1) Prerequisites:
We are using the latest CentOS 7 server with minimal packages installation. Let’s open the command line terminal and login to the root user and make sure that Open-SSH is installed and its service is running and your are connected to network.
Run the command below to check the version of installed SSH package in your system.
# ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Then enable and start SSH services if its not already and to make sure that its enabled at boot level.
# systemctl enable sshd
# systemctl start sshd
You also confirm the status of SSH and its port on which its listening by running the below command.
# netstat -anp | grep sshd
2) Creating Chroot Directory:
Create a new directory that will be used for chroot jail or you can also choose the existing directory to be used for chroot jail. We are going to two directories to increase the security level by using the following command.
# mkdir -p /SECURE/Jail
The Jail directories can only be owned by the root so that no user can break the jail and that’s only possible if we give it the ownership or permissions to do so. You change the ownership and permissions using below commands.
chown root:root /SECURE/Jail
chmod 755 /SECURE/Jail
3) Creating Dev Node Entries:
There are some necessary files that we called as device nodes for ssh users access, which are required for any user process to execute in the jailed area. Let’s run the following commands to assign them or create nodes pointing to that directory useing ‘mknod’ commands shown below.
# mkdir -p /SECURE/Jail/dev/
# mknod -m 666 /SECURE/Jail/dev/null c 1 3
# mknod -m 666 /SECURE/Jail/dev/tty c 5 0
# mknod -m 666 /SECURE/Jail/dev/zero c 1 5
# mknod -m 666 /SECURE/Jail/dev/random c 1 8
4) Bash Installation:
We need to install bash in the jailed directory that we have created earlier by checking the dependency of shell using below ‘ldd’ command.
# cd /SECURE/Jail/
# ldd /bin/bash
Now give the following command to create and install bash in the jailed directory.
# mkdir -p /SECURE/Jail/bin
# cp -v /bin/bash /SECURE/Jail/bin
# mkdir -p /SECURE/Jail/lib64/
cp /usr/lib64/libtinfo.so.5 /SECURE/Jail/lib64/
cp /usr/lib64/ld-linux-x86-64.so.2 /SECURE/Jail/lib64/
cp /usr/lib64/libdl.so.2 /SECURE/Jail/lib64/
cp /usr/lib64/libc.so.6 /SECURE/Jail/lib64/
5) SSH Users Setup to CHroot
Run the following command to simply move the users information of your already created users into the chroot directory.
# cp -vf /etc/{passwd,group} /SECURE/Jail/etc/
Then open SSH configuration file and restart its services after adding the following lines in it.
vi /etc/ssh/sshd_config
Match User username
ChrootDirectory /SECURE/Jail
ForceCommand internal-sftp #This is option if you want to give access only to Sftp
In the above configurations you need to mention the user or the group that you want chroot. Saving the configurations file and restart ssh services.
systemctl restart sshd.service
Now you can connect to the allowed user_name using sftp, here you will be directed towards the chroot jailed environment.
# sftp user@localhostThe authenticity of host ‘localhost (127.0.0.1)’ can’t be established.
ECDSA key fingerprint is 49:8a:9c:8f:35:e1:09:dd:rf:31:w3:a1:e1:9d:70:53.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘localhost’ (ECDSA) to the list of known hosts.
Authorized uses only. All activity may be \ monitored and reported.
kash@localhost’s password:
Connected to localhost.
sftp>lssftp>exit