Chrooted SSH/SCP with public-key on Solaris 10

Posted on Sat 27 August 2011 by Pavlo Khmel

OpenSSH 4.9p1 and higher support user chrooting SSH and SFTP.
Latest stable:
Purpose: shell script sends data to server in secure way without password, and one crooted user on server "phn".

1. Compilation and installation:

gunzip openssh-5.8p2.tar.gz
tar -xvzf openssh-5.8p2.tar
cd openssh-5.8p2
./configure --prefix=/opt/openssh-5.8p2
make install
useradd -g other -d /var/empty/sshd -c ''sshd nonpriv userid'' -s /bin/false sshd

2. Change SMF configuration to manage new SSHD:

In file /lib/svc/method/sshd changes:

#KEYGEN="/usr/bin/ssh-keygen -q"
KEYGEN="/opt/openssh-5.8p2/bin/ssh-keygen -q"
. . .
. . .
#In file /var/svc/manifest/network/ssh.xml changes:
#value=''file://localhost/etc/ssh/sshd_config'' />
value=''file://localhost/opt/openssh-5.8p2/etc/sshd_config'' />
. . .

3. Setup chrooted SSH/SCP

In file /opt/openssh-5.8p2/etc/sshd_config add:

Match user phn
ChrootDirectory /chroot
. . .
Environment for chrooted “phn” user:
mkdir /chroot
chmod 755 /chroot/
groupadd phn
useradd -m -g phn -c "Quality Assurance user" -d /home/phn -s /bin/bash phn
passwd phn
mkdir -p /chroot/home/phn
chmod 775 /chroot/home
chmod 700 /chroot/home/phn
chown phn:phn /chroot/home/phn
cd /chroot
mkdir {bin,etc,lib}
chmod 755 {bin,etc,lib}
cp -p /bin/bash bin/
cp -p /bin/scp bin/
cp -p /lib/{,,,,,,,,,,,,,} lib/
grep phn /etc/passwd > /chroot/etc/passwd
chmod 755 /chroot/etc/passwd

4. Adding public keys

su - phn
cd /home/phn/
mkdir .ssh
chmod 700 .ssh
vi .ssh/authorized_keys
< add new public-key >
chmod 600 .ssh/authorized_keys