digg

Facebook Connect Join Digg About

Chrooted SSH HowTo

howtoforge.com This tutorial describes how to install and configure OpenSSH so that it will allow chrooted sessions for users. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of.

Who dugg this? Made popular Jan 30, 2006

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

10 Comments

show profanity settings
expand all
  • LoDown, on 10/12/2007, -0/+1Another option is to use a Linux app known as "Jail". Homepage is: http://www.jmcresearch.com/projects/jail/

    Just something for you to check out.
  • sheetrock, on 10/12/2007, -0/+1Here's some good companion reading: http://www.bpfh.net/simes/computing/chroot-break.html

    SSH+Chroot wouldn't be enough of a partition for me to feel comfortable with untrusted users on my system. It might be better used in conjunction with setting up a separate machine or at least a UML environment as the SSH server -- where breaking a firewall or the virtualization adds another layer of difficulty to an attacker.
  • krux, on 10/12/2007, -0/+1using the scponly shell with ssh is a lot easier.
  • Whatchamacallit, on 10/12/2007, -0/+1chroot and jail are well proven and trusted ways to isolate users on a shared host. i.e. big ISP's and webhosts use this all the time. ISP's for their ftp and webhosts are doing the ssh chroot thing if they offer shell access. It works perfectly...

    /home/user1
    /home/user2/
  • anotherbob, on 10/12/2007, -0/+0Root jails don't create a false sense of security. Bonehead admins create a false sense of security.

    When it comes down to it, the best security tool is a security policy. And root jails can be a valuable element of that policy. But mocking or glorifying jails, IDS's, crypto algorithms, etc. misses the point.

    +dugg
  • firestorm, on 10/12/2007, -0/+0Or Rsh (restricted shell)


  • veracon, on 10/12/2007, -0/+0My host (Site5) uses jail for SSH access, though you can request to be unjailed if you have a good reason (like when I wanted to install PHP5).
  • sakibomb, on 10/12/2007, -0/+0this is a debian specific howto. hausmasta should have said as much in his description.
  • fac3less, on 10/12/2007, -0/+0The problem is even this creates a false sense of security on a webserver.
    In most cases apache (or the httpd) runs as 'nobody' (with most of-used panels) and thus anyone with php can just 'cat' any file they want and grab the information they need. Database details/logins, etc. ;)
  • SuperSloth, on 10/12/2007, -1/+0In other news, Linux security is only as good as the idiot managing the box.

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.