61 comment

1. Nice article Vivek. However some directories are not even required according to the admin restriction
   It`s better to use less directories in chroot jail account for security reasons.The following directories are enough for files transmission

   /etc
   /usr
   /lib

   Thanks

2. Very nice article!. I have two questions:

   1) Shouldn’t /etc/ld.so.cache.d/* be
   /etc/ld.so.conf.d/*?

   2) In Debian 4.0 and Ubuntu 7.10, I do not
   have the line
   SYSLOGD_OPTIONS=”-m 0″
   Instead, I have the line
   SYSLOGD=””
   What should I do?

3. Very nice article. Plenty of good information.

   only 1 “complaint” if you will…
   the title “configure chroot jail to lock users to their home directory only” leads me to believe the article will show how to “lock users to home”.

   It does not do this. Users are locked to the chroot jail ONLY.

   if my chroot jail is: /home/chroot
   and my users home directors go under that ie:
   /home/chroot/user1

   I’m using sftp only – and I do NOT want my users leaving their home directory. In fact – I don’t even want them to be able to ls another users directory.

   I have seen NO solution that deals with this…
   can this be done?
   (note: modifying the rssh.conf file & restarting services every time a new user is added to the system is not an acceptable solution)

   TIA

4. First of all, thank you very much for the interesting and well written article.

   Eventually i do have a similar question as Ivan before, only that in my case users can backup their data to their home directories using rsync. Is it possible to positively prevent say user1 from accessing data from user2 ?

   Kind regards
   Stefan

5. I like these pages a lot. Clearly written and frequently right. I spent many hours struggling with this but, judging from other forums, this is a fiddly thing to provide definitive steps for.

   I kept failing with the chroot configuration (on Centos 5). sftp connections would be dropped with no clear errors logged. The problems proved to be down to required files (libz.so.1, for one) that existed as symlinks in the orginal file system. These had been copied into the chroot by the script as files with the name of the links that linked to them. While I would have thought this would work, deleting these files and recreating the symlink set-up manually did the trick.

   Thanks for getting me started!

6. Hello Folks,
   I’d really like to get the chroot jail set up (we have a need for people to deposit data without
   being able to ssh in). I’m running into two problems, and while I’ve been a solaris admin for a long time, I’m still a beginner with Linux, so I’m probably missing som ething obvious.

   my /etc/rssh.conf states: chrootpath = /altroot, and in this partition, I’ve manually copied a number of files from an earlier scponly install and the contents of this web page. One thing I note is that there’s many missing libraries on my system as compared to what ldd thinks sftp needs.. However, sftp works.

   But when I create a user with rssh as the shell, the following occurs:

   sftp 172.X.X.X
   Connecting to 172.X.X.X...
   pmitchel@172.X.X.X's password:
   Connection closed

   and the obvous error message is:

   Feb  2 16:58:22  ELNDZ01F last message repeated 3 times
   Feb  2 16:58:22  ELNDZ01F sshd[20208]: pam_krb5[20208]: authentication succeeds for 'pmitchel' (pmitchel@ISIS.UNC.EDU)
   Feb  2 16:58:22  ELNDZ01F sshd[20208]: Accepted password for pmitchel from 152.2.102.25 port 40272 ssh2
   Feb  2 16:58:22  ELNDZ01F sshd[20211]: subsystem request for sftp
   Feb  2 16:58:22  ELNDZ01F rssh[20214]: setting log facility to LOG_USER
   Feb  2 16:58:22  ELNDZ01F rssh[20214]: allowing sftp to all users
   Feb  2 16:58:22  ELNDZ01F rssh[20214]: setting umask to 022
   Feb  2 16:58:22  ELNDZ01F rssh[20214]: chrooting all users to /altroot
   Feb  2 16:58:22  ELNDZ01F rssh[20214]: user pmitchel attempted to execute forbidden commands
   Feb  2 16:58:22  ELNDZ01F rssh[20214]: command: /opt/local/ssh/libexec/sftp-server

   My question is, why is rssh invoking /opt/local/ssh/libexec/sftp-server, esspecially as this file doesn’t exist!

   Any help will be appreciated, thanks.

   Paul Mitchell

7. Addendum to the above:

   Of course, /opt/local/ssh/libexec/sftp-server did exist, and it was pointed to in t he /etc/ssh/sshd_config file. I’ve changed that to: /altroot/opt/local/ssh/libexec/sftp-server
   and copied the executable there.

   I also updated the .etc.rssh.conf file to allowscp and sftp, as follows:

   # Leave these all commented out to make the default action for rssh to lock
   # users out completely…
   allowscp
   allowsftp

   My entry in this file is:
   chrootpath = /altroot
   user=”pmitchel:502:00011:/altroot”

   which should translate to allows sco, sftp, start from altroot.

   Still, I’m getting:

   Feb 3 14:23:46 ELNDZ01F sshd[3591]: Accepted password for pmitchel from 152.X.X.X port 33128 ssh2
   Feb 3 14:23:46 ELNDZ01F sshd[3596]: subsystem request for sftp
   Feb 3 14:23:46 ELNDZ01F rssh[3597]: setting log facility to LOG_USER
   Feb 3 14:23:46 ELNDZ01F rssh[3597]: allowing scp to all users
   Feb 3 14:23:46 ELNDZ01F rssh[3597]: allowing sftp to all users
   Feb 3 14:23:46 ELNDZ01F rssh[3597]: setting umask to 022
   Feb 3 14:23:46 ELNDZ01F rssh[3597]: chrooting all users to /altroot
   Feb 3 14:23:46 ELNDZ01F rssh[3597]: user pmitchel attempted to execute forbidden commands
   Feb 3 14:23:46 ELNDZ01F rssh[3597]: command: /altroot/opt/local/ssh/libexec/sftp-server

   why?

8. Hi Vivek,

   Thanks for your guide, I got it working on debian, but first I need to do some extra steps:
   1. There is no /etc/ld.so.cache.d in debian, so, don’t worry about copying it.
   2. Instead of copying your /etc/passwd and /etc/group files to your chroot folder, just do this:
   touch /passwd
   touch /group
   For jailing you don’t really need to have users and groups inside that files.
   3. The syslog configuration from debian is under /etc/default/syslogd. Instead of a “SYSLOGD_OPTIONS” variable, you have to change “SYSLOGD” instead.
   4. Somewhere on the cybercity howto is written: “Tip: If possible mount /users filesystem with the noexec/nosuid option to improve security.”; unfortunatelly, if you set noexec to the filesystem, then the user won’t be allowed to run sftp-server, thus the connection will fail. So, set only nosuid.
   5. suid the original chroot_rssh_chroot_helper command, otherwise, you won’t be able to login in the machine:
   chmod u+s /usr/lib/rssh/rssh_chroot_helper
   Note: A solution for avoding this is explained here:
   Howto create chrooted Openssh SFTP without shell access through rssh:
   http://ubuntuforums.org/showthread.php?t=128206&page=9
   I may try it later
   6. In order to avoid users to browse other people’s stuff, just add this to common-session from the /etc/pam.d folder:
   session required pam_mkhomedir.so debug skel=/etc/skel umask=0077
   So, only the owner will be able to browse the files on a user folder.

9. Opps, sorry, on step 2. I meant:
   touch /users/etc/passwd
   touch /users/etc/group

10. That’s a lot of bullshit just to restrict a user to a specific directory. Holy shit.

    1. Feel the exact same why *sigh* but client gets what client wants.

11. I could use some help. I already have a user named publicfiles and a home directory with a crap load of files in it for school. How do i lock it down so when people use winscp, they cant go anywhere in my server BUT the publicfiles folder? Please help. I dont want to add any new users or whatever. Just want to edit the current publicfiles user.

    Thanx

12. I followed all the instructions very carefully, and I almost have this working. It seems to work for scp, but when I use SFTP, the session is closed immediately after the log in. The log messages show that the passwd was accepted, but I see this message: “May 5 21:42:38 localhost rssh_chroot_helper[25142]: execv() failed, /usr/libexec/openssh/sftp-server: No such file or directory” The file “/usr/libexec/openssh/sftp-server” does exist, so it canb only be talking about the execv command, which I have found does not exist on my system. What do I do? Did anyone experience this?

13. I just found some information in the CHROOT document file, which seems to be exactly what is happening to me. I had not looked at this document previously so let me check it out and see if I can fix this problem I am having.

14. hey i been trying to do this chroot thingy for myserver but it gives me some error.

    users cant seem to connect at all. the connection is also terminated by the server.i followed each n every step of wat is written here. everything copied perfectly i doubled check as well.

    but yest this chroot doesnt work. can i know why is tat .. i use debian based server . Ubuntu server 9.04

15. ok the explaination did solve some of the problem.

    now i face the same problem henry is facing the execv command. plus my file location is /usr/lib/rssh/rssh_chroot_helper & /usr/lib/openssh/sftp_server

    what should i do next ?

16. For all having the execv problem:

    It happens on amd64 systems.
    Add the following lines to mkchroot.sh:

    
#####################################################################
#
# set up /dev/log
#
mkdir -p "$jail_dir/dev"

    ######### user added code ##############
# cp some more files
cp /lib/ld-linux-x86-64.so.2 "$jail_dir/lib/"
cp /lib/ld-linux.so.2 "$jail_dir/lib/"
cp -pR /lib64 "$jail_dir/"
# make /dev/null
mknod -m 666 "$jail_dir/dev/null" c 1 3
########## end user added code ############

    echo -e "NOTE: you must MANUALLY edit your syslog rc script to start syslogd"


    I found the solution here

17. I’m using CentOS 5.3 and when trying to sftp with chroot was getting a No User Found error after successful authentication and chroot… I scoured the web and found this solution:

    Add the following files (note you’ll need to find these files on your system and you will need to change “chroot” in the example to your chroot directory):

    /chroot/lib64/libnss_files.so.2
    /chroot/lib64/ld-linux-x86-64.so.2
    /chroot/lib64/libc.so.6

    AND you also must add each user to the /chroot/etc/passwd file, just copy it from the real /etc/passwd

    1. I can confirm that this is working.

       I’ve had problem with RHEL5 64-bit and just adding:

       /chroot/lib64/libnss_files.so.2

       did job for me.

       Already have copied files:

       /chroot/lib64/ld-linux-x86-64.so.2
       /chroot/lib64/libc.so.6

       All libs is located under /lib64/ dir.

       I’ve had problem with with connection closed right after successfully authentication of user.

       Here list of files which should be contained in chrooted structure (some binaries can be excluded – depends on requirements):

       /chroot/bin:
       sh

       /chroot/dev:
       log null

       /chroot/etc:
       group hosts ld.so.cache ld.so.conf ld.so.conf.d nsswitch.conf passwd resolv.conf

       /chroot/etc/ld.so.conf.d: (I think that we don’t really need this dir)
       mysql-x86_64.conf

       /chroot/lib: (this is soft link – “ln -s lib64 lib”)
       ld-linux-x86-64.so.2 libcrypto.so.6 libdl.so.2 libkeyutils.so.1 libnsl.so.1 libnss_files.so libplc4.so libresolv.so.2 libutil.so.1
       libcrypt.so.1 libgssapi_krb5.so.2 libkrb5.so.3 libnspr4.so libnss_files.so.2 libplds4.so libselinux.so.1 libz.so.1
       libcom_err.so.2 libc.so.6 libk5crypto.so.3 libkrb5support.so.0 libnss3.so libnssutil3.so libpthread.so.0 libsepol.so.1

       /chroot/lib64:
       ld-linux-x86-64.so.2 libcrypto.so.6 libdl.so.2 libkeyutils.so.1 libnsl.so.1 libnss_files.so libplc4.so libresolv.so.2 libutil.so.1
       libcrypt.so.1 libgssapi_krb5.so.2 libkrb5.so.3 libnspr4.so libnss_files.so.2 libplds4.so libselinux.so.1 libz.so.1
       libcom_err.so.2 libc.so.6 libk5crypto.so.3 libkrb5support.so.0 libnss3.so libnssutil3.so libpthread.so.0 libsepol.so.1

       /chroot/libexec:
       openssh

       /chroot/libexec/openssh:

       /chroot/usr:
       bin lib lib64 libexec

       /chroot/usr/bin:
       rssh scp sftp sftp-server

       /chroot/usr/lib64:
       lib libgssapi_krb5.so.2 libk5crypto.so.3 libkrb5.so.3 libkrb5support.so.0 libnspr4.so libnss3.so libnssutil3.so libplc4.so libplds4.so libz.so.1

       /chroot/usr/libexec:
       openssh rssh_chroot_helper

       /chroot/usr/libexec/openssh:
       sftp-server

    2. I too can confirm that this is working.

18. I followed all the instructions, but I cannot lock user in his directory ?

    Am I missing something ?

19. Vivek,

    I’m trying this on CentOS release 4.8 (Final). The user can’t login if chrootpath and user is defined.

    if I comment out (disable) the chrootpath and user entry, it will allow login but the user is free to roam around. How can I lock the user down to their own directory?

    Any help very much appreciated.

    My rssh.conf is as follows (in this state it does not allow user to login):
    ==================== begin: rssh.conf =================
    logfacility = LOG_USER
    allowscp
    allowsftp
    umask = 022
    chrootpath=/users
    user = ftptester:011:11000:/users/ftptester # whole user string can be quoted
    ==================== end rssh.conf ==============

    The error in /var/log/messages is
    ===========================================================
    Dec 4 10:13:34 summitftp-new sshd(pam_unix)[13478]: session opened for user ftptester by (uid=0)
    Dec 4 10:13:34 summitftp-new rssh[13481]: setting log facility to LOG_USER
    Dec 4 10:13:34 summitftp-new rssh[13481]: allowing scp to all users
    Dec 4 10:13:34 summitftp-new rssh[13481]: allowing sftp to all users
    Dec 4 10:13:34 summitftp-new rssh[13481]: setting umask to 022
    Dec 4 10:13:34 summitftp-new rssh[13481]: line 53: configuring user ftptester
    Dec 4 10:13:34 summitftp-new rssh[13481]: setting ftptester’s umask to 011
    Dec 4 10:13:34 summitftp-new rssh[13481]: allowing rdist to user ftptester
    Dec 4 10:13:34 summitftp-new rssh[13481]: allowing rsync to user ftptester
    Dec 4 10:13:34 summitftp-new rssh[13481]: chrooting ftptester to /users/ftptester
    Dec 4 10:13:34 summitftp-new rssh[13481]: user ftptester attempted to execute forbidden commands
    Dec 4 10:13:34 summitftp-new rssh[13481]: command: /usr/libexec/openssh/sftp-server
    Dec 4 10:13:34 summitftp-new sshd(pam_unix)[13478]: session closed for user ftptester
    ==================

    What am I missing?

    Thanks

    1. Hi,

       I also get the same error .
       Is it possible to post all of this in a cleaner article ?

       1. I’m using Centos 5.5

20. I have tried this and worked very well on CentOS 5.2. However on CentOS 5.4, it does not work. As soon as I type the password at the sftp prompt, I get the message “Connection closed”.

    I have disabled SELinux. When it did not work, I have done “yum install openssh” and built RSSH from source – that did not help either. Please suggest some help. I added the log file entries below:

    Thank you,
    Naren

    /var/log/messages:
    Dec 31 06:56:06 sftpserver1 rssh[10317]: setting log facility to LOG_USER
Dec 31 06:56:06 sftpserver1 rssh[10317]: allowing scp to all users
Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: new session for sftpuserA, UID=500
Dec 31 06:56:06 sftpserver1 rssh[10317]: allowing sftp to all users
Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: user's home dir is /sftproot/sftpuserA
Dec 31 06:56:06 sftpserver1 rssh[10317]: setting umask to 022
Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: chrooted to /sftproot
Dec 31 06:56:06 sftpserver1 rssh[10317]: chrooting all users to /sftproot
Dec 31 13:56:06 sftpserver1 rssh_chroot_helper[10317]: changing working directory to /sftpuserA (inside jail)
Dec 31 06:56:06 sftpserver1 rssh[10317]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 "/usr/libexec/openssh/sftp-server"

    /var/log/secure:
    Dec 31 06:56:05 sftpserver1 sshd[10314]: Accepted password for sftpuserA from 10.8.0.6 port 62566 ssh2
Dec 31 06:56:05 sftpserver1 sshd[10314]: pam_unix(sshd:session): session opened for user sftpuserA by (uid=0)
Dec 31 06:56:06 sftpserver1 sshd[10316]: subsystem request for sftp
Dec 31 06:56:06 sftpserver1 sshd[10314]: pam_unix(sshd:session): session closed for user sftpuserA

21. Naren,

    I had the same problem. I tried something from one of the above comments and it worked. Just copy the /lib/libnss_files.so.2 file into your chroot jail. For example, if your chroot jail is “/chroot” then

    cp /lib/libnss_files.so.2 /chroot/lib

    Also remember to copy the entry from /etc/passwd for your user into the chroot jail. For example, if your jailed username is “jaileduser” then

    grep jaileduser /etc/passwd >> /chroot/etc/passwd

    Brad

    1. Thanks for the tip! It helped me too 😉

22. I feel like I’m almost there, but somehow I cannot connect. I don’t see any error in my logfiles. I’m running Debian Lenny. This is what my syslog says:

    Apr 29 11:17:27 jukebox rssh[4960]: setting log facility to LOG_USER
    Apr 29 11:17:27 jukebox rssh[4960]: allowing scp to all users
    Apr 29 11:17:27 jukebox rssh[4960]: allowing sftp to all users
    Apr 29 11:17:27 jukebox rssh[4960]: setting umask to 022
    Apr 29 11:17:27 jukebox rssh[4960]: chrooting all users to /users
    Apr 29 11:17:27 jukebox rssh[4960]: chroot cmd line: /usr/lib/rssh/rssh_chroot_helper 2 “/usr/lib/openssh/sftp-server”

    So everything looks okay, but my client still gives me an error.
    Error: Fatal: unable to initialise SFTP on server: could not connect
    Error: Could not connect to server

    1. Me too getting the same error. Can someone give me the fix.

       1. It worked for me after copying /etc/passwd to /users/etc/passwd. 🙂 🙂

23. Hi vivek,
    I want to offer some users sftp only with a jail. How do I do it ? The above stuff you wrote does more than what I need.

24. l2chroot script get error message with dirname and cp command.

25. Hi,
    if your system uses rsyslogd and not syslogd you need to specify the parameter $AddUnixListenSocket /users/dev/log for example in a separate config under /etc/rsyslog.d/ .

    I keep mine in a file called: /etc/rsyslog.d/999-chroot-rsyslogd.conf

    This will create the needed log-device for rsyslogd in the chroot.

26. Uhm, yeah forgot to add: You need to restart rsyslogd after creating the file 🙂
    /etc/init.d/rsyslogd restart will do 🙂

27. For those who stops at:
    chroot cmd line: /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server”

    The home directory at /chroot/etc/passwd must be relative to system chrooted, and the original file must have the full path if you want sshd find user’s authorized keys and so on.
    Eg:
    # /etc/passwd
    user_sftp:x:505:500::/chroot/home/user_sftp:/usr/bin/rssh
    # /chroot/etc/passwd
    user_sftp:x:505:500::/home/user_sftp:/usr/bin/rssh

    DM

28. I have tried everything in RHEL5 64, bit to get this working. I have copied all the binnaries and libs to the same folder structure as vukasin. I have even used the default location in the guide. I dont see any message to do with rssh in my /var/log/messages log.

    Can someone point me to some helpful troubleshooting tips? Or how to work out why users are able to go up levels and see all the folder structures I have created?

29. I have RHEL5 64, did everything needed and still stuck at
    chroot cmd line: /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server”

    I have the user in the passwd file with relative home directory as Danilo proposed.

    I can run chroot cmd line: /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server” as root, no error message (after copied chroot/lib64/libnss_files.so.2).

    Anybody has any other idea?
    Naturally if I remove chrooting from rssh then sftp works fine with this user.

30. I figured it out, it works now. Actually I didn’t figure out what I did wrong but redid everything from zero and then it worked.
    Altough I believe there are a few typos in the original instructions and also I needed to copy:
    “cp /lib64/libnss_files.so.2 /var/www/lib64/”

    Phuh, it took me 10 hours to figure out all issues,

31. 1> To get the rssh system to appear in my log. I followed – Paul Mitchell comment and added the following line to the sshd.conf. “Subsystem sftp /usr/libexec/openssh/sftp-server”

    After which the following shows up in my /var/log/messages

    {code}
    Apr 8 09:15:34 test-ftp rssh[11728]: setting log facility to LOG_USER
    Apr 8 09:15:34 test-ftp rssh[11728]: allowing scp to all users
    Apr 8 09:15:34 test-ftp rssh[11728]: allowing sftp to all users
    Apr 8 09:15:34 test-ftp rssh[11728]: setting umask to 022
    Apr 8 09:15:34 test-ftp rssh[11728]: chrooting all users to /users
    Apr 8 09:15:34 test-ftp rssh[11728]: chroot cmd line: /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server”
    Apr 8 09:15:34 test-ftp kernel: type=1104 audit(1302250534.943:2545183): user pid=11723 uid=0 auid=526 msg=’PAM: setcred acct=”testing” : exe=”/usr/sbin/sshd” (hostname=XX.XX.XX.XX, addr=XX.XX.XX.XX, terminal=ssh res=success)’
    {code}

    2> followed – Danilo Mota advise and made my passwd paths in the file relative to the enviroment.

    I am still getting the errors above.

    3> I copied the nesary files sugested in several comments down. content of my /users folder shown below.

    {code}
    drwx—— 2 root root 4096 Apr 7 16:56 bin
    drwxr-x— 2 root root 4096 Apr 8 09:36 dev
    drwx—— 3 root root 4096 Apr 7 16:43 etc
    lrwxrwxrwx 1 root root 5 Apr 7 16:40 lib -> lib64
    drwxr-xr-x 2 root root 4096 Apr 7 17:02 lib64
    drwxr-xr-x 3 root root 4096 Apr 7 13:35 libexec
    drwxr-xr-x 2 testing testing 4096 Apr 7 20:57 testing
    drwxr-xr-x 5 root root 4096 Apr 7 14:05 usr

    ./bin:
    total 1576
    -rwx—— 1 root root 801512 Apr 7 16:56 bash
    -rwx—— 1 root root 801512 Apr 7 16:56 sh

    ./dev:
    total 0
    srwxr-x— 1 root root 0 Apr 8 09:36 log
    crwxr-x— 1 root root 1, 3 Apr 7 13:35 null

    ./etc:
    total 76
    -rwx—— 1 root root 36 Apr 8 09:49 group
    -rwx—— 1 root root 100 Apr 7 13:37 hosts
    -rwx—— 1 root root 47495 Apr 7 15:40 ld.so.cache
    -rwx—— 1 root root 280 Apr 7 15:39 ld.so.conf
    drwx—— 2 root root 4096 Apr 7 16:43 ld.so.conf.d
    -rwx—— 1 root root 1696 Apr 7 15:40 nsswitch.conf
    -rwx—— 1 root root 74 Apr 8 09:56 passwd
    -rwx—— 1 root root 74 Apr 7 13:37 resolv.conf

    ./etc/ld.so.conf.d:
    total 4
    -rwx—— 1 root root 17 Oct 23 03:23 mysql-x86_64.conf

    ./lib64:
    total 6852
    -rwxr-xr-x 1 root root 139416 Apr 7 14:04 ld-linux-x86-64.so.2
    -rwxr-xr-x 1 root root 10000 Apr 7 16:18 libcom_err.so.2
    -rwxr-xr-x 1 root root 1366272 Apr 7 20:55 libcrypto.so.6
    -rwxr-xr-x 1 root root 48600 Apr 7 20:55 libcrypt.so.1
    -rwxr-xr-x 1 root root 1718120 Apr 7 20:55 libc.so.6
    -rwxr-xr-x 1 root root 23360 Apr 7 20:55 libdl.so.2
    -rwxr-xr-x 1 root root 190976 Apr 7 16:57 libgssapi_krb5.so.2
    -rwxr-xr-x 1 root root 153720 Apr 7 17:01 libk5crypto.so.3
    -rwxr-xr-x 1 root root 9728 Apr 7 16:18 libkeyutils.so.1
    -rwxr-xr-x 1 root root 613896 Apr 7 16:58 libkrb5.so.3
    -rwxr-xr-x 1 root root 35728 Apr 7 17:01 libkrb5support.so.0
    -rwxr-xr-x 1 root root 114352 Apr 7 20:55 libnsl.so.1
    -rwxr-xr-x 1 root root 233112 Apr 7 16:59 libnspr4.so
    -rwxr-xr-x 1 root root 1231352 Apr 7 17:01 libnss3.so
    -rwxr-xr-x 1 root root 53880 Apr 7 16:24 libnss_files-2.5.so
    -rwxr-xr-x 1 root root 53880 Apr 7 16:53 libnss_files.so
    -rwxr-xr-x 1 root root 53880 Apr 8 09:59 libnss_files.so.2
    -rwxr-xr-x 1 root root 123152 Apr 7 17:02 libnssutil3.so
    -rwxr-xr-x 1 root root 17992 Apr 7 16:54 libplc4.so
    -rwxr-xr-x 1 root root 13960 Apr 7 17:00 libplds4.so
    -rwxr-xr-x 1 root root 145824 Apr 7 16:18 libpthread.so.0
    -rwxr-xr-x 1 root root 92736 Apr 7 20:55 libresolv.so.2
    -rwxr-xr-x 1 root root 95464 Apr 7 16:18 libselinux.so.1
    -rwxr-xr-x 1 root root 247496 Apr 7 16:18 libsepol.so.1
    -rwxr-xr-x 1 root root 18152 Apr 7 20:55 libutil.so.1
    -rwxr-xr-x 1 root root 85928 Apr 7 17:00 libz.so.1

    ./libexec:
    total 4
    drwxr-xr-x 2 root root 4096 Apr 7 13:35 openssh

    ./libexec/openssh:
    total 0

    ./testing:
    total 0

    ./usr:
    total 12
    drwxr-xr-x 2 root root 4096 Apr 7 17:03 bin
    drwxr-xr-x 2 root root 4096 Apr 7 14:05 lib64
    drwxr-xr-x 3 root root 4096 Apr 7 16:55 libexec

    ./usr/bin:
    total 252
    -rwxr-xr-x 1 root root 29712 Apr 7 15:05 rssh
    -rwxr-xr-x 1 root root 57504 Apr 7 15:05 scp
    -rwxr-xr-x 1 root root 96280 Apr 7 15:05 sftp
    -rwxr-xr-x 1 root root 53072 Apr 7 17:03 sftp-server

    ./usr/lib64:
    total 2680
    -rwxr-xr-x 1 root root 190976 Apr 7 16:18 libgssapi_krb5.so.2
    -rwxr-xr-x 1 root root 153720 Apr 7 16:18 libk5crypto.so.3
    -rwxr-xr-x 1 root root 613896 Apr 7 16:18 libkrb5.so.3
    -rwxr-xr-x 1 root root 35728 Apr 7 16:18 libkrb5support.so.0
    -rwxr-xr-x 1 root root 233112 Apr 7 16:18 libnspr4.so
    -rwxr-xr-x 1 root root 1231352 Apr 7 16:18 libnss3.so
    -rwxr-xr-x 1 root root 123152 Apr 7 16:18 libnssutil3.so
    -rwxr-xr-x 1 root root 17992 Apr 7 16:18 libplc4.so
    -rwxr-xr-x 1 root root 13960 Apr 7 16:18 libplds4.so
    -rwxr-xr-x 1 root root 85928 Apr 7 20:55 libz.so.1

    ./usr/libexec:
    total 76
    drwxr-xr-x 2 root root 4096 Apr 7 13:45 openssh
    -rwsr-xr-x 1 root root 67691 Apr 7 16:55 rssh_chroot_helper

    ./usr/libexec/openssh:
    total 56
    -rwxr-xr-x 1 root root 53072 Apr 7 15:05 sftp-server
    {code}

    I am not sure what else to do – can anyone else provide any guidance?

32. Hi JP,
    In my case the solution for the same problem was to add /[chrootedlibrary]/lib64/libnss_files.so.2

    But in your case it might be some other lib files missing.

    I would try to run /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server”
    from shell to see whether I get any error message. You might want to try with different users.

    Also if the user (At least the user number )is not in the /chrootlibrary/etc/passwd file, then you will get the same error as above, but when you run it from shell it will tell you that couldn’t find the user id.

    I hope it helps

    1. the problem is solved by copying the folder libexeclocated in /users/libexec to /users/usr/libexec.

       Run the command: cp-R usr libexec/

       and try again.

33. Hi JP,
    Actually I found another possibe reason.
    The rssh_chroot_helper is exeuted from the original folder and not the chrooted one, so you need to make sure that your chroot user has execute access to it.

34. Hi Zoltan,
    I have changed the user permissions on the original rssh_chroot_helper to root:testing and then performed a chmod to reassert the SetUID.
    I still get the same error and an extrea one when I do this.
    Apr 8 14:55:46 testing-ftp rssh_chroot_helper[5621]: chroot() failed, 2: Operation not permitted
    I have run throught the example 3 times and I know I have added more libs than are nessary at this point.
    I have already copied /libnss_files.so.2 into the rewlative location as shown in my ls –lR above.
    I can’t run the command /usr/libexec/rssh_chroot_helper 2 “/usr/libexec/openssh/sftp-server” as the testing user as the user is not allowed a shell. While trying to run the command as root. I get the following error
    Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: new session for root, UID=0
    Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: user’s home dir is /root
    Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: couldn’t find /root in chroot jail
    Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: chrooted to /users
    Apr 8 13:38:57 testing-ftp rssh_chroot_helper[4470]: changing working directory to / (inside jail)
    Thanks for your help.

35. What you get as a root is not an error, it just tells that the root user’s home directory is not in the chrooted folder. This is expected
    It seems your rssh is working with root user, so now you just need to figure out why it’s not working with your chroot user.

    Probably one of the necessary lib files, passwd file, sftp-server, rssh_chroot_helper etc file is not readable or executable by that user.
    Unfortunately I couldn’t figure out how to get logging activated to see what is missing, so from this point on you just need to check all these files for proper access rights.

36. ps.: also make sure that your chroot user exists in the chroot/etc/passw file.

    1. JP – /libexec is inside /usr. You can remove libexec from your /chroot dir. That probably won’t fix your problem but it could be messing with something. Other than that, I noticed your permissions in /etc are only operational for root. Try giving read permissions on the files in /etc. If that doesn’t work, change it back.

37. When in doubt, verify that the /chroot/dev/null exists. Worked for me.

38. I also found MySecureShell to be a superior tool to rssh.
    It solved the issue that Ivan and Stefan warned about.
    Their comments are dated August 22, 2008 & September 2, 2008.

39. Hi Vivek,
    In the first few lines, the you instructed

    …
    # mkdir -p /users/libexec/openssh

    and then after that, you said

    …
    # cd /users/usr/libexec/openssh/

    which will,of course, produce an error. I thought I could skip that code, but when I did, upon login it immediately prompted me “Connection closed” without any error whatsoever.

    So what I did was to

    …
    # mkdir -p /users/usr/libexec/openssh

    so I can proceed with

    …
    # cd /users/usr/libexec/openssh/
    # cp /usr/libexec/openssh/sftp-server

    which is, apparently, quite important because after doing so, it let me connect to it.

    Success!

    I am thinking of making a script for CentOS 5.5 based on this. I will post any update about my plan. 🙂

    Thanks Vivek!

40. I am getting this error.. please help

    Status: Connected to x.x.x.x
    Error: Connection closed by server with exitcode 1
    Error: Could not connect to server

41. Everyone stuck at:

    “… ssh_chroot_helper[4470]: changing working directory to / (inside jail)”

    but then getting a refused connection on your sftp client. *Trust other posters* in that it is a library issue… I thought it was bullshit myself and almost gave up hope (no aparent error on my /var/log/syslog). My last resort was to copy all the files in the /lib folder to the /chroot/lib folder. Use the -p and –preserve=link switches so you preserve permissions and links (otherwise linked libraries will be copied as a file…).

    cp -v -p -d –preserve=link /lib/* /chroot/lib/

    It *will* work… Now it’s a matter of deleting one by one (if you want) and figuring it out the minimum subset required. In my case (Ubuntu 11.04 server):
    ld-2.12.1.so
    ld-linux-x86-64.so.2
    libc-2.12.1.so
    libc.so.6
    libnsl-2.12.1.so
    libnsl.so.1
    libnss_compat-2.12.1.so
    libnss_compat.so.2

    I also followed all previous suggestions in the earlier comments on this site (e.g., adding user to /chroot/etc/passwd… etcetera). Good hunting!

42. Try to upgrade openSSH version and enjoy the new inbuilt jailroot system. Much easier.

    CyberCiti : please post an article for the same.

43. Got this working on Solaris, works well. Here are some of the errors encountered, and the solutions:

    Error: unknown user xxx
    

    Occurs during SCP. Missing “nss* lib in chroot, copy /lib/nss_files.so.1 to chroot. (Solaris 10)

    Error: connection closed
    

    Occurs during SFTP. Missing *ksh* in chroot, copy /bin/ksh and/or /usr/bin/ksh to chroot

    Error: connection closed
    

    Occurs during SCP on Solaris 9. Missing *nss* lib in chroot, different library path than in Solaris 10. Copy /usr/lib/nss_files.so.1 to chroot.

    Error: rssh_chroot_helper failed, Not owner
    

    /usr/local/libexec/rssh_chroot_helper must be SUID root

    Error: user attempted to execute forbidden commands; /usr/lib/ssh/sftp-server
    

    Occurs during SFTP, logged in /var/adm/messages. Target system had both OpenSSH and SolarisSSH, error caused by conflict between rssh config and sshd_config. run ‘/usr/local/bin/rssh -v’ to get sftp server binary path, compare to ‘Subsystem sftp’ path in sshd_config (both config files, OpenSSH and SolarisSSH). Edit sshd_config to match rssh config.

    Found a pretty good script file for setting up the chroot on Solaris…

44. Working!!
    This work perfectly,at first I’d connection problems but these problems were fixed just adding /chroot/lib64/libnss_files.so.2.
    I have RHEL 6

    Thanks

45. Very good tutorial, I wonder if there is no way to change the message out to access “This account is restricted by rssh.
    Allowed commands: scp

    If you believe this is in error, please contact your system administrator.
    ”
    For another message.

    Thank you for your help. Greetings from Colombia

46. In version 5, jailing is now natively supported.
    The problem is that SSH with centos 5.5 lower came with ssh 4.8 < .
    So if you upgrade you will automatically get Jailing.
    I followed these instructions. http://adamsworld.name/chrootjailv5.php

47. Vivek, this is a crazy good utility to use, made my life so much easier when I implemented chroot.

    I ran into one issue, in which certain utilities like “vim” and “file” require support libraries under /usr/share. I also needed to include /usr/share/locale and /usr/share/terminfo (for “vim” for instance.

    Is there a way to check within l2chroot for these support libs as well? It makes the installation a little more bullet proof.

    Thanks so much.

48. You can confine the user to their home folder by changing permissions on all the folders other than their home folder to 751. As per the example in this article:

    cd /
    chmod 751 users
    cd users
    find . -type d -exec chmod 751 {} ;

    If you need to return the home folder back to normal permissions then:

    chmod 700 vivek
    cd vivek
    find . -type d -exec chmod 755 {} ;

49. If user home is chmod 700
    And internal folders is find . -type d -exec chmod 755 {} ;
    How is possible to readable by apache2 the public_html , or if we execute the username:nobody /home/username/public_html and set the virtual host is can readable by the world ?
    Thank you.

50. Hi, just discovered problem on 64-bit OS, not copying shared libs:
    l2chroot /usr/bin/scp
    Copying shared files/libs to /home/jails…
    Copying /lib64/ld-linux-x86-64.so.2 /home/jails/lib64…

    when it should be:
    ldd /usr/bin/scp
    linux-vdso.so.1 => (0x00007fff4e35f000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffb9ed2e000)
    /lib64/ld-linux-x86-64.so.2 (0x00007ffb9f2cf000)

51. This is one area where SSH really falls down. I’ve looked at other options like RSSH– what a joke. Unnecessarily complex. This should be just as easy as implementing cvsroot for ftp. Well, it is but nobody seems to know about it– take a look at Minstrel– have been using this solution production since 2008 without a single problem Just specify the user’s shell and the appropriate path to their home directory and voila, root-jailed sftp only.: http://www.minstrel.org.uk/papers/sftp/

    Have a question? Post it on our forum!