Populating OpenSSH chroot on OpenBSD

I need to confine the user jrlodden to his home directory on this OpenBSD 4.9/i386 system, but give him a shell prompt and access to a couple of specific commands. While the SFTP server has built-in chroot support, a shell environment is more complicated. The /etc/ssh/sshd_config part is pretty simple…

...
#ChrootDirectory none
...
Match User jrlodden
ChrootDirectory %h

This chroot directory is nonfunctional. I must create device nodes and add necessary programs. Start by creating the user account with adduser(8), creating standard device nodes, and removing unnecessary nodes.

# cd ~jrlodden
# mkdir dev
# cd dev
# /dev/MAKEDEV std
# ls
arandom klog ksyms null stdin tty zero
console kmem mem stderr stdout xf86
# rm console klog kmem ksyms mem xf86
# ls
arandom null stderr stdin stdout tty zero

He’ll need a statically-linked shell, such as /bin/ksh.

# cd ~jrlodden
# mkdir bin
# cd bin/
# file /bin/ksh
/bin/ksh: ELF 32-bit LSB executable, Intel 80386, version 1, for OpenBSD, statically linked, stripped
# cp /bin/ksh .

A chrooted user should not have write access to his own root directory. He will need a home directory in the chroot, however.

# chown root:wheel /home/jrlodden/
# mkdir -p /home/jrlodden/home/jrlodden
# chown jrlodden:jrlodden /home/jrlodden/home/jrlodden

Now he can log in:

# ssh jrlodden@chroothost
ksh: No controlling tty (open /dev/tty: Device not configured)
ksh: warning: won't have full job control
$

jrlodden is logged in and cannot access anything beyond his cell. While I’d like to clean up the /dev/tty warning, I can’t seem to create /dev/ttypc in the chroot’ed /dev. For now, I can copy statically-linked versions of his necessary programs into /home/jrlodden/bin and get on with my life.
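The ownership rule above can be checked before the first login attempt. The following is an added example, not part of the original post: a POSIX sh audit based on the sshd_config(5) requirement that every component of the ChrootDirectory path be a root-owned directory not writable by group or other. The function names and the optional owner-uid argument (there so the check can be exercised without root) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a directory intended for sshd's ChrootDirectory.
# Usage: sh chroot_audit.sh /home/jrlodden

# check_component DIR UID
# Succeeds only if DIR is a real directory (not a symlink), owned by UID,
# and not writable by group or other.
check_component() {
    c_dir=$1 c_want=$2
    c_line=$(ls -ldn "$c_dir" 2>/dev/null) || {
        echo "FAIL $c_dir: cannot stat"; return 1; }
    # ls -ldn fields: mode, link count, numeric uid, remainder
    read -r c_mode c_links c_uid c_rest <<EOF
$c_line
EOF
    case $c_mode in
        d*) ;;
        *) echo "FAIL $c_dir: not a directory"; return 1 ;;
    esac
    c_rc=0
    [ "$c_uid" = "$c_want" ] || {
        echo "FAIL $c_dir: owner uid $c_uid, want $c_want"; c_rc=1; }
    # Mode string positions: 6 = group write, 9 = other write
    case $c_mode in ?????w*) echo "FAIL $c_dir: group-writable"; c_rc=1 ;; esac
    case $c_mode in ????????w*) echo "FAIL $c_dir: world-writable"; c_rc=1 ;; esac
    return $c_rc
}

# check_chroot_path DIR [UID]
# Applies check_component to DIR and every parent up to /.
# UID defaults to 0 (root), which is what sshd enforces.
check_chroot_path() {
    p=$1 want=${2:-0} rc=0
    case $p in
        /*) ;;
        *) echo "need an absolute path: $p"; return 2 ;;
    esac
    while :; do
        check_component "$p" "$want" || rc=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Run the audit when a path is given on the command line.
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

A nonzero exit status with one FAIL line per offending component means sshd would refuse the chroot for that path.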

3 Replies to “Populating OpenSSH chroot on OpenBSD”

  1. Another option would be to write a small script/program and use that as the shell for that user. That could be a good choice if you only have to provide the user with a simple, shell-like, set of limited commands.

    I’ve done something similar in this article: http://blog.e-shell.org/288

    There, I wrote a small (3 lines) Python script that will ask the user for commands and it will exit when the user provides the “exit” command. It would be easy to add some code to match some other commands, process the user input and perform the needed operations in the background.

    Of course there is no chroot in that setup, but you would be able to provide ssh access to the box and allow the user to execute the needed parameters without giving him/her a “real” shell access.

  2. I should add: thanks for providing this example. Information on setting up chroot environments is surprisingly sparse on the web. Why isn’t this standard FAQ material? The whole concept of limited shells and sandboxed login environments is a powerful aspect of UNIX-like systems.
