fuschlberger.net - Howto Setup a chroot-jail for ssh/scp with Linux
Howto Setup a chroot jail for ssh / scp / sftp with Linux
On this page you will a find a short guide and a shell script for setting
up a chroot-jail for ssh/scp/sftp with Linux.
All comments, suggestions etc. are welcome. Please contact me at firstname.lastname@example.org.
I had to set up a chrooted user account with scp-Access to let people upload
files to a server in order not to let them browse the whole filesystem.
So I wrote this Script which does all the work automatically to set up a working chroot-jail.
View the source
Download the file make_chroot_jail.sh.
What this script does:
What this script does not do:
Download the script.
How the script works:
The script must be run by
To create a new chrooted account:
Username is obligatory
If a user account with this name exists, the script exits with an error-message.
A user account with the name given is created, a chroot-jail is per default created in
To update the files in the chroot-jail:
All necessary files that have been copied into the jail when running the script for the first time are being updated.
I received a mail asking whether RSA keys could be used for the chrooted users
to avoid having to enter a password on each login (that this might be a
security risk is quite obvious so I won't explain it in detail). So I copied my
pub-key with scp into the chroot-ed
Do not add
On the other hand, if chroot'ed Users want to use FTP, you have to add
There is a possible exploit, as somebody told me some days ago. If a local user
outside the chroot knows the password of a chroot'ed user, he can get root.
This exploit needs only one little program in C.
If libxcrypt doesn't exist on your system uncomment the necessary lines near the end of the script, then it should work.
If you cannot log in (for example on Debian Sarge) and see a warning like "su:
Module is unknown" then comment out the following line from
After that logging in will work, although I can't explain why the module in
If you are running the system inside a virtual machine watch out if a different
architecture (32bit vs 64 bit) is emulated and copy the necessary libraries for
both into the chroot-directory (/lib and /lib64). A symptom of this may be the
Other documents / scripts about / based on / mentioning my script:
Tutorial for Debian Lenny (no need for a special shell file any more)
modified for Ubuntu 8..04 (in German)
Written 2003-05-15 - last update 2008-04-26
© echo date(Y); ?> by wf