Create a ssh jail for rsync


This blog post was originally posted on capitar's blog (http://blog.capitar.com/create-ssh-jail-rsync/).

Sometimes you want to allow people to put stuff on your webserver in a secure way, but not give them a shell account. You can use rsync and ssh jail via public key authentication to accomplish this.

The public key has to go in the authorized_keys file in the user's normal home directory (/home/user/.ssh/authorized_keys). When importing the key, put the following options on the same line, before the public key itself:

no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding,no-pty ssh-rsa AAAA...

This disables most things that are not needed for rsync and does not allow the user to do an interactive ssh session. See also the AUTHORIZED_KEYS FILE FORMAT section of sshd(8).

To create the jail, you can use the following script:

#!/bin/bash
# This script can be used to create a simple chroot environment
# Written by LinuxCareer.com
# (c) 2013 LinuxCareer under GNU GPL v3.0+
# See http://how-to.linuxcareer.com/how-to-automatically-chroot-jail-selected-ssh-user-logins
# call the script like this:
# ./chroot.sh /bin/{ls,cat,echo,rm,bash} /usr/bin/vi /etc/hosts

CHROOT='/var/chroot'
# Run as root: sshd only accepts a ChrootDirectory whose path components are
# root-owned directories that are not writable by group or others.
mkdir -p "$CHROOT"

# For every file given on the command line, copy the shared libraries ldd
# reports, keeping their full paths under $CHROOT. The files themselves are
# picked up from ldd's "file:" header lines (sed strips the colon), which ldd
# prints only when given more than one file, so always pass at least two.
# Lines with no "=>" path yield empty fields, which word splitting drops.
for i in $( ldd "$@" | grep -v dynamic | cut -d " " -f 3 | sed 's/://' | sort | uniq )
  do
    cp --parents "$i" "$CHROOT"
  done

# The dynamic loader has no "=>" in ldd output, so copy it explicitly.
# ARCH amd64
if [ -f /lib64/ld-linux-x86-64.so.2 ]; then
   cp --parents /lib64/ld-linux-x86-64.so.2 "$CHROOT"
fi

# ARCH i386
if [ -f /lib/ld-linux.so.2 ]; then
   cp --parents /lib/ld-linux.so.2 "$CHROOT"
fi

echo "Chroot jail is ready. To access it execute: chroot $CHROOT"
Then run it and create the needed device nodes, substituting the jailed account's user name and primary group for user and group:

bash make_simple_chroot.sh /bin/{ls,cat,echo,rm,bash} /usr/bin/{vi,ssh,rsync,scp}

cd /var/chroot
mkdir dev
mknod dev/urandom c 1 9
mknod -m 666 dev/null c 1 3
mknod -m 666 dev/zero c 1 5
mknod -m 666 dev/tty c 5 0
mkdir etc
grep "^user:" /etc/passwd >> etc/passwd
mkdir -p home/user
chown user:group home/user
Also put the following in /etc/ssh/sshd_config and restart ssh:

Match Group rsync_users
        ChrootDirectory /var/chroot/
        AllowTCPForwarding no
        X11Forwarding no

You can also use Match User to do this for a single user instead of a group.
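As an added example that is not part of the original post, here is a small bash script that checks the two things this setup depends on: that an authorized_keys entry carries all five restriction options listed above, and that every component of the ChrootDirectory path is a root-owned directory not writable by group or others, which sshd requires before it will chroot a session. It assumes Linux with GNU coreutils (stat -c); the function names and the /var/chroot path are the ones used on this page.

```shell
#!/bin/bash
# Added example, not from the original post: pre-flight checks for the rsync jail.
# Assumes Linux with GNU coreutils (stat -c).

# Options every rsync-only key should carry (the authorized_keys prefix shown above).
REQUIRED_OPTS="no-agent-forwarding no-user-rc no-X11-forwarding no-port-forwarding no-pty"

# check_key_options LINE: return 0 if the authorized_keys entry LINE carries every
# option in REQUIRED_OPTS, else print the missing ones and return 1.
# Assumes the options field holds no quoted values containing spaces (command="...").
check_key_options() {
    local line=$1 opts missing="" o
    case "${line%% *}" in
        ssh-*|ecdsa-*|sk-*) opts="" ;;        # no options: line starts with the key type
        *) opts="${line%% *}" ;;              # comma-separated option list
    esac
    for o in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="$missing $o" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "key is missing:$missing"
    return 1
}

# check_chroot_dir DIR: sshd rejects a ChrootDirectory unless every component of
# the path is a root-owned directory not writable by group or others. Walk from /
# down to DIR and return 0 if all components pass, else report the first bad one.
check_chroot_dir() {
    local path="/" rest comp mode
    rest=${1%/}; rest=${rest#/}           # "/var/chroot/" -> "var/chroot"
    while :; do
        set -- $(stat -c '%u %a' "$path" 2>/dev/null)   # owner uid, octal mode
        if [ ! -d "$path" ] || [ "${1:-x}" != 0 ]; then
            echo "$path: must be a root-owned directory"; return 1
        fi
        mode=$2
        if [ $(( 8#$mode & 8#022 )) -ne 0 ]; then      # group- or world-writable
            echo "$path: writable by group or others (mode $mode)"; return 1
        fi
        [ -z "$rest" ] && return 0
        comp=${rest%%/*}
        [ "$path" = "/" ] && path="/$comp" || path="$path/$comp"
        [ "$rest" = "$comp" ] && rest="" || rest=${rest#*/}
    done
}
```

On a real host run it as root, for example `check_chroot_dir /var/chroot` and `check_key_options "$(head -n1 /home/user/.ssh/authorized_keys)"`, before restarting sshd.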
