As a matter of fact, there is nothing complex about getting this beast to run caged. I have done it numerous times on NetBSD, but I am pretty sure it will run just as nicely on any other distro. Its not complex, but rather long.
*) Creating the chroot jail
First of all, we create a directory structure.
The permissions have to be right to only allow copying files to the user home folder and to tmp.
# mkdir -p /opt/chroot/sshd
# cd /opt/chroot/sshd
# mkdir -p bin dev etc home lib libexec sbin tmp var
# mkdir -p var/run var/chroot/sshd
# ln -s . usr
# chmod 555 home
# chmod 1777 tmp
# mkdir –p pkg/etc/ssh
As u can see `ln -s . usr`, make usr subdirectory becomes a symblink to chroot's top directory.
This will avoid binary distinction.
In “pkg/etc/ssh” is the place where the sshd config file and keys are going to be copied.
*) Copying the needed stuff to the chrooted directory structure
# cd /opt/chroot/sshd
# cp /bin/ksh /usr/bin/passwd /bin/date /bin/ls /bin/pwd /usr/bin/groups bin
# cp /usr/pkg/bin/scponly bin
# cp /etc/localtime etc/localtime
# cp /sbin/nologin /usr/sbin/pwd_mkdb /usr/pkg/sbin/sshd sbin
# cp /etc/master.passwd /etc/group /etc/passwd.conf etc
# cp /usr/libexec/ld.elf_so /usr/libexec/ld.so /usr/pkg/libexec/sftp-server libexec
# cp -rf /etc/ssh pkg/etc
Next we create the needed device files
# cd /opt/chroot/sshd/dev
# /dev/MAKEDEV std pty0 tty random
We need some share libraries as well.
If u use static linked binaries then u should not need those or at least some of them.
Using ldd and awk is quite easy to get all of them inside the chrooted environment.
# cd /opt/chroot/sshd/
# cp `ldd bin/* sbin/* | awk '{print $3}'` lib
*) Setting up the user(s)
# cd /opt/chroot/sshd/etc
# vi group
My group file is as follows:
wheel:*:0:imanassy
sshd:*:16:
staff:*:20:scpuser
nobody:*:39:
The next step is edit the master.passwd file (inside the chroot).
# cd /opt/chroot/sshd/etc
# vi master.passwd
My master.passwd file become this short.
sshd:*:16:16:& pseudo-user:/var/chroot/sshd:/sbin/nologin
nobody:*:32767:39:Unprivileged user:/nonexistent:/sbin/nologin
scpuser:*:2003:100:test:/home/scpuser:/bin/scponly
Everytime we modify the master.passwd file, we need to recreate the db files. We can use these commands:
# cd /opt/chroot/sshd/
# sbin/pwd_mkdb -d /opt/chroot/sshd etc/master.passwd
# sbin/pwd_mkdb -d /opt/chroot/sshd -p etc/master.passwd
The scpuser is configured. Now we create his home folder.
# cd /opt/chroot/sshd/home
# mkdir –p scpuser
# chown 2003:sshd scpuser
*) Setting up the initial passwords
# cd /opt/chroot/sshd/
# passwd scpuser
Changing local password for scpuser.
New password: *********
Retype new password: *********
# exit
# cd /opt/chroot/sshd
# rm bin/passwd
# rm bin/ksh
# rm bin/date
Note: If any users has to be added afterwards, then "passwd" and "ksh" has to be temporary copied back
to the chroot environment to accomplish the set up tasks for the new users.
*) Setting up the SSHD server
We need to make sure the chrooted ssh daemon does not conflict with any other SSHD server in the same machine,
so we will set it up. The first step is to generate some new keys (or copy the ones you already have):
# cd /opt/chroot/sshd/pkg/etc/ssh/
# /usr/pkg/bin/ssh-keygen -t rsa1 -b 1024 -f ssh_host_key -N ''
# /usr/pkg/bin/ssh-keygen -t dsa -f ssh_host_dsa_key -N ''
# /usr/pkg/bin/ssh-keygen -t rsa -f ssh_host_rsa_key -N ''
To start the chrooted sshd server, if u have another sshd server already running in the same machine,
u have to choose another port than the 22 ( the default port of the ssh daemon).
To accomplish that edit the sshd_config and edit the following line:
“Port 22” and change the 22 to anything else up to 65535:
Another alternative to this would be to create a virtual ip on the interface, and bind the server to that ip.
*) Starting the sshd server
At this point everything is ready to start the ssh daemon and it is done with the following command:
# chroot /opt/chroot/sshd /sbin/sshd
Add this line to your startup scripts if you want it to be started at system bootup.
*) Set up syslogd to log from the chrooted sshd server
It is very important to know how our chrooted sshd server is doing inside the chroot.
To syslog to the /var/log/authlog ( the default log file for the sshd server)
we configure the syslogd_flags in the /etc/defaults/rc.conf file.
# vi /etc/defaults/rc.conf
And add/modify this line:
syslogd=YES syslogd_flags="-p /var/run/log -p /opt/chroot/sshd/var/run/log -s" # -s "secure" unix domain only
And then restart the syslogd daemon a la rc.d way.
# /etc/rc.d/syslogd restart
*) Client configuration
The client configuration part is up to U.
I use the scp command that comes with the openssh suite.
A good free scp client for Windows is WinSCP (
http://winscp.net).
*) The folder/file structure
This is how my chrooted folder/file structure looks like.
Remember that the soft-linked pkg/etc acts like usr/pkg/etc.
The dev folder is omitted, so don't panic if you don't see it.
bin
bin/scponly
bin/groups
bin/pwd
bin/ls
etc
etc/passwd.conf
etc/group
etc/master.passwd
etc/spwd.db
etc/passwd
etc/pwd.db
etc/localtime
home
home/scpuser
home/scpuser/.ssh
home/scpuser/.ssh/authorized_keys
lib
lib/libcrypt.so.0
lib/libutil.so.7
lib/libskey.so.1
lib/libcrypto.so.0.9.7
lib/libc.so.12
lib/libwrap.so.0
lib/libtermcap.so.0
lib/libedit.so.2
lib/libroken.so.12
lib/libcom_err.so.4
lib/libasn1.so.6
lib/libcrypto.so.2
lib/libkrb5.so.19
lib/libz.so.0
libexec
libexec/ld.so
libexec/ld.elf_so
libexec/sftp-server
sbin
sbin/sshd
sbin/nologin
sbin/pwd_mkdb
tmp
var
var/run
var/run/sshd.pid
var/run/log
var/run/utmpx
var/chroot
var/chroot/sshd
pkg
pkg/etc
pkg/etc/ssh
pkg/etc/ssh/moduli
pkg/etc/ssh/ssh_known_hosts
pkg/etc/ssh/ssh_config
pkg/etc/ssh/sshd_config
pkg/etc/ssh/ssh_host_key.pub
pkg/etc/ssh/ssh_host_dsa_key
pkg/etc/ssh/ssh_host_dsa_key.pub
pkg/etc/ssh/ssh_host_rsa_key
pkg/etc/ssh/ssh_host_rsa_key.pub
pkg/etc/ssh/ssh_host_key