
How to Restrict SSH Users to Specific Folder

SSH login is the most common way for system administrators and software developers to access their Linux systems. In a multi-user environment it is advisable to restrict SSH users to their own directories, so that one user cannot read the files and folders of another user without permission. The mechanism for this is a chroot (change root) jail: the ChrootDirectory option of the SSH server makes the user's session treat a directory of your choosing as its root, so nothing outside that directory can be reached by path. Keep in mind that a chroot only confines an unprivileged user; never copy a setuid binary into the jail, and do not rely on it to contain root. In this article, we will learn how to restrict SSH users to a specific folder using a chroot jail. Please note, you need to run all of the following commands as root (or with sudo).


How to Restrict SSH Users to Specific Folder

Here are the steps to restrict SSH users to specific folder in Linux.


1. Create Required Folder

Let us say you want to restrict user access to the folder /home/data, which will serve as the chroot jail. Create that folder using the mkdir command.

# mkdir -p /home/data


2. Add Required Files

We need to add a bare minimum of files to the new directory so that users get an interactive session once they log in via SSH. Once a user is confined to this folder, nothing outside it can be reached by path, so anything the session needs (shell, libraries, device nodes) must be copied in.

At a minimum we need a shell and a few /dev nodes: null, zero, tty and random (plus urandom, which most programs read for entropy). Create them with mknod using the standard Linux major/minor numbers. The prompts below are root shells, so sudo is not needed.

# mkdir -p /home/data/dev
# mknod -m 666 /home/data/dev/null c 1 3
# mknod -m 666 /home/data/dev/tty c 5 0
# mknod -m 666 /home/data/dev/zero c 1 5
# mknod -m 666 /home/data/dev/random c 1 8
# mknod -m 666 /home/data/dev/urandom c 1 9


3. Set Required Permission

Next, set the permissions of the chroot jail folder. sshd refuses to use a ChrootDirectory unless the directory and every directory above it (here /home and /) are owned by root and not writable by group or others; otherwise the login fails and sshd logs "bad ownership or modes for chroot directory". Directories inside the jail that the user needs to write to (for example a home directory) may be owned by the user, but the jail root itself must not be. Run the following commands and confirm the ls output shows root:root and drwxr-xr-x.

# chown root:root /home/data
# chmod 0755 /home/data
# ls -ld /home/data


4. Setup Interactive Shell for SSH Chroot Jail

We need to create a /bin folder inside the jail and copy /bin/bash into it.

# mkdir -p /home/data/bin
# cp -v /bin/bash /home/data/bin/

bash is dynamically linked, so its shared libraries must be inside the jail too, at the same paths the dynamic loader expects. Use ldd to list them. The directory and the exact library versions differ between distributions (/lib64 on CentOS-style systems, /lib/x86_64-linux-gnu on Debian and Ubuntu; libtinfo.so.5 on older releases, libtinfo.so.6 on newer ones), so copy exactly what ldd prints on your system into the matching directory under /home/data rather than the list below.

# ldd /bin/bash
# mkdir -p /home/data/lib64
# cp -v /lib64/{libtinfo.so.5,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} /home/data/lib64/


5. Create SSH User

Create the SSH user with a password, using the useradd and passwd commands respectively.

# useradd test_user
# passwd test_user

Create an /etc folder in the jail and copy the /etc/passwd and /etc/group files there, so that tools inside the jail can resolve user and group names.

# mkdir /home/data/etc
# cp -vf /etc/{passwd,group} /home/data/etc/

Copying the whole files shows the jailed user every account name on the host. If you would rather not expose that, copy only this user's entries instead, for example with grep '^test_user:' /etc/passwd > /home/data/etc/passwd and the same for /etc/group.


6. Update SSH configuration

The SSH server configuration lives in the /etc/ssh/sshd_config file. Open it in a text editor.

# vi /etc/ssh/sshd_config

Add a Match User block containing a ChrootDirectory line. Put it at the end of the file: every directive after a Match line belongs to that block until the next Match, so a block placed in the middle of the file would swallow the global settings below it. Before restarting, run sshd -t to check the syntax, so that a typo does not lock you out of the server.

# define username to apply chroot jail to
Match User test_user
# specify chroot jail
ChrootDirectory /home/data

Restart SSHD services.

# systemctl restart sshd
OR
# service sshd restart


7. Test SSH with Restriction

Log into your server via SSH using the following command. Replace your_server_ip with your server’s IP address.

# ssh test_user@your_server_ip

After logging in you will notice that only bash builtins such as pwd, history and echo work; external commands like ls and date live outside the jail and cannot be found. So log in to your server as root again and copy the commands you want into the jail's /bin folder created in step 4. Keep that folder owned by root and not writable by the user: a user-writable /bin would let the jailed user replace the binaries you put there. Each copied command also needs its own shared libraries, so run ldd on it as in step 4 and copy any library that is not already in the jail.

# mkdir -p /home/data/bin
# chown root:root /home/data/bin
# chmod 0755 /home/data/bin
# cp -v /bin/ls /home/data/bin/
# cp -v /bin/date /home/data/bin/
# cp -v /bin/mkdir /home/data/bin/


8. Test SFTP Login

With the configuration above you can log in via SSH, but SFTP fails, because on most distributions the sftp subsystem is an external sftp-server binary that does not exist inside the jail. If you want the user to have SFTP access only and no shell at all, add the following line inside the Match User block of sshd_config (not ssh_config, which is the client's file). internal-sftp is built into sshd, so it needs no binaries or libraries in the jail, and for such a user you can skip steps 2, 4 and 7 entirely.

# Enable sftp to chrooted jail
ForceCommand internal-sftp

Save and close the file. Restart SSHD service.

# systemctl restart sshd
OR
# service sshd restart

Now if you try logging in via SSH you will not be allowed.

# ssh test_user@your_server_ip
test_user@your_server_ip's password:
This service allows sftp connections only

But if you try logging in via SFTP, you will be allowed.

# sftp test_user@your_server_ip
test_user@your_server_ip's password:
sftp>

That's it. In this article, we have learnt how to restrict an SSH user to a specific folder.
