Skip to content

2i3r/linux-jailed-ssh

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
README.md
README.md
 
 
example_mounts.txt
example_mounts.txt
 
 
l2chroot
l2chroot
 
 

Repository files navigation

How to create jailed ssh session:

1- create group and user:

groupadd sshjailedusers
useradd -g sshjailedusers newuser

2- create jailed root structure

root=/home/jailedroot
mkdir ${root}
mkdir -p ${root}/{dev,etc,lib,usr,bin,proc,sys,home}
mkdir ${root}/usr/bin
mkdir ${root}/dev/pts
chown root:root ${root}

3- mount proc. sys, dev and optionally run

cd ${root}/
mount -t proc proc proc/
mount -o bind /sys sys/
mount -o bind /dev dev/
mount -o bind /dev/pts dev/pts/
mount -o bind /run run/

Instead of full dev bind making only "null, zero, stdin, stdout, stderr, random, tty" may be sufficient, by something like this:

mknod -m 666 ${root}/dev/null c 1 3
mknod -m 666 ${root}/dev/tty c 5 0
mknod -m 666 ${root}/dev/zero c 1 5
mknod -m 666 ${root}/dev/random c 1 8
...
..
.

4- fill up etc directory with minimum files:

cd ${root}/etc
cp /etc/ld.so.cache .
cp /etc/ld.so.conf .
cp /etc/nsswitch.conf .
cp /etc/hosts .

(↓↓ optional, for newuser profile and info ↓↓)

cp /etc/profile{,.d} .
cp /etc/passwd .
cp /etc/group .

5- copy some binaries for command you want to ${root}/usr/bin and also to ${root}/bin bash, cp, head, less, ls, mv, tail, tty, whoami are some examples

6- using l2chroot, you can copy needed libraries for each binary replace "BASE" variable initialization in "l2chroot" bash file with your jailed root path

cd /sbin

then for each binary you copied, do:

l2chroot [command_name]

7- l2chroot may not copy all the needed files, you need to "strace" each binary and look at "open" addresses, and copy those file it they has not: for example for bash:

strace bash -c ";" 2>&1 | grep -e "^open"

8- now everything should be there, configure /etc/ssh/sshd_config add these lines to /etc/ssh/sshd_config

Match Group sshusers
    AllowUsers newuser
    ChrootDirectory /home/jailedroot
    #ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

9- restart sshd service

systemctl restart sshd

10- Optionally create home directories for newuser

cd ${root}/home
mkdir newuser
cp /etc/skel newuser/.bashrc
chmod -R 755 newuser/
chown -R newuser:sshjaileduser newuser/
NOTE:

This might be much more than needed (full sys, dev) for limited applications perhaps with restricted user, it may not be a serious problem. should look more into it. any commit and issue is appreciated.

About

This is a how to for creating jailed ssh session

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages