OpenSSH 4.9p1 and higher support user chrooting SSH and SFTP.
Latest stable: http://openbsd.org.ar/pub/OpenBSD/OpenSSH/portable/openssh-5.8p2.tar.gz
Purpose: shell script sends data to server in secure way without password, and one crooted user on server "phn".
1. Compilation and installation:
gunzip openssh-5.8p2.tar.gz
tar -xvzf openssh-5.8p2.tar
ls
cd openssh-5.8p2
./configure --prefix=/opt/openssh-5.8p2
make
make install
useradd -g other -d /var/empty/sshd -c ''sshd nonpriv userid'' -s /bin/false sshd
2. Change SMF configuration to manage new SSHD:
In file /lib/svc/method/sshd changes:
#SSHDIR=/etc/ssh
SSHDIR=/opt/openssh-5.8p2/etc
#KEYGEN="/usr/bin/ssh-keygen -q"
KEYGEN="/opt/openssh-5.8p2/bin/ssh-keygen -q"
. . .
#/usr/local/sbin/sshd
/opt/openssh-5.8p2/sbin/sshd
. . .
#In file /var/svc/manifest/network/ssh.xml changes:
#value=''file://localhost/etc/ssh/sshd_config'' />
value=''file://localhost/opt/openssh-5.8p2/etc/sshd_config'' />
. . .
3. Setup chrooted SSH/SCP
In file /opt/openssh-5.8p2/etc/sshd_config add:
Match user phn
ChrootDirectory /chroot
. . .
Environment for chrooted “phn” user:
mkdir /chroot
chmod 755 /chroot/
groupadd phn
useradd -m -g phn -c "Quality Assurance user" -d /home/phn -s /bin/bash phn
passwd phn
mkdir -p /chroot/home/phn
chmod 775 /chroot/home
chmod 700 /chroot/home/phn
chown phn:phn /chroot/home/phn
cd /chroot
mkdir {bin,etc,lib}
chmod 755 {bin,etc,lib}
cp -p /bin/bash bin/
cp -p /bin/scp bin/
cp -p /lib/{libcurses.so.1,libsocket.so.1,libnsl.so.1,libdl.so.1,libc.so.1,libmp.so.2,libmd.so.1,libscf.so.1,libdoor.so.1,libuutil.so.1,libgen.so.1,libm.so.2,nss_files.so.1,ld.so.1} lib/
grep phn /etc/passwd > /chroot/etc/passwd
chmod 755 /chroot/etc/passwd
4. Adding public keys
su - phn
cd /home/phn/
mkdir .ssh
chmod 700 .ssh
vi .ssh/authorized_keys
< add new public-key >
chmod 600 .ssh/authorized_keys