Chrooted SFTP on Ubuntu Hardy AMD64 using RSSH

I was in need of providing SFTP access for an Ubuntu Hardy AMD64 setup. After some trial and error with the varied information returned by the search engines I was able to get this working. Once finished with the steps below you'll be able to provide SFTP accounts to semi-trusted users who need access to your server.

First we need to install RSSH:

sudo apt-get install rssh

Then we need to edit /etc/rssh.conf:

sudo vi /etc/rssh.conf

Uncomment the following lines and change the chrootpath value to /home/chroot:

allowsftp

chrootpath = /home/chroot

Create a copy of mkchroot.sh to work with:

 sudo cp /usr/share/doc/rssh/examples/mkchroot.sh ~/mkchroot.sh

Edit mkchroot.sh and update the following lines (based on the output of the command: rssh -v):

scp_path="/usr/bin/scp"
sftp_server_path="/usr/lib/openssh/sftp-server"
rssh_path="/usr/bin/rssh"
chroot_helper_path="/usr/lib/rssh/rssh_chroot_helper"

We also need to include AMD64 library files and make /dev/null available. Add the following directly after this line:

mkdir -p "$jail_dir/dev"

################################
# 64-bit dynamic loader needed by the binaries copied into the jail
cp /lib/ld-linux-x86-64.so.2 "$jail_dir/lib/"
# 32-bit loader; only present when 32-bit compatibility libraries are installed
cp /lib/ld-linux.so.2 "$jail_dir/lib/"
# shared libraries the jailed binaries link against
cp -pR /lib64 "$jail_dir/"
# sftp-server needs /dev/null inside the jail (character device, major 1, minor 3)
mknod -m 666 "$jail_dir/dev/null" c 1 3
################################

Save our changes to mkchroot.sh and make it executable with:

 sudo chmod u+x ~/mkchroot.sh

Now make rssh a valid shell by running the command:

sudo add-shell /usr/bin/rssh

When mkchroot.sh is run against /home/chroot, it copies /etc/passwd to /home/chroot/etc/passwd; prune that copy down to only the users that will be under chroot control, since every account left in it is readable by every chrooted user. We can also create a new chrooted user. First let's create /home/chroot/home for our chrooted users:

sudo mkdir /home/chroot/home

Then we create a new user:

sudo useradd -m -d /home/chroot/home/joe -s /usr/bin/rssh joe

Give them a password:

sudo passwd joe

Next we need to set up logging.

sudo vi /etc/default/syslogd

Update the SYSLOGD="" line with our chrooted log information:

 SYSLOGD="-a /home/chroot/dev/log"

The chroot helper /usr/lib/rssh/rssh_chroot_helper has to be setuid root in order to work, because only root may call chroot():

 sudo chmod u+s /usr/lib/rssh/rssh_chroot_helper

Without the above command you will see errors like these in /var/log/syslog:

Nov 16 20:30:04 server1 rssh[10241]: setting log facility to LOG_USER
Nov 16 20:30:04 server1 rssh[10241]: allowing sftp to all users
Nov 16 20:30:04 server1 rssh[10241]: setting umask to 022
Nov 16 20:30:04 server1 rssh[10241]: chrooting all users to /home/chroot
Nov 16 20:30:04 server1 rssh[10241]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"
Nov 16 20:30:04 server1 rssh_chroot_helper[10241]: new session for joe, UID=1002
Nov 16 20:30:04 server1 rssh_chroot_helper[10241]: chroot() failed, 2: Operation not permitted

And that’s that!

You should now be able to SFTP into your box with Joe’s chrooted account.
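As an added example (not from the original post or from rssh itself), here is a POSIX sh checklist that verifies the jail built by the steps above: the files the post says must exist under the jail, the setuid bit on rssh_chroot_helper, rssh being registered as a login shell, and a jail passwd pruned down to rssh-only accounts. The jail layout is the one the post uses; the jail root, shells file, helper path and passwd copy are passed as arguments so the same checks can be run against any location.

```shell
#!/bin/sh
# Added example: sanity checks for an rssh chroot jail built with mkchroot.sh.
# Assumes the layout from the post: sftp-server under usr/lib/openssh, the
# AMD64 loader under lib, lib64, etc/passwd, dev/null and home inside the jail.

# Return 0 when every item the post requires inside the jail is present;
# print each missing item and return 1 otherwise.
check_jail() {
    jail="$1"
    missing=0
    for f in usr/lib/openssh/sftp-server lib/ld-linux-x86-64.so.2 \
             lib64 etc/passwd dev/null home
    do
        if [ ! -e "$jail/$f" ]; then
            echo "missing: $jail/$f"
            missing=1
        fi
    done
    # dev/null must be a character device, not a regular file left by cp
    if [ -e "$jail/dev/null" ] && [ ! -c "$jail/dev/null" ]; then
        echo "not a character device: $jail/dev/null"
        missing=1
    fi
    return $missing
}

# Return 0 when the helper carries the setuid bit; without it the syslog shows
# "chroot() failed, 2: Operation not permitted" as in the post.
check_setuid() {
    [ -u "$1" ]
}

# Return 0 when the shell is listed in the shells file (what add-shell does).
shell_registered() {
    grep -qxF "$2" "$1"
}

# Return 0 when every entry in the jail's passwd copy uses rssh as its shell,
# i.e. the pruning step from the post has been done.
passwd_only_rssh() {
    ! grep -v ':/usr/bin/rssh$' "$1" | grep -q .
}

# Usage: sh check_jail.sh /home/chroot
if [ $# -gt 0 ]; then
    check_jail "$1"
    check_setuid /usr/lib/rssh/rssh_chroot_helper || echo "helper is not setuid"
    shell_registered /etc/shells /usr/bin/rssh || echo "rssh not in /etc/shells"
    passwd_only_rssh "$1/etc/passwd" || echo "non-rssh accounts in $1/etc/passwd"
fi
```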

Feedback



  1. I followed your howto, but I keep stumbling onto one problem. The sftp user has access to all the files from /home/chroot on up… Including any additional users that you add later. How did you go about restricting the users to their /home/chroot/home directory without breaking their ability to log into the sftp?

    Please let me know.

    Thanks

    Corey


  2. Hey Corey!

    The SFTP users will have access to everything in /home/chroot but they should not be able to leave the /home/chroot area. When trying to SSH in do you get disconnected with a notice that the account is limited to SFTP only? If so then that’s a good sign things are working. (along with not being able to leave /home/chroot)

    Cheers,
    ~Dave


  3. I just followed your tutorial for a Hardy server running on Amazon's Elastic Compute Cloud, but I'm running into trouble: my chrooted users cannot log in; they get an error: "Fatal: unable to initialise SFTP on server: could not connect" while other users remain just fine. I'm having trouble finding the problem via Google, any ideas?


  4. Hi Charlie,

    You may possibly need a symbolic link to sftp-server.

    sudo ln /home/chroot/usr/lib/openssh/sftp-server /home/chroot/usr/lib/

    Check the path with rssh -v as well.

    Please let me know if that cures it. Thanks!


  5. Dave

    I followed your instruction but failed to get it to work. I suspect that the “~/mkchroot.sh” didn’t quite get made executable successfully. I don’t see the “$jail_dir” directory. I set the chrootpath to my desired rather than /home/chroot. Does the chrootpath have to be /home/chroot? How do I make sure that ~/mkchroot.sh gets made executable successfully?

    Scott


  6. Hey Scott! Sorry for the late reply on this. If you set chrootpath to another destination it may possibly not have had the permissions to create the path structure. You can perhaps create them manually after the fact and see if that allows everything else to fall into place. Please let me know how it goes. Thanks!


  7. I followed the guide and on the client I see:

    $ sftp [email protected]
    Connecting to myhost…
    [email protected]’s password:
    Connection closed

    On the server I see:

    May 7 03:04:10 myhost rssh[8608]: setting log facility to LOG_USER
    May 7 03:04:10 myhost rssh[8608]: allowing sftp to all users
    May 7 03:04:10 myhost rssh[8608]: setting umask to 022
    May 7 03:04:10 myhost rssh[8608]: chrooting all users to /home/chroot
    May 7 03:04:10 myhost rssh[8608]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 “/usr/lib/openssh/sftp-server”

    No errors whatsoever, but the connection is just closed 🙁

    Any ideas how to troubleshoot?


  8. I have the same issue as heckeron, no connection possible, but no errors either. Not in syslog nor in auth.log.

    Would be thankful for any help!
