Scp Setup Jailed Chroot On CentOS7
Dear all,
I'm looking for instructions on how to set up a jailed chroot directory for a user who needs to upload via scp to the server. In particular, I'm missing clear instructions about what needs to be available in the jailed directory, such as binaries, libraries, etc. Without a jail I can get it to work, but I want to prevent the user from downloading, for example, the /etc folder from the server.
Does anybody have a link or a list valid for CentOS7?
Thanks, Regards, Adrian
Can’t you use SFTP?
AFAIK, sftp automatically chroots a user with no valid shell (provided the home directory is owned by root and not writeable by the user and you use Subsystem internal-sftp).
----- "CentOS" wrote: -----
To: CentOS mailing list
From: Rainer Duffner
Sent by: "CentOS"
Date: 10/20/2017 08:00PM
Subject: Re: [CentOS] scp setup jailed chroot on CentOS7
-----Original Message-----
On 2017-10-24 12:19, Adrian Jenzer wrote:
AFAIK, for scp you need a proper shell.
I've done that exactly once (chrooted ssh) and it was such a pain that I vowed to never do it again.
The problem is that inside the chroot, you need:
– name resolution
– a minimal passwd/shadow/group file (or LDAP)
– maybe for scp you can get away with a rather minimal device tree, but for actual SSH access I needed a fairly complete device tree inside the chroot (ttys …).
– that was with FreeBSD 10, I never tried it with anything else (due to its history with jails, creating functional, limited chroot environments is somewhat in its genes, so to speak)
Somebody sent me the link to these scripts:
https://github.com/codelibre-net/schroot
Maybe you can use those scripts – I’ve never tried them.
Also, there's scponly:
https://github.com/scponly/scponly/wiki
Haven’t used that in years, either. Concern over that one seemed to be that it’s “another” shell and nobody had apparently done a thorough audit of it.
That’s correct, forgot to mention it. We ended up using SFTP (or at least offering it to external).
-----Original Message-----