CHROOT JAIL WITH OPENSSH 6
This was done on CentOS 6.3:
Install base packages:
yum install gcc wget unzip make perl xauth telnet
Install and Configure Zlib:
cd /tmp
mkdir -p /opt/zlib
wget http://zlib.net/zlib127.zip
unzip zlib127.zip
cd zlib-1.2.7
./configure --prefix=/opt/zlib
make
make install prefix=/opt/zlib
Install Openssl:
cd /tmp
mkdir -p /opt/openssl
wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
tar xvzf openssl-1.0.1c.tar.gz
cd openssl-1.0.1c
./config --prefix=/opt/openssl --openssldir=/opt/openssl
make
make test
make install
Download Openssh:
cd /tmp
mkdir -p /opt/openssh
wget http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/openssh-6.1p1.tar.gz
tar xvzf openssh-6.1p1.tar.gz
cd openssh-6.1p1
Install Openssh:
./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl --with-xauth=/usr/bin/xauth --with-zlib=/opt/zlib
make
make install
Create custom /etc/init.d/sshd script:
# Some functions to make the below more readable
KEYGEN=/opt/openssh/bin/ssh-keygen
SSHD=/opt/openssh/sbin/sshd
RSA1_KEY=/opt/openssh/etc/ssh_host_key
RSA_KEY=/opt/openssh/etc/ssh_host_rsa_key
DSA_KEY=/opt/openssh/etc/ssh_host_dsa_key
Check it Works:
/etc/init.d/sshd restart
telnet localhost 22
(If the connection fails, check iptables.)
Edit /opt/openssh/etc/sshd_config – replace this:
Subsystem sftp /opt/openssh/libexec/sftp-server
With This:
Subsystem sftp internal-sftp
And add this to the bottom:
Match Group sftponly
ChrootDirectory /home/jail/%u
ForceCommand internal-sftp
AllowTcpForwarding no
Add SFTPOnly Group:
groupadd sftponly
mkdir /home/jail
chown root:root /home/jail
chmod 755 /home/jail
Add SFTPOnly User:
useradd --home /home/jail/sftp sftp
usermod -g sftponly sftp
usermod -s /sbin/nologin sftp
passwd sftp
Change the permissions to make the chroot jail work:
chmod 755 /home/jail/sftp
chown root:root /home/jail/sftp
mkdir /home/jail/sftp/public_html
chown sftp:sftponly /home/jail/sftp/public_html
You should now be done!
You should not be able to ssh in, but you should be able to sftp to /home/jail/sftp only, and write/execute/delete in /home/jail/sftp/public_html only.
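Added example (not part of the original write-up): sshd refuses the chroot unless every directory in the ChrootDirectory path is owned by root and not writable by group or other, which is why the steps above set /home/jail and /home/jail/sftp to root:root with mode 755. The script below checks each component of a path; its function names are made up for this example and it assumes GNU stat, as shipped on CentOS.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU stat (CentOS).
# sshd accepts a ChrootDirectory only if every component of the path is a
# directory owned by root and not writable by group or other.

# mode_is_safe OCTAL_MODE: true when the group/other write bits (022) are clear.
mode_is_safe() {
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# dir_is_safe DIR [UID]: check one directory; UID defaults to 0 (root).
dir_is_safe() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    info=$(stat -L -c '%u %a' "$dir") || return 1
    uid=${info% *}; mode=${info#* }
    [ "$uid" = "$want_uid" ] || { echo "FAIL $dir: owner uid $uid, want $want_uid"; return 1; }
    mode_is_safe "$mode" || { echo "FAIL $dir: mode $mode is group/other writable"; return 1; }
    echo "ok   $dir"
}

# chroot_path_is_safe ABSOLUTE_PATH [UID]: check / and then each component,
# reporting every failing directory instead of stopping at the first one.
chroot_path_is_safe() {
    rest=${1#/}; want_uid=${2:-0}; cur=; rc=0
    dir_is_safe / "$want_uid" || rc=1
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue          # skip empty parts from "//"
        cur=$cur/$part
        dir_is_safe "$cur" "$want_uid" || rc=1
    done
    return $rc
}

# Usage: sh check_chroot.sh /home/jail/sftp
if [ $# -gt 0 ]; then
    chroot_path_is_safe "$1"
fi
```

The writable public_html directory sits below the chroot root, so it is not part of the checked path and may stay owned by the sftp user.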