Chrooting SSH

This guide explains how to chroot users that log in to the ssh server.

Creating user and ssh group

First, we create the group ssh that all ssh users must belong to.

# groupadd ssh

If the user account does not already exist, we must create it with adduser or useradd.

# useradd -m -G ssh -s /bin/ksh $USER
# passwd $USER

Replace $USER with the actual user. We set the login shell to ksh; sshd(8) runs this shell after the chroot, so a copy of it must exist inside the chroot (done below).

If the user account already exists, add the user to the ssh group (on OpenBSD usermod -G adds secondary groups; on Linux shadow-utils, -G replaces the whole list unless combined with -a, so check with id $USER afterwards that ssh was added and no existing group was dropped):

# usermod -G ssh $USER

We then append this block to sshd_config. It must go at the end of the file: a Match block extends to the next Match line or the end of the file, and any global directive placed after it would silently become conditional. PermitTTY no denies pty allocation, so a chrooted user can run commands (ssh $USER@host command) but gets no interactive terminal:

Match Group ssh
	PasswordAuthentication yes
	ChrootDirectory %h
	DisableForwarding yes
	PermitTunnel no
	PermitTTY no

We check the syntax with sshd -t and then reload the configuration:

# pkill -HUP sshd

In sshd_config(5), it states:

             Specifies the pathname of a directory to chroot(2) to after
             authentication.  At session startup sshd(8) checks that all
             components of the pathname are root-owned directories which are
             not writable by group or others.  After the chroot, sshd(8)
             changes the working directory to the user's home directory.

sshd(8) requires that the chroot directory, and every directory above it, be owned by root and not writable by group or others (on a default install / and /home already are). Since the chroot directory is the user's home directory, we change its owner and confirm the mode is 755:

# chown root:wheel /home/$USER
# ls -ld /home/$USER       
drwxr-xr-x  4 root  wheel   512B Jun 17 12:56 /home/$USER

Inside the chroot, we create the user's home directory a second time: after the chroot, sshd(8) changes to the user's home directory, and that path is now resolved relative to the chroot root. We populate it from /etc/skel. Note the trailing "/." rather than "/.*": the pattern .* can also match "." and "..", in which case cp -R would copy all of /etc into the chroot. The chown uses the user's real primary group, because OpenBSD's useradd does not create a group named after the user unless told to:

# mkdir -p /home/$USER/home/$USER
# cp -Rp /etc/skel/. /home/$USER/home/$USER/
# chown -R $USER:$(id -gn $USER) /home/$USER/home/$USER

The shell needs a few device nodes under /dev inside the chroot. MAKEDEV(8) creates nodes in the current directory, so we create the dev directory and run it from there, then remove the nodes a chrooted shell has no business touching:

# mkdir -p /home/$USER/dev
# cd /home/$USER/dev
# /dev/MAKEDEV std
# rm console klog kmem ksyms mem xf86

Note that the default /etc/fstab mounts /home with nodev, which prevents device nodes on that filesystem from being opened; for these nodes to work, the chroot must live on a filesystem mounted without nodev.

Copy the shell inside the chroot. /bin/ksh is statically linked on OpenBSD, so it needs no shared libraries:

# mkdir /home/$USER/bin
# cp /bin/ksh /home/$USER/bin/

Create the etc folder:

# mkdir -p /home/$USER/etc

Create a minimal /home/$USER/etc/passwd and an empty /home/$USER/etc/group so that name lookups inside the chroot can resolve root. Do not copy the real /etc/passwd or /etc/master.passwd: the chrooted copies need no password hashes and should not list the system's users:

# cat /home/$USER/etc/passwd
root:*:0:0:Charlie &:/root:/bin/ksh
# cat /home/$USER/etc/group

Next, you will probably want to add programs that the shell can call. Unlike /bin/ksh, most binaries under /usr/bin are dynamically linked, so each one also needs its shared libraries and /usr/libexec/ld.so copied into the chroot (ldd lists them). For example, see the instructions on how to add openrsync.


The default syslog.conf records authentication messages in /var/log/authlog. If sshd(8) refuses the chroot, the session is terminated and authlog shows:

Jun 17 12:49:01 $USER sshd[60020]: fatal: bad ownership or modes for chroot directory component "/home/$USER/"

This means the named component of the chroot path is not owned by root, or is writable by group or others; fix that component with chown root:wheel and chmod 755 and try again. The same check applies to every directory above the chroot, so a group-writable /home would produce the same message with that path.