How to set chroot jail for sshd service properly?

Question

on the server side on my debian8,the commands were run :

adduser --home /home/user1 user1
nano /etc/ssh/sshd_config
Match User user1
ChrootDirectory /home/user1   #two lines were  added

service sshd restart

On the client side ,

ssh [email protected]
[email protected]'s password: 
Write failed: Broken pipe

Why can't set chroot jail on the /home/user1 ?

Answer 1

What is probably happening is that sshd issues the chroot() system call, but then when the system tries to start your shell (which is probably something like /bin/bash), it doesn't exist...because you've chrooted, so there is no /bin directory.

You can copy your shell into /home/user1/bin/bash, but you would also need to copy in any required shared libraries. You can get this by running ldd /bin/bash:

# ldd /bin/bash
linux-vdso.so.1 =>  (0x00007ffc3eff5000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f21ceb47000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f21ce943000)
libc.so.6 => /lib64/libc.so.6 (0x00007f21ce586000)
/lib64/ld-linux-x86-64.so.2 (0x00007f21ced71000)

You could copy each of these into the appropriate place in your chroot environment, but if you wanted to run any other command, you would need to repeat the above process.

And you may find that some libraries are loaded dynamically, and you would need to copy these as well.

And any required configuration files from /etc. And possibly some device nodes from /dev. Etc.

In other words, it's not really worth the effort unless your goal really is to limit access to a single command.