How to Configure a Chroot Jail for SSH Access in Linux

Share It!

Chroot jail keep users locked in a specific directory which they will not be able to break out of. With this setup, you can give access to your users without having to fear especially in the shared environment. If a user only allowed to access his files without ssh shell access we can create a chroot environment for those users.

Chroot Jail

See Also:
1. How To Create SSH Keys on a Linux
2. Difference between Telnet and SSH in Linux
3. SSH Interview Questions and Answers
4. Allow/Deny logins via ssh server using PAM module
5. Block SSH Server Attacks Using DenyHosts in CentOS/RHEL 5/6/7
6. How to Enable SSH Login Email Alerts Notification

In this article, we will describe how to configure chrooted jail for any user or any group.

Step 1: Create User or Group for Chroot Jail

If you have to use an existing users or groups then no need create a new user.

# groupadd jailuser
# useradd -g jailuser dennis 
# useradd -g jailuser steve

Step 2: Configure Chroot Jail

Now edit SSHD configuration file to setup chroot jail.

# vim /etc/ssh/sshd_config

Comment below line in SSHD configuration.

# Subsystem       sftp    /usr/libexec/openssh/sftp-server

For groups add below lines:

Subsystem sftp internal-sftp

Match Group jailuser
	X11Forwarding no
	AllowTcpForwarding no
	ChrootDirectory /images
	ForceCommand internal-sftp

For users add below lines:

Subsystem sftp internal-sftp

Match User dennis
	X11Forwarding no
	AllowTcpForwarding no
	ChrootDirectory /images
	ForceCommand internal-sftp

Step 3: Set Permission

After configuring SSHD configuration we need to setup directory permission.

For Group:

# chmod -R 755 /images
# chown -R root:root /images
# mkdir /images/jailroot
# chmod -R 775 /images/jailroot
# chown -R root:jailuser /images

For User:

# chmod -R 755 /images
# chown -R root:root /images
# mkdir /images/jailroot
# chmod -R 755 /images/jailroot
# chown -R dennis:root /images

Step 4: Restart SSH Service

After all the configuration restart the SSHD service.

# service sshd restart

Step 5: Verify Configuration

Now you are ready to verify the configuration.

Chroot Verification

I hope now you know how to restrict users home directories using a Chroot environment in Linux.

Enjoy it!

No Responses

Leave a Reply

Your email address will not be published.