# chroot help with OpenSSH



## Mike Z (Apr 25, 2015)

One security measure I'd like to implement in my ssh build is a way to lock my user account to the directories with the data it needs to access. I was thinking I would use chroot, however, my limited understanding of this command leads me to believe that it only locks a user account to its home directory. This won't work in my case because the user's home directory is on another drive with a completely different directory from the drive and directories where the data is stored. How would I be able to lock down that user account to the data directories? Basically, if I'm connecting remotely to my user account, I only want the account to see those select directories with the data on them, not the entire directory tree as it is able to currently. I figured since remote root login is disabled, if an intruder were to access my user account, he would not be able to see the entire system (easily) if I can implement this measure.

Thanks for all the help, and hopefully this thread is in the right place (this seemed to be the most "security" related forum); please inform me otherwise.


----------



## asteriskRoss (Apr 26, 2015)

You could use nullfs(5) to mount the data directories under the user's home directory in addition to where they are normally mounted; see the mount_nullfs(8) man page.  You would need to do this from outside the chroot(8) environment.

However, I suspect this is not really what you need, since I imagine you still want to have access to utilities in /usr/bin for example.  What on the system are you concerned about an attacker seeing if not the directories with your data?  Does your user account have and need access to those files?  Could you change the file permissions to deny your user read access?  If you have complex permissions, have you considered Access Control Lists?  Running any system, particularly connected to the Internet, comes with risk.  Have you considered strengthening other security measures such as:

- Using a firewall to restrict access to your server (or at least the SSH daemon) from the IP address ranges of your clients
- Improving authentication security by using key based SSH authentication, perhaps combined with another factor using security/pam_google_authenticator?


----------



## storvi_net (Apr 26, 2015)

What do you want to achieve? 
What MUST the users be able to do?

Regards
Markus


----------



## gkontos (Apr 26, 2015)

You need to add the following in sshd.conf:

```
Match User username
ChrootDirectory %h
```
Then, you need to make sure that the user's home directory has the following permissions inside --> root:username


----------



## Mike Z (May 11, 2015)

Thanks gkontos. I'm trying to give user accounts as few permissions as possible. The data I'm storing is not sensitive, however, if my user account becomes compromised, I don't want an attacker to be able to view my entire directory structure. Thanks for the input guys!


----------



## Oko (May 11, 2015)

I didn't pay attention to this thread. OpenSSH comes with built-in chroot for sftp transfers.

http://undeadly.org/cgi?action=article&sid=20080220110039

I run one of those sftp servers. The key snippet of the code from my /etc/ssh/sshd_config:


```
Match User oko
  AllowTCPForwarding no
  X11Forwarding no
  ForceCommand internal-sftp
  ChrootDirectory /home/oko
```

The account doesn't have a private user group. Rather, it is a member of the sftp-only group.

The only thing I can do with the above account is upload and download files and use cd inside my chroot.


----------
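The `ChrootDirectory` setups discussed in this thread depend on the rule in sshd_config(5) that every component of the chroot path must be a root-owned directory not writable by group or others. The following is an added example, not code from any poster: a POSIX sh check for that rule. The function names and the optional `OWNER_UID` and `TOP` arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a ChrootDirectory path
# satisfies sshd_config(5): every path component must be a directory owned
# by root and not writable by group or others.

# check_component DIR OWNER_UID
# Returns 0 if DIR is a directory owned by OWNER_UID with no group/other write bit.
check_component() {
    # find prints the path only when every predicate matches; -prune stops descent.
    [ -n "$(find "$1" -prune -type d -user "$2" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# check_chroot_path DIR [OWNER_UID] [TOP]
# Walks from DIR up to TOP (default /) and reports each failing component.
# OWNER_UID (default 0) and TOP are hypothetical knobs so the walk can be
# tried on a scratch tree without root; leave them unset for a real check.
check_chroot_path() {
    # Resolve symlinks first, since the rule applies to the real path.
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1" >&2; return 2; }
    uid=${2:-0}
    top=$(cd "${3:-/}" 2>/dev/null && pwd -P) || return 2
    rc=0
    while :; do
        if ! check_component "$dir" "$uid"; then
            # Show mode and numeric owner:group of the offending component.
            echo "BAD: $dir ($(ls -ldn "$dir" | awk '{print $1, $3":"$4}'))"
            rc=1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}
```

For example, `check_chroot_path /home/oko` would cover `/home/oko`, `/home` and `/`; a home directory owned by the user fails the check, and files the user must write to belong in a subdirectory the user owns.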

