Chroot Jail for SSH Access
# Chroot Jail for SSH Access
# Tested on Ubuntu 14.04.2 LTS and Debian GNU/Linux 8 (jessie)
# Reference :
# Had to add/change several things to make it work, including:
# - create lib64 folder
# - copy whoami dependencies that ldd doesn't show to fix 'I have no name!'
# in the customized prompt + create passwd file
# All the commands below are typed as root
# Setup the jail directories
mkdir -p /var/jail/{dev,etc,lib,lib64,usr/bin,bin}
# Create null device node
mknod -m 666 /var/jail/dev/null c 1 3
# Copy minimum files
cp /etc/{cache,conf} /var/jail/etc/
cp /etc/nsswitch.conf /var/jail/etc/
cp /etc/hosts /var/jail/etc/
# here we just want 'ls' and 'bash' in our chrooted environment
for ii in ls bash; do cp $(which $ii) /var/jail$(which $ii); done
# FHS requires that /bin/sh exists
pushd /var/jail/bin/
ln -s bash sh
# return to the previous directory
popd
# copy library dependencies for the binaries we just copied
# to find out what we need, 'ldd' can be used
# ex: ldd $(which bash)
# => (0x00007ffd4c735000)
# => /lib/x86_64-linux-gnu/ (0x00007fe0cce9c000)
# => /lib/x86_64-linux-gnu/ (0x00007fe0ccc98000)
# => /lib/x86_64-linux-gnu/ (0x00007fe0cc8d3000)
# /lib64/ (0x00007fe0cd0c5000)
# to avoid manual copy, the l2chroot script can be used:
wget -O /usr/local/sbin/l2chroot
chmod 744 /usr/local/sbin/l2chroot
# Edit l2chroot script and change the BASE="/webroot" variable to BASE="/var/jail"
sed -i 's@/webroot@/var/jail@' /usr/local/sbin/l2chroot
# copy library dependencies (with l2chroot)
for ii in ls bash; do l2chroot $(which $ii); done
# Additional dependencies for displaying the name of our user in its prompt
cp /lib/x86_64-linux-gnu/ /var/jail/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libnss_* /var/jail/lib/x86_64-linux-gnu/
# Configure sshd to chroot the users
# Add the following lines in '/etc/ssh/sshd_config'
Match group sshjailed
ChrootDirectory /var/jail/
X11Forwarding no
AllowTcpForwarding no
# Don't forget to restart ssh
service ssh restart
# Setup group for SSH jailed users
groupadd sshjailed
# All the steps below will have to be done for all users we want to chroot
# Create new user and add it to the sshjailed group
useradd -G sshjailed -d /home/prisoner -s /bin/bash prisoner
passwd prisoner
mkdir -p /var/jail/home/prisoner
# create or update minimal '/etc/passwd' file for our chrooted environment
# anchor the match on the login name so only this account's entry is copied
grep '^prisoner:' /etc/passwd >> /var/jail/etc/passwd
# Optional: create minimal but nice prompt for our user(s)
# create the .bashrc and .profile files on /var/jail/home/<user>/
# .bashrc contents
export PS1='\u@\h:\w\$ '
# .profile contents
if [ "$BASH" ]; then
  if [ -f ~/.bashrc ]; then
    . ~/.bashrc
  fi
fi
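
Two conditions this setup depends on, checked in an added example that is not part of the original gist: sshd accepts a ChrootDirectory only when every component of its path is a root-owned directory that is not writable by group or others, and the account's home path is resolved inside the jail after the chroot. The `OWNER_UID`, `TOP` and `PASSWD_FILE` parameters are assumptions introduced here so the checks can be tried on a scratch tree without root; `stat -c` and `readlink -f` assume GNU coreutils, as on the Ubuntu and Debian systems the gist targets.

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist.

# check_chroot_path DIR [OWNER_UID] [TOP]
# Walks from DIR up to TOP (default /) and reports every component that is
# not a directory, not owned by OWNER_UID (default 0, root), or writable by
# group or others. OWNER_UID and TOP are hypothetical test parameters.
check_chroot_path() {
    local dir top owner uid mode rc
    owner=${2:-0}; rc=0
    dir=$(readlink -f -- "$1") || return 2
    top=$(readlink -f -- "${3:-/}") || return 2
    while :; do
        if [ ! -d "$dir" ]; then
            echo "FAIL $dir: not a directory"; rc=1
        else
            uid=$(stat -c %u -- "$dir"); mode=$(stat -c %a -- "$dir")
            [ "$uid" = "$owner" ] ||
                { echo "FAIL $dir: owner uid $uid, expected $owner"; rc=1; }
            # 022 = group-write and other-write bits
            [ $(( 0$mode & 022 )) -eq 0 ] ||
                { echo "FAIL $dir: mode $mode is group/other writable"; rc=1; }
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname -- "$dir")
    done
    return "$rc"
}

# check_jailed_home JAIL USER [PASSWD_FILE]
# The home field of the account is resolved inside the jail after the chroot,
# so JAIL/<home> must exist (/var/jail/home/prisoner for /home/prisoner).
check_jailed_home() {
    local jail user pw home
    jail=$1; user=$2; pw=${3:-/etc/passwd}
    home=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' "$pw")
    [ -n "$home" ] || { echo "FAIL no entry for $user in $pw"; return 1; }
    [ -d "$jail$home" ] || { echo "FAIL $jail$home does not exist"; return 1; }
    echo "OK $user: $home resolves to $jail$home"
}

# With the gist's layout, as root:
#   check_chroot_path /var/jail && check_jailed_home /var/jail prisoner
```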

askz commented Apr 11, 2017

Hi @floudet,
Thanks for this nice script, saved me a lot of time. I'm currently rewriting some parts to add some flexibility to the jail.
Why do you add the user with home directory /home/prisoner instead of /var/jail/home/prisoner, are there some limitations I'm not aware of?

It seems logical now that I tested.
For others: when your user logs in via ssh, it will take the path /home/prisoner as its homedir, but in the jail directory! So if you choose to set the homedir like /var/jail/home/prisoner, your shell will throw an error at login saying "/var/jail/home/prisoner not such file or directory" because it doesn't exist in the jail context.

Thanks @floudet
