Chrooted SSH in RHEL

OpenSSH 4.9+ includes a built-in chroot for sftp, but requires a few tweaks to the normal install.

You can create a rule to jail users and groups, it is very simple, if you want to create a rule based on group do the following.

  •  Override default subsystem “/usr/libexec/openssh/sftp-server” on /etc/ssh/sshd_config and create a group that will contain all sftp only users and add the user to this group.
  • The commented line Match User can be used to rules based on single user.
# groupadd sftponly
# gpasswd -a kdiegorsantos sftponly
# cat <EOF> /etc/ssh/sshd_config
Subsystem       sftp    internal-sftp
Match Group sftponly # Match User kdiegorsantos
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
        X11Forwarding no EOF

The chroot directory must be owned by root.

# chown root:root /home/kdiegorsantos
# chmod 700 /home/kdiegorsantos

Change the user shell to prevent SSH login.

# usermod -s /bin/false kdiegorsantos

After change the SSH config file, make sure to reload the daemon to apply the rules.

# service sshd restart

Now only SFTP connections can be established by users on group sftponly.

[root@server002 ~]# ssh -l kdiegorsantos server001
kdiegorsantos@server001's password:
This service allows sftp connections only.
Connection to server001 closed.
[root@server002 ~]#

If a user is able to write to the chroot directory then it is possible for them to escalate their privileges to root and escape the chroot. One way around this is to give the user two home directories – one “real” home they can write to, and one SFTP home that is locked down to keep sshd happy and your system secure. By using mount –bind you can make the real home directory appear as a subdirectory inside the SFTP home directory, allowing them full access to their real home directory.

# mkdir /home/chroot/kdiegorsantos
# mount --bind /home/kdiegorsantos /home/chroot/kdiegorsantos
# echo '/home/kdiegorsantos /home/chroot/kdiegorsantos        none    bind' >> /etc/fstab

 

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s