
How To Set Up A Secure Chrooted Jail With RSSH

May 31, 2009

In this guide I will show you how to install and configure Restricted SSH (rssh) using the default port 22, create a chrooted jail for your users and how to properly secure it all afterwards.

This method is tried and tested as I originally wrote this for my own benefit when building servers at work.

There are 5 steps:

  1. Installing rssh
  2. Configuring rssh
  3. Building the chrooted jail
  4. Locking it all down
  5. Adding users with rssh over SCP and/or SFTP access to the jail.

Confirmed compatible with default installations of CentOS 5.2 and Red Hat 5.2.

During this guide the CentOS/Redhat default webroot of /var/www/html will be used.

Let’s get started!

1. Installing RSSH

In a terminal type:

cd /tmp

wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.i386.rpm

rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm

2. Configuring RSSH

Type (with root privileges):

gedit /etc/rssh.conf

Change the umask from 022 to 002. This will set the default permissions of all SFTP and SCP uploads to 775.

# set the default umask

umask = 002

Uncomment chrootpath and change it to /var/www

# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.

chrootpath = /var/www

Uncomment allowscp and allowsftp

allowscp

allowsftp

#allowcvs

#allowrdist

#allowrsync

Save rssh.conf overwriting the original (you do not need to restart any services as rssh will read this file on the fly).
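Because rssh reads rssh.conf on the fly, a typo here (a chrootpath left commented out, or an extra allow* line) silently takes effect the next time someone logs in. The following check is an added example, written for this guide and not part of rssh or the original post: it strips comments from an rssh.conf-style file, prints the effective directives, and fails unless the result is exactly what step 2 sets up (umask 002, chrootpath /var/www, only scp and sftp allowed). The two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective settings of
# an rssh.conf after comments are removed, and check them against this guide.
# rssh.conf syntax: "key = value" or a bare directive such as "allowscp";
# anything after '#' is a comment.

# Print effective directives, one per line, as key=value or a bare word.
rssh_effective() {   # $1 = path to an rssh.conf
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
        sed -e 's/[[:space:]]*=[[:space:]]*/=/'
}

# Return 0 only when the file matches step 2: umask 002, chroot to /var/www,
# and no protocol other than scp and sftp enabled.
rssh_check() {   # $1 = path to an rssh.conf
    eff=$(rssh_effective "$1")
    echo "$eff" | grep -qx 'umask=002'           || { echo "umask is not 002"; return 1; }
    echo "$eff" | grep -qx 'chrootpath=/var/www' || { echo "chrootpath is not /var/www (still commented out?)"; return 1; }
    echo "$eff" | grep -qx 'allowscp'            || { echo "allowscp is missing"; return 1; }
    echo "$eff" | grep -qx 'allowsftp'           || { echo "allowsftp is missing"; return 1; }
    # Any other allow* directive (cvs, rdist, rsync) widens what a jailed user may run.
    extra=$(echo "$eff" | grep '^allow' | grep -v -e '^allowscp$' -e '^allowsftp$' || true)
    [ -z "$extra" ] || { echo "unexpected directives: $extra"; return 1; }
    return 0
}

# Constructed sample configs so the script runs stand-alone.
write_good_conf() {   # $1 = destination path; mirrors the settings from step 2
cat > "$1" <<'EOF'
# set the default umask
umask = 002
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
chrootpath = /var/www
allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync
EOF
}

write_bad_conf() {    # $1 = destination path; chrootpath still commented out, rsync enabled
cat > "$1" <<'EOF'
umask = 002
#chrootpath = /var/www
allowscp
allowsftp
allowrsync
EOF
}

# Demo run against both samples (on a live box: rssh_check /etc/rssh.conf).
tmp=$(mktemp -d)
write_good_conf "$tmp/good.conf"; rssh_check "$tmp/good.conf" && echo "good.conf: OK"
write_bad_conf  "$tmp/bad.conf";  rssh_check "$tmp/bad.conf"  || echo "bad.conf: rejected"
rm -rf "$tmp"
```

Run rssh_check /etc/rssh.conf after saving; it prints the first problem it finds and returns non-zero, so it can sit in a post-install script.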

3. Build the Chrooted Jail

In a terminal type the following lines (remember to be root!):

mkdir -p /var/www/{dev,etc,lib,usr,bin}

mkdir -p /var/www/usr/bin

mkdir -p /var/www/libexec/openssh

mknod -m 666 /var/www/dev/null c 1 3

cd /var/www/etc

cp /etc/ld.so.cache .

cp /etc/ld.so.conf .

cp /etc/nsswitch.conf .

cp /etc/passwd .

cp /etc/group .

cp /etc/hosts .

cp /etc/resolv.conf .

gedit passwd

Gedit will open. Delete the entire contents of the file, save it and then close the editor.

Then type:

gedit group

Again, delete the entire contents of the file, save it and then close the editor.

Back in the terminal, type:

cd /var/www/usr/bin

cp /usr/bin/scp .

cp /usr/bin/rssh .

cp /usr/bin/sftp .

cd /var/www/libexec/openssh/

cp /usr/libexec/openssh/sftp-server .

Now you need to copy the shared library files into the new folder structure. The easiest way to do this is to use a simple script written by Vivek at nixcraft.com.

In a terminal type:

cd /sbin

wget -O l2chroot http://www.adamhawkins.net/downloads/l2chroot.txt

chmod +x l2chroot

gedit l2chroot

l2chroot will open with gedit. Find the following line:

BASE="/webroot"

Change it to:

BASE="/var/www"

Save the file.

In a terminal type:

l2chroot /usr/bin/scp

l2chroot /usr/bin/rssh

l2chroot /usr/bin/sftp

l2chroot /usr/libexec/openssh/sftp-server

gedit /etc/sysconfig/syslog

Find the line:

SYSLOGD_OPTIONS="-m 0"

Change it to:

SYSLOGD_OPTIONS="-m 0 -a /var/www/dev/log"

Save the file

In a terminal type:

/etc/init.d/syslog restart

Finally, move the folder libexec from /var/www/ to /var/www/usr/
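For anyone who would rather not fetch a script, here is what l2chroot does, as an added example of my own (it is not Vivek's script and not part of the original post): it reads the shared objects a binary is linked against from ldd, copies each one into the jail at the same path the binary's loader will look for, and then counts what is still missing so you can confirm the jail is complete before handing it to users. One caveat worth knowing: ldd may execute the program it inspects, so only point it at trusted system binaries such as the scp, sftp, rssh and sftp-server copies used here. It assumes GNU ldd/cp output and options as found on CentOS/Red Hat.

```shell
#!/bin/sh
# Added example (not the post's l2chroot script): populate a chroot with the
# shared libraries a binary needs, then verify nothing is missing.

# Print the absolute paths of the shared objects $1 is linked against.
lib_deps() {   # $1 = path to a dynamically linked binary
    ldd "$1" 2>/dev/null | awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }   # libc.so.6 => /lib64/libc.so.6 (0x...)
        $1 ~ /^\// { print $1 }                         # /lib64/ld-linux-x86-64.so.2 (0x...)
    '
}

# Copy every dependency of $2 into jail $1, keeping the original directory layout
# so /lib64/libc.so.6 ends up as $1/lib64/libc.so.6 where the jailed loader expects it.
jail_copy_libs() {   # $1 = jail root, $2 = binary outside the jail
    jail=$1; bin=$2
    lib_deps "$bin" | while IFS= read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        # -L dereferences symlinks so the real file lands at the path the binary references.
        cp -pL "$lib" "$jail$lib"
    done
}

# Print the number of dependencies of $2 that are absent from jail $1 (0 = complete);
# each missing path is also reported on stderr.
jail_missing_libs() {   # $1 = jail root, $2 = binary outside the jail
    jail=$1; bin=$2; n=0
    for lib in $(lib_deps "$bin"); do
        [ -e "$jail$lib" ] || { echo "missing: $jail$lib" >&2; n=$((n + 1)); }
    done
    echo "$n"
}

# Usage for the four binaries this guide copies into /var/www (run as root):
#   for b in /usr/bin/scp /usr/bin/rssh /usr/bin/sftp /usr/libexec/openssh/sftp-server; do
#       jail_copy_libs /var/www "$b"
#       [ "$(jail_missing_libs /var/www "$b")" = 0 ] || echo "$b: jail incomplete"
#   done
```

If jail_missing_libs reports anything after the copy, the jailed scp/sftp will fail to start with a loader error, so fix the copy before moving on to the permissions step.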

4. Permissions

In a terminal type:

cd /var/www

chmod 700 bin -R

chmod 750 dev -R

chmod 700 error -R

chmod 700 etc -R

chmod 700 icons -R

chmod 750 lib -R

chmod 750 usr -R

chmod 700 cgi-bin -R

chmod 755 html

chown root:users usr -R

chown root:users lib -R

chown root:users html

chown root:users dev -R

chown root:users cgi-bin -R

chown root:root icons -R

chown root:root etc -R

chown root:root error -R

chown root:root bin -R

cd /var/www/dev

chmod 770 null
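The long list of chmod/chown commands above is easy to get subtly wrong, and the thing a jail must never contain is a file or directory the jailed user can write to (a replaced library or binary inside the chroot undoes the containment) or a setuid program. The following audit is an added example written for this guide, not part of the original post: it walks the jail for anything world-writable or setuid/setgid, and compares the top-level directory modes against the values step 4 sets. It assumes GNU find and stat as shipped with CentOS/Red Hat.

```shell
#!/bin/sh
# Added example (not from the original post): audit /var/www after step 4.

# Print every path under jail $1 that is world-writable or setuid/setgid; return 1 if any.
jail_audit() {   # $1 = jail root
    findings=$(find "$1" \( -perm -0002 -o -perm -4000 -o -perm -2000 \) -print)
    [ -z "$findings" ] && return 0
    echo "$findings"
    return 1
}

# Compare top-level directory modes with the octal values the guide sets in step 4.
# Directories that do not exist on a given install (icons/, error/, cgi-bin/) are skipped.
jail_mode_check() {   # $1 = jail root
    rc=0
    for pair in bin:700 dev:750 etc:700 lib:750 usr:750 html:755 error:700 icons:700 cgi-bin:700; do
        d=${pair%%:*}; want=${pair##*:}
        [ -d "$1/$d" ] || continue
        have=$(stat -c %a "$1/$d")
        [ "$have" = "$want" ] || { echo "$1/$d is mode $have, expected $want"; rc=1; }
    done
    return $rc
}

# Usage on the live jail (as root):
#   jail_audit /var/www && jail_mode_check /var/www && echo "jail permissions look sane"
```

Note that the audit will flag dev/null if the final chmod 770 was skipped and the node is still 666 from mknod, which is exactly the kind of leftover this check is meant to catch.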

5. Add Users with RSSH over SCP and/or SFTP Access to the Jail

Create a good password, e.g. D4zf96xpvSma
(goodpassword.com is a good place to start if you can't think of a good one)

Go to System > Administration > Users and Groups

Click Add User

Enter the following:

Username: xxxxxxxxxxx (eg. ahawkins)
Password: xxxxxxxxxxxx

Untick Create a private group for the user.

Press OK

Double-click on the user

Go to the Groups tab

Add the user to other groups depending on what they need access to, e.g. web_computing. Leave the Primary Group as users.

Press OK

Open a terminal and enter this command to restrict ssh access to sftp and scp only, replacing xxxxxxxx with the required username.

usermod -s /usr/bin/rssh xxxxxxxx
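Once a few accounts have been set up this way, it is worth confirming that everyone with the rssh shell really has users as their primary group, since the jail's group ownership in step 4 depends on it. The check below is an added example written for this guide, not part of rssh or the original post. It takes passwd and group files as arguments so it can be run on copies; on the live system pass /etc/passwd and /etc/group. The sample entries in the test are constructed (ahawkins is the example name from this post; the second account is invented).

```shell
#!/bin/sh
# Added example (not from the original post): list rssh-restricted accounts and
# confirm their primary group is "users", as step 5 requires.

RSSH_SHELL=/usr/bin/rssh

# Print "user:gid" for every account whose login shell is rssh.
rssh_accounts() {   # $1 = passwd file
    awk -F: -v sh="$RSSH_SHELL" '$7 == sh { print $1 ":" $4 }' "$1"
}

# Return 0 when every rssh account has primary group "users"; otherwise name the offenders.
rssh_accounts_check() {   # $1 = passwd file, $2 = group file
    users_gid=$(awk -F: '$1 == "users" { print $3 }' "$2")
    [ -n "$users_gid" ] || { echo "no 'users' group in $2"; return 1; }
    bad=$(rssh_accounts "$1" | awk -F: -v g="$users_gid" '$2 != g { print $1 }')
    [ -z "$bad" ] && return 0
    echo "rssh accounts whose primary group is not users:" $bad
    return 1
}

# Usage on the live system:
#   rssh_accounts /etc/passwd
#   rssh_accounts_check /etc/passwd /etc/group && echo "all rssh users are in group users"
```

An account that fails this check would still be confined by rssh, but would not be able to write to the group-owned upload directories from step 4.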

That’s it, you can now start using your new configuration :)
