How to create chrooted openSSH SFTP in Debian 4 (“etch”)

Two years ago, I took a subject at university that consisted of developing our skills as systems administrators (its full name was “Administración de sistemas informáticos”).

The main task was to configure a minimal Debian GNU/Linux 4 (“etch”) to work as a server for a webpage that provided internet services. One of the things to do was to allow users to connect to the server using openSSH SFTP, restricting the folders they could visit to the user’s home directory. I searched the internet and the only easy and complete tutorial on this topic was this one, but some details differed slightly because it was written for Ubuntu users and not Debian.

I considered posting my result on the internet to make accessible to others the information I couldn’t find. I never did it because I didn’t have a blog; now the situation has changed, so it’s time to post it (although, WARNING, the information may be out of date and there will be easier ways to do this).

HOW TO CREATE CHROOTED OPENSSH SFTP IN DEBIAN 4

The folder “/users” will be used as the chroot folder.

1. Install rssh:

apt-get install rssh

2. Edit /etc/rssh.conf and make sure the following fields are configured:

allowsftp
[…]
umask=022
[…]
chrootpath = "/users/"

The only transfer protocol allowed will be SFTP (we are not enabling SCP, although it could have been added with allowscp). The goal is to refuse every kind of connection except the safe transfer protocol SFTP.

3. Run “rssh -v” in the console. It reports the following paths:

rssh config file = /etc/rssh.conf
chroot helper path = /usr/lib/rssh/rssh_chroot_helper
scp binary path = /usr/bin/scp
sftp server binary = /usr/lib/openssh/sftp-server
cvs binary path = /usr/bin/cvs
rdist binary path = /usr/bin/rdist
rsync binary path = /usr/bin/rsync

4. Edit the script located at /usr/share/doc/rssh/examples/mkchroot.sh.

Its paths must be replaced with those reported by “rssh -v”, so these lines:

scp_path=/usr/bin/scp
sftp_server_path=/usr/libexec/openssh/sftp-server
rssh_path=/usr/bin/rssh
chroot_helper_path=/usr/libexec/rssh_chroot_helper

become:

scp_path=/usr/bin/scp
sftp_server_path=/usr/lib/openssh/sftp-server
rssh_path=/usr/bin/rssh
chroot_helper_path=/usr/lib/rssh/rssh_chroot_helper

5. Make the script mkchroot.sh executable:

chmod u+x mkchroot.sh

6. Run the script mkchroot.sh, passing it the chroot folder:

./mkchroot.sh /users/

If there is an error related to linux-gate.so.1, don’t worry: it is expected. linux-gate.so.1 is the kernel’s vDSO, which ldd lists but which has no file on disk for the script to copy.

7. Running “ldd /usr/bin/sftp” gives the list of libraries that SFTP needs to run:

linux-gate.so.1 =>  (0xffffe000)
libresolv.so.2 => /lib/tls/libresolv.so.2 (0x4001d000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0x40030000)
libutil.so.1 => /lib/tls/libutil.so.1 (0x4016a000)
libz.so.1 => /usr/lib/libz.so.1 (0x4016e000)
libnsl.so.1 => /lib/tls/libnsl.so.1 (0x40182000)
libcrypt.so.1 => /lib/tls/libcrypt.so.1 (0x40199000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x401c7000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x401e3000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x4025f000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x40284000)
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x40287000)
libedit.so.2 => /usr/lib/libedit.so.2 (0x4028d000)
libncurses.so.5 => /lib/libncurses.so.5 (0x402a8000)
libc.so.6 => /lib/tls/libc.so.6 (0x402e9000)
libdl.so.2 => /lib/tls/libdl.so.2 (0x4041b000)
/lib/ld-linux.so.2 (0x40000000)

The script mkchroot.sh has copied many of these libraries into the chroot (e.g. /usr/lib/libz.so.1 has been copied to /users/usr/lib/libz.so.1). However, some of them have not been copied and we will have to copy them manually. They are the following:

/lib/ld-linux.so.2
/lib/libnss_compat.so.2
/lib/libcrypt.so.1
/usr/lib/libedit.so.2
/lib/libncurses.so.5

Nevertheless, it is worth double-checking that every library has been copied into the chroot correctly, because the chrooted session will fail if one is missing. The binaries that actually run inside the chroot are /usr/lib/rssh/rssh_chroot_helper and /usr/lib/openssh/sftp-server, so run ldd on those too and confirm that each listed path exists under /users.

8. Register rssh as a valid login shell:

add-shell /usr/bin/rssh

9. Define the users that are going to be chrooted in the configuration file /etc/passwd, using the following format:

user_name:x:1001:500::/users/home/user_name:/usr/bin/rssh

This sets the absolute path of their home directory inside the chroot folder, and /usr/bin/rssh as their login shell.

10. Set the setuid bit on rssh_chroot_helper (it must be owned by root, since chroot(2) requires root privileges):

chmod u+s /usr/lib/rssh/rssh_chroot_helper

11. Now it is time to test your server:

sftp user_name@your_server.com

12. If you get the error message “Connection closed”, don’t give up! It can probably be fixed by creating the /dev/null device inside the chroot:

mknod -m 666 /users/dev/null c 1 3

Cross your fingers and reconnect; it should work now. If the prompt displayed looks like “sftp>”, it is very likely that everything is working properly. Enter “pwd” to check that the user is actually chrooted: it should return “/home/user_name” instead of “/users/home/user_name”.

If “pwd” returns /users/home/user_name, check that the user’s shell in the passwd file is configured as “/usr/bin/rssh”, not “/bin/bash”. If it is not, the system is working without rssh and with no connection restrictions.

The last check: run “ssh user_name@your_server.com” to verify that the connection is refused. It should not let you log in; in fact, that’s why we went through all this. 😉
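As an added example (not code from the original post or from the rssh project), here is a POSIX sh script that automates the checks the steps above ask for: it compares the libraries ldd reports for the binaries that run inside the chroot with what exists under the chroot folder, and verifies the /dev/null device, the setuid bit on rssh_chroot_helper and the rssh entries in passwd. The /users path, the binary locations and the glibc-style ldd output format are assumptions taken from this tutorial.

```shell
# Sanity checks for an rssh + sftp-server chroot such as /users. Added example
# for this tutorial, not part of rssh or the original post; it assumes glibc-style
# "ldd" output ("lib => /path (0x...)") and the binary paths used above.

# Shared libraries a binary needs, one absolute path per line. linux-gate.so.1
# (the kernel vDSO) has no "=> /path" and is skipped: it is the harmless mkchroot.sh error.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '/=> \// {print $3} /^[[:space:]]*\/[^ ]* \(0x/ {print $1}'
}

# List every library of binary $2 that is missing under chroot $1; fail if any.
check_binary_libs() {
    root=${1%/}; bin=$2; missing=0
    for lib in $(needed_libs "$bin"); do
        if [ ! -e "$root$lib" ]; then
            echo "missing: $root$lib (needed by $bin)"; missing=1
        fi
    done
    return $missing
}

check_dev_null() { [ -c "${1%/}/dev/null" ]; }   # the "Connection closed" fix
check_helper_setuid() { [ -u "$1" ]; }           # chroot(2) needs root

# Every user whose shell is rssh must have a home inside the chroot, or the
# helper cannot confine them. $2 is the passwd file (default /etc/passwd).
check_rssh_users() {
    root=${1%/}; passwd=${2:-/etc/passwd}; bad=0
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$shell" = /usr/bin/rssh ] || continue
        case $home in
            "$root"/*) ;;
            *) echo "user $name: home $home is outside $root"; bad=1 ;;
        esac
    done < "$passwd"
    return $bad
}

# Run every check against a chroot directory (default /users); non-zero on any failure.
check_chroot() {
    root=${1:-/users}; rc=0
    for bin in /usr/bin/rssh /usr/lib/rssh/rssh_chroot_helper /usr/lib/openssh/sftp-server; do
        check_binary_libs "$root" "$bin" || rc=1
    done
    check_dev_null "$root" || { echo "missing: $root/dev/null"; rc=1; }
    check_helper_setuid /usr/lib/rssh/rssh_chroot_helper || { echo "helper is not setuid"; rc=1; }
    check_rssh_users "$root" || rc=1
    return $rc
}
```

Source the file as root after finishing the steps above and run `check_chroot /users`; every line it prints is something to fix before testing with sftp.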
