Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only

by on November 27, 2007 · 60 comments· LAST UPDATED December 31, 2007


rssh supports chrooting. To chroot users, set the chrootpath option in rssh.conf; it names the directory that becomes the root of the jail. This is a security feature: an account that only needs to transfer files never sees the real file system.

A chroot on Linux or Unix is an operation that changes the apparent root directory for the current process and its children. Without it, a normal user whose home directory is /home/vivek can still read files under /etc, /sbin or /bin, and an attacker who takes over such an account (for example through your web server) can install programs or a backdoor in /tmp. A chroot restricts file system access and locks the user down to their own directory tree. Remember that a jail is only as strong as what you put in it: keep its contents read-only for the jailed users and free of setuid binaries.

Configuring rssh chroot

=> Chroot directory: /users.
Tip: If possible mount the /users filesystem with the nosuid option to improve security. Do not add noexec: rssh_chroot_helper has to execute the copy of sftp-server that lives inside the jail, and a noexec mount makes that execve() fail, so every login is dropped right after authentication.

=> Required directories in jail:

  • /users/dev - Device files (/dev/null and the /dev/log socket)
  • /users/etc - Configuration file such as passwd
  • /users/lib - Shared libs
  • /users/usr - rssh and other binaries
  • /users/bin - Copy default shell such as /bin/csh or /bin/bash

=> Required files in jail at /users directory (default for RHEL / CentOS / Debian Linux):

  • /etc/ld.so.cache
  • /etc/ld.so.conf.d/*
  • /etc/ld.so.conf
  • /etc/nsswitch.conf
  • /etc/passwd
  • /etc/group
  • /etc/hosts
  • /etc/resolv.conf
  • /usr/bin/scp
  • /usr/bin/rssh
  • /usr/bin/sftp
  • /usr/libexec/openssh/sftp-server OR /usr/lib/openssh/sftp-server
  • /usr/libexec/rssh_chroot_helper OR /usr/lib/rssh/rssh_chroot_helper (the setuid root bit must be set on the original outside the jail, which is the one rssh executes; the copy inside the jail does not need it)
  • /bin/sh or /bin/bash (default shell)

Tip: Limit the binaries in the jail to the absolute minimum required. Usually /bin/bash and /bin/sh are not required, but some systems give an error without them.

A note about jail file system

Note: Files are placed in the jail directory (such as /users) in directories that mimic their placement in the root (/) file system, so every required file has to be copied into its mirrored path. For example, /usr/bin/rssh lives on the / file system; if your jail is at /users, copy it to /users/usr/bin/rssh. The following instructions are tested on:

  • FreeBSD
  • Solaris UNIX
  • RHEL / Redhat / Fedora / CentOS Linux
  • Debian Linux

Building the Chrooted Jail

Create all required directories (RHEL / CentOS keep sftp-server and rssh_chroot_helper under /usr/libexec, Debian under /usr/lib/openssh and /usr/lib/rssh; on 64-bit systems add lib64 as well):
# mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/usr/libexec/openssh

OR
# mkdir -p /users/usr/lib/openssh /users/usr/lib/rssh

Create /users/dev/null:
# mknod -m 666 /users/dev/null c 1 3
Copy required /etc/ configuration files, as described above to your jail directory /users/etc:
# cd /users/etc
# cp /etc/ld.so.cache .
# cp -avr /etc/ld.so.conf.d/ .
# cp /etc/ld.so.conf .
# cp /etc/nsswitch.conf .
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/resolv.conf .

Open /users/etc/passwd and /users/etc/group and remove root and every account that is not going to be jailed. Keep (or later append) an entry for each jailed user, with the home directory written relative to the jail root (/vivek rather than /users/vivek): after the chroot, sftp-server looks its uid up in this copy and drops the connection with "No user found" if the entry is missing. Both files must stay readable by the jailed users (mode 0644), since that lookup runs with the user's privileges, not root's.

Copy the required binaries, as described above, to the matching locations in the jail. On RHEL / CentOS / Fedora:
# cd /users/usr/bin
# cp /usr/bin/scp /usr/bin/rssh /usr/bin/sftp .
# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .
# cd /users/usr/libexec/
# cp /usr/libexec/rssh_chroot_helper .

On Debian / Ubuntu the OpenSSH and rssh helpers live under /usr/lib instead:
# cd /users/usr/lib/openssh/
# cp /usr/lib/openssh/sftp-server .
# cd /users/usr/lib/rssh/
# cp /usr/lib/rssh/rssh_chroot_helper .

Finally copy the default shell, if your system needs it:
# cd /users/bin/
# cp /bin/sh .

OR
# cp /bin/bash .

Copy all shared library files

The shared libraries that each of these binaries needs can be found with the ldd command (or, for libraries opened at run time, by watching open() calls under strace). For example, running ldd against /usr/bin/sftp gives the following output:
# ldd /usr/bin/sftp
Output:

     linux-gate.so.1 =>  (0x00456000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x0050e000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)
        libutil.so.1 => /lib/libutil.so.1 (0x008ba000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00110000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x0080e000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00a8c000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00656000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00271000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00304000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x00777000)
        libdl.so.2 => /lib/libdl.so.2 (0x00123000)
        libnss3.so => /usr/lib/libnss3.so (0x00569000)
        libc.so.6 => /lib/libc.so.6 (0x00b6c000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00127000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00130000)
        /lib/ld-linux.so.2 (0x00525000)
        libplc4.so => /usr/lib/libplc4.so (0x008c9000)
        libplds4.so => /usr/lib/libplds4.so (0x00133000)
        libnspr4.so => /usr/lib/libnspr4.so (0x00d04000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x0032a000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00341000)
        libsepol.so.1 => /lib/libsepol.so.1 (0x00964000)

You need to copy all of those libraries to /users/lib and the other matching locations under the jail. Two things ldd does not show: libraries that are symlinks on the real system (libz.so.1 -> libz.so.1.2.3, for example) should be recreated as symlinks in the jail rather than copied as a plain file under the link's name, and the NSS modules named in nsswitch.conf (/lib/libnss_files.so.2, or /lib64/libnss_files.so.2 on 64-bit) are loaded with dlopen() at run time and never appear in ldd output, yet without them the user lookup inside the jail fails and the session is closed right after authentication. To automate the copying, use my l2chroot script:
# cd /sbin
# wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# chmod +x l2chroot

Open l2chroot and set BASE variable to point to chroot directory (jail) location:
BASE="/users"
Now copy all shared library files
# l2chroot /usr/bin/scp
# l2chroot /usr/bin/rssh
# l2chroot /usr/bin/sftp
# l2chroot /usr/libexec/openssh/sftp-server

OR
# l2chroot /usr/lib/openssh/sftp-server
# l2chroot /usr/libexec/rssh_chroot_helper

OR
# l2chroot /usr/lib/rssh/rssh_chroot_helper
# l2chroot /bin/sh

OR
# l2chroot /bin/bash
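
The library steps above (ldd, the symlink gotcha and the NSS module that ldd never lists) fit in one small script. The following is an added example written for this page, not the l2chroot script itself: jail_bin copies a binary and every library ldd reports into $JAIL under the same absolute path, recreating symlinks instead of flattening them, and jail_nss copies the libnss_*.so.2 modules named on the passwd and group lines of nsswitch.conf. The JAIL default of /users and the library search directories in jail_nss are assumptions; adjust them to your layout.

```sh
#!/bin/sh
# Added example (not the l2chroot script from the article): populate a chroot
# jail with a binary, its shared libraries and the NSS modules glibc loads at
# run time. Run as root; JAIL defaults to the /users jail used on this page.
JAIL="${JAIL:-/users}"

# Turn `ldd` output into a list of absolute library paths. Three line shapes:
#   libz.so.1 => /usr/lib/libz.so.1 (0x00110000)   -> /usr/lib/libz.so.1
#   /lib/ld-linux.so.2 (0x00525000)                -> /lib/ld-linux.so.2
#   linux-gate.so.1 =>  (0x00456000)               -> skipped (vDSO, no file)
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                { print $1 }'
}

# Copy one file into the jail at the same absolute path. A symlink is
# recreated as a symlink (same link text) and its target copied as well, so
# libz.so.1 -> libz.so.1.2.3 resolves inside the jail exactly as outside.
jail_copy() {
    src="$1"
    dst="$JAIL$src"
    mkdir -p "$(dirname "$dst")"
    if [ -L "$src" ]; then
        link=$(readlink "$src")
        case "$link" in
            /*) target="$link" ;;
            *)  target="$(dirname "$src")/$link" ;;
        esac
        ln -sfn "$link" "$dst"
        jail_copy "$target"
    else
        cp -p "$src" "$dst"
        chmod u-s,g-s "$dst"   # never leave setuid/setgid copies inside the jail
    fi
}

# Copy a binary plus everything ldd says it links against.
jail_bin() {
    jail_copy "$1"
    for lib in $(ldd "$1" | ldd_paths); do
        jail_copy "$lib"
    done
}

# ldd cannot see NSS modules: glibc dlopen()s libnss_<service>.so.2 for every
# service listed on the passwd: and group: lines of nsswitch.conf. Without
# them getpwuid() fails inside the jail and sftp-server exits immediately.
nss_modules() {
    awk '$1 == "passwd:" || $1 == "group:" {
             for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print "libnss_" $i ".so.2"
         }' | sort -u
}

# Copy the NSS modules for the real nsswitch.conf. The directory list is an
# assumption covering 32-bit, 64-bit and /usr-merged layouts.
jail_nss() {
    for mod in $(nss_modules < /etc/nsswitch.conf); do
        for dir in /lib /lib64 /usr/lib /usr/lib64; do
            if [ -e "$dir/$mod" ]; then
                jail_copy "$dir/$mod"
                break
            fi
        done
    done
    return 0
}
```

Source the file and run jail_bin for each binary in the list above (scp, rssh, sftp, sftp-server and rssh_chroot_helper, using your distribution's paths), then jail_nss once. jail_copy strips the setuid and setgid bits from every copy on purpose: only the original rssh_chroot_helper outside the jail needs setuid root, and a setuid binary inside the jail is an escape route, not a feature.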

Modify syslogd configuration

The syslog library function writes messages to the Unix socket /dev/log. Processes inside the jail see /users/dev/log instead, so syslogd has to listen there as well; otherwise rssh_chroot_helper logs nothing and you are debugging blind. Pass -a /path/to/chroot/dev/log to syslogd: each -a adds one extra socket, up to 19 (to go beyond that, raise MAXFUNIX in syslogd.c and rebuild). On RHEL / CentOS open /etc/sysconfig/syslog:
# vi /etc/sysconfig/syslog
Find the line that reads as follows:
SYSLOGD_OPTIONS="-m 0"
Append -a /users/dev/log:
SYSLOGD_OPTIONS="-m 0 -a /users/dev/log"
Save and close the file. Restart syslog:
# /etc/init.d/syslog restart
On Debian / Ubuntu the equivalent variable is SYSLOGD in /etc/default/syslogd. If the system runs rsyslog instead of sysklogd, use the imuxsock directive $AddUnixListenSocket /users/dev/log in a file under /etc/rsyslog.d/ and restart rsyslog. Either way the daemon creates the socket itself on start, so do not mknod it by hand; check with ls -l /users/dev/log after the restart.

Set chroot path

Open the configuration file /etc/rssh.conf:
# vi /etc/rssh.conf
Set chrootpath to /users:
chrootpath=/users
Also make sure the commands you want to permit (allowscp, allowsftp) are uncommented; with all of them commented out rssh refuses every request and logs "attempted to execute forbidden commands". Two paths have to agree as well: the Subsystem sftp line in /etc/ssh/sshd_config must name the sftp-server path rssh was built with (/usr/libexec/openssh/sftp-server on RHEL / CentOS, /usr/lib/openssh/sftp-server on Debian), because rssh treats any other command as forbidden, and that same path must exist inside the jail, because rssh_chroot_helper executes it after the chroot. Save and close the file. If sshd is not running start it:
# /etc/init.d/sshd start

Add user to jail

As explained earlier, configure an rssh user account. For example, add user vivek to the chrooted jail with the following commands (the home directory is /users/vivek on the real system, which the user sees as /vivek inside the jail):
# useradd -m -d /users/vivek -s /usr/bin/rssh vivek
# passwd vivek

Now vivek can login using sftp or copy files using scp:

sftp vivek@my-server.com
vivek@my-server.com's password:
sftp> ls
sftp> pwd
Remote working directory: /vivek
sftp> cd /tmp
Couldn't canonicalise: No such file or directory

User vivek is allowed to log in to the server to transfer files, but not to browse the entire file system.
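
Before handing the jail to users it is worth checking, from the server side, that it is actually safe. The shell functions below are an added example for this page, not from rssh or the article: jail_passwd_check compares the real passwd file with the jail copy for every rssh account, jail_setuid_files lists setuid or setgid files inside the jail, jail_writable lists anything in the jail (other than device nodes and the log socket) that is world-writable, and jail_audit runs all three. The /users path and the rule that a jailed account is one whose login shell ends in /rssh are assumptions.

```sh
#!/bin/sh
# Added example (not from the article or rssh): pre-flight checks for a jail.
# Each check prints offending entries one per line and nothing when the jail
# is clean, so they can run from a deploy step or a cron job.

# Every account whose login shell is rssh must have an entry in the jail's
# passwd with the same uid, because sftp-server calls getpwuid() after the
# chroot and exits with "No user found" otherwise. Prints user:uid for each
# rssh account that is missing from, or has a different uid in, the jail copy.
# Usage: jail_passwd_check /etc/passwd /users/etc/passwd
jail_passwd_check() {
    awk -F: '
        NR == FNR { if ($7 ~ /\/rssh$/) want[$1] = $3; next }
        ($1 in want) && want[$1] == $3 { delete want[$1] }
        END { for (u in want) print u ":" want[u] }
    ' "$1" "$2" | sort
}

# Nothing inside the jail should be setuid or setgid. The helper that performs
# the chroot runs from the real /usr/libexec (or /usr/lib/rssh), so a copy
# inside the jail gains nothing from the bit and only adds an escape route.
# Usage: jail_setuid_files /users
jail_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Binaries, libraries and config inside the jail must not be writable by the
# jailed users, or one of them can replace sftp-server with a program of their
# own. Lists world-writable entries, ignoring character devices (/dev/null is
# 0666 by design) and sockets (/dev/log is created by syslogd).
# Usage: jail_writable /users
jail_writable() {
    find "$1" -perm -002 ! -type c ! -type s -print | sort
}

# Run every check. Returns 0 only when all of them printed nothing; otherwise
# prints the labelled findings and returns 1.
# Usage: jail_audit /users [/etc/passwd]
jail_audit() {
    jail="$1"
    passwd="${2:-/etc/passwd}"
    out=$(
        jail_passwd_check "$passwd" "$jail/etc/passwd" | sed 's/^/passwd mismatch: /'
        jail_setuid_files "$jail" | sed 's/^/setuid in jail: /'
        jail_writable "$jail" | sed 's/^/world-writable: /'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run jail_audit /users after every change to the jail and again after adding a user; a non-zero exit with a "passwd mismatch" line is the usual cause of the "Connection closed" right after authentication that several people report below.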


Comments (60)

1 Alexis Munyandekwe January 17, 2008 at 1:47 am

Nice article Vivek. However some directories are not even required according to the admin restriction.
It's better to use fewer directories in a chroot jail account for security reasons. The following directories are enough for file transmission:

/etc
/usr
/lib

Thanks

2 Tomas L. Gomez January 22, 2008 at 12:16 pm

Very nice article! I have two questions:

1) Shouldn't /etc/ld.so.cache.d/* be
/etc/ld.so.conf.d/*?

2) In Debian 4.0 and Ubuntu 7.10, I do not
have the line
SYSLOGD_OPTIONS="-m 0"
Instead, I have the line
SYSLOGD=""
What should I do?

3 Ivan August 22, 2008 at 7:22 pm

Very nice article. Plenty of good information.

Only one "complaint" if you will:
the title "configure chroot jail to lock users to their home directory only" leads me to believe the article will show how to "lock users to home".

It does not do this. Users are locked to the chroot jail ONLY.

If my chroot jail is: /home/chroot
and my users' home directories go under that, i.e.:
/home/chroot/user1

I'm using sftp only, and I do NOT want my users leaving their home directory. In fact, I don't even want them to be able to ls another user's directory.

I have seen NO solution that deals with this...
Can this be done?
(note: modifying the rssh.conf file & restarting services every time a new user is added to the system is not an acceptable solution)

TIA

4 Stefan September 2, 2008 at 9:06 pm

First of all, thank you very much for the interesting and well written article.

Eventually I do have a similar question as Ivan before, only that in my case users can back up their data to their home directories using rsync. Is it possible to positively prevent, say, user1 from accessing data from user2?

Kind regards
Stefan

5 Benjamin Priestman September 3, 2008 at 3:01 am

I like these pages a lot. Clearly written and frequently right. I spent many hours struggling with this but, judging from other forums, this is a fiddly thing to provide definitive steps for.

I kept failing with the chroot configuration (on CentOS 5). sftp connections would be dropped with no clear errors logged. The problems proved to be down to required files (libz.so.1, for one) that existed as symlinks in the original file system. These had been copied into the chroot by the script as files with the name of the links that linked to them. While I would have thought this would work, deleting these files and recreating the symlink set-up manually did the trick.

Thanks for getting me started!

6 Paul Mitchell February 2, 2009 at 10:02 pm

Hello Folks,
I'd really like to get the chroot jail set up (we have a need for people to deposit data without being able to ssh in). I'm running into two problems, and while I've been a Solaris admin for a long time, I'm still a beginner with Linux, so I'm probably missing something obvious.

My /etc/rssh.conf states: chrootpath = /altroot, and in this partition, I've manually copied a number of files from an earlier scponly install and the contents of this web page. One thing I note is that there are many missing libraries on my system as compared to what ldd thinks sftp needs. However, sftp works.

But when I create a user with rssh as the shell, the following occurs:

sftp 172.X.X.X
Connecting to 172.X.X.X...
pmitchel@172.X.X.X's password:
Connection closed

and the obvious error message is:

Feb  2 16:58:22  ELNDZ01F last message repeated 3 times
Feb  2 16:58:22  ELNDZ01F sshd[20208]: pam_krb5[20208]: authentication succeeds for 'pmitchel' (pmitchel@ISIS.UNC.EDU)
Feb  2 16:58:22  ELNDZ01F sshd[20208]: Accepted password for pmitchel from 152.2.102.25 port 40272 ssh2
Feb  2 16:58:22  ELNDZ01F sshd[20211]: subsystem request for sftp
Feb  2 16:58:22  ELNDZ01F rssh[20214]: setting log facility to LOG_USER
Feb  2 16:58:22  ELNDZ01F rssh[20214]: allowing sftp to all users
Feb  2 16:58:22  ELNDZ01F rssh[20214]: setting umask to 022
Feb  2 16:58:22  ELNDZ01F rssh[20214]: chrooting all users to /altroot
Feb  2 16:58:22  ELNDZ01F rssh[20214]: user pmitchel attempted to execute forbidden commands
Feb  2 16:58:22  ELNDZ01F rssh[20214]: command: /opt/local/ssh/libexec/sftp-server

My question is, why is rssh invoking /opt/local/ssh/libexec/sftp-server, especially as this file doesn't exist!

Any help will be appreciated, thanks.

Paul Mitchell

7 Paul Mitchell February 3, 2009 at 7:29 pm

Addendum to the above:

Of course, /opt/local/ssh/libexec/sftp-server did exist, and it was pointed to in the /etc/ssh/sshd_config file. I've changed that to: /altroot/opt/local/ssh/libexec/sftp-server
and copied the executable there.

I also updated the /etc/rssh.conf file to allow scp and sftp, as follows:

# Leave these all commented out to make the default action for rssh to lock
# users out completely...
allowscp
allowsftp

My entry in this file is:
chrootpath = /altroot
user="pmitchel:502:00011:/altroot"

which should translate to allow scp, sftp, start from altroot.

Still, I'm getting:

Feb 3 14:23:46 ELNDZ01F sshd[3591]: Accepted password for pmitchel from 152.X.X.X port 33128 ssh2
Feb 3 14:23:46 ELNDZ01F sshd[3596]: subsystem request for sftp
Feb 3 14:23:46 ELNDZ01F rssh[3597]: setting log facility to LOG_USER
Feb 3 14:23:46 ELNDZ01F rssh[3597]: allowing scp to all users
Feb 3 14:23:46 ELNDZ01F rssh[3597]: allowing sftp to all users
Feb 3 14:23:46 ELNDZ01F rssh[3597]: setting umask to 022
Feb 3 14:23:46 ELNDZ01F rssh[3597]: chrooting all users to /altroot
Feb 3 14:23:46 ELNDZ01F rssh[3597]: user pmitchel attempted to execute forbidden commands
Feb 3 14:23:46 ELNDZ01F rssh[3597]: command: /altroot/opt/local/ssh/libexec/sftp-server

why?

8 Josef Meile February 4, 2009 at 5:07 pm

Hi Vivek,

Thanks for your guide, I got it working on Debian, but first I needed to do some extra steps:
1. There is no /etc/ld.so.cache.d in Debian, so don't worry about copying it.
2. Instead of copying your /etc/passwd and /etc/group files to your chroot folder, just do this:
touch /passwd
touch /group
For jailing you don't really need to have users and groups inside those files.
3. The syslog configuration from Debian is under /etc/default/syslogd. Instead of a "SYSLOGD_OPTIONS" variable, you have to change "SYSLOGD" instead.
4. Somewhere on the cyberciti howto is written: "Tip: If possible mount /users filesystem with the noexec/nosuid option to improve security."; unfortunately, if you set noexec on the filesystem, then the user won't be allowed to run sftp-server, thus the connection will fail. So, set only nosuid.
5. suid the original rssh_chroot_helper command, otherwise you won't be able to log in to the machine:
chmod u+s /usr/lib/rssh/rssh_chroot_helper
Note: A solution for avoiding this is explained here:
Howto create chrooted OpenSSH SFTP without shell access through rssh:
http://ubuntuforums.org/showthread.php?t=128206&page=9
I may try it later
6. In order to stop users browsing other people's stuff, just add this to common-session in the /etc/pam.d folder:
session required pam_mkhomedir.so debug skel=/etc/skel umask=0077
So, only the owner will be able to browse the files in a user folder.

9 Josef Meile February 4, 2009 at 5:09 pm

Oops, sorry, on step 2 I meant:
touch /users/etc/passwd
touch /users/etc/group

10 Enzo March 5, 2009 at 5:43 am

That’s a lot of bullshit just to restrict a user to a specific directory. Holy shit.

11 Rick November 4, 2011 at 2:10 am

Feel the exact same way *sigh* but client gets what client wants.

12 LT72884 April 7, 2009 at 4:59 pm

I could use some help. I already have a user named publicfiles and a home directory with a crap load of files in it for school. How do I lock it down so when people use WinSCP, they can't go anywhere in my server BUT the publicfiles folder? Please help. I don't want to add any new users or whatever. Just want to edit the current publicfiles user.

Thanx

13 Henry May 7, 2009 at 6:02 pm

I followed all the instructions very carefully, and I almost have this working. It seems to work for scp, but when I use SFTP, the session is closed immediately after the log in. The log messages show that the passwd was accepted, but I see this message: "May 5 21:42:38 localhost rssh_chroot_helper[25142]: execv() failed, /usr/libexec/openssh/sftp-server: No such file or directory" The file "/usr/libexec/openssh/sftp-server" does exist, so it can only be talking about the execv command, which I have found does not exist on my system. What do I do? Did anyone experience this?

14 Henry May 7, 2009 at 6:19 pm

I just found some information in the CHROOT document file, which seems to be exactly what is happening to me. I had not looked at this document previously so let me check it out and see if I can fix this problem I am having.

15 Firesh June 6, 2009 at 8:38 am

Hey, I've been trying to do this chroot thing for my server but it gives me some error.

Users can't seem to connect at all; the connection is also terminated by the server. I followed each and every step of what is written here. Everything copied perfectly, I double checked as well.

But yet this chroot doesn't work. Can I know why that is? I use a Debian based server, Ubuntu server 9.04.

16 Firesh June 6, 2009 at 9:52 am

OK, the explanation did solve some of the problem.

Now I face the same problem Henry is facing, the execv command. Plus my file location is /usr/lib/rssh/rssh_chroot_helper & /usr/lib/openssh/sftp_server

What should I do next?

17 shireRom June 28, 2009 at 3:58 pm

For all having the execv problem:

It happens on amd64 systems.
Add the following lines to mkchroot.sh:


#####################################################################
#
# set up /dev/log
#
mkdir -p "$jail_dir/dev"

######### user added code ##############
# cp some more files
cp /lib/ld-linux-x86-64.so.2 "$jail_dir/lib/"
cp /lib/ld-linux.so.2 "$jail_dir/lib/"
cp -pR /lib64 "$jail_dir/"
# make /dev/null
mknod -m 666 "$jail_dir/dev/null" c 1 3
########## end user added code ############

echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"

I found the solution here

18 seth July 4, 2009 at 8:33 am

I’m using CentOS 5.3 and when trying to sftp with chroot was getting a No User Found error after successful authentication and chroot… I scoured the web and found this solution:

Add the following files (note you'll need to find these files on your system and you will need to change "chroot" in the example to your chroot directory):

/chroot/lib64/libnss_files.so.2
/chroot/lib64/ld-linux-x86-64.so.2
/chroot/lib64/libc.so.6

AND you also must add each user to the /chroot/etc/passwd file, just copy it from the real /etc/passwd

19 vukasin August 25, 2010 at 6:51 am

I can confirm that this is working.

I’ve had problem with RHEL5 64-bit and just adding:

/chroot/lib64/libnss_files.so.2

did job for me.

Already have copied files:

/chroot/lib64/ld-linux-x86-64.so.2
/chroot/lib64/libc.so.6

All libs are located under the /lib64/ dir.

I've had a problem with the connection being closed right after successful authentication of the user.

Here is a list of files which should be contained in the chrooted structure (some binaries can be excluded, depends on requirements):

/chroot/bin:
sh

/chroot/dev:
log null

/chroot/etc:
group hosts ld.so.cache ld.so.conf ld.so.conf.d nsswitch.conf passwd resolv.conf

/chroot/etc/ld.so.conf.d: (I think that we don’t really need this dir)
mysql-x86_64.conf

/chroot/lib: (this is a soft link - "ln -s lib64 lib")
ld-linux-x86-64.so.2 libcrypto.so.6 libdl.so.2 libkeyutils.so.1 libnsl.so.1 libnss_files.so libplc4.so libresolv.so.2 libutil.so.1
libcrypt.so.1 libgssapi_krb5.so.2 libkrb5.so.3 libnspr4.so libnss_files.so.2 libplds4.so libselinux.so.1 libz.so.1
libcom_err.so.2 libc.so.6 libk5crypto.so.3 libkrb5support.so.0 libnss3.so libnssutil3.so libpthread.so.0 libsepol.so.1

/chroot/lib64:
ld-linux-x86-64.so.2 libcrypto.so.6 libdl.so.2 libkeyutils.so.1 libnsl.so.1 libnss_files.so libplc4.so libresolv.so.2 libutil.so.1
libcrypt.so.1 libgssapi_krb5.so.2 libkrb5.so.3 libnspr4.so libnss_files.so.2 libplds4.so libselinux.so.1 libz.so.1
libcom_err.so.2 libc.so.6 libk5crypto.so.3 libkrb5support.so.0 libnss3.so libnssutil3.so libpthread.so.0 libsepol.so.1

/chroot/libexec:
openssh

/chroot/libexec/openssh:

/chroot/usr:
bin lib lib64 libexec

/chroot/usr/bin:
rssh scp sftp sftp-server

/chroot/usr/lib64:
lib libgssapi_krb5.so.2 libk5crypto.so.3 libkrb5.so.3 libkrb5support.so.0 libnspr4.so libnss3.so libnssutil3.so libplc4.so libplds4.so libz.so.1

/chroot/usr/libexec:
openssh rssh_chroot_helper

/chroot/usr/libexec/openssh:
sftp-server

20 Martin December 25, 2010 at 1:01 pm

I too can confirm that this is working.

21 Download Free Photos October 8, 2009 at 8:28 am

I followed all the instructions, but I cannot lock user in his directory ?

Am I missing something ?

22 Girish December 4, 2009 at 11:25 pm

Vivek,

I’m trying this on CentOS release 4.8 (Final). The user can’t login if chrootpath and user is defined.

if I comment out (disable) the chrootpath and user entry, it will allow login but the user is free to roam around. How can I lock the user down to their own directory?

Any help very much appreciated.

My rssh.conf is as follows (in this state it does not allow user to login):
==================== begin: rssh.conf =================
logfacility = LOG_USER
allowscp
allowsftp
umask = 022
chrootpath=/users
user = ftptester:011:11000:/users/ftptester # whole user string can be quoted
==================== end rssh.conf ==============

The error in /var/log/messages is
===========================================================
Dec 4 10:13:34 summitftp-new sshd(pam_unix)[13478]: session opened for user ftptester by (uid=0)
Dec 4 10:13:34 summitftp-new rssh[13481]: setting log facility to LOG_USER
Dec 4 10:13:34 summitftp-new rssh[13481]: allowing scp to all users
Dec 4 10:13:34 summitftp-new rssh[13481]: allowing sftp to all users
Dec 4 10:13:34 summitftp-new rssh[13481]: setting umask to 022
Dec 4 10:13:34 summitftp-new rssh[13481]: line 53: configuring user ftptester
Dec 4 10:13:34 summitftp-new rssh[13481]: setting ftptester's umask to 011
Dec 4 10:13:34 summitftp-new rssh[13481]: allowing rdist to user ftptester
Dec 4 10:13:34 summitftp-new rssh[13481]: allowing rsync to user ftptester
Dec 4 10:13:34 summitftp-new rssh[13481]: chrooting ftptester to /users/ftptester
Dec 4 10:13:34 summitftp-new rssh[13481]: user ftptester attempted to execute forbidden commands
Dec 4 10:13:34 summitftp-new rssh[13481]: command: /usr/libexec/openssh/sftp-server
Dec 4 10:13:34 summitftp-new sshd(pam_unix)[13478]: session closed for user ftptester
==================

What am I missing?

Thanks

23 loshen March 31, 2011 at 2:23 pm

Hi,

I also get the same error .
Is it possible to post all of this in a cleaner article ?

24 loshen March 31, 2011 at 2:23 pm

I’m using Centos 5.5

25 Naren Koka December 31, 2009 at 2:26 pm

I have tried this and worked very well on CentOS 5.2. However on CentOS 5.4, it does not work. As soon as I type the password at the sftp prompt, I get the message “Connection closed”.

I have disabled SELinux. When it did not work, I did "yum install openssh" and built RSSH from source; that did not help either. Please suggest some help. I added the log file entries below:

Thank you,
Naren

/var/log/messages:
Dec 31 06:56:06 sftpserver1 rssh[10317]: setting log facility to LOG_USER
Dec 31 06:56:06 sftpserver1 rssh[10317]: allowing scp to all users
Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: new session for sftpuserA, UID=500
Dec 31 06:56:06 sftpserver1 rssh[10317]: allowing sftp to all users
Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: user's home dir is /sftproot/sftpuserA
Dec 31 06:56:06 sftpserver1 rssh[10317]: setting umask to 022
Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: chrooted to /sftproot
Dec 31 06:56:06 sftpserver1 rssh[10317]: chrooting all users to /sftproot
Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: changing working directory to /sftpuserA (inside jail)
Dec 31 06:56:06 sftpserver1 rssh[10317]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"

/var/log/secure:
Dec 31 06:56:05 sftpserver1 sshd[10314]: Accepted password for sftpuserA from 10.8.0.6 port 62566 ssh2
Dec 31 06:56:05 sftpserver1 sshd[10314]: pam_unix(sshd:session): session opened for user sftpuserA by (uid=0)
Dec 31 06:56:06 sftpserver1 sshd[10316]: subsystem request for sftp
Dec 31 06:56:06 sftpserver1 sshd[10314]: pam_unix(sshd:session): session closed for user sftpuserA

26 Brad Bortree March 14, 2010 at 12:10 am

Naren,

I had the same problem. I tried something from one of the above comments and it worked. Just copy the /lib/libnss_files.so.2 file into your chroot jail. For example, if your chroot jail is “/chroot” then

cp /lib/libnss_files.so.2 /chroot/lib

Also remember to copy the entry from /etc/passwd for your user into the chroot jail. For example, if your jailed username is “jaileduser” then

grep jaileduser /etc/passwd >> /chroot/etc/passwd

Brad

27 robroy March 2, 2012 at 7:33 am

Thanks for the tip! It helped me too ;)

28 Rolandow April 29, 2010 at 9:19 am

I feel like I’m almost there, but somehow I cannot connect. I don’t see any error in my logfiles. I’m running Debian Lenny. This is what my syslog says:

Apr 29 11:17:27 jukebox rssh[4960]: setting log facility to LOG_USER
Apr 29 11:17:27 jukebox rssh[4960]: allowing scp to all users
Apr 29 11:17:27 jukebox rssh[4960]: allowing sftp to all users
Apr 29 11:17:27 jukebox rssh[4960]: setting umask to 022
Apr 29 11:17:27 jukebox rssh[4960]: chrooting all users to /users
Apr 29 11:17:27 jukebox rssh[4960]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 "/usr/lib/openssh/sftp-server"

So everything looks okay, but my client still gives me an error.
Error: Fatal: unable to initialise SFTP on server: could not connect
Error: Could not connect to server

29 SPM March 13, 2012 at 11:33 am

Me too getting the same error. Can someone give me the fix.

30 SPM March 13, 2012 at 12:20 pm

It worked for me after copying /etc/passwd to /users/etc/passwd. :) :)

31 Nilesh April 29, 2010 at 6:20 pm

Hi Vivek,
I want to offer some users sftp only with a jail. How do I do it? The above stuff you wrote does more than what I need.

32 gyurman October 24, 2010 at 10:08 am

The l2chroot script gets an error message from the dirname and cp commands.

33 Khark January 4, 2011 at 1:20 pm

Hi,
if your system uses rsyslogd and not syslogd you need to specify the parameter $AddUnixListenSocket /users/dev/log for example in a separate config under /etc/rsyslog.d/ .

I keep mine in a file called: /etc/rsyslog.d/999-chroot-rsyslogd.conf

This will create the needed log-device for rsyslogd in the chroot.

34 Khark January 4, 2011 at 1:21 pm

Uhm, yeah forgot to add: You need to restart rsyslogd after creating the file :-)
/etc/init.d/rsyslogd restart will do :-)

35 Danilo Mota April 4, 2011 at 2:26 am

For those who stop at:
chroot cmd line: /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server”

The home directory at /chroot/etc/passwd must be relative to system chrooted, and the original file must have the full path if you want sshd find user’s authorized keys and so on.
Eg:
# /etc/passwd
user_sftp:x:505:500::/chroot/home/user_sftp:/usr/bin/rssh
# /chroot/etc/passwd
user_sftp:x:505:500::/home/user_sftp:/usr/bin/rssh

DM

36 Jp April 7, 2011 at 4:45 pm

I have tried everything in RHEL5 64-bit to get this working. I have copied all the binaries and libs to the same folder structure as vukasin. I have even used the default location in the guide. I don't see any message to do with rssh in my /var/log/messages log.

Can someone point me to some helpful troubleshooting tips? Or how to work out why users are able to go up levels and see all the folder structures I have created?

37 Zoltan April 7, 2011 at 11:00 pm

I have RHEL5 64, did everything needed and am still stuck at
chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"

I have the user in the passwd file with a relative home directory as Danilo proposed.

I can run chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server" as root, no error message (after copying chroot/lib64/libnss_files.so.2).

Anybody has any other idea?
Naturally if I remove chrooting from rssh then sftp works fine with this user.

38 Zoltan April 7, 2011 at 11:40 pm

I figured it out, it works now. Actually I didn't figure out what I did wrong but redid everything from zero and then it worked.
Although I believe there are a few typos in the original instructions and also I needed to copy:
"cp /lib64/libnss_files.so.2 /var/www/lib64/"

Phuh, it took me 10 hours to figure out all issues,

39 jp April 8, 2011 at 9:13 am

1> To get the rssh system to appear in my log, I followed Paul Mitchell's comment and added the following line to the sshd.conf: "Subsystem sftp /usr/libexec/openssh/sftp-server"

After which the following shows up in my /var/log/messages

Apr 8 09:15:34 test-ftp rssh[11728]: setting log facility to LOG_USER
Apr 8 09:15:34 test-ftp rssh[11728]: allowing scp to all users
Apr 8 09:15:34 test-ftp rssh[11728]: allowing sftp to all users
Apr 8 09:15:34 test-ftp rssh[11728]: setting umask to 022
Apr 8 09:15:34 test-ftp rssh[11728]: chrooting all users to /users
Apr 8 09:15:34 test-ftp rssh[11728]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"
Apr 8 09:15:34 test-ftp kernel: type=1104 audit(1302250534.943:2545183): user pid=11723 uid=0 auid=526 msg='PAM: setcred acct="testing" : exe="/usr/sbin/sshd" (hostname=XX.XX.XX.XX, addr=XX.XX.XX.XX, terminal=ssh res=success)'

2> I followed Danilo Mota's advice and made my passwd paths in the file relative to the environment.

I am still getting the errors above.

3> I copied the necessary files suggested in several comments down. Content of my /users folder shown below.

drwx------ 2 root root 4096 Apr 7 16:56 bin
drwxr-x--- 2 root root 4096 Apr 8 09:36 dev
drwx------ 3 root root 4096 Apr 7 16:43 etc
lrwxrwxrwx 1 root root 5 Apr 7 16:40 lib -> lib64
drwxr-xr-x 2 root root 4096 Apr 7 17:02 lib64
drwxr-xr-x 3 root root 4096 Apr 7 13:35 libexec
drwxr-xr-x 2 testing testing 4096 Apr 7 20:57 testing
drwxr-xr-x 5 root root 4096 Apr 7 14:05 usr

./bin:
total 1576
-rwx------ 1 root root 801512 Apr 7 16:56 bash
-rwx------ 1 root root 801512 Apr 7 16:56 sh

./dev:
total 0
srwxr-x--- 1 root root 0 Apr 8 09:36 log
crwxr-x--- 1 root root 1, 3 Apr 7 13:35 null

./etc:
total 76
-rwx------ 1 root root 36 Apr 8 09:49 group
-rwx------ 1 root root 100 Apr 7 13:37 hosts
-rwx------ 1 root root 47495 Apr 7 15:40 ld.so.cache
-rwx------ 1 root root 280 Apr 7 15:39 ld.so.conf
drwx------ 2 root root 4096 Apr 7 16:43 ld.so.conf.d
-rwx------ 1 root root 1696 Apr 7 15:40 nsswitch.conf
-rwx------ 1 root root 74 Apr 8 09:56 passwd
-rwx------ 1 root root 74 Apr 7 13:37 resolv.conf

./etc/ld.so.conf.d:
total 4
-rwx------ 1 root root 17 Oct 23 03:23 mysql-x86_64.conf

./lib64:
total 6852
-rwxr-xr-x 1 root root 139416 Apr 7 14:04 ld-linux-x86-64.so.2
-rwxr-xr-x 1 root root 10000 Apr 7 16:18 libcom_err.so.2
-rwxr-xr-x 1 root root 1366272 Apr 7 20:55 libcrypto.so.6
-rwxr-xr-x 1 root root 48600 Apr 7 20:55 libcrypt.so.1
-rwxr-xr-x 1 root root 1718120 Apr 7 20:55 libc.so.6
-rwxr-xr-x 1 root root 23360 Apr 7 20:55 libdl.so.2
-rwxr-xr-x 1 root root 190976 Apr 7 16:57 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root 153720 Apr 7 17:01 libk5crypto.so.3
-rwxr-xr-x 1 root root 9728 Apr 7 16:18 libkeyutils.so.1
-rwxr-xr-x 1 root root 613896 Apr 7 16:58 libkrb5.so.3
-rwxr-xr-x 1 root root 35728 Apr 7 17:01 libkrb5support.so.0
-rwxr-xr-x 1 root root 114352 Apr 7 20:55 libnsl.so.1
-rwxr-xr-x 1 root root 233112 Apr 7 16:59 libnspr4.so
-rwxr-xr-x 1 root root 1231352 Apr 7 17:01 libnss3.so
-rwxr-xr-x 1 root root 53880 Apr 7 16:24 libnss_files-2.5.so
-rwxr-xr-x 1 root root 53880 Apr 7 16:53 libnss_files.so
-rwxr-xr-x 1 root root 53880 Apr 8 09:59 libnss_files.so.2
-rwxr-xr-x 1 root root 123152 Apr 7 17:02 libnssutil3.so
-rwxr-xr-x 1 root root 17992 Apr 7 16:54 libplc4.so
-rwxr-xr-x 1 root root 13960 Apr 7 17:00 libplds4.so
-rwxr-xr-x 1 root root 145824 Apr 7 16:18 libpthread.so.0
-rwxr-xr-x 1 root root 92736 Apr 7 20:55 libresolv.so.2
-rwxr-xr-x 1 root root 95464 Apr 7 16:18 libselinux.so.1
-rwxr-xr-x 1 root root 247496 Apr 7 16:18 libsepol.so.1
-rwxr-xr-x 1 root root 18152 Apr 7 20:55 libutil.so.1
-rwxr-xr-x 1 root root 85928 Apr 7 17:00 libz.so.1

./libexec:
total 4
drwxr-xr-x 2 root root 4096 Apr 7 13:35 openssh

./libexec/openssh:
total 0

./testing:
total 0

./usr:
total 12
drwxr-xr-x 2 root root 4096 Apr 7 17:03 bin
drwxr-xr-x 2 root root 4096 Apr 7 14:05 lib64
drwxr-xr-x 3 root root 4096 Apr 7 16:55 libexec

./usr/bin:
total 252
-rwxr-xr-x 1 root root 29712 Apr 7 15:05 rssh
-rwxr-xr-x 1 root root 57504 Apr 7 15:05 scp
-rwxr-xr-x 1 root root 96280 Apr 7 15:05 sftp
-rwxr-xr-x 1 root root 53072 Apr 7 17:03 sftp-server

./usr/lib64:
total 2680
-rwxr-xr-x 1 root root 190976 Apr 7 16:18 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root 153720 Apr 7 16:18 libk5crypto.so.3
-rwxr-xr-x 1 root root 613896 Apr 7 16:18 libkrb5.so.3
-rwxr-xr-x 1 root root 35728 Apr 7 16:18 libkrb5support.so.0
-rwxr-xr-x 1 root root 233112 Apr 7 16:18 libnspr4.so
-rwxr-xr-x 1 root root 1231352 Apr 7 16:18 libnss3.so
-rwxr-xr-x 1 root root 123152 Apr 7 16:18 libnssutil3.so
-rwxr-xr-x 1 root root 17992 Apr 7 16:18 libplc4.so
-rwxr-xr-x 1 root root 13960 Apr 7 16:18 libplds4.so
-rwxr-xr-x 1 root root 85928 Apr 7 20:55 libz.so.1

./usr/libexec:
total 76
drwxr-xr-x 2 root root 4096 Apr 7 13:45 openssh
-rwsr-xr-x 1 root root 67691 Apr 7 16:55 rssh_chroot_helper

./usr/libexec/openssh:
total 56
-rwxr-xr-x 1 root root 53072 Apr 7 15:05 sftp-server
{code}

I am not sure what else to do – can anyone else provide any guidance?


40 Zoltan April 8, 2011 at 11:23 am

Hi JP,
In my case the solution for the same problem was to add /[chrootedlibrary]/lib64/libnss_files.so.2

But in your case it might be some other lib files missing.

I would try to run /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"
from a shell to see whether I get any error message. You might want to try with different users.

Also, if the user (at least the user number) is not in the /chrootlibrary/etc/passwd file, then you will get the same error as above, but when you run it from a shell it will tell you that it couldn't find the user id.

I hope it helps


41 Nicolas Casallas February 20, 2012 at 3:03 pm

The problem is solved by copying the folder libexec located in /users/libexec to /users/usr/libexec.

Run the command (from /users): cp -R libexec usr/

and try again.


42 Zoltan April 8, 2011 at 1:32 pm

Hi JP,
Actually I found another possible reason.
The rssh_chroot_helper is executed from the original folder and not the chrooted one, so you need to make sure that your chroot user has execute access to it.


43 jp April 8, 2011 at 2:01 pm

Hi Zoltan,
I have changed the user permissions on the original rssh_chroot_helper to root:testing and then performed a chmod to reassert the SetUID.
I still get the same error and an extra one when I do this.
Apr 8 14:55:46 testing-ftp rssh_chroot_helper[5621]: chroot() failed, 2: Operation not permitted
I have run through the example 3 times and I know I have added more libs than are necessary at this point.
I have already copied /libnss_files.so.2 into the relative location as shown in my ls -lR above.
I can't run the command /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server" as the testing user as the user is not allowed a shell. While trying to run the command as root, I get the following error
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: new session for root, UID=0
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: user’s home dir is /root
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: couldn’t find /root in chroot jail
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: chrooted to /users
Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: changing working directory to / (inside jail)
Thanks for your help.


44 Zoltan April 8, 2011 at 2:47 pm

What you get as root is not an error, it just tells you that the root user's home directory is not in the chrooted folder. This is expected.
It seems your rssh is working with root user, so now you just need to figure out why it’s not working with your chroot user.

Probably one of the necessary lib files, passwd file, sftp-server, rssh_chroot_helper etc file is not readable or executable by that user.
Unfortunately I couldn’t figure out how to get logging activated to see what is missing, so from this point on you just need to check all these files for proper access rights.


45 Zoltan April 8, 2011 at 2:48 pm

ps.: also make sure that your chroot user exists in the chroot/etc/passwd file.


46 ALEX April 12, 2011 at 12:09 pm

JP – /libexec is inside /usr. You can remove libexec from your /chroot dir. That probably won’t fix your problem but it could be messing with something. Other than that, I noticed your permissions in /etc are only operational for root. Try giving read permissions on the files in /etc. If that doesn’t work, change it back.


47 Greg May 19, 2011 at 9:41 pm

When in doubt, verify that the /chroot/dev/null exists. Worked for me.


48 Greg May 20, 2011 at 10:24 pm

I also found MySecureShell to be a superior tool to rssh.
It solved the issue that Ivan and Stefan warned about.
Their comments are dated August 22, 2008 & September 2, 2008.


49 Macinville May 30, 2011 at 10:43 am

Hi Vivek,
In the first few lines, you instructed

# mkdir -p /users/libexec/openssh

and then after that, you said

# cd /users/usr/libexec/openssh/

which will, of course, produce an error. I thought I could skip that code, but when I did, upon login it immediately prompted me "Connection closed" without any error whatsoever.

So what I did was to

# mkdir -p /users/usr/libexec/openssh

so I can proceed with

# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .

which is, apparently, quite important because after doing so, it let me connect to it.

Success!

I am thinking of making a script for CentOS 5.5 based on this. I will post any update about my plan. :)

Thanks Vivek!


50 Amit July 5, 2011 at 8:10 am

I am getting this error.. please help

Status: Connected to x.x.x.x
Error: Connection closed by server with exitcode 1
Error: Could not connect to server


51 X July 8, 2011 at 2:14 am

Everyone stuck at:

“… ssh_chroot_helper[4470]: changing working directory to / (inside jail)”

but then getting a refused connection on your sftp client. *Trust other posters* in that it is a library issue... I thought it was bullshit myself and almost gave up hope (no apparent error in my /var/log/syslog). My last resort was to copy all the files in the /lib folder to the /chroot/lib folder. Use the -p and --preserve=link switches so you preserve permissions and links (otherwise linked libraries will be copied as a file...).

cp -v -p -d --preserve=link /lib/* /chroot/lib/

It *will* work… Now it’s a matter of deleting one by one (if you want) and figuring it out the minimum subset required. In my case (Ubuntu 11.04 server):
ld-2.12.1.so
ld-linux-x86-64.so.2
libc-2.12.1.so
libc.so.6
libnsl-2.12.1.so
libnsl.so.1
libnss_compat-2.12.1.so
libnss_compat.so.2

I also followed all previous suggestions in the earlier comments on this site (e.g., adding user to /chroot/etc/passwd… etcetera). Good hunting!


52 Amit July 8, 2011 at 5:22 am

Try to upgrade openSSH version and enjoy the new inbuilt jailroot system. Much easier.

CyberCiti : please post an article for the same.


53 Solaria July 22, 2011 at 8:29 pm

Got this working on Solaris, works well. Here are some of the errors encountered, and the solutions:

Error: unknown user xxx

Occurs during SCP. Missing *nss* lib in chroot, copy /lib/nss_files.so.1 to chroot. (Solaris 10)

Error: connection closed

Occurs during SFTP. Missing *ksh* in chroot, copy /bin/ksh and/or /usr/bin/ksh to chroot

Error: connection closed

Occurs during SCP on Solaris 9. Missing *nss* lib in chroot, different library path than in Solaris 10. Copy /usr/lib/nss_files.so.1 to chroot.

Error: rssh_chroot_helper failed, Not owner

/usr/local/libexec/rssh_chroot_helper must be SUID root

Error: user attempted to execute forbidden commands; /usr/lib/ssh/sftp-server

Occurs during SFTP, logged in /var/adm/messages. Target system had both OpenSSH and SolarisSSH, error caused by conflict between rssh config and sshd_config. Run '/usr/local/bin/rssh -v' to get the sftp server binary path, compare to the 'Subsystem sftp' path in sshd_config (both config files, OpenSSH and SolarisSSH). Edit sshd_config to match the rssh config.

Found a pretty good script file for setting up the chroot on Solaris…


54 tgutierrez September 9, 2011 at 10:56 pm

Working!!
This works perfectly; at first I had connection problems but these problems were fixed just by adding /chroot/lib64/libnss_files.so.2.
I have RHEL 6

Thanks


55 Gustavo September 10, 2011 at 3:36 am

Very good tutorial. I wonder if there is a way to change the message shown on access, "This account is restricted by rssh.
Allowed commands: scp

If you believe this is in error, please contact your system administrator."

to another message.

Thank you for your help. Greetings from Colombia


56 Loshen September 12, 2011 at 8:40 am

In version 5, jailing is now natively supported.
The problem is that CentOS 5.5 and lower came with ssh 4.8 or lower.
So if you upgrade you will automatically get Jailing.
I followed these instructions. http://adamsworld.name/chrootjailv5.php


57 Sean Ackley March 22, 2012 at 10:21 pm

Vivek, this is a crazy good utility to use, made my life so much easier when I implemented chroot.

I ran into one issue, in which certain utilities like "vim" and "file" require support libraries under /usr/share. I also needed to include /usr/share/locale and /usr/share/terminfo (for "vim", for instance).

Is there a way to check within l2chroot for these support libs as well? It makes the installation a little more bullet proof.

Thanks so much.


58 Eli Wapniarski April 2, 2012 at 9:21 am

You can confine the user to their home folder by changing permissions on all the folders other than their home folder to 751. As per the example in this article:

cd /
chmod 751 users
cd users
find . -type d -exec chmod 751 {} \;

If you need to return the home folder back to normal permissions then:

chmod 700 vivek
cd vivek
find . -type d -exec chmod 755 {} \;


59 Sergios July 18, 2012 at 3:20 pm

If the user home is chmod 700
and the internal folders are find . -type d -exec chmod 755 {} \;
how is it possible for public_html to be readable by apache2? Or if we execute username:nobody /home/username/public_html and set the virtual host, can it be readable by the world?
Thank you.


60 TooMeeK May 5, 2013 at 12:46 am

Hi, just discovered problem on 64-bit OS, not copying shared libs:
l2chroot /usr/bin/scp
Copying shared files/libs to /home/jails…
Copying /lib64/ld-linux-x86-64.so.2 /home/jails/lib64…

when it should be:
ldd /usr/bin/scp
linux-vdso.so.1 => (0x00007fff4e35f000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffb9ed2e000)
/lib64/ld-linux-x86-64.so.2 (0x00007ffb9f2cf000)

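As an added example (not the article's l2chroot script and not any commenter's code), here is a small POSIX shell helper that copies a binary and its dependencies into the jail the way comments 51 and 60 describe: it parses both ldd line shapes, including the bare `/lib64/ld-linux-x86-64.so.2 (0x...)` form that comment 60 shows being skipped on 64-bit systems, and copies each library with `cp -p -d` so modes and symlinks survive. The function names and the usage path are assumptions; GNU cp and readlink are assumed.

```shell
#!/bin/sh
# Added example, not the article's l2chroot script: copy a binary and its shared
# libraries into an rssh chroot jail, mirroring each path under the jail root.
# ldd prints two line shapes that both need handling (the second is the
# 64-bit loader line that comment 60 reports being skipped):
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)   name => /path (addr)
#   /lib64/ld-linux-x86-64.so.2 (0x...)                    /path (addr)
# A line with no path at all (linux-vdso.so.1 => (0x...)) is ignored.

# Read ldd output on stdin; print one absolute library path per line.
parse_ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# Copy one absolute path into the jail at the same relative location,
# preserving mode/ownership and symlinks (cp -p -d), as comment 51 suggests.
# If it is a symlink, the resolved target is copied too so the link works inside.
copy_into_jail() {
    jail=$1; src=$2
    dest_dir="$jail$(dirname "$src")"
    mkdir -p "$dest_dir"
    cp -p -d "$src" "$dest_dir/"
    if [ -L "$src" ]; then
        target=$(readlink -f "$src")
        mkdir -p "$jail$(dirname "$target")"
        cp -p "$target" "$jail$(dirname "$target")/"
    fi
}

# Copy the binary itself plus everything ldd reports for it.
jail_binary() {
    jail=$1; bin=$2
    copy_into_jail "$jail" "$bin"
    ldd "$bin" | parse_ldd_paths | while read -r lib; do
        copy_into_jail "$jail" "$lib"
    done
}

# Usage (jail root /users as in the article): sh this_script.sh /users /usr/bin/scp
if [ "$#" -eq 2 ]; then
    jail_binary "$1" "$2"
fi
```

Run ldd again inside the jail (chroot /users /usr/bin/ldd is not needed; just re-check with parse_ldd_paths on the host) after each binary so that a library pulled in by one tool is not silently missing for another.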
