Implementing Chroot SSH Jails for Selective Users in Debian with OpenSSH

Since OpenSSH 4.8p1, chroot functionality has been built directly into the SSH daemon through the ChrootDirectory configuration directive. This eliminates the need for external patches that were previously required. The modern method provides better security and easier maintenance.

Here's how to implement selective chrooting in Debian (tested on Etch and newer):


# /etc/ssh/sshd_config
Match Group restricted-users
    ChrootDirectory /var/chroot/%u
    X11Forwarding no
    AllowTcpForwarding no
    PermitTunnel no

For each restricted user (in this example 'jailuser'):


# Create chroot directory
sudo mkdir -p /var/chroot/jailuser
sudo chown root:root /var/chroot/jailuser
sudo chmod 755 /var/chroot/jailuser

# Create minimal dev nodes
sudo mkdir -p /var/chroot/jailuser/dev
sudo mknod -m 666 /var/chroot/jailuser/dev/null c 1 3
sudo mknod -m 666 /var/chroot/jailuser/dev/zero c 1 5
sudo mknod -m 666 /var/chroot/jailuser/dev/random c 1 8
sudo mknod -m 666 /var/chroot/jailuser/dev/urandom c 1 9

# Create essential directories
sudo mkdir -p /var/chroot/jailuser/bin
sudo mkdir -p /var/chroot/jailuser/lib
sudo mkdir -p /var/chroot/jailuser/etc

# Copy basic binaries
sudo cp /bin/bash /var/chroot/jailuser/bin/
sudo cp /bin/ls /var/chroot/jailuser/bin/
sudo cp /bin/mkdir /var/chroot/jailuser/bin/

# Copy the shared libraries each binary needs, keeping their original paths
# (e.g. /lib/x86_64-linux-gnu) and including the dynamic loader, which ldd
# lists without a "=>" and the original one-liner therefore missed
for bin in /bin/bash /bin/ls /bin/mkdir; do
    ldd "$bin" | awk '$2 == "=>" && $3 ~ /^\// {print $3} $1 ~ /^\// {print $1}' |
    while read -r lib; do
        sudo mkdir -p "/var/chroot/jailuser$(dirname "$lib")"
        sudo cp "$lib" "/var/chroot/jailuser$lib"
    done
done

For proper functionality, you'll need to set up password and group files inside the chroot:


# Copy only the user's own passwd and group entries (anchor on "jailuser:" so
# a user named e.g. jailuser2 is not matched); the chroot's etc/ is root-owned,
# so the write goes through sudo tee rather than a plain shell redirect
grep '^jailuser:' /etc/passwd | sudo tee /var/chroot/jailuser/etc/passwd >/dev/null
grep '^jailuser:' /etc/group  | sudo tee /var/chroot/jailuser/etc/group  >/dev/null

# Set permissions
sudo chmod 644 /var/chroot/jailuser/etc/passwd
sudo chmod 644 /var/chroot/jailuser/etc/group

For more granular control, consider these additional settings:


Match User user1,user2
    ChrootDirectory /custom/chroot/path
    ForceCommand internal-sftp

Match User !adminuser
    ChrootDirectory /var/chroot/%u
    PermitTTY no

If users can't log in, check these common problems:

  • Chroot directory must be owned by root and not writable by others
  • All parent directories must also be root-owned with strict permissions
  • The chroot environment must contain essential binaries and libraries
  • SSH keys must be placed in /var/chroot/username/home/username/.ssh/

Remember to restart SSH after configuration changes: sudo /etc/init.d/ssh restart


Modern OpenSSH versions (5.4+) natively support chroot functionality without requiring source patches. For Debian Etch systems, we can leverage this built-in capability through sshd_config directives. The key advantage over older approaches is maintaining system integrity while isolating specific users.

# Verify OpenSSH version
ssh -V
# Check for required directories
ls -ld /home/chroot/{bin,lib,lib64,dev,etc}

Edit /etc/ssh/sshd_config with these critical directives:

Match Group restricted
    ChrootDirectory /home/chroot
    X11Forwarding no
    AllowTcpForwarding no
    PermitTTY yes

Create a minimal Unix environment for SSH users:

mkdir -p /home/chroot/{bin,dev,etc,lib,lib64,home}
mknod -m 666 /home/chroot/dev/null c 1 3
cp /etc/{passwd,group} /home/chroot/etc/
cp /bin/bash /home/chroot/bin/
# Identify and copy required libraries, keeping each at its original path
# (/lib or /lib64) and including the dynamic loader, which ldd lists without "=>"
ldd /bin/bash | awk '$2 == "=>" && $3 ~ /^\// {print $3} $1 ~ /^\// {print $1}' |
while read -r lib; do
    mkdir -p "/home/chroot$(dirname "$lib")"
    cp "$lib" "/home/chroot$lib"
done

For selective restriction, combine Match blocks with user/group conditions:

Match User user1,user2
    ChrootDirectory /home/chroot/users/%u
    ForceCommand internal-sftp

Match Group developers
    ChrootDirectory /home/chroot/dev_env
    PermitTunnel yes

Always verify configurations before restarting sshd:

sshd -t
systemctl restart ssh
# Test connection as restricted user:
ssh restricted-user@localhost -v

  • Use bind mounts for shared resources: mount --bind /shared /home/chroot/shared
  • Implement per-user home directories within the chroot
  • Consider SELinux/AppArmor integration for additional security layers