This official Debian manual explains how to set up an SSH server in a chroot. However, although it was last modified in March 2009, the manual appeared incomplete to me. Here are a few additional steps to consider:
The manual uses makejail (and the config /usr/share/doc/makejail/examples/sshd.py) to automatically set up /var/chroot/sshd; the script uses ldd calls to find and copy the necessary libraries and files. However, its work is incomplete: You can’t launch the chroot’s Bash. Even /bin/ls doesn’t work. Using ldd I found out that /lib64/ld-linux-x86-64.so.2 is missing in the chroot.
To use an elegant /etc/init.d/ssh-chroot script to control the chroot’ed daemon from the host system, you need to make /sbin/start-stop-daemon available in the chroot. You can then use /etc/init.d/ssh as the basis for your init script. Note that the chroot’ed SSH daemon takes its config from /var/chroot/sshd/etc/ssh/sshd_config; it is possible to have both the native and the chroot’ed SSH daemon listen on port 22, but on different IPs.
The manual mentions that proc must be mounted in the chroot as well and that syslogd should also place a socket in there. But it doesn’t mention that devpts must be mounted on /var/chroot/sshd/dev/pts. Add this to the host’s /etc/fstab with the options noexec,nosuid,gid=5,mode=620, and make the tty group available in /var/chroot/sshd/etc/group!
If you make strace work in the chroot, you can find out via
~# chroot /var/chroot/sshd
/# strace /usr/sbin/sshd -d
and by looking into /var/log/auth.log that the /etc/pam.d/common-* stuff is missing.
Having considered this, login should finally work if you have users and groups in /var/chroot/sshd/etc/{passwd,shadow,group}. You might need the coreutils in the chroot; you can install them using the makejail config mentioned above.
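The checks from this post can be collected into one audit script. The following is an added example, not part of the Debian manual or makejail; the function names are made up for illustration, and it assumes proc is mounted on /proc inside the chroot.

```shell
#!/bin/sh
# Added example: audit an sshd chroot for the gaps listed in this post.

# Read `ldd` output on stdin; print each absolute path missing under chroot $1.
# Matches "name => /path (addr)" lines and the bare "/path (addr)" line that
# ldd prints for the ELF loader (e.g. /lib64/ld-linux-x86-64.so.2).
missing_libs() {
    ml_root=$1
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
    sort -u |
    while read -r lib; do
        [ -e "$ml_root$lib" ] || printf '%s\n' "$lib"
    done
}

# audit_chroot ROOT BINARY...: print one line per problem, nothing if clean.
audit_chroot() {
    root=$1; shift
    for bin in "$@"; do
        if [ ! -x "$root$bin" ]; then
            echo "missing binary: $bin"
            continue
        fi
        # ldd resolves against the host; the same paths must exist in the chroot.
        ldd "$root$bin" 2>/dev/null | missing_libs "$root" |
            sed "s|^|missing library for $bin: |"
    done
    for f in passwd shadow group; do
        [ -s "$root/etc/$f" ] || echo "missing or empty: /etc/$f"
    done
    grep -q '^tty:' "$root/etc/group" 2>/dev/null ||
        echo "no tty group in /etc/group"
    ls "$root"/etc/pam.d/common-* >/dev/null 2>&1 ||
        echo "no /etc/pam.d/common-* files"
    # Mount points relative to the chroot (assumed: proc on /proc).
    for m in "proc proc" "dev/pts devpts"; do
        set -- $m
        awk -v p="$root/$1" -v t="$2" '$2 == p && $3 == t { ok = 1 }
            END { exit !ok }' /proc/mounts 2>/dev/null ||
            echo "$2 not mounted on /$1"
    done
}

# Run as a script: sh audit.sh /var/chroot/sshd /bin/bash /bin/ls /usr/sbin/sshd
if [ "$#" -gt 0 ]; then audit_chroot "$@"; fi
```

Run it only against binaries you placed in the chroot yourself, since ldd may invoke the loader of the file it inspects.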