# Lock ssh user to his/her homedir (but allow shell access)

## rowdy

I'm trying to lock a certain user(group) into his/her homedir. They should be able to logon using ssh, and they are allowed to edit files, however they are not allowed to wander around the filesystem.

User not belonging to that usergroup should be able to wander around offcourse...

I've tried this, but it just kicks users with the group locked after they have entered their password...  :Sad: 

```
(file /etc/ssh/sshd_config)

Match Group locked

    ChrootDirectory %h
```

Anobosy a idea, or have some pointers to search for on Google?

("gentoo sshd lock user homedir" and queries like that pops up only to disallow ssh access...  :Sad: )

Forgotten; I'm using OpenSSH 5.3_p1-r1 on Gentoo-sources.2.6.32-r7...  :Smile: 

----------

## Jimini

I've never tried this, but perhaps you can deny the access to /home/ for the users.

Best regards,

Jimini

----------

## malern

Best place to search is the man page

```
ChrootDirectory

Specifies a path to chroot(2) to after authentication. This path, and all its components, must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

The path may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.

The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file transfer sessions using ``sftp'', no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see sftp-server(8) for details).
```

I'm not sure you want to use "ChrootDirectory %h" either. As that would mean you'd have to make all their home dirs root-owned and not writable by the actual user. You'd also have to create another home dir within their home dir, so you'd end up with dirs like /home/user/home/user, which would be a bit weird.

A more normal way to do it is to use "ChrootDirectory /chroot", and then create your chrooted environment within that directory with all the home dirs you need. If you really need to separate each user then you could use "ChrootDirectory /chroot/%u", but you'd have to create a separate chroot environment for each user.

----------

## phajdan.jr

 *rowdy wrote:*   

> I'm trying to lock a certain user(group) into his/her homedir. They should be able to logon using ssh, and they are allowed to edit files, however they are not allowed to wander around the filesystem.

 

The security implications of that are not obvious. Do you trust these users?

Shell access is a bit more than just "wandering around". If they are evil, they can compile a kernel exploit and possibly get root access (and then break out of the chroot, etc). They may also be able to see processes of other users (including root).

I'd recommend rethinking the purpose of providing users a shell access, and possibly implementing additional mitigation techniques, for example Trusted Path Execution from the grsecurity patchset (so they can't run their exploits that easily).

----------

## rowdy

Yeah, I trust them, however, I just don't want them to wander around...  :Smile: 

So I need to create a chroot enviroment...? Let's read into that...

I hoped it was something simple, like a parameter or so. 

(Just like in ProFTPD I can set a parameter that locks the user in the logged in location...)

----------

