Role Detail

geerlingguy.ssh-chroot-jail

Simple SSH chroot jail management.
Downloads: 502
Type: Ansible
Minimum Ansible Version: 2.2
Installation: $ ansible-galaxy install geerlingguy.ssh-chroot-jail
Tags: access, chroot, jail, lockdown, security, ssh, system
Version History: 1.3.1, 1.3.0, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.0, 1.0.3, 1.0.2, 1.0.1, 1.0.0
OS Platforms:
  Debian: buster, etch, jessie, lenny, sid, squeeze, stretch, wheezy
  EL: 7
  Ubuntu: artful, bionic, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, utopic, vivid, wily, xenial, yakkety, zesty

Ansible Role: SSH chroot jail config

Configures a chroot jail specifically for the purpose of confining a set of SSH users to that jail. Useful if you have a server where you need to allow very limited access to a very limited set of functionality.

Requirements

Requires an OpenSSH server (sshd); its Match and ChrootDirectory directives do the actual confinement. Doesn't require geerlingguy.security, but that role (or one like it) is highly recommended to help lock down your server as much as possible.

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

ssh_chroot_jail_path: /var/jail

The path to the root of the chroot jail.

ssh_chroot_jail_group_name: ssh_jailed

The group into which jailed users should be added.

ssh_chroot_jail_users:
  - name: foo
    homedir: /home/foo
    shell: /bin/bash

A list of users who should be in the chroot jail; each entry is created with the given home directory and shell and added to the ssh_chroot_jail_group_name group. The entry above is only an illustration: the actual default is an empty list ([]), so leave it at that if you would like to manage users on your own.

ssh_chroot_jail_dirs:
  - bin
  - dev
  - etc
  - lib
  - lib64
  - usr/bin
  - usr/lib
  - usr/lib64
  - home

Base directories that should exist in the jail.

ssh_chroot_jail_devs:
  - { dev: 'null', major: '1', minor: '3' }
  - { dev: 'random', major: '5', minor: '0' }
  - { dev: 'urandom', major: '1', minor: '5' }
  - { dev: 'zero', major: '1', minor: '8' }

Devices that should exist in the jail.

ssh_chroot_bins:
  - /bin/cp
  - /bin/sh
  - /bin/bash
  - /bin/ls
  ...
  - /usr/bin/tail
  - /usr/bin/head
  - /usr/bin/awk
  - /usr/bin/wc
  ...
  - bin: /usr/bin/which
    l2chroot: no

A list of binaries which should be copied over to the jail. For each one, l2chroot (which uses ldd to find the shared libraries the binary is linked against) copies those libraries into the jail as well, since a jailed process cannot load anything outside ChrootDirectory. To skip the library step for an entry, write it in the long form with an explicit bin key and l2chroot: no, as in the last example above.
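As an added example (not the role's own code and not l2chroot itself), the Python below makes the l2chroot step explicit for one entry: run ldd, parse the library paths out of its output, then copy the binary and each library into the jail at the same relative path. SAMPLE_LDD_OUTPUT is constructed sample data, and src_root is a testing hook so the copy can be exercised against a scratch tree instead of the live root.

```python
"""Copy a binary and its shared-library dependencies into a chroot jail.

Added example, not the role's own code: it makes the l2chroot step
explicit (run ldd, parse the library paths, cp each one into the jail).
SAMPLE_LDD_OUTPUT is constructed data; src_root is a testing hook.
"""
import os
import re
import shutil
import subprocess
import sys

# Constructed sample of what `ldd /bin/ls` prints on a glibc x86_64 host.
SAMPLE_LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd0c3f6000)
\tlibselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f2b1c6e0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b1c4e8000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f2b1c750000)
\tlibpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f2b1c450000)
"""

# "<name> => <path> (<addr>)" for ordinary libraries, "<path> (<addr>)" for
# the dynamic loader itself; only the absolute path is captured.
_LDD_LINE = re.compile(r"^\s*(?:\S+\s*=>\s*)?(/\S+)\s*\(0x[0-9a-fA-F]+\)\s*$")


def parse_ldd(output: str) -> list[str]:
    """Return the absolute library paths listed in ldd output, in order.

    linux-vdso.so.1 is provided by the kernel and has no file on disk, so it
    is skipped; the loader line (/lib64/ld-linux-x86-64.so.2) has no '=>'
    but is a real file the binary cannot start without, so it is kept.
    A '=> not found' line means the host itself is missing a library, which
    would only reproduce the failure inside the jail, so it is an error.
    """
    paths: list[str] = []
    for line in output.splitlines():
        if "not found" in line:
            raise FileNotFoundError(f"unresolved dependency on host: {line.strip()}")
        m = _LDD_LINE.match(line)
        if m and m.group(1) not in paths:
            paths.append(m.group(1))
    return paths


def ldd_paths(binary: str) -> list[str]:
    """Run ldd on a real binary (Linux/glibc) and parse the result."""
    proc = subprocess.run(["ldd", binary], capture_output=True, text=True)
    if "not a dynamic executable" in proc.stdout + proc.stderr:
        return []  # statically linked: nothing else to copy
    proc.check_returncode()
    return parse_ldd(proc.stdout)


def copy_into_jail(jail: str, paths: list[str], src_root: str = "/") -> list[str]:
    """Copy each absolute path into the jail at the same relative location
    (/lib64/ld-linux-x86-64.so.2 -> <jail>/lib64/ld-linux-x86-64.so.2),
    creating parent directories as needed. Symlinks are resolved so the jail
    holds the real file rather than a link pointing outside it. src_root
    defaults to the live root and exists so tests can use a scratch tree.
    Returns the destination paths.
    """
    copied: list[str] = []
    for path in paths:
        rel = path.lstrip("/")
        src = os.path.join(src_root, rel)
        dst = os.path.join(jail, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst, follow_symlinks=True)
        copied.append(dst)
    return copied


def jail_binary(jail: str, binary: str, src_root: str = "/") -> list[str]:
    """Copy a binary plus everything ldd says it needs, which is what the
    role does for each ssh_chroot_bins entry that has l2chroot enabled."""
    return copy_into_jail(jail, [binary] + ldd_paths(binary), src_root)


if __name__ == "__main__":
    # Usage (as root): python3 jail_binary.py /var/jail /bin/ls
    for dest in jail_binary(sys.argv[1], sys.argv[2]):
        print(dest)
```

Resolving symlinks on copy matters: a library path on the host is often a symlink chain (libc.so.6 -> libc-2.x.so), and a copied link would dangle inside the jail.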

ssh_chroot_l2chroot_url: https://www.cyberciti.biz/files/lighttpd/l2chroot.txt
ssh_chroot_l2chroot_path: /usr/local/bin/l2chroot

The download URL and path into which l2chroot should be installed. The script is fetched from a third-party site and then run as root on the target, so vendor a reviewed copy (or point ssh_chroot_l2chroot_url at a location you control) rather than trusting whatever the live URL serves at run time.

ssh_chroot_copy_extra_items:
  - /etc/hosts
  - /etc/passwd
  - /etc/group
  - /etc/ld.so.cache
  - /etc/ld.so.conf
  - /etc/nsswitch.conf

Extra items which should be copied into the jail. Note that the defaults copy the host's complete /etc/passwd and /etc/group, so jailed users can read every account and group name on the system; if that matters, replace those entries with trimmed copies that list only the jailed accounts.

ssh_chroot_sshd_chroot_jail_config: |
  Match group {{ ssh_chroot_jail_group_name }}
      ChrootDirectory {{ ssh_chroot_jail_path }}
      X11Forwarding no
      AllowTcpForwarding no

Configuration added to the server's sshd_config controlling how members of the chroot jail group are handled. Two things sshd enforces here: a Match block applies until the next Match or the end of the file, so it must come after the global settings; and sshd refuses the login (logging "bad ownership or modes for chroot directory") unless the jail root and every directory above it are owned by root and are not group- or world-writable.
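As an added example (not the role's code and not OpenSSH's), a pre-flight check in Python for the ownership rule sshd applies to ChrootDirectory. It walks the same path components sshd does; the live check uses os.stat, and the constructed SAMPLE_TREE shows a jail root created group-writable by a non-root user, which sshd would reject.

```python
"""Pre-flight check for sshd's ChrootDirectory rule.

sshd walks every directory from / down to the chroot path and refuses the
login unless each one is a directory, owned by root, and not group- or
world-writable. Added example, not the role's or OpenSSH's code; the
default stat_fn inspects the live filesystem, and SAMPLE_TREE is a
constructed tree used to show a rejected configuration.
"""
import errno
import os
import stat
import sys
from collections import namedtuple
from typing import Callable


def check_chroot_path(jail_path: str, stat_fn: Callable = os.stat, root_uid: int = 0) -> list[str]:
    """Return the reasons sshd would reject jail_path as a ChrootDirectory;
    an empty list means it passes. stat_fn follows symlinks, as sshd does.
    sshd hard-codes uid 0; root_uid is a parameter only so the check can be
    exercised against constructed trees."""
    parts = [p for p in os.path.abspath(jail_path).split("/") if p]
    components = ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]
    problems: list[str] = []
    for comp in components:
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append(f"{comp}: cannot stat ({exc.strerror})")
            break  # nothing below a missing component can be checked
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        if st.st_uid != root_uid:
            problems.append(f"{comp}: owned by uid {st.st_uid}, must be uid {root_uid}")
        if st.st_mode & 0o022:
            mode = oct(stat.S_IMODE(st.st_mode))
            problems.append(f"{comp}: mode {mode} is group- or world-writable")
    return problems


# Constructed sample tree: /var/jail was created by a deploy user with a
# group-writable mode, which is exactly the mistake sshd rejects.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
SAMPLE_TREE = {
    "/": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/var": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/var/jail": FakeStat(stat.S_IFDIR | 0o775, 1000),
}


def sample_stat(path: str) -> FakeStat:
    """stat_fn over SAMPLE_TREE, raising like os.stat does for missing paths."""
    try:
        return SAMPLE_TREE[path]
    except KeyError:
        raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), path)


if __name__ == "__main__":
    # Usage: python3 check_chroot.py /var/jail   (checks the live filesystem)
    issues = check_chroot_path(sys.argv[1] if len(sys.argv) > 1 else "/var/jail")
    print("\n".join(issues) if issues else "ok: sshd will accept this ChrootDirectory")
    sys.exit(1 if issues else 0)
```

Run it on the target after the role has created ssh_chroot_jail_path; a non-empty result is the same condition that makes sshd close the connection right after authentication.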

Dependencies

None.

Example Playbook

- hosts: servers
  roles:
    - geerlingguy.security
    - geerlingguy.ssh-chroot-jail

Inside vars/main.yml:

ssh_chroot_jail_users:
  - name: janedoe
    homedir: /home/janedoe
    shell: /bin/bash

License

MIT (Expat) / BSD

Author Information

This role was created in 2017 by Jeff Geerling, author of Ansible for DevOps.

Special thanks to Acquia for sponsoring the initial development of this role.
