OpenBSD Journal
Chroot in OpenSSH
Contributed by merdely on Wed Feb 20 11:00:39 2008 (GMT)
from the lock-em-up dept.

You may have seen the recent commit message from djm@ about the new feature in OpenSSH: ChrootDirectory

Damien Miller (djm@), who worked on this new feature with Markus Friedl (markus@), offers more details about ChrootDirectory:

This commit adds a chroot(2) facility to sshd, controlled by a new sshd_config(5) option "ChrootDirectory". This can be used to "jail" users into a limited view of the filesystem, such as their home directory, rather than letting them see the full filesystem.

More from Damien follows.

Unfortunately, setting up a chroot(2) environment is complicated, fragile and annoying to maintain. The most frequent reason our users have given when asking for chroot support in sshd is so they can set up file servers that limit semi-trusted users to be able to access certain files only. Because of this, we have made this particular case very easy to configure.

In a previous commit, markus@ implemented an "in-process" sftp server in sshd, basically linking sftp-server(8) into sshd(8). When the in-process sftp server is used, sshd does not need any special chroot configuration (no /dev nodes, no libraries, no statically-linked sftp-server) so the chroot setup and maintenance burden is eliminated. The chroot support does work for login and command-execution sessions too, but administrators will need to configure the chroot environment manually.

To set up a restricted sftp server one should use the "ForceCommand" and "ChrootDirectory" directives in sshd_config. Presumably most people will not want to restrict every user, so they should also use the "Match" directive to select a user or group to apply the restrictions to. For example:

Match user djm
    ForceCommand internal-sftp
    ChrootDirectory /chroot

This will cause the user 'djm' to be chrooted to the "/chroot" directory at login, and the use of the in-process sftp server will be forced for all connections. I.e. the user will not be able to login interactively, or run arbitrary commands - the login will only be useful for sftp transfers. Note that the user's home directory may exist under the "/chroot" directory above (e.g. "/chroot/home/djm") and sshd will try to chdir to it before starting to serve files, but it doesn't matter if it does not exist.

Setting up a safe chroot jail is somewhat tricky, and it is quite easy to make a mistake that compromises one's security. To reduce this risk, sshd ensures the ChrootDirectory and each of its components is root-owned and not writable by other users, but it is still possible for administrators to break their own setups by doing dumb things (e.g. leaving /dev nodes for the physical drives in a chroot, executing scripts inside the chroot from cron(8) or elsewhere, etc.).

A limitation of the chroot support is that the in-process sftp server does not support scp(1) transfers. scp is a really busted protocol and it would be a fair bit more work to build it in in the way we have built in sftp. It is still possible to support chrooted scp, but administrators will need to populate the chroot environment manually. Please use sftp instead.

To make the internal-sftp chroot work for me, I made the following changes to /etc/ssh/sshd_config:

#Subsystem      sftp    /usr/libexec/sftp-server
Subsystem       sftp    internal-sftp
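Putting Damien's Match block and the Subsystem change together, the fragment below is an added example for this article; it is not configuration from the original post or from the sshd_config shipped with OpenSSH. It restricts a group rather than a single user. The group name sftponly, the chroot path /chroot and the user djm with home directory /home/djm are placeholders chosen for the example. Forcing internal-sftp only replaces the session command, so TCP and X11 forwarding have to be switched off on their own; a user who can forward ports can still use the account as a tunnel into the network. (The commit on this page uses a fixed path; current sshd_config(5) also accepts %u and %h tokens in ChrootDirectory.)

```text
# /etc/ssh/sshd_config (fragment; added example, not the stock file)

# Use the sftp server linked into sshd. sftp-server(8) is never executed,
# so no binary, library or /dev node has to be copied into the chroot.
Subsystem       sftp    internal-sftp

# Match blocks must be the last thing in the file: every directive after a
# Match line belongs to that block until the next Match. Create the group
# and add the restricted users to it before reloading sshd.
Match Group sftponly
    # Must be a directory owned by root and not group/other-writable, and
    # so must every directory on the path to it (/ and /chroot here).
    ChrootDirectory /chroot
    # Replaces whatever command the client asked for; no shell, no scp.
    ForceCommand internal-sftp
    # ForceCommand does not disable forwarding; do that explicitly.
    AllowTcpForwarding no
    X11Forwarding no

# Expected layout for user djm (home directory /home/djm in passwd):
#   /chroot            root  0755   checked by sshd, together with /
#   /chroot/home       root  0755   checked only if named in ChrootDirectory
#   /chroot/home/djm   djm   0700   the one place the user can write
# After chroot(2), sshd tries to chdir to /home/djm, which is
# /chroot/home/djm on the real filesystem.
```

Run `sshd -t` to check the syntax before restarting sshd, then connect with `sftp djm@host`: `pwd` should report /home/djm and `cd /` followed by `ls` should show only what exists under /chroot. An interactive `ssh djm@host` must fail, since the forced command is the sftp server rather than a shell.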

The full commit message:

CVSROOT:        /cvs
Module name:    src
Changes by:     djm@     2008/02/08 16:24:08

Modified files:
        usr.bin/ssh    : sshd_config.5 sshd_config sftp.h sftp-server.c
                         sftp-server-main.c session.c servconf.h
                         servconf.c

Log message:
add sshd_config ChrootDirectory option to chroot(2) users to a directory and
tweak internal sftp server to work with it (no special files in chroot
required). ok markus@

Thanks to Damien Miller for taking the time to explain the ChrootDirectory feature.
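Damien's note that sshd checks the ChrootDirectory "and each of its components" refers to the directories on the path to the jail (for /chroot/home that is /, /chroot and /chroot/home), not to the files inside it, which may belong to the user. The script below is an added example for this article, not code from OpenSSH or from the original post; it re-implements that walk as a pre-flight check an administrator can run before restarting sshd, reporting every component that is not a directory, is not owned by root, or is writable by group or other. CHROOT_OWNER is an assumption of this script (it defaults to root) so that the logic can be exercised without privileges; ls(1) is used instead of stat(1) because stat's flags differ between OpenBSD and GNU coreutils.

```shell
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory path.
# Not part of OpenSSH; it mirrors the rule described in the article
# (root-owned, not group/other-writable, for the directory and every
# path component above it).

# Print "<mode> <owner>" for a path, e.g. "drwxr-xr-x root".
# -L follows symlinks, as sshd's stat(2) of the path does.
chroot_stat() {
    out=$(ls -ldL "$1" 2>/dev/null) || return 1
    set -- $out
    printf '%s %s\n' "$1" "$3"
}

# Check one path component; print every violation, return 1 if any.
check_component() {
    dir=$1
    bad=0
    info=$(chroot_stat "$dir") || { echo "BAD: $dir: cannot stat"; return 1; }
    mode=${info%% *}
    who=${info#* }
    case $mode in
        d*) ;;
        *) echo "BAD: $dir: not a directory ($mode)"; bad=1 ;;
    esac
    [ "$who" = "$owner" ] ||
        { echo "BAD: $dir: owned by $who, must be $owner"; bad=1; }
    # Characters 6 and 9 of the mode string are the group and other
    # write bits: drwxrwxr-x is group-writable, drwxr-xrwx other-writable.
    case $mode in
        ?????w*|????????w*)
            echo "BAD: $dir: writable by group or other ($mode)"; bad=1 ;;
    esac
    return $bad
}

# Walk /, /a, /a/b, ... down to the ChrootDirectory itself, so that a
# writable or wrongly owned parent is reported, not only the final one.
check_chroot_path() {
    target=$1
    owner=${CHROOT_OWNER:-root}     # assumption: overridable for testing
    rc=0
    case $target in
        /*) ;;
        *) echo "BAD: $target: ChrootDirectory must be an absolute path"; return 1 ;;
    esac
    check_component / || rc=1
    cur=""
    rest=${target#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        rest=${rest#"$comp"}
        rest=${rest#/}
        [ -n "$comp" ] || continue  # skip empty components from "//"
        cur="$cur/$comp"
        check_component "$cur" || rc=1
    done
    [ $rc -eq 0 ] && echo "OK: $target is a usable ChrootDirectory"
    return $rc
}

# Usage: sh check_chroot.sh /chroot [/other/chroot ...]
for p in "$@"; do
    check_chroot_path "$p"
done
```

A non-zero exit status means sshd would refuse the chroot for that path (or the path does not exist); fix the reported component, typically with `chown root` and `chmod 755`, and keep the users' writable directories one level below the jail root.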






  Re: Chroot in OpenSSH (mod 12/88)
by Didier (194.154.200.108) (didier.wiroth@mcesr.etat.lu) on Wed Feb 20 11:32:23 2008 (GMT)
http://www.wiroth.net
  Thanks:
1) for the excellent feature
2) for the excellent report on this page
3) for the good sample!!!
and THANKS AGAIN!!!

  Re: Chroot in OpenSSH (mod 14/74)
by Anonymous Coward (24.37.242.64) on Wed Feb 20 14:09:01 2008 (GMT)
  Awesome! Just what I was looking for. Is it safe to assume that this will be included in the upcoming 4.3?

  Re: Chroot in OpenSSH (mod 14/62)
by Anonymous Coward (81.83.46.237) on Wed Feb 20 14:39:43 2008 (GMT)
  I am going to try this out tonight.
GREAT feature

  Re: Chroot in OpenSSH (mod 13/61)
by Paul R. (72.227.179.28) on Wed Feb 20 15:19:40 2008 (GMT)
  Thank you for working on this, it is a great feature....

  Re: Chroot in OpenSSH (mod 13/67)
by Paul Irofti (86.106.14.45) (bulibuta@gmail.com) on Wed Feb 20 15:38:50 2008 (GMT)
  When I first saw the cvs commit I was at home reading my mail, I read
the announcement just a few minutes after the code entered the tree. I
remember I just poll()-ed my cvs mirror to get in sync and fetch this
beauty!

Thank you *very* much!!!

  Re: Chroot in OpenSSH (mod -3/67)
by Anonymous Coward (64.129.81.169) on Wed Feb 20 16:21:07 2008 (GMT)
  great feature,

but SCARY, so many commands like ping could break out of other ssh jail setups....

So many web servers need to support scp/sftp that jury rigged ssh jails are widespread,
But if it is in the base, it stands a better chance of being better scrutinized... thank you.


  Re: Chroot in OpenSSH (mod 6/68)
by Anonymous Coward (24.222.223.104) on Wed Feb 20 17:09:08 2008 (GMT)
  I hope this is another nail in the coffin of ftp. I think sshd just needs a feature to configure an sftp-only account (if it doesn't have one already -- I haven't checked recently) that can be encryptionless and passwordless, and then the ftp server can go the way of the dodo.

  Port Forwarding (mod 4/68)
by Alan Watson (132.248.81.29) (alan@alan-watson-.org) on Wed Feb 20 19:23:25 2008 (GMT)
http://www.alan-watson.org
  This looks like a great addition. However, can a user limited to the internal sftp server still forward ports?

  scp is busted? (mod 3/61)
by Pete (12.147.96.10) on Wed Feb 20 20:46:46 2008 (GMT)
  I'm curious by what is meant by the "scp is a really busted protocol." Because sftp has always been an external process, and I can put everything except the password on the command line, I've generally preferred the scp client over sftp in the past. Am I putting myself at risk doing so, or is the busted part in the server security side?

  Re: Chroot in OpenSSH (mod 3/69)
by Mike (203.99.66.6) on Wed Feb 20 21:22:14 2008 (GMT)
  "sshd ensures the ChrootDirectory and each of its components is root-owned and not writable by other users"

Does that mean that the whole chroot jail is actually read-only for the user? Or what does "each of its components" mean?

  Re: Chroot in OpenSSH (mod -1/71)
by Anonymous Coward (80.172.22.46) on Thu Feb 21 00:00:23 2008 (GMT)
  Is it possible to have some unchrooted users using /usr/libexec/sftp-server and other chrooted
users with internal-sftp on the same server?

  Re: Chroot in OpenSSH (mod 5/67)
by Lennie (84.246.2.129) on Thu Feb 21 11:52:46 2008 (GMT)
  I was hoping for ChrootDirectory ~ (homedirectory), so it could be used for shared webservers...

But this looks like it's not that simple.

That's too bad.

I would have loved to have been able to do:

Match user user1
Match user user2
ChrootDirectory ~

AllowUsers adminuser1 adminuser2 user1 user2

It's too bad, this won't kill FTP, I'm afraid. It would have been better to have something really simple.

Maybe a chroot-dir and a hardlink per user would be kinda manageable ?

ssh killed telnet, sftp could have killed ftp.


  Re: Chroot in OpenSSH (mod 13/63)
by Rico Secada (ricosecada) (coolzone@it.dk) on Thu Feb 21 17:15:26 2008 (GMT)
  Thank you very very much!! A long needed feature!

  Cheroot for OpenSSH (mod 8/64)
by Anonymous Coward (128.171.90.200) on Tue Feb 26 00:48:32 2008 (GMT)
  Time to smoke a cheroot in celebration.

  Re: Chroot in OpenSSH (mod 9/69)
by Anonymous Coward (83.199.74.32) on Sun May 4 17:09:25 2008 (GMT)
  Great feature !
is it possible to build a jail with a bash session ?!

  Re: Chroot in OpenSSH (mod 0/26)
by TA (86.185.71.201) on Sun Aug 10 19:14:42 2014 (GMT)
  Is it possible to use the chroot and use public key authentication where the authorized_keys file is outside the home directory, so that the user cannot modify or see the keys? I cannot get this to work. I also used usermod user -s /bin/false to prevent ssh login. Please advise

  Re: Chroot in OpenSSH (mod 0/24)
by morophla (184.162.174.15) on Fri Apr 17 03:07:45 2015 (GMT)
  Cool. But what is the procedure to truly isolate users from each other? With this method, any user can sneak into everybody's directory in the same chroot. That's not what we want for web hosting.

