The ChrootDirectory parameter in /etc/ssh/sshd_config specifies a directory that sshd will chroot into before it starts the user's session. Once set, it applies to every ssh and sftp session on this server, not only to sftp. The target directory can be built from the %u token (the user name) and the %h token (the user's home directory), so the chroot location can differ per user. Because the chroot is a security boundary, sshd refuses the login unless every component of the chroot path, from / down to the target, is a directory owned by root and not writable by group or others; a user can therefore never own or write to his own chroot directory, which is why the areas below are created with ftpconfig (which also populates them with the few binaries, libraries and device nodes a chrooted session needs) and left owned by root. Note also that an interactive shell session needs a shell and its libraries inside the chroot; an sftp-only user needs nothing extra if the sftp subsystem is internal-sftp. Below are three scenarios and their configuration steps.
Case 1 : One common chroot directory for all users
In this example we will configure one target directory which will be used for all users. This is the simplest setup. We will use the directory /export/home/chroot in this example.
1. Create the chroot area by using the ftpconfig command:
    # ftpconfig -d /export/home/chroot
    Creating directory /export/home/chroot
    Updating directory /export/home/chroot
2. Create the user and assign a password:
    # useradd -d /export/home/chroot testuser
    # passwd testuser
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for testuser
3. Add the following chroot option to the file /etc/ssh/sshd_config:
    # vi /etc/ssh/sshd_config
    ChrootDirectory /export/home/chroot
4. Restart the ssh service to activate the configuration changes:
# svcadm restart ssh
Case 2 : One common chroot directory for all users, but each user has its own home directory inside this area
In this example we will configure one target directory which is used as the chroot for everyone, but each user has his own home directory inside this area. After login the user finds himself in his home directory but can still navigate the entire chroot area, so the user is not restricted to his own home directory. The home directory itself may be owned by the user, because only the chroot path /export/home/chroot and its parents must be root-owned and not group/world writable. We will use /export/home/chroot as the common chroot directory.
1. Create the chroot area by using the ftpconfig command:
    # ftpconfig -d /export/home/chroot
    Creating directory /export/home/chroot
    Updating directory /export/home/chroot
2. Create the user with his own home directory inside the chroot area (the -m option creates the directory) and assign a password to the user:
    # useradd -d /export/home/chroot/testuser -m testuser
    # passwd testuser
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for testuser
3. Change the user's home directory to the path it has as seen from inside the chroot, because sshd changes into the home directory only after the chroot has been applied. In this example that is /testuser:
    # usermod -d /testuser testuser
4. Add the following chroot option to the file /etc/ssh/sshd_config:
    # vi /etc/ssh/sshd_config
    ChrootDirectory /export/home/chroot
5. Restart the ssh service to activate the configuration change:
# svcadm restart ssh
Case 3 : Each user has a separate chroot environment
In this example we will set up an individual chroot area for each user. Please note that this needs more disk space than the first two options, as each area must be populated with the few required files. We will set up the user home directories under /export/home/chroot, where each user gets his own fully populated environment. Because the %h token resolves to the user's home directory, that directory is itself the chroot target and must stay owned by root and not writable by the user; if the user needs to upload files, create a subdirectory inside it (for example an upload directory owned by testuser) for that purpose.
1. Create the target chroot environment by using the ftpconfig command:
    # mkdir /export/home/chroot
    # ftpconfig -d /export/home/chroot/testuser
    Creating directory /export/home/chroot/testuser
    Updating directory /export/home/chroot/testuser
2. Create the user and assign a password:
    # useradd -d /export/home/chroot/testuser testuser
    # passwd testuser
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for testuser
3. Add the following chroot configuration line to the file /etc/ssh/sshd_config:
    # vi /etc/ssh/sshd_config
    ChrootDirectory %h
4. Restart the ssh service to activate the configuration change:
# svcadm restart ssh