Chroot in OpenSSH / SFTP Feature Added To OpenSSH

For regular user accounts, a properly configured chroot jail is a rock-solid security system. I've already written about chrooting SFTP sessions using rssh. According to the OpenBSD Journal, OpenSSH developers Damien Miller and Markus Friedl have recently added a chroot security feature to OpenSSH itself:

Unfortunately, setting up a chroot(2) environment is complicated, fragile and annoying to maintain. The most frequent reason our users have given when asking for chroot support in sshd is so they can set up file servers that limit semi-trusted users to be able to access certain files only. Because of this, we have made this particular case very easy to configure.

This commit adds a chroot(2) facility to sshd, controlled by a new sshd_config(5) option “ChrootDirectory”. This can be used to “jail” users into a limited view of the filesystem, such as their home directory, rather than letting them see the full filesystem.
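The following check is an added example, not part of the quoted announcement or of OpenSSH. sshd_config(5) requires every component of the ChrootDirectory pathname to be a root-owned directory that no other user or group can write to, and sshd rejects the session otherwise, so this script walks a candidate path and reports the offending components. The group name `sftponly` and the path `/srv/sftp` are hypothetical, and the script assumes a `stat` that accepts `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: pre-flight check for a directory used as ChrootDirectory.
# Pairs with an sshd_config stanza such as (group and path are hypothetical):
#   Match Group sftponly
#       ChrootDirectory /srv/sftp/%u
#       ForceCommand internal-sftp
# Assumption: stat supports -c (GNU/BusyBox); BSD stat uses other flags.

# component_ok UID MODE -> 0 if owned by root with no group/other write bit.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1
    return 0
}

# check_chroot_path DIR -> 0 if DIR and every parent up to / pass.
# Prints one line per offending component. Returns 1 if any component
# fails, 2 if DIR is not an absolute path to an existing directory.
check_chroot_path() {
    ccp_path=$1
    ccp_rc=0
    case $ccp_path in
        /*) ;;
        *) echo "not an absolute path: $ccp_path" >&2; return 2 ;;
    esac
    [ -d "$ccp_path" ] || { echo "not a directory: $ccp_path" >&2; return 2; }
    while :; do
        # -L follows symlinks, so the target directory is what gets checked
        ccp_uid=$(stat -L -c %u -- "$ccp_path") || return 2
        ccp_mode=$(stat -L -c %a -- "$ccp_path") || return 2
        if ! component_ok "$ccp_uid" "$ccp_mode"; then
            echo "BAD  uid=$ccp_uid mode=$ccp_mode  $ccp_path"
            ccp_rc=1
        fi
        [ "$ccp_path" = / ] && break
        ccp_path=$(dirname -- "$ccp_path")
    done
    return $ccp_rc
}

# Usage: sh check-chroot.sh /srv/sftp/alice   (hypothetical path)
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Because the jail root itself must not be writable by the user, uploads go into a user-owned subdirectory created inside it.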

5 comments
  • Bryan Feb 21, 2008 @ 2:19

    Yes, this is a long time coming. You finally don’t have to jump through hoops now.

  • Bensode Feb 21, 2008 @ 14:40

    Any ideas when this will get placed into production and out of CVS? Hoping that it will be available in apt sources soon.

  • Dave Mar 14, 2008 @ 4:19

    You mean I just did a whole upgrade to openssl, zlib, prngd, openssh, etc., and the chrootdirectory is still not in there. LOL!!! Looking forward to the release into production, and THANK YOU!!!

  • od Apr 9, 2008 @ 3:49

    this is awesome. thanks.

  • Webagentur Nov 5, 2008 @ 15:16

    Thank you for this tutorial. It has helped me very much.
