Chrooting SSH/SFTP

Brandon Hutchinson provides a concise howto for chrooting SSH. On recent Red Hat Enterprise Linux-derived distributions (such as CentOS), the following may also be needed in addition to Hutchinson's Fedora Core procedure (run as root, since the files and device nodes under the chroot are owned by root):

  $ cp /lib/ld-linux.so.2 /chrootedpath/lib/.
  $ chmod 666 /chrootedpath/dev/null
  $ chmod 666 /chrootedpath/dev/zero

Running ldd on the sshd binary (or on any other dynamically linked binary placed in the jail) lists the executable's shared library dependencies. The first item on the list addresses a dependency omitted in Hutchinson's howto: /lib/ld-linux.so.2 is the dynamic loader, and without a copy of it inside the chroot no dynamically linked binary in the jail, /bin/sh included, can start. Its absence is a likely cause of a "/bin/sh: No such file or directory" error when connecting as the chrooted user.

Attempting to SFTP as the chrooted user may result in the connection being closed immediately. After logging in as the chrooted user, executing /usr/local/libexec/sftp-server directly may print a "Couldn't open /dev/null: Permission denied" error, because the device node in the jail is not writable by the user. This is fixed by applying the second item of the preceding list (and the third for /dev/zero).

Hutchinson’s shell script can be modified to incorporate the additional steps that are presented above.
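The following helper script is an added example written for this post; it is not Hutchinson's script and not part of the original howto. It shows the two additions above in a form that does not depend on a hand-maintained library list: it parses ldd output (including the loader line, which has no "=>" and is what a naive "=>"-only parser misses), copies each file into the jail, creates /dev/null and /dev/zero with mode 666, and checks the result. The chroot path, the binary names and the ldd output formats shown in the comments are assumptions about a typical glibc system; adjust them for your installation. Creating the device nodes requires root.

```shell
#!/bin/sh
# Added example for this post; not Hutchinson's script. Assumes a glibc
# system where ldd(1) prints lines of these three shapes:
#   libc.so.6 => /lib/libc.so.6 (0x...)    library with a file to copy
#   /lib/ld-linux.so.2 (0x...)            dynamic loader, no "=>" at all
#   linux-gate.so.1 =>  (0x...)           vDSO, nothing on disk to copy

# Turn ldd output (read from stdin) into one absolute path per line.
# The loader line is handled explicitly, since it is the one usually missed.
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }   # "name => /path (addr)"
        $1 ~ /^\// { print $1 }                          # "/lib/ld-linux.so.2 (addr)"
    '
}

# Copy one file into the chroot, creating its directory first.
# cp -L follows symlinks so the real library ends up inside the jail,
# rather than a dangling link pointing outside it.
copy_into() {            # copy_into <chroot> <absolute path>
    mkdir -p "$1$(dirname "$2")"
    cp -L "$2" "$1$2"
}

# Copy a binary plus everything ldd reports for it, loader included.
install_with_libs() {    # install_with_libs <chroot> <binary>
    copy_into "$1" "$2"
    ldd "$2" | ldd_paths | while read -r lib; do
        copy_into "$1" "$lib"
    done
}

# Create /dev/null and /dev/zero inside the chroot with mode 666, which is
# what sftp-server needs to avoid "Couldn't open /dev/null: Permission denied".
# mknod requires root; major/minor numbers are the standard Linux ones.
make_devs() {            # make_devs <chroot>
    mkdir -p "$1/dev"
    [ -c "$1/dev/null" ] || mknod "$1/dev/null" c 1 3
    [ -c "$1/dev/zero" ] || mknod "$1/dev/zero" c 1 5
    chmod 666 "$1/dev/null" "$1/dev/zero"
}

# Check that a path is a character device readable and writable by everyone
# (crw-rw-rw-). Returns 0 when it is, 1 otherwise.
dev_ok() {               # dev_ok <path>
    [ -c "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        c?w??w??w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage (as root; CHROOT and the binary list are placeholders):
#   CHROOT=/chrootedpath
#   make_devs "$CHROOT"
#   for bin in /bin/sh /usr/local/libexec/sftp-server; do
#       install_with_libs "$CHROOT" "$bin"
#   done
#   dev_ok "$CHROOT/dev/null" && dev_ok "$CHROOT/dev/zero" && echo "devices ok"
```

After running it, `ldd "$CHROOT/bin/sh"` and a test login as the chrooted user are the two checks worth doing: the first confirms every reported path now also exists under the jail, the second confirms the loader and the device nodes are in place.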

A personal copy of the howto for future reference is found here.
