SecureShell and chroot environments

Jump to: navigation, search


The following article describe how to setup HP-UX SecureShell on a chroot environment on versions A.05.00.24 (11.11) | A.05.00.25 (11.23) | A.05.00.26 (11.31).

SecureShell on chroot environment have change from previous versions and this article tries to fill the gap.


HP-UX Secure Shell version A.05.00 supports chroot functionality for ssh,sftp and scp . chroot functionality is mainly used as an added security measure It forces the root directory to become something other than its default.

chroot is a directory "jail". It allows an application to start in a specified directory and allows all its users to accessing that directory and the directories below it, but prevents the users from doing a cd above that specified directory. It is intended to allow restricted file and directory access to users of that application "while they are in the application". This is not an end-user feature.

The system administrator is required to do the necessary setup to enable chroot for an application, and all users of that application will automatically be subject to the restrictions imposed by chroot. The administrator will need to create new directories, and copy the "relevant" set of files into those newly created directories, in order for chroot to take effect.

Configuring chroot environment for new users[edit]

Setting the chroot environment for a new user involves the following steps.

The chroot directory location has to be decided for the specific user. This is the directory that the user are restricted within. In the example below, newroot is the chroot directory, and appuser is a sample userid.

1. Add / Create the new user [and group] on the system with the chroot directory location as the home directory for the user.
# /usr/sbin/useradd -g users -d /home/appuser -s /bin/sh appuser
2. Configure the user password.
# passwd appuser
Changing password for appuser
New password:
3. Create the chroot directory and the user home directory under the chroot directory , as shown (In the example, the newroot directory is under /).
# /sbin/mkdir -m 755 /newroot/
# /sbin/mkdir -p -m 755 /newroot/home/appuser
# /sbin/chown appuser:users /newroot/home/appuser

Configuring chroot environment for existing users[edit]

1. Verify that /etc/passwd file shows the normal user path, no the chroot directory/home directory. Since SSH will perform the chroot, no special changes are require on this file.

# cat /etc/passwd

2. Move user home directory to the chroot directory

# mv /home/appuser /newroot/home/appuser

Configuring chroot[edit]

Use /opt/ssh/utils/ script[edit]

Once the new chroot directory has been created as in [[SecureShell and chroot environments] or SecureShell and chroot environments, do the following if the newroot is not already created.


         Select one of the option below

         1.Configure a chroot enviroment


         Enter your choice : 1
         Chroot setup

         User name (Maximum eight chars) : appuser

         chroot setup checks for user details

         Enter the new root directory for appuser with absolute path (or press r
eturn for default(/newroot)):
         Select chroot secure shell option
         1 sftp
         2 ssh & sftp & scp
         press return key to skip this step

         Option : 2

         Now configuring the chroot environment for ssh & sftp & scp...finished


         Chroot-ed user : appuser

         Chroot-ed user's new root directory : /newroot

         Secure Shell configuration : SSH & SFTP & SCP

         press Return key

         Select one of the option below

         1.Configure a chroot enviroment


         Enter your choice : 2

Change permissions of /newroot/tmp directory[edit]

# /sbin/chmod 666  /newroot/tmp

Modify /newroot/etc/passwd[edit]

Change "/newroot/etc/passwd" to only contain the users that will use the chroot enviroment.

# cat /newroot/etc/passwd
appuser:.GCKj25rq04UY:114:20:chrooted user:/home/appuser:/bin/sh

Modify /opt/ssh/etc/sshd_config[edit]

Add a Match statement to /opt/ssh/etc/sshd_config configuration file to made userapp to chroot into newroot directory when login. For example:

Match User appuser
    ChrootDirectory /newroot
  • Note: Alternative, if you need to do this for a large number of users, is easier to set with a "Match group" statement. Users should belong to your match group. For example:
Match group sshonly
    ChrootDirectory /newroot

Restart SecureShell[edit]

Restarting SecureShell daemon will enforce the Match

# /sbin/init.d/secsh stop
HP-UX Secure Shell stopped

# /sbin/init.d/secsh start
HP-UX Secure Shell started

Test login[edit]

# ssh appuser@localhost
Last successful login:       Wed Sep 17 20:01:11 CDT 2008 localhost
Last login: Wed Sep 17 20:01:11 2008 from localhost
$ echo $HOME
$ cd /
$ ls
bin   dev   etc   home  opt   sbin  tmp   usr   var

Example using Putty terminal emulator:

Putty chroot.jpg


  • <Webpage Title> <URL>