Setting Up Chroot Jail for SSH/SCP with Arch Linux

Setting up chroot jail could limit capability of users on your server. Meanwhile, the environment could be separately maintained, so that there could have better protection for main environment of your server and better control for jailed environment of your users.

In this page, you would find the steps in order to achieve the setup with Arch Linux. Before deploying your chroot settings, you may have to check if following items are installed:

Have your chroot directory ready
Once you have required packages installed, you are ready to setup the directory which would be used as the root directory for the chroot jail. You may create a new directory or use an existing directory, however, the directory must be owned root.

# mkdir -p /home/[user]/home
# useradd -m -g users -d /home/[user]/home/[user] [user]
# usermod -d /home/[user] [user]

If you are using an existing directory, you may have to make sure the directory is empty. Since after the deployment, anything in the directory would be visible to the users under chroot environment, as the directory would be used as the root directory for the users.

Prepare your chroot environment
After the chroot directory is ready, you could setup pacman to manage package installation for the jailed environment.

# mkdir -p /{etc/jail/[user],var/jail/[user]/{cache/{key,pkg},lib}}
# chown [user]:users /var/jail/[user]/cache/key
# cp /etc/pacman.conf /etc/jail/[user]/pacman.conf
# pacman --dbpath /var/jail/[user]/lib --root /home/[user] --cachedir /var/jail/[user]/cache/pkg --config /etc/jail/[user]/pacman.conf --logfile /var/jail/[user]/pacman.log -Sy bash

If your users are going to login through public key authentication, you may have to generate key for them as well.

# mkdir -p /home/[user]/var/cache/ssh
# chown [user]:users /home/[user]/var/cache/ssh
# chmod 700 /home/[user]/var/cache/ssh
# su - [user]
# ssh-keygen -t ecdsa -b 521 -C "[comments]"
Enter file in which to save the key: /var/jail/[user]/cache/key/id_ecdsa

# cp /var/jail/[user]/cache/key/ /home/[user]/var/cache/ssh/authorized_keys
# chmod 600 /home/[user]/var/cache/ssh/authorized_keys
# exit

Once pacman is ready for the chroot jail and basic packages are installed, you may have to copy scp utility in order to enable SCP for your users. Of course, there are other things which could make your jailed environment with higher security.

# cp `which scp` /home/[user]`which scp`
# mknod -m 666 /home/[user]/dev/null c 1 3
# cat /etc/passwd | grep '^[user]:' > /home/[user]/etc/passwd

Prepare your sshd_config

After the deployment of your chroot jail, you may check your sshd_config and test if your users are jailed properly.

Match Group users
    ChrootDirectory %h
    AuthorizedKeysFile %h/var/cache/ssh/authorized_keys
    X11Forwarding no
    AllowTcpForwarding no

Restart your sshd in order to activate your settings.

# systemctl restart sshd

Now, the chroot jail is ready to use. You may feel free to separate your users from the main environment of your server with providing custom runtime and packages. You may also use the chroot jail as a development environment or anything you like. Good luck and hope you enjoy it!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s