Chroot sftp/scp user on Mac OS X 10.4.2 (Tiger)

Introduction

The standard OpenSSH included in Mac OS X Panther does not support chroot. Two chroot solutions are commonly used: scponly (http://www.sublimation.org/scponly/) and the chrootssh patch (http://chrootssh.sourceforge.net/). The directions below are for installing scponly on Mac OS X 10.4.2 with Developer Tools (Xcode 2.1) installed (for compatibility with newer versions of Mac OS X, read the notes in the section "About this page"). I originally followed these directions in an attempt to get SFTP working, but they weren't quite right for Tiger. With advice from people at macosxhints.com I re-wrote the directions to make more sense and switched to the scponly method, as it happens to be much easier to set up.

scponly provides the chroot by interpreting the characters '//' in the home directory path of the user you wish to chroot: the part of the path before '//' becomes the chroot root, and the part after it is the directory the user starts in, a convention similar to wu-ftpd's. The home directory path is set in NetInfo Manager for each user you would like to chroot. For example, if the home directory of user godzilla is defined as /Users/godzilla//Sites, godzilla will be chrooted to /Users/godzilla and the initial directory displayed upon logging in via SFTP will be /Users/godzilla/Sites. If the home directory in NetInfo Manager is defined as /Users//godzilla, godzilla will be chrooted to /Users and the initial directory displayed upon logging in via SFTP will be /Users/godzilla. Finally, if the home directory for godzilla is defined as /Users/godzilla (no '//'), godzilla won't be chrooted, and the initial directory displayed upon logging in via SFTP will be /Users/godzilla.

Keep in mind: it is a security risk to chroot a user to their home folder, where they may have access to their own ".ssh" directory. My advice is to chroot each user to a folder inside their home folder. In my case, I am chrooting users to their Sites folder, as I want them to be able to log in securely without getting access to their .ssh file. In addition, each chroot'd user will have access to view their "usr" folder, described below. They will be able to download content from this folder, as it will be readable, but they will not be able to modify its contents.
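The following is an added example, not from the original page: a small POSIX shell script that splits a NetInfo home path by scponly's '//' rule exactly as the three cases above describe, and checks a chroot root for the two problems the warning mentions (a reachable .ssh directory, and writable entries under the copied usr tree). The paths passed to it are assumed to be the ones configured in NetInfo Manager.

```shell
#!/bin/sh
# Added example, not from the original page: decode scponly's "//" home
# directory convention and check a jail for the risks described above.
# Assumes plain POSIX sh and find(1); paths are supplied by the caller.

# Print the directory the user is chrooted to: everything before the first
# "//".  Prints nothing when the path contains no "//" (user not chrooted).
chroot_root() {
    case "$1" in
        *//*) printf '%s\n' "${1%%//*}" ;;
        *)    printf '\n' ;;
    esac
}

# Print the directory the user lands in after login, as seen from outside
# the jail: the path with "//" collapsed and any trailing "/" removed.
login_dir() {
    dir=$(printf '%s\n' "$1" | sed 's#//*#/#g')
    case "$dir" in
        /) printf '/\n' ;;
        *) printf '%s\n' "${dir%/}" ;;
    esac
}

# Check a chrooted home path for the two problems the text warns about:
# a .ssh directory reachable inside the jail, and group- or world-writable
# entries under the jail's copied "usr" tree.  Prints each finding and
# returns 0 when the jail is clean, 1 otherwise.
check_jail() {
    root=$(chroot_root "$1")
    if [ -z "$root" ]; then
        printf 'not chrooted: %s\n' "$1"
        return 1
    fi
    rc=0
    found=$(find "$root" -type d -name .ssh 2>/dev/null)
    if [ -n "$found" ]; then
        printf '.ssh reachable inside jail:\n%s\n' "$found"
        rc=1
    fi
    if [ -d "$root/usr" ]; then
        found=$(find "$root/usr" \( -perm -020 -o -perm -002 \) 2>/dev/null)
        if [ -n "$found" ]; then
            printf 'writable inside jail:\n%s\n' "$found"
            rc=1
        fi
    fi
    return $rc
}
```

Run `check_jail` with the exact "Home" string from NetInfo Manager, e.g. `check_jail /Users/godzilla//Sites`, after the usr folder has been copied into the jail.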

About this page

I wanted a complete set of instructions for performing an ssh chroot in Mac OS X.  After I googled this request and could not find a complete usable set of instructions, I set out to solve the void.  I use this in real life, so I intend to keep this updated as Apple updates Mac OS X.  The steps below were performed on a TiBook running Mac OS X 10.4.2 with Developer Tools (Xcode 2.1) installed.  At the time I tried this, scponly 4.1 was the current version and is used for the instructions below...

Special thanks to Mitch Bray, University of California - San Francisco, for tidying up issues with the Tiger bundled OpenSSL library and for finding another SFTP-server dependency.  Thanks to Em Adespoton for finding a bug in the code.

These directions are only applicable to systems running Mac OS X 10.4 to 10.4.2.  Apple changed the OpenSSL libraries in 10.4.3 and I have not found a way to install it on systems with 10.4.3 or newer, yet.  But, if you follow these directions to enable scponly on a stock 10.4 through 10.4.2 system, you can upgrade using Software Update, and scponly will continue to function as described in this document (I'm running 10.4.4 and everything appears fine).

Download the latest scponly package

Download and unpack the following files

These directions assume you will be downloading to your "desktop".  Open Terminal.app and at the prompt, type the following:


$ cd desktop
$ curl -O http://www.sublimation.org/scponly/scponly-4.1.tgz
$ tar zxvf scponly-4.1.tgz
$ cd scponly-4.1

Configure and install scponly package

In the same Terminal window from the instructions above, type the following


$ ./configure --enable-chrooted-binary
$ make
$ sudo make install
(enter your password when prompted)
$ sudo pico /etc/shells

When pico opens the "shells" file, enter the following on the bottom line of the text file and add a carriage return after this line:


/usr/local/sbin/scponlyc

Close the file by pressing "Control" and "x".  Press "Return" to save your changes.

Create the chroot environment

Copy the files the scp/sftp service relies on.

This example is for chrooting a user to the /Users directory.  Follow along with these directions even if you'd like to chroot a user somewhere else, as you'll be able to drag and drop what we make here for each user you'd like to chroot.


$ cd /Users
$ sudo mkdir -p usr/lib/system usr/libexec usr/local/sbin
$ sudo cp /usr/lib/dyld usr/lib
$ sudo cp /usr/lib/libncurses.5.dylib usr/lib
$ sudo cp /usr/lib/libSystem.B.dylib usr/lib
$ sudo cp /usr/lib/libmx.A.dylib usr/lib
$ sudo cp /usr/lib/libresolv.9.dylib usr/lib
$ sudo cp /usr/lib/libz.1.dylib usr/lib
$ sudo cp /usr/lib/libcrypto.0.9.7.dylib usr/lib
$ sudo cp /usr/lib/system/libmathCommon.A.dylib usr/lib/system
$ sudo cp /usr/local/sbin/scponlyc usr/local/sbin
$ exit

Next we need to configure an sftp-server to use in the chroot jail.  The standard sftp-server shipped with Tiger depends on too many files to use in a chroot jail, so we will build a new one.  Again, open a new terminal window and type the following:


$ cd desktop
$ curl -O http://www.openssl.org/source/openssl-0.9.7g.tar.gz
$ tar zxvf openssl-0.9.7g.tar.gz
$ sudo mv /usr/include/openssl/opensslv.h /usr/include/openssl/opensslv.h.old
$ sudo cp ./openssl-0.9.7g/include/openssl/opensslv.h /usr/include/openssl
$ curl -O ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.0p1.tar.gz
$ tar zxvf openssh-4.0p1.tar.gz
$ cd openssh-4.0p1
$ ./configure; make
$ strip scp sftp-server
$ sudo cp sftp-server /Users/usr/libexec
$ sudo rm /usr/include/openssl/opensslv.h
$ sudo mv /usr/include/openssl/opensslv.h.old /usr/include/openssl/opensslv.h
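The library list above was assembled for 10.4.2 and may not match a different build of scponlyc or sftp-server. As an added check, not part of the original page, the script below derives the list from the binaries themselves: it reads `otool -L` output, follows one level of library-to-library dependencies (which is how libmathCommon enters via libSystem), and reports which paths are still missing under the jail root. It assumes Mac OS X's otool is available for `list_deps`; the parsing and the jail check run anywhere, and the jail root and binary paths in the usage comment are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original page: derive the library list for the
# jail from the binaries themselves instead of copying a fixed list by hand.
# Assumes Mac OS X with Developer Tools (otool).  The parsing and the jail
# check run anywhere; only list_deps needs otool.

# Read `otool -L` output on stdin and print one dependency path per line.
# otool prints the inspected file's own name unindented and each library
# indented, as "\t/usr/lib/libz.1.dylib (compatibility version ...)".
parse_otool() {
    awk '/^[ \t]/ { print $1 }'
}

# Direct dependencies of the Mach-O files given as arguments (Mac OS X only).
list_deps() {
    otool -L "$@" | parse_otool
}

# Direct dependencies plus the dependencies of those libraries, so that a
# second-level library such as libmathCommon (pulled in by libSystem) is not
# forgotten.  dyld is needed in every jail and is added unconditionally.
list_deps_recursive() {
    direct=$(list_deps "$@")
    {
        printf '/usr/lib/dyld\n'
        printf '%s\n' "$direct"
        if [ -n "$direct" ]; then list_deps $direct; fi
    } | sort -u
}

# Read dependency paths on stdin and print those not present under the jail
# root $1 (e.g. /Users).  Returns 0 when nothing is missing, 1 otherwise.
missing_in_jail() {
    jail=$1
    rc=0
    while read -r lib; do
        [ -n "$lib" ] || continue
        if [ ! -e "$jail$lib" ]; then
            printf '%s\n' "$lib"
            rc=1
        fi
    done
    return $rc
}

# Typical use after the copy steps above (paths as used on this page):
#   list_deps_recursive /usr/local/sbin/scponlyc /Users/usr/libexec/sftp-server \
#       | missing_in_jail /Users
```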

Configure users to be chroot'd

Configuring scp and sftp-server to jail users to their own home directory*

After completing the steps above for compiling scponlyc and sftp-server in the /Users directory, I wanted to jail each user to their own home folder where the root level was turned into their web directory (to do this, I deleted the "Library", "Pictures", "Music", etc. folders).  I created all the users I wanted in "System Preferences -> Accounts".  Then, I copied the "usr" folder that we created in the "Users" folder to each user's home directory that I planned to jail.  If you have problems logging in after following these instructions, it could be your "usr" folder.  Copy this one and see if it works for you.

In NetInfo Manager.app I changed a couple of items for each user.  The "Home" path (for a user named godzilla) was changed to "/Users/godzilla//".   This will confine the user "godzilla" to his own home directory and when he logs in using an sftp client, he'll end up in the same directory. He won't be able to move up another directory level to see the rest of the users.

Lastly, you need to set the "shell" field in NetInfo Manager for each user you wish to chroot.  The shell field should be changed to "/usr/local/sbin/scponlyc".  Here's an example of one of my users in NetInfo.

That's it!


* See security risk detailed in the introduction at the top of this page.

Created:11.9.2005 / Last-Modified: 01.09.2007 (day.month.year)
homepage: http://www.schwie.com/brad/
email: schwie at gmail dot com