Scp Setup Jailed Chroot On CentOS7


Dear all

I’m looking for instructions on how to set up a jailed chroot directory for a user who needs to upload via scp to the server. In particular I’m missing clear instructions about what needs to be available in the jailed directory, like binaries, libraries, etc. Without a jail I get it to work, but I want to prevent the user from downloading, for example, the /etc folder from the server.

Does anybody have a link or a list valid for CentOS 7?

Thanks, regards,
Adrian

6 thoughts on “Scp Setup Jailed Chroot On CentOS7”

  • Can’t you use SFTP?

    AFAIK, sftp automatically chroots a user with no valid shell (provided the home directory is owned by root and not writeable by the user and you use Subsystem internal-sftp).

  • —–“CentOS” wrote: —–
    To: CentOS mailing list
    From: Rainer Duffner
    Sent by: “CentOS”
    Date: 10/20/2017 08:00PM
    Subject: Re: [CentOS] scp setup jailed chroot on CentOS7

    Can’t you use SFTP?

    AFAIK, sftp automatically chroots a user with no valid shell (provided the home directory is owned by root and not writeable by the user and you use Subsystem internal-sftp).

  • On 2017-10-24 12:19, Adrian Jenzer wrote:

    AFAIK, for scp you need a proper shell.

    I’ve done that exactly once (chrooted ssh) and it was such a pain that I vowed to never do it again.

    The problem is that inside the chroot, you need:

    – name resolution
    – a minimal passwd/shadow/group file (or ldap)
    – maybe for scp, you can get away with a rather minimal device-tree – but for actual SSH access, I needed a fairly complete device tree inside the chroot (ttys …).
    – that was with FreeBSD 10, I never tried it with anything else (due to its history with jails, creating functional, limited chroot-environments is somewhat in its genes, so to speak)

    Somebody sent me the link to these scripts:

    https://github.com/codelibre-net/schroot

    Maybe you can use those scripts – I’ve never tried them.

    Also, there’s scponly:
    https://github.com/scponly/scponly/wiki

    Haven’t used that in years, either. Concern over that one seemed to be that it’s “another” shell and nobody had apparently done a thorough audit of it.

  • That’s correct, forgot to mention it. We ended up using SFTP (or at least offering it to external).