /home/chroot area. When trying to SSH in, do you get disconnected with a notice that the account is limited to SFTP only? If so then that’s a good sign things are working. (along with not being able to leave /home/chroot)

Cheers,
~Dave

By Charlie on June 7, 2009 at 7:50 pm

I just followed your tutorial for a Hardy server running on Amazon’s Elastic Compute Cloud, but I’m running into trouble: my chrooted users cannot log in: they get an error: “Fatal: unable to initialise SFTP on server: could not connect” while other users remain just fine. I’m having trouble finding the problem via Google, any ideas?

By Dave on June 9, 2009 at 8:26 pm

Hi Charlie,

You may possibly need a symbolic link to sftp-server.

sudo ln /home/chroot/usr/lib/openssh/sftp-server /home/chroot/usr/lib/

Check the path with rssh -v as well.

Please let me know if that cures it. Thanks!

By Scott on July 9, 2009 at 3:32 pm

Dave

I followed your instruction but failed to get it to work. I suspect that the “~/mkchroot.sh” didn’t quite get made executable successfully. I don’t see the “$jail_dir” directory. I set the chrootpath to my desired rather than /home/chroot. Does the chrootpath have to be /home/chroot? How do I make sure that ~/mkchroot.sh gets made executable successfully?

Scott

By Dave on July 12, 2009 at 10:11 pm

Hey Scott! Sorry for the late reply on this. If you set chrootpath to another destination it may possibly not have had the permissions to create the path structure. You can perhaps create them manually after the fact and see if that allows everything else to fall into place. Please let me know how it goes. Thanks!
