Restrict SSH User Access to Certain Directory Using Chrooted Jail

If You Appreciate What We Do Here On TecMint, You Should Consider:

  1. Stay Connected to: Twitter | Facebook | Google Plus
  2. Subscribe to our email updates: Sign Up Now
  3. Get your own self-hosted blog with a Free Domain at ($3.45/month).
  4. Become a Supporter - Make a contribution via PayPal
  5. Support us by purchasing our premium books in PDF format.
  6. Support us by taking our online Linux courses

We are thankful for your never ending support.

Aaron Kili

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

26 Responses

  1. Ravi says:

    I’m getting “Permission denied (publickey).”

  2. Krunal says:

    I followed the all steps. Howerver when I was doing :
    #ssh [email protected]
    it shows .
    /bin/bash permission denied.
    Connection closed.

    I saw in /home/test/bin
    bash has root permission.

  3. gxr says:

    Hello, thanks for this tutorial. However I have an issue when i want to test the /home/test with user via ssh.

    -sh: error while loading shared libraries: cannot open shared object file: No such file or directory

    I tried to find a solution, but all issues on Google are on x86 Ubuntu. I’m on x64 16.04.

    Any suggestion ?


  4. Alex Dup says:

    Got the error : /bin/sh: No such file or directory
    Fix it with that : cp -v /bin/sh /home/test/bin/

  5. Iulian Murgulet says:

    Hello John,

    I can not say for sure it is possible (because I do not has a such case), but I guess, that is possible, because scponly is only a shell like bash. But if you can describe your test case I will try to give more help.

  6. John says:

    Can cronjobs or scripts run for the user configured to use scp only. The user is configured to use sftp/scp only and ssh is not allowed.
    Thank you.

  7. Iulian Murgulet says:

    Thx. @Aaron, I appreciate your remarks!

    The link shared by you for Ahmed could be not useful in these days. At least me, I can not find likewise-open in the default repos for Linux-mint (last version). Maybe I am wrong ;) But for sure Ahmed can use SSSD: “The System Security Services Daemon (SSSD) provides access to different identity and authentication providers”:

    # apt install sssd-ldap sssd-ad sssd-krb5 sssd-ipa

    After that he can integrate any LINUX desktop/server, in any LDAP/AD(ldap)/IPA(ldap), and maybe more others …. ! Then the rest of the tutorial(without the likewise-open part) can be used. And with SSSD, you can also have cache credential for any authenticated user, even if the AD/LDAP server is DOWN for some time. As a final word, I think that likewise-open is discontinued (if I remember correctly). In my case likewise-open has fail many years ago!

  8. Iulian Murgulet says:

    Hello, this tutorial is ok to show how a chroot can be use. But from practical point of view is complicated, and does not scale.

    For a scp run in a jail, is more simple to use scponly. For your test case, a webserver, we can use any container technology (lxc is one possibility ), or even better kvm. But you know, each solution have good points, and bad points.

    Any Linux admin must think what is the best for his particular case. This is the most important for me is ok the solution A or B? How I can reduce the risk for A and for B? I have the skills for A/B? I have the proper resources for A/B (time, servers, storage, and so on)?

    • Aaron Kili says:


      Your are right, from a practical point of view, implementing this may by be complicated especially when used with ssh, scp and other related commands. And also when you need to install additional commands for users and create a PATH for them to run commands without specifying the absolute path to the commands.

      Therefore, it would effectively and reliably work in test cases for testing certain programs in an isolated environment on the system. Thanks for sharing your thoughts with us.

  9. Ahmed says:

    When I test SFTP connection.

    "subsystem request failed on channel 0
    Couldn't read packet: Connection reset by peer"

    logs – /var/log/secure:

    "error: subsystem: cannot stat /usr/libexec/openssh/sftp-server: No such file or directory
    subsystem request for sftp failed, subsystem not found"

    When I change sshd_config: ( )

    "# override default of no subsystems
    Subsystem	sftp	internal-sftp
    ForceCommand internal-sftp"

    It’s work for me. But, why user see all folder/files from jail ? ex: bin/etc/dev ?
    “cd /” move him to /home/test.

    And How Can I run this Jail with LDAP/geten passwd user from LDAP ?

  10. Ldap says:

    Can I please auth with ldap ?

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.