Jail (Chroot) SSH Users

Situation: I wanted to back up the files of one remote server to another, but wanted to give that connection as little privilege as necessary to complete the job. The backup job was going to be scripted, so the process had to be passwordless. (Hence, the jitters over security.)

Solution: For locking down what a particular key can do on a server, Arabesque had a pretty good post about that called Restricting Public Keys. From that, I got this line to add to the authorized_keys line for the key that was going to be used:

from="[domain|ip]",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,no-user-rc ...

This makes the backup server accept the key only when the connection comes from the server being backed up, and disables agent, port and X11 forwarding, pty allocation, and execution of the user's ~/.ssh/rc (no-user-rc does not touch .bashrc; the login shell still reads its own startup files). Prefer an IP address or CIDR range in from=: a hostname there is matched against a reverse DNS lookup of the connecting address, which is a weaker check than the address itself.

Allan Feid had a pretty damn good article called Creating a Chroot Jail for SSH Access. However, as his use of OpenSSH 5.1p1 shows, the article is growing stale. Of particular note is the unification of binaries into /usr/bin and libraries into /usr/lib since he wrote it. NB: As of the writing of this article, OpenSSH is up to 6.4p1 in Arch Linux.

Being the tool for automation that I am, I prefer that the location of the jail be abstracted so that (1) the user decides where it goes and (2) the user can create more than one. Learning from previous encounters, I’ve put this code up on GitHub.

First, modify /etc/ssh/sshd_config on the server and add these lines. Put them at the end of the file: every directive that follows a Match line belongs to that block until the next Match.

Match User [username]
  ChrootDirectory /var/jail/
  X11Forwarding no
  AllowTcpForwarding no

(Match Group [groupname] works the same way for a whole group.) ChrootDirectory has to name the jail you build below, and sshd refuses the login unless that directory and every directory above it are owned by root and not writable by group or others. The path may contain %u for the user name and %h for the user's home directory, which is how a single Match block can give each user a separate jail. Run sshd -t to check the configuration before restarting the daemon.

Next, grab mkminchroot and cp2chroot from my GitHub repo.

wget http://raw.github.com/BrainwreckedTech/Brainwrecked-Scripts/master/mkminchroot
wget http://raw.github.com/BrainwreckedTech/Brainwrecked-Scripts/master/cp2chroot

Running mkminchroot [dir] will create a chroot environment with the bare essentials.

mkminchroot /srv/jails/test

Running cp2chroot [dir] [bin] will copy [bin], along with all of the shared libraries it depends on, into the chroot [dir].

Even with no-pty, sshd runs the requested command through the user's login shell, so the shell listed for the user in /etc/passwd (bash here) has to exist at the same path inside the jail; without it no command, rsync included, can start.

cp2chroot /srv/jails/test /usr/bin/bash

If you’re doing backups, you probably want rsync:

cp2chroot /srv/jails/test /usr/bin/rsync

And since rsync needs to be able to change file ownership and permissions on the receiving side:

chmod u+s /srv/jails/test/usr/bin/rsync
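As an added example (not the author's mkminchroot or cp2chroot, which are not reproduced here), the following POSIX sh script does for one binary what the steps above describe: it copies the binary and the shared libraries ldd reports into the jail, then runs the checks sshd applies to a ChrootDirectory (root-owned, non-writable path components) plus two this setup calls for: that the login shell exists inside the jail, and that nothing in the jail is setuid or setgid, since a setuid-root binary runs as root for whoever holds the key and chroot does not confine root. The /srv/jails/test and /usr/bin/bash paths are the post's; the function names and the check entry point are this example's own.

```shell
#!/bin/sh
# Added example, not the author's mkminchroot/cp2chroot: populate a jail with
# one binary plus its shared-library dependencies, then verify the layout
# against the rules sshd's ChrootDirectory enforces. Function names and the
# "check" entry point are this example's own; /srv/jails/test is the post's.

# Copy BIN into JAIL at the same absolute path, followed by every shared
# object ldd reports for it. Note: ldd may execute the binary it inspects,
# so only point it at binaries you trust (system ones, as here).
cp2jail() {
    jail=$1 bin=$2
    [ -f "$bin" ] || { echo "cp2jail: $bin not found" >&2; return 1; }
    mkdir -p "$jail$(dirname "$bin")" && cp "$bin" "$jail$bin" || return 1
    # ldd prints "name => /path (addr)" or "/path (addr)"; keep the path.
    # A static binary, or a system without ldd, simply yields no libraries.
    ldd "$bin" 2>/dev/null |
    awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")" && cp "$lib" "$jail$lib" || exit 1
    done
}

# sshd refuses the login ("bad ownership or modes for chroot directory")
# unless every component of ChrootDirectory, from / down, is a directory
# owned by root and writable by nobody else. "find DIR -prune" evaluates
# DIR itself without descending into it.
dir_mode_ok() {   # not writable by group or others
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}
dir_owner_ok() {  # owned by root
    [ -z "$(find "$1" -prune ! -user root -print)" ]
}
jail_path_ok() {  # usage: jail_path_ok /srv/jails/test
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1" >&2; return 1; }
    while :; do
        dir_owner_ok "$dir" || { echo "not root-owned: $dir" >&2; return 1; }
        dir_mode_ok "$dir"  || { echo "group/world writable: $dir" >&2; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# sshd runs the requested command through the user's login shell, so the
# shell from /etc/passwd must exist at the same path inside the jail.
shell_in_jail() {  # usage: shell_in_jail /srv/jails/test /usr/bin/bash
    [ -x "$1$2" ]
}

# A setuid-root binary runs as root for whoever holds the key, and chroot
# does not confine root; list anything in the jail carrying such a bit.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Entry point: ./jailcheck.sh check /srv/jails/test /usr/bin/bash
if [ "${1:-}" = check ]; then
    jail=$2 shell=${3:-/usr/bin/bash}
    jail_path_ok "$jail" && echo "path OK: $jail"
    shell_in_jail "$jail" "$shell" && echo "shell OK: $jail$shell" \
        || echo "missing login shell: $jail$shell" >&2
    suid=$(find_setuid "$jail")
    [ -z "$suid" ] && echo "no setuid/setgid files" \
        || printf 'setuid/setgid inside jail (runs as root for the key holder):\n%s\n' "$suid" >&2
fi
```

Run it as root after the cp2chroot steps (sh jailcheck.sh check /srv/jails/test /usr/bin/bash); with the chmod u+s above applied, the last check reports /srv/jails/test/usr/bin/rsync, which is the trade-off to weigh before relying on the jail.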

Now, in the event that the server being backed up is compromised, the worst the attacker can do with the key is run rsync against this staging area and blow away the current backup. That holds only as long as nothing inside the jail runs as root: a setuid-root rsync executes with root privileges for whoever holds the key, and chroot does not confine a root process, so the chmod u+s above trades the jail's containment for ownership preservation. If owners and modes must survive, rsync's --fake-super option stores them in extended attributes on the receiving side without any privilege, and the rrsync wrapper that ships with rsync, used as the command= of the authorized_keys entry, pins the remote side to one directory and can make it read-only. Either way, keep a second copy of the backups somewhere the key cannot reach, since a legitimate rsync run and a hostile one look the same to the server.