Makejail

Installing and configuring an SSHD in a chroot environment using Makejail

Sometimes you need to restrict a user who has SSH access. You can do this with directory permissions and by limiting the user's rights, but changing the user's root directory and restricting them to a set of programs you choose is much safer. Here is how to configure SSHD to work with a chroot and apply the restriction only to the users you choose.

For this we need a patched version of SSHD and the makejail package, which builds a chroot environment for a program automatically from a configuration file. The downside is that the patched package is not the most recent SSHD release: it is version 4.3p2. The installation and setup below was done on Ubuntu 8.04; source for the patched SSHD is available for download for other operating systems.

Install the required software with the command

Code:

aptitude install makejail

Then create a configuration file for makejail. It describes the chroot environment: where it lives and which programs, libraries and support files are copied into it.

Code:

touch /etc/makejail/sshd

Here is my file. You can change the chroot directory, the user names, and the set of programs copied into the jail (add a packages list if you want whole packages pulled in). Note that the list below copies /etc/shadow into the jail, so the password hashes of every account end up in /mnt/chroot/etc/shadow as well; that copy is still root-only, but it goes stale whenever a password changes, so trim the list to what your jailed users actually need.

Code:

chroot="/mnt/chroot"
forceCopy=["/etc/ssh/ssh_host*","/etc/ssh/sshd*","/etc/ssh/moduli",
"/etc/pam.conf","/etc/security/*","/etc/pam.d/ssh","/etc/pam.d/other",
"/etc/hosts","/etc/nsswitch.conf",
"/var/run/sshd","/lib/security/*",
"/etc/shells", "/etc/nologin","/etc/environment","/etc/motd",
"/etc/shadow","/etc/hosts*",
"/bin/*sh", "/lib/libnss*",
"/dev/pt*","/dev/ttyp[0-9]*"]

Install a patched SSHD that has chroot support. The client package has to be replaced as well, because the server and client packages depend on each other at matching versions.

Code:

wget http://debian.home-dn.net/etch/ssh/openssh-server_4.3p2-9etch2-chroot4.3p1_i386.deb
wget http://debian.home-dn.net/etch/ssh/openssh-client_4.3p2-9etch2-chroot4.3p1_i386.deb
dpkg -i openssh-client_4.3p2-9etch2-chroot4.3p1_i386.deb openssh-server_4.3p2-9etch2-chroot4.3p1_i386.deb

Create a test user with the login tester

Code:

# -p expects an already-hashed password, not plain text, so set it with passwd instead
useradd -m -d /mnt/chroot/home/tester -s /bin/bash tester
passwd tester

If you look in /etc/passwd you will see a line like the following:
tester:x:142:142::/mnt/chroot/home/tester:/bin/bash
To have the user chrooted at SSH login, change that line to:
tester:x:142:142::/mnt/chroot/./home/tester:/bin/bash
The added /./ marks where the new root ends: the patched sshd chroots to everything before it (/mnt/chroot) and uses everything after it (/home/tester) as the home directory inside the jail. Users without the marker keep / as their root and are not affected.

Now run the makejail program to create a chroot environment

Code:

makejail /etc/makejail/sshd

This copies everything the configuration lists (plus what makejail detects sshd needs) into /mnt/chroot and starts the SSHD daemon. After that, try to log in to the server as the user tester.

So that the SSH server keeps starting in the isolated environment across reboots and restarts, change the /etc/init.d/ssh script slightly: replace "start-stop-daemon …" with "chroot /mnt/chroot start-stop-daemon …", using the same directory as chroot= in the makejail configuration.
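The steps above can be checked before anyone logs in. The shell helpers below are an added example and are not part of the original post or of makejail: they rewrite a passwd line with the /./ marker the patched sshd expects, count the files the jail is still missing, and confirm that a jailed user's home and shell resolve inside the jail. The sample passwd line and the scratch directory are constructed for illustration; the jail path assumes chroot="/mnt/chroot" from the configuration above.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for the per-user
# chroot setup described above. The sample passwd line and the scratch jail
# are constructed for illustration; JAIL is assumed to match
# chroot="/mnt/chroot" in /etc/makejail/sshd.

JAIL=/mnt/chroot

# jail_passwd_entry LINE JAIL
# Rewrite one /etc/passwd line so the home field carries the "/./" marker the
# chroot-patched sshd looks for: the part before "/./" becomes the session's
# root, the part after it is the home directory as seen inside the jail.
# Lines whose home is outside JAIL, or that already carry "/./", pass through.
jail_passwd_entry() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v jail="$2" '
        index($6, "/./") == 0 && index($6, jail "/") == 1 {
            $6 = jail "/./" substr($6, length(jail) + 2)
        }
        { print }'
}

# check_jail JAIL
# Report files a jailed login needs that are missing from JAIL (to stderr)
# and print the number missing (to stdout); 0 means the jail looks complete.
# The list is a subset of what the makejail config above copies, plus
# /etc/passwd, which the jailed session needs to resolve its own user.
check_jail() {
    missing=0
    for f in /etc/passwd /etc/shadow /etc/nsswitch.conf /etc/pam.d/ssh \
             /etc/ssh/sshd_config /bin/sh; do
        if ! [ -e "$1$f" ]; then
            echo "missing: $1$f" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# jail_user_ok LINE
# For a rewritten passwd line, check that the home directory and the login
# shell exist where the jailed session will look for them. Returns 1 (with a
# reason on stderr) if the marker is absent or either path is missing.
jail_user_ok() {
    home=$(printf '%s' "$1" | cut -d: -f6)
    shell=$(printf '%s' "$1" | cut -d: -f7)
    case $home in
        */./*) ;;
        *) echo "no /./ marker in home field: $home" >&2; return 1 ;;
    esac
    root=${home%%/./*}
    [ -d "$home" ] || { echo "home missing on host: $home" >&2; return 1; }
    [ -x "$root$shell" ] || { echo "shell missing inside jail: $root$shell" >&2; return 1; }
}

# Stand-alone demo on a constructed line and a scratch jail (no root needed).
demo() {
    sample='tester:x:142:142::/mnt/chroot/home/tester:/bin/bash'
    jail_passwd_entry "$sample" "$JAIL"
    scratch=$(mktemp -d)
    mkdir -p "$scratch/etc" "$scratch/bin"
    touch "$scratch/etc/passwd"
    check_jail "$scratch"     # lists the five files still to be copied
    rm -rf "$scratch"
}
demo
```

Run it as a normal user to see the rewrite and the missing-file report on a scratch jail; on the real system, feed it the tester line from /etc/passwd and /mnt/chroot. The rewrite is a pure text transformation, so review its output before copying it into /etc/passwd (with vipw), and run jail_user_ok after makejail has populated the jail.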
