from small one page howto to huge articles all in one place

search text in:




Other .linuxhowtos.org sites: www.linuxhowtos.org
toolsntoys.linuxhowtos.org



Last additions:
How to make X listen on port 6000

How to make X listen on port 6000

words:

34

views:

86625

userrating:

average rating: 1.2 (52 votes) (1=very good 6=terrible)


May, 25th 2007:
April, 26th 2007:
Apr, 10th. 2007:
Druckversion . pdf icon
You are here: Tutorials per portage category->net-misc->openssh

Create a chrooted ssh user

This tutorial explains how to install and configure a chroot enviroment for an ssh user. This setup enables you to give out ssh accounts without having to fear that this user can see all files on the system.

Installing ssh

First you need to have a patched version of the sshd server. Luckily these patches can be enabled with the use flag "chroot" in the sshd use flags.
#echo "net-misc/openssh chroot" >> /etc/portage/package.use
#emerge openssh

creating the chroot enviroment

We will create our chroot enviroment in /home/chroot.
To make the chroot work, run the following commands to make the needed directories and devices for the chrooted user.
mkdir /home/chroot/
mkdir /home/chroot/home/
cd /home/chroot
mkdir etc
mkdir bin
mkdir lib
mkdir usr
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5

Now we need to populate the directories with some binaries.
copy the following script into a file. If you need more apps, add them
to the APPS line.

APPS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors"
for prog in $APPS; do
cp $prog ./$prog

# obtain a list of related libraries
ldd $prog > /dev/null
if [ "$?" = 0 ] ; then
LIBS=`ldd $prog | awk '{ print $3 }'`
for l in $LIBS; do
mkdir ./`dirname $l` > /dev/null 2>&1
cp $l ./$l
done
fi
done

After you have run the script, your chroot enviroment is almost done.
run

cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 ./lib/
echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e "^root" > etc/passwd
to copy some libraries and user information into the chroot.
You should also copy the line of the group in which you will create new users from /etc/group to /home/chroot/etc/group. In this tutorial we will create users in the group users, so we do this:
grep /etc/group -e "^root" -e "^users" > etc/group

and restart SSH:
/etc/init.d/ssh restart

Creating chrooted users

ssh decides which user should be chrooted and which not by the "home directory" entry in the /etc/passwd.
Example for a non-chrooted user:
user_a:x:2002:100:User A:/home/user_a:/bin/bash
This user will be chrooted:
user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash
Now lets add a testuser to the chrooted user list:
useradd -s /bin/bash -m -d /home/chroot/./home/testuser -c "testuser" -g users testuser

Then we give testuser a password:
passwd testuser

Finally, we have to copy the line for testuser in /etc/passwd to /home/chroot/etc/passwd:
grep /etc/passwd -e "^testuser" >> /home/chroot/etc/passwd


Now log in as testuser and see if everything worked.

Have fun
back



Support us on Content Nation

New Packages

- as rdf newsfeed
- as rss newsfeed
- as Atom newsfeed
2026-07-07
roundcube - 1.6.17
Ebuild name:

mail-client/roundcube-1.6.17

Description

Browser-based multilingual IMAP client with an application-like user i

Added to portage

2026-07-07

vanilla-sources - 6.12.95
Ebuild name:

sys-kernel/vanilla-sources-6.12.95

Description

Full sources for the Linux kernel

Added to portage

2026-07-07

2026-07-06
citus - 12.1.13
Ebuild name:

dev-db/citus-12.1.13

Description

Open-source postgresql extension for clustering/multi-node setups

Added to portage

2026-07-06

cloudflared - 2026.6.1
Ebuild name:

net-vpn/cloudflared-2026.6.1

Description

A command-line client and tunneling daemon for Cloudflare Tunnel

Added to portage

2026-07-06

containerd - 2.2.5-r1
Ebuild name:

app-containers/containerd-2.2.5-r1

Description

A daemon to control runC

Added to portage

2026-07-06

containerd - 2.3.2-r1
Ebuild name:

app-containers/containerd-2.3.2-r1

Description

A daemon to control runC

Added to portage

2026-07-06

dbus-python - 1.4.0-r1
Ebuild name:

dev-python/dbus-python-1.4.0-r1

Description

Python bindings for the D-Bus messagebus

Added to portage

2026-07-06

dulwich - 1.2.8
Ebuild name:

dev-python/dulwich-1.2.8

Description

Pure-Python implementation of the Git file formats and protocols

Added to portage

2026-07-06

dxvk - 3.0.1
Ebuild name:

app-emulation/dxvk-3.0.1

Description

Vulkan-based implementation of D3D9, D3D10 and D3D11 for Linux / Wine

Added to portage

2026-07-06

firecracker-bin - 1.16.0
Ebuild name:

app-emulation/firecracker-bin-1.16.0

Description

Secure and fast microVMs for serverless computing (static buil

Added to portage

2026-07-06

gawk - 5.4.0e
Ebuild name:

sys-apps/gawk-5.4.0e

Description

GNU awk pattern-matching language

Added to portage

2026-07-06

gcc - 17.0.0_p20260705
Ebuild name:

sys-devel/gcc-17.0.0_p20260705

Description

The GNU Compiler Collection

Added to portage

2026-07-06

getmail - 6.20.00
Ebuild name:

net-mail/getmail-6.20.00

Description

A mail retriever with reliable Maildir and mbox delivery

Added to portage

2026-07-06

ggml - 0.15.3-r1
Ebuild name:

sci-ml/ggml-0.15.3-r1

Description

Tensor library for machine learning

Added to portage

2026-07-06

git-sources - 7.2_rc2
Ebuild name:

sys-kernel/git-sources-7.2_rc2

Description

The very latest -git version of the Linux kernel

Added to portage

2026-07-06

gst-plugins-sndio - 1.24.0
Ebuild name:

media-plugins/gst-plugins-sndio-1.24.0

Description

Sndio audio sink and source for GStreamer

Added to portage

2026-07-06

haproxy - 3.0.25
Ebuild name:

net-proxy/haproxy-3.0.25

Description

A TCP/HTTP reverse proxy for high availability environments

Added to portage

2026-07-06

haproxy - 3.2.21
Ebuild name:

net-proxy/haproxy-3.2.21

Description

A TCP/HTTP reverse proxy for high availability environments

Added to portage

2026-07-06

haproxy - 3.3.12
Ebuild name:

net-proxy/haproxy-3.3.12

Description

A TCP/HTTP reverse proxy for high availability environments

Added to portage

2026-07-06

haproxy - 3.4.2
Ebuild name:

net-proxy/haproxy-3.4.2

Description

A TCP/HTTP reverse proxy for high availability environments

Added to portage

2026-07-06

khard - 0.21.0
Ebuild name:

app-misc/khard-0.21.0

Description

Console vCard address book

Added to portage

2026-07-06

lmdb - 1.0.0
Ebuild name:

dev-db/lmdb-1.0.0

Description

An ultra-fast, ultra-compact key-value embedded data store

Added to portage

2026-07-06

mcrypt - 2.6.8-r3
Ebuild name:

app-crypt/mcrypt-2.6.8-r3

Description

Replacement of the old unix crypt(1)

Added to portage

2026-07-06

md5deep - 4.4
Ebuild name:

app-crypt/md5deep-4.4

Description

Expanded md5sum program with recursive and comparison options

Added to portage

2026-07-06

md6sum - 1.0-r3
Ebuild name:

app-crypt/md6sum-1.0-r3

Description

A C implementation of MD6

Added to portage

2026-07-06

mhash - 0.9.9.9-r4
Ebuild name:

app-crypt/mhash-0.9.9.9-r4

Description

Library providing a uniform interface to a large number of hash algorith

Added to portage

2026-07-06

micawber - 0.7.0
Ebuild name:

dev-python/micawber-0.7.0

Description

A small library for extracting rich content from urls

Added to portage

2026-07-06

minisign - 0.12
Ebuild name:

app-crypt/minisign-0.12

Description

Dead simple tool to sign files and verify signatures

Added to portage

2026-07-06

mit-krb5 - 1.22.2-r2
Ebuild name:

app-crypt/mit-krb5-1.22.2-r2

Description

MIT Kerberos V

Added to portage

2026-07-06

mit-krb5-appl - 1.0.3-r4
Ebuild name:

app-crypt/mit-krb5-appl-1.0.3-r4

Description

Kerberized applications split from the main MIT Kerberos V distrib

Added to portage

2026-07-06

mit-krb5-appl - 1.0.3-r5
Ebuild name:

app-crypt/mit-krb5-appl-1.0.3-r5

Description

Kerberized applications split from the main MIT Kerberos V distrib

Added to portage

2026-07-06

mkp224o - 1.7.0
Ebuild name:

app-crypt/mkp224o-1.7.0

Description

Vanity address generator for v3 Tor hidden service addresses

Added to portage

2026-07-06

munt-mt32emu - 2.8.3
Ebuild name:

media-libs/munt-mt32emu-2.8.3

Description

Library for emulating the Roland MT-32, CM-32L, CM-64 and LAPC-I

Added to portage

2026-07-06

nnn - 5.2
Ebuild name:

app-misc/nnn-5.2

Description

The missing terminal file browser for X

Added to portage

2026-07-06

ollama - 0
Ebuild name:

acct-group/ollama-0

Description

A group for ollama

Added to portage

2026-07-06

ollama - 0
Ebuild name:

acct-user/ollama-0

Description

A user for ollama

Added to portage

2026-07-06

ollama - 0.31.1-r1
Ebuild name:

sci-ml/ollama-0.31.1-r1

Description

Get up and running with Llama 3, Mistral, Gemma, and other language models.

Added to portage

2026-07-06

packer - 1.15.4
Ebuild name:

dev-util/packer-1.15.4

Description

A tool to create identical machine images for multiple platforms

Added to portage

2026-07-06

pip - 26.1.2-r1
Ebuild name:

dev-python/pip-26.1.2-r1

Description

The PyPA recommended tool for installing Python packages

Added to portage

2026-07-06

portage - 3.0.81.1
Ebuild name:

sys-apps/portage-3.0.81.1

Description

The package management and distribution system for Gentoo

Added to portage

2026-07-06

roundcube - 1.7.2
Ebuild name:

mail-client/roundcube-1.7.2

Description

A browser-based multilingual IMAP client with an application-like user

Added to portage

2026-07-06

runc - 1.3.6
Ebuild name:

app-containers/runc-1.3.6

Description

runc container cli tools

Added to portage

2026-07-06

rust - 1.96.1
Ebuild name:

dev-lang/rust-1.96.1

Description

Systems programming language originally developed by Mozilla

Added to portage

2026-07-06

rust-bin - 1.96.1
Ebuild name:

dev-lang/rust-bin-1.96.1

Description

Added to portage

2026-07-06

rust-common - 1.96.1
Ebuild name:

dev-lang/rust-common-1.96.1

Description

Common files shared between multiple slots of Rust

Added to portage

2026-07-06

rust-std - 1.96.1
Ebuild name:

sys-devel/rust-std-1.96.1

Description

Rust standard library, standalone (for crossdev)

Added to portage

2026-07-06

seedfiles - 1.7
Ebuild name:

sys-apps/seedfiles-1.7

Description

Portable drop-in reimplementation of systemd-tmpfiles

Added to portage

2026-07-06

signxml - 5.1.0
Ebuild name:

dev-python/signxml-5.1.0

Description

Python XML Signature and XAdES library

Added to portage

2026-07-06

telegram-desktop-bin - 6.9.3
Ebuild name:

net-im/telegram-desktop-bin-6.9.3

Description

Official desktop client for Telegram (binary package)

Added to portage

2026-07-06

tibs - 0.12.0
Ebuild name:

dev-python/tibs-0.12.0

Description

A sleek Python library for your binary data

Added to portage

2026-07-06

rdf newsfeed | rss newsfeed | Atom newsfeed
Copyright 2004-2025 Sascha Nitsch Unternehmensberatung GmbH
- Copyright and legal notices -
Time to create this page: 56.6 ms