How to Restrict SSH User Access to a Specific Directory?

There are many reasons for granting user permissions only to certain directories, especially for web servers. But the main reason is security. You can use chroot (change root) to restrict user access to a specific directory.

chroot is used on Unix systems to separate certain user operations from the rest of the Linux system. It replaces the root directory for the currently running user process and its child processes with a new root directory called the chroot jail.

This article will show you how to restrict SSH user access to a given directory in Linux. All commands are run as root. Use the sudo command if you are logged into the server as a normal user.

Create SSH Chroot Jail

  1. Create chroot jail using the mkdir command:
    # mkdir -p /home/test
  2. Then provide the files the jail needs according to sshd_config. The ChrootDirectory directive specifies the directory that sshd chroots into after authentication. That directory must contain the files and subdirectories needed to support the user's session.
    An interactive session requires at least a shell, its shared libraries, and basic /dev nodes such as null, zero, stdin, stdout, stderr, and tty devices:
    # ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty}
  3. Next, create the /dev files as shown below using the mknod command. In the command below, the -m flag is used to specify file permissions, c stands for a character file, and the two numbers are the major and minor numbers that the files point to.
    # mkdir -p /home/test/dev/

    # cd /home/test/dev/

    # mknod -m 666 null c 1 3

    # mknod -m 666 tty c 5 0

    # mknod -m 666 zero c 1 5

    # mknod -m 666 random c 1 8
  4. After that, set the permissions on the chroot jail. Note that the chroot jail and all directories above it must be owned by root and must not be writable by any regular user or group, otherwise sshd will refuse to chroot into it:
    # chown root:root /home/test

    # chmod 0755 /home/test

    # ls -ld /home/test

Configure an Interactive Shell for SSH Chroot Jail

  1. First create the bin directory, then copy /bin/bash into it:
    # mkdir -p /home/test/bin

    # cp -v /bin/bash /home/test/bin/
  2. Now identify the shared libraries bash needs and copy them to the jail's lib64 directory:
    # ldd /bin/bash

    # mkdir -p /home/test/lib64

    # cp -v /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /home/test/lib64/

Create and Configure SSH User

  1. Create an SSH user using the useradd command and set a secure password for the user:
    # useradd username

    # passwd username
  2. Create the jail's configuration directory /home/test/etc and copy the current account files (/etc/passwd and /etc/group) into it as follows:
    # mkdir /home/test/etc

    # cp -vf /etc/{passwd,group} /home/test/etc/
    Every time you add new SSH users to the system, you will need to copy the updated account files to the /home/test/etc directory.

Configure SSH to use chroot jail

Open the sshd_config file.

# vi /etc/ssh/sshd_config

and add or change the lines in the file:

# define the user to apply the chroot jail to
Match User username
    # specify the chroot jail
    ChrootDirectory /home/test

Save the file, exit and restart SSHD services:

# systemctl restart sshd

or

# service sshd restart

Checking SSH with Chroot Jail

Check if the chroot jail setting is working properly:

# ssh username@192.168.0.10

-bash-4.1$ ls

-bash-4.1$ date

-bash-4.1$ uname

The SSH user is locked in a chrooted jail and cannot run any external commands (ls, date, uname, etc.).

The user can only execute bash and its built-in commands like pwd, history, echo, etc.

Create the SSH user home directory and add Linux commands

  1. After login the user lands in the jail's root directory. Create a home directory for the SSH user inside the jail like this (do it for every jailed user):
    # mkdir -p /home/test/home/username

    # chown -R username:username /home/test/home/username

    # chmod -R 0700 /home/test/home/username
  2. Then copy the commands you want available, such as ls, date and mkdir, into the jail's bin directory:
    # cp -v /bin/ls /home/test/bin/

    # cp -v /bin/date /home/test/bin/

    # cp -v /bin/mkdir /home/test/bin/
  3. Check the shared libraries needed by the commands from the previous step and copy them into the jail's library directory:
    # ldd /bin/ls

    # cp -v /lib64/{libselinux.so.1,libcap.so.2,libacl.so.1,libc.so.6,libpcre.so.1,libdl.so.2,ld-linux-x86-64.so.2,libattr.so.1,libpthread.so.0} /home/test/lib64/
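The ldd-then-cp steps in this section and in the earlier bash step are the same job, so here is one added example (not the article's own script) that automates it for any program: jail_install copies a binary into JAIL/bin and every library ldd reports to the same absolute path under the jail, which is where the dynamic loader will look for it once chrooted, and jail_verify reports libraries still missing from the jail. The function names and the JAIL and BINARY arguments are assumptions of this example; run it as root against a real jail such as /home/test.

```shell
#!/bin/sh
# Added example: install a program and its shared libraries into a chroot jail.
# Usage: jail_install /home/test /bin/ls && jail_verify /home/test /bin/ls

# Print the absolute paths of the shared objects a binary needs, one per line.
# Lines without a path (linux-vdso, "statically linked") are skipped, so a
# static binary yields an empty list.
jail_deps() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# jail_install JAIL BINARY: copy BINARY to JAIL/bin and its libraries under JAIL.
jail_install() {
    jail=$1
    bin=$2
    command -v ldd >/dev/null 2>&1 || { echo "ldd not found" >&2; return 1; }
    [ -x "$bin" ] || { echo "not an executable: $bin" >&2; return 1; }
    mkdir -p "$jail/bin" || return 1
    # cp follows symlinks, so /bin/sh -> dash ends up as a real file named sh
    cp "$bin" "$jail/bin/" || return 1
    for lib in $(jail_deps "$bin"); do
        # keep the library's own directory layout, e.g. /lib64 -> JAIL/lib64
        mkdir -p "$jail$(dirname "$lib")" || return 1
        [ -e "$jail$lib" ] || cp "$lib" "$jail$lib" || return 1
    done
}

# jail_verify JAIL BINARY: succeed only if every library BINARY needs is in JAIL.
jail_verify() {
    jail=$1
    bin=$2
    missing=0
    for lib in $(jail_deps "$bin"); do
        if [ ! -e "$jail$lib" ]; then
            echo "missing in jail: $lib" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
```

Because the library list comes from ldd on the host binary, the same function covers bash, ls, date and mkdir without maintaining the hand-written lists of .so files shown above, and jail_verify is a cheap check to run after any package update replaces a library on the host.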

SFTP Check with Chroot Jail

  1. Finally, check the jail over SFTP and verify that the commands you just installed work.
    Add the following line inside the Match User username block in /etc/ssh/sshd_config:
    # enable SFTP in the chrooted jail

    ForceCommand internal-sftp
    Save the file and exit. Then restart SSHD services:
    # systemctl restart sshd

    or

    # service sshd restart
  2. Now check with SSH:
    # ssh username@192.168.0.10
    You will receive an error message.
    Also try using SFTP like this:
    # sftp username@192.168.0.10
