
There are a lot of tutorials on how to create a chrooted SFTP, but I would like to use SSH, because it is much faster to simply wget, unzip, mysql and mysqldump than to toss around FTP and phpMyAdmin. The method should also be clean (without the manual ldd magic) and extensible, so I can add and upgrade packages easily.

  • If your question would be closed as off-topic, I suggest to try it again on unix.stackexchange.com .
    – peterh
    Commented Jun 17, 2015 at 13:04

1 Answer


Luckily, I was able to come up with a way to do that.

Step 1: Add a group for chrooted users

groupadd chrootusers

Step 2: Configure SSH

nano /etc/ssh/sshd_config

Replace

Subsystem     sftp    /usr/libexec/openssh/sftp-server

With

Subsystem     sftp    internal-sftp

Paste at the End

Match Group chrootusers
  ChrootDirectory /home/%u

Run

systemctl restart sshd
systemctl status sshd

Step 3: Add a user

Change peter to your desired user name.

export NEW_USER_NAME=peter

useradd ${NEW_USER_NAME}
usermod -G chrootusers -d / ${NEW_USER_NAME}
passwd ${NEW_USER_NAME}

Step 4: Install packages and create the necessary directory structure

yum --installroot=/home/${NEW_USER_NAME} --releasever=7 --nogpg --disablerepo='*' --enablerepo=base install centos-release openssh-clients wget vi nano zip unzip tar mariadb findutils iputils bind-utils rsync

Step 5: Mount proc and dev

echo "none /home/${NEW_USER_NAME}/proc proc defaults 0 0" >> /etc/fstab
echo "/dev /home/${NEW_USER_NAME}/dev none bind 0 0" >> /etc/fstab

Run

mount -a

Step 6: Configure the DNS servers

echo "nameserver 8.8.8.8" >> /home/${NEW_USER_NAME}/etc/resolv.conf
echo "nameserver 8.8.4.4" >> /home/${NEW_USER_NAME}/etc/resolv.conf

That's all.

Keep in mind that $NEW_USER_NAME is bound to the current session!

Start from Step 3 when adding another user.

To install more packages later use the same command as in Step 4.


When logging in using SSH you will get messages like "cannot find name for user ID x". They are safe to ignore, but if you'd like to get rid of them, you will need to duplicate the user in the chroot:

export NEW_USER_ID=$(id -u ${NEW_USER_NAME})
export NEW_USER_GROUP_ID=$(id -g ${NEW_USER_NAME})

chroot /home/${NEW_USER_NAME} /bin/bash -c 'useradd -u ${NEW_USER_ID} ${NEW_USER_NAME}'
chroot /home/${NEW_USER_NAME} /bin/bash -c 'groupadd -g ${NEW_USER_GROUP_ID} chrootusers'
  • What would the bare minimum package list be, if I only needed to have capability of SFTP to drop or retrieve files?
    – a coder
    Commented Aug 19, 2016 at 13:35
  • I found a way to do this without providing all of these extra packages for the chrooted user: serverfault.com/a/797967/98791
    – a coder
    Commented Aug 19, 2016 at 18:18
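As an added example, not part of the answer or of the comments above: a POSIX shell script that verifies the pieces this setup relies on. It checks what sshd itself insists on before it will chroot a session, namely that the ChrootDirectory is owned by root and is not group- or world-writable, that sshd_config carries the internal-sftp subsystem and a Match Group block with ChrootDirectory, and that the passwd file inside the chroot mirrors the host uid (the fix for the "cannot find name for user ID" messages). The script name check_chroot.sh, the function names and the sample files it constructs are assumptions of this example; it relies on GNU `stat -c`, which CentOS 7 ships.

```shell
#!/bin/sh
# Added example, not from the answer above: post-setup checks for an sshd
# chroot built with "yum --installroot". sshd refuses a ChrootDirectory that is
# not owned by root or that is group- or world-writable, so verify that before
# expecting logins to work. Assumes GNU coreutils `stat -c` and awk.

# Pure check on an owner uid and an octal mode string such as 755 or 0755.
# Returns 0 when the combination is acceptable for a ChrootDirectory.
chroot_perms_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    perms=$(printf '%s' "$mode" | tail -c 3)   # drop any setuid/setgid/sticky digit
    g=$(printf '%s' "$perms" | cut -c2)        # group digit
    o=$(printf '%s' "$perms" | cut -c3)        # other digit
    [ $(( g & 2 )) -eq 0 ] || return 1         # 2 is the write bit
    [ $(( o & 2 )) -eq 0 ] || return 1
    return 0
}

# Wrapper that reads the real owner and mode of a directory on this host.
check_chroot_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    set -- $(stat -c '%u %a' "$dir")
    chroot_perms_ok "$1" "$2"
}

# Confirms an sshd_config has both pieces the answer adds: the sftp subsystem
# switched to internal-sftp and a "Match Group <group>" block that sets
# ChrootDirectory. Keywords are compared case-insensitively, as sshd does.
sshd_config_ok() {
    cfg=$1
    group=$2
    awk -v grp="$group" '
        tolower($1) == "subsystem" && $2 == "sftp" && $3 == "internal-sftp" { sub_ok = 1 }
        tolower($1) == "match" { in_match = (tolower($2) == "group" && $3 == grp); next }
        in_match && tolower($1) == "chrootdirectory" { chroot_ok = 1 }
        END { exit (sub_ok && chroot_ok) ? 0 : 1 }
    ' "$cfg"
}

# Checks that the passwd file inside the chroot maps the user to the same uid
# as the host, which is what silences "cannot find name for user ID x".
chroot_passwd_matches() {
    passwd_file=$1
    user=$2
    uid=$3
    awk -F: -v u="$user" -v id="$uid" '
        $1 == u && $3 == id { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$passwd_file"
}

# Writes a constructed sshd_config fragment in the shape the answer describes,
# so the parser above can be exercised without touching /etc/ssh.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
Subsystem     sftp    internal-sftp
Match Group chrootusers
  ChrootDirectory /home/%u
EOF
}

# Runs every check for one user; usage: sh check_chroot.sh peter chrootusers
run_checks() {
    user=$1
    group=$2
    dir=/home/$user
    status=0
    check_chroot_dir "$dir"                      || { echo "FAIL: $dir owner/mode"; status=1; }
    sshd_config_ok /etc/ssh/sshd_config "$group" || { echo "FAIL: sshd_config"; status=1; }
    chroot_passwd_matches "$dir/etc/passwd" "$user" "$(id -u "$user")" \
        || echo "WARN: uid of $user is not mirrored in $dir/etc/passwd"
    return $status
}

if [ $# -eq 2 ]; then
    run_checks "$1" "$2"
fi
```

Run it as root after Step 6 (`sh check_chroot.sh peter chrootusers`); a non-zero exit means sshd would refuse the chroot or the Match block is not in place. The wrapper inspects only the leaf directory, while sshd applies the same root-ownership and no-write-bit rule to every component of the path, so /home must satisfy it as well.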
