@ammgws
Created March 15, 2021 13:40
Create chroot jail so friend can SSH into server and/or use it for sshuttle (Arch Linux)

Replace "jaileduser" with whatever you want the username to be.

Step 1 (as root) - Set up the chroot environment and user. Replace fish in the last command with whatever shell you want.

sudo su -
mkdir --parents /home/jaileduser/home
useradd --create-home --gid users --home /home/jaileduser/home/jaileduser jaileduser
usermod --home /home/jaileduser jaileduser
mkdir --parents /{etc/jail/jaileduser,var/jail/jaileduser/{cache/{key,pkg},lib}}
chown jaileduser:users /var/jail/jaileduser/cache/key
cp /etc/pacman.conf /etc/jail/jaileduser/pacman.conf
pacman --dbpath /var/jail/jaileduser/lib --root /home/jaileduser --cachedir /var/jail/jaileduser/cache/pkg --config /etc/jail/jaileduser/pacman.conf --logfile /var/jail/jaileduser/pacman.log --sync --refresh fish

Step 2 (as root) - Set up SSH

mkdir --parents /home/jaileduser/var/cache/ssh
chown jaileduser:users /home/jaileduser/var/cache/ssh
chmod 700 /home/jaileduser/var/cache/ssh

Step 3 (as jaileduser) - Generate SSH keys

sudo su - jaileduser
ssh-keygen -t ed25519 -C "jaileduser SSH key" -f /var/jail/jaileduser/cache/key/id_ed25519
cp /var/jail/jaileduser/cache/key/id_ed25519.pub /home/jaileduser/var/cache/ssh/authorized_keys
chmod 600 /home/jaileduser/var/cache/ssh/authorized_keys
exit

Step 4 (as root) - Update /etc/ssh/sshd_config to allow connections from jaileduser (this assumes you are already using pubkey auth and that password auth is disabled)

AllowUsers existinguser1 existinguser2 jaileduser

# must be at the end of the config file: every directive after a Match line applies only to that match
Match User jaileduser
    ChrootDirectory %h
    AuthorizedKeysFile %h/var/cache/ssh/authorized_keys
    X11Forwarding no
    AllowTcpForwarding no

systemctl restart sshd

End

Now you should be able to SSH into the system using the SSH key generated in Step 3.

Alternatively, you can add another public key to jaileduser's authorized_keys file and SSH in using that.

Troubleshooting

If you can't remote in and ssh logs show something about the account being locked, try running sudo usermod --password '*' jaileduser. See https://unix.stackexchange.com/a/193131

Extra

Create /dev/null for jaileduser (run mkdir --parents /home/jaileduser/dev first if the directory does not exist yet): mknod -m 666 /home/jaileduser/dev/null c 1 3

Credits

Mostly based on https://charoitehllee.wordpress.com/knowledge-base/setting-up-chroot-jail-for-ssh-scp-with-arch-linux/
