Makejail – limited SSH account on Ubuntu

Jail Cell in the Rock by hadsie, on Flickr
Creative Commons Attribution-Noncommercial-Share Alike 2.0 Generic License  photo by  hadsie 

Previous I had covered how to setup scponly as a restricted fileserver environment. While this works well, it is very limited and didn’t allow for rsync to run (without heroics beyond what I was willing to do). Using makejail seems to be a better solution for my needs, and it turns out to be quite easy to setup on Ubuntu 12.04. On the journey here I had also tried out rssh which I also decided wasn’t a good fit.

You’ll of course need sshd installed which I’ll assume you have, and makejail which we can install easily:

$ sudo apt-get install makejail

Now we need to modify our openssh configuration by editing /etc/ssh/sshd_config, there are two changes we need to make. Modify the yes setting for UsePrivilegeSeparation:

# Disable Privilege Separation to allow chroot
UsePrivilegeSeparation no

and at the bottom of the configuration file we’ll add:

Match User frank
ChrootDirectory /home/frank
AllowTCPForwarding no
X11Forwarding no
PasswordAuthentication no

Of course, for each restricted user you need to specify the username and home directory. You may have noticed that for the restricted users I’ve disabled password authentication, this is because changing the password is broken in the ‘jailed’ environment so we just avoid the issue by insisting on the use of keys (yes, you’ll need the restricted user to send you their public key to install in the .ssh/authorized_keys file of the restricted user).

Next we need to create a simple python script file that we can pass to makejail as a configuration file. I called mine jailconf.py and the contents look like:

chroot = "/home/frank"
testCommandsInsideJail = ["bash", "ls", "touch", "rm", "rmdir", "less", "cat", "rsync" ]

Then execute makejail with this configuration file.

$ sudo makejail jailconf.py

For some reason, I needed to run makejail twice initially before it ran without errors – but it is something you can run multiple times with no serious side effects, this is handy if you want to add more commands later.

That’s it, now if you take a peek at the filesystem structure that’s been created – it’s a chroot environment. You’ll probably want to go in and create a /home/frank/stuff directory and assign ownership to the user so they can stick files there.

$ sudo ls -l /home/frank
total 36
drwxr-xr-x 2 root root 4096 Sep 19 22:59 bin
drwxr-xr-x 2 root root 4096 Sep 19 22:55 dev
drwxr-xr-x 3 root root 4096 Sep 19 22:56 etc
drwxrwxrwx 4 frank frank 4096 Sep 19 23:28 stuff
drwxr-xr-x 4 root root 4096 Sep 19 22:55 lib
drwxr-xr-x 2 root root 4096 Sep 19 22:55 root
drwxr-xr-x 2 root root 4096 Sep 19 22:59 sbin
drwxr-xr-x 2 root root 4096 Dec 5 2009 selinux
drwxr-xr-x 5 root root 4096 Sep 19 22:55 usr

Now once you sort out the public key login (and remember to make sure the permissions on the .ssh directory and authorized keys are correct), the user frank will be able to log in and see the directory tree /home/frank as if it were the root of the filesystem. Only commands listed in the configuration file (jailconf.py) will be available to that user. Of course, if the filesystem is writeable (and executable) then they could always upload copies of the commands they want to run – but hopefully these are people you trust to some level.

References: I came to this solution initially through this article. There was a serverfault post that helped with the ssh configuration changes related to disabling password authentication.

In my case this is one component in allowing a friend to use my system as a remote (encrypted) backup site using rsync. I’ll post more details on that in the future.

2 thoughts on “Makejail – limited SSH account on Ubuntu”

  1. I found this very helpful, thanks. One point of clarification that might be useful to other users: when you SSH/RSYNC in from a remote host with this setup, the “stuff” directory will not be accessible at just “./stuff” (in the default CWD) but instead must be referenced as “/stuff” (since it’s at the root of the jailed filesystem).

    Chris

  2. Thanks Andrew! This was a great help! 🙂 Note to others (and possibly myself) remember to restart the sshd service after you’ve made any changes to /etc/ssh/sshd_config

Leave a Reply

Your email address will not be published.