Cheap VPS & Xen Server

Residential Proxy Network - Hourly & Monthly Packages

Chrooted SSH/SFTP Tutorial (Debian Etch)

This tutorial describes two ways how to give users chrooted SSH access. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of. The users will also be able to use SFTP in their chroot jails.

This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Preliminary Note

This setup is based on a Debian Etch (Debian 4.0) system.

The first way to set up chrooted SSH is by hand and very similar to the method shown in this tutorial for Debian Sarge: The chrooted SSH will be installed in such a way that it will still use the configuration files of the standard OpenSSH Debian package which are in /etc/ssh/, and you will be able to use the standard OpenSSH Debian init script /etc/init.d/ssh. Therefore you do not have to create your own init script and configuration file.

The second way is to use the script from This setup is different from the first one in that we don’t need to recompile OpenSSH. Instead of /bin/sh or /bin/bash, the chrooted users use /bin/chroot-shell which uses the sudo and chroot commands to chroot the users. This method is also different in that the users don’t have a dot in their homedirs in /etc/passwd (therefore it cannot be used by control panels such as ISPConfig, which is no problem with the first method). Please take a look at to see what this script can do for you and what not.

You should decide for one way – please don’t use both ways at the same time!


2 First Method (By Hand)

2.1 Install The Chrooted OpenSSH

First we install some prerequisites:

cd /tmp
apt-get install libpam0g-dev openssl libcrypto++-dev libssl0.9.7 libssl-dev ssh build-essential bzip2

Then we download the patched OpenSSH sources, and we configure them with /usr as directory for the SSH executable files, with /etc/ssh as the directory where the chrooted SSH will look for configuration files, and we also allow PAM authentication:

tar xvfj openssh-4.5p1-chroot.tar.bz2
cd openssh-4.5p1-chroot
./configure –exec-prefix=/usr –sysconfdir=/etc/ssh –with-pam
make install


2.2 Create The Chroot Environment

Next I create a chroot environment under /home/chroot. This is the directory that all chrooted SSH users will get jailed in, i.e. they will not be able to see any files/directories outside /home/chroot.

I have to create some directories in /home/chroot, and I have to copy a few binaries like /bin/bash, /bin/ls, etc. as well as the libraries on which these binaries depend into the chroot environment so that they are available to any chrooted user.

mkdir -p /home/chroot/home/
cd /home/chroot
mkdir -p usr/lib/openssh
mkdir etc
mkdir etc/pam.d/
mkdir bin
mkdir lib
mkdir usr/bin
mkdir dev
mknod dev/null c 1 3
mknod dev/zero c 1 5

chmod 666 dev/null
chmod 666 dev/zero

Now that we have created the necessary directories, we are going to copy some binaries and all the libraries on which they depend into the chroot environment. This is an excerpt of a script that I found on that does this. I’ve modified it a little bit:

vi /usr/local/sbin/create_chroot_env


APPS="/bin/sh /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/dircolors /usr/bin/vi /usr/bin/sftp /usr/lib/openssh/sftp-server"
for prog in $APPS;  do
        mkdir -p ./`dirname $prog` > /dev/null 2>&1
        cp $prog ./$prog

        # obtain a list of related libraries
        ldd $prog > /dev/null
        if [ "$?" = 0 ] ; then
                LIBS=`ldd $prog | awk '{ print $3 }'`
                for l in $LIBS; do
                        mkdir -p ./`dirname $l` > /dev/null 2>&1
                        cp $l ./$l  > /dev/null 2>&1

(If you want to make more programs available to your chrooted users, just add these programs to the APPS line.)

Now we make the script executable and run it:

chmod 700 /usr/local/sbin/create_chroot_env

Next we have to copy a few additional files and libraries to the chroot jail:

cp /lib/ /lib/ /lib/ /lib/ /lib/ /lib/ ./lib/

cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/

cp /usr/lib/ usr/lib/
cp /usr/lib/ usr/lib/
cp /usr/lib/ usr/lib/
cp /lib/ lib/
cp /usr/lib/ usr/lib/

Then we do this:

echo ‘#!/bin/bash’ > usr/bin/groups
echo “id -Gn” >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e “^root” > etc/passwd

You should also copy the line of the group in which you will create new users from /etc/group to /home/chroot/etc/group. In this tutorial we will create users in the group users, so we do this:

grep /etc/group -e “^root” -e “^users” > etc/group

and restart OpenSSH:

/etc/init.d/ssh restart


2.3 Create A Chrooted User

Even with the chrooted SSH that we have just installed you can log in without being chrooted (which makes sense if you log in as root, for example). Now, how does the chrooted SSH decide whom to chroot and whom not? That’s easy: the chrooted SSH looks up the user who is trying to log in in /etc/passwd. If the user’s home directory in /etc/passwd has a . (dot) in it, then the user is going to be chrooted.

Example (from /etc/passwd):

user_a:x:2002:100:User A:/home/user_a:/bin/bash

This user will not be chrooted.

user_b:x:2003:100:User B:/home/chroot/./home/user_b:/bin/bash

This user will be chrooted.

Now we create the user testuser with the home directory /home/chroot/./home/testuser and the group users (which is the default group for users on Debian so you do not have to specify it explicitly):

useradd -s /bin/bash -m -d /home/chroot/./home/testuser -c “testuser” -g users testuser

Then we give testuser a password:

passwd testuser

Finally, we have to copy the line for testuser in /etc/passwd to /home/chroot/etc/passwd:

grep /etc/passwd -e “^testuser” >> /home/chroot/etc/passwd

We have already copied the users group line from /etc/group to /home/chroot/etc/group so we do not have to do this here again. If you create a chrooted user in another group than users, add this group to /home/chroot/etc/group:

grep /etc/group -e “^othergroup” >> /home/chroot/etc/group

Now try to log in to SSH or SFTP as testuser. You should be chrooted and not be able to browse files/directories outside /home/chroot.

3 Second Method (Per Script)

There’s a script called on that automates setting up SSH/SFTP chroot jails. It works flawlessly on Debian Etch.

3.1 Get The Script

First, we need to install some prerequisites:

apt-get install sudo debianutils coreutils

Then we download to /usr/local/sbin and make it executable for the root user:

cd /usr/local/sbin
chmod 700 /usr/local/sbin/


3.2 Use

Now we can already use the script. Usage is as follows: username [/path/to/chroot-shell [/path/to/chroot]]

It doesn’t matter if the user is already existing or not. If he’s existing, he will be updated; if not, he will be created. If you don’t specify the path to chroot-shell and the path to the chroot jail, the default values /bin/chroot-shell and /home/jail will be used, e.g.: testuser

I want to use /home/chroot as the chroot jail, therefore I have to specify the path to chroot-shell as well: testuser /bin/chroot-shell /home/chroot

This will create/update the user testuser with the chroot jail /home/chroot.

To update all files/libraries in the chroot jail, run update

or update /bin/chroot-shell /home/chroot

depending on how you created your users.


3.3 ProFTPd

If you use ProFTPd, you should read this:

As mentioned on, you should not add /bin/chroot-shell to /etc/shells because that would allow users to break out of the chroot jail. This is a problem for ProFTPd, because in ProFTPd’s standard configuration, only users with a shell listed in /etc/shells can use ProFTPd. This means, that users that use /bin/chroot-shell cannot use ProFTPd.

To change this, open /etc/proftpd/proftpd.conf and add:

vi /etc/proftpd/proftpd.conf

RequireValidShell               off

Then restart ProFTPd:

/etc/init.d/proftpd restart

Now all users can use ProFTPd, regardless of what shell they have, which again might not be something you want. But the best solution would be to simply use SFTP and drop normal FTP.


  • Chroot Patch For SSH:
  • OpenSSH:
  • Debian: