How to Set Up a Secure Chrooted Jail with RSSH

In this guide I will show you how to install and configure Restricted SSH (rssh) on the default port 22, create a chrooted jail for your users, and properly secure it all afterwards.

This method is tried and tested as I originally wrote this for my own benefit when building servers at work.

There are 5 steps:

  1. Installing rssh
  2. Configuring rssh
  3. Building the chrooted jail
  4. Locking it all down
  5. Adding users with rssh over SCP and/or SFTP access to the jail.

Confirmed compatible with default installations of CentOS 5.2 and Red Hat 5.2.

During this guide the CentOS/Redhat default webroot of /var/www/html will be used.

Let’s get started!

1. Installing RSSH

In a terminal type:
cd /tmp


rpm -ivh rssh-2.3.2-1.2.el5.rf.i386.rpm


2. Configuring RSSH

Type (with root privileges):
gedit /etc/rssh.conf
Change the umask from 022 to 002. This sets the default permissions of all SFTP and SCP uploads to 775.
# set the default umask

umask = 002
Uncomment chrootpath and change it to /var/www

# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
chrootpath = /var/www
Uncomment allowscp and allowsftp.

Save rssh.conf overwriting the original (you do not need to restart any services as rssh will read this file on the fly).

3. Build the Chrooted Jail

In a terminal type the following lines (remember to be root!):
mkdir -p /var/www/{dev,etc,lib,usr,bin}

mkdir -p /var/www/usr/bin

mkdir -p /var/www/libexec/openssh

mknod -m 666 /var/www/dev/null c 1 3
cd /var/www/etc

cp /etc/ .

cp -avr /etc/ .

cp /etc/ .

cp /etc/nsswitch.conf .

cp /etc/passwd .

cp /etc/group .

cp /etc/hosts .

cp /etc/resolv.conf .
gedit passwd
Gedit will open. Delete the entire contents of the file, save it and close the editor.

Then type:
gedit group
Again, delete the entire contents of the file, save it and close the editor.

Back in the terminal, type:
cd /var/www/usr/bin

cp /usr/bin/scp .

cp /usr/bin/rssh .

cp /usr/bin/sftp .

cd /var/www/libexec/openssh/

cp /usr/libexec/openssh/sftp-server .
Now you need to copy the shared library files to the new folder structure. The easiest way to do this is to use a simple script written by Vivek at

In a terminal type:
cd /sbin

wget -O l2chroot

chmod +x l2chroot

gedit l2chroot
l2chroot will open in gedit. Find the following line:
Change it to:
Save the file.

In a terminal type:
l2chroot /usr/bin/scp

l2chroot /usr/bin/rssh

l2chroot /usr/bin/sftp

l2chroot /usr/libexec/openssh/sftp-server
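The l2chroot script itself is not reproduced here, but the same library-copying idea, as an added example of my own (not Vivek's script): it reduces ldd output for a binary to the paths it depends on and copies the binary plus every library into the chroot under the same path, so /var/www/lib (and /var/www/lib64 on x86_64) get populated. JAIL is an assumed variable that defaults to the guide's chroot root /var/www.

```shell
#!/bin/sh
# Added example (not the guide's l2chroot script): copy a binary and every
# shared library ldd reports into the chroot, preserving the original paths.
# JAIL is an assumed variable; it defaults to the guide's chroot root /var/www.
JAIL="${JAIL:-/var/www}"

# Reduce ldd output to one absolute path per line. ldd prints three shapes:
#   libc.so.6 => /lib/libc.so.6 (0x...)   -> keep the path after "=>"
#   /lib/ld-linux.so.2 (0x...)            -> the dynamic loader, keep as is
#   linux-gate.so.1 =>  (0x...)           -> kernel vDSO, no file on disk, skip
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# Copy one file to the same path below $JAIL, creating parent directories
# (so /lib64/... lands in /var/www/lib64/... even though the guide only
# creates lib). Returns 1 and copies nothing if the source is missing.
copy_into_jail() {
    src="$1"
    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    mkdir -p "$JAIL$(dirname "$src")"
    cp -p "$src" "$JAIL$src"
}

# Copy a binary plus its libraries; prints how many files were placed.
jail_binary() {
    bin="$1"
    n=0
    copy_into_jail "$bin" && n=$((n + 1))
    for lib in $(ldd "$bin" 2>/dev/null | ldd_paths); do
        copy_into_jail "$lib" && n=$((n + 1))
    done
    echo "$n"
}

# Usage, mirroring the guide's four l2chroot calls:
#   for b in /usr/bin/scp /usr/bin/rssh /usr/bin/sftp \
#            /usr/libexec/openssh/sftp-server; do jail_binary "$b"; done
```

Unlike the guide's manual copy of sftp-server, this places it directly under /var/www/usr/libexec/openssh, so the final move of libexec is not needed for files copied this way.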

gedit /etc/sysconfig/syslog
Find the line:


Change it to:

SYSLOGD_OPTIONS="-m 0 -a /var/www/dev/log"

Save the file

In a terminal type:
/etc/init.d/syslog restart
Finally, move the folder libexec from /var/www/ to /var/www/usr/

4. Permissions

In a terminal type:
cd /var/www

chmod 700 bin -R

chmod 750 dev -R

chmod 700 error -R

chmod 700 etc -R

chmod 700 icons -R

chmod 750 lib -R

chmod 750 usr -R

chmod 700 cgi-bin -R

chmod 755 html
chown root:users usr -R

chown root:users lib -R

chown root:users html

chown root:users dev -R

chown root:users cgi-bin -R

chown root:root icons -R

chown root:root etc -R

chown root:root error -R

chown root:root bin -R

cd /var/www/dev

chmod 770 null


5. Add Users with RSSH over SCP and/or SFTP Access to the Jail

Create a good password, e.g. D4zf96xpvSma
( is a good place to start if you can't think of a good one)

Go to System > Administration > Users and Groups

Click Add User

Enter the following:

Username: xxxxxxxxxxx (e.g. ahawkins)
Password: xxxxxxxxxxxx

Untick Create a private group for the user.

Press OK

Double-click on the user

Go to the Groups tab

Add the user to other groups depending on what they need access to, e.g. web_computing. Leave the Primary Group as users.

Press OK

Open a terminal and enter this command to restrict SSH access to SFTP and SCP only, replacing xxxxxxxx with the required username.

usermod -s /usr/bin/rssh xxxxxxxx

That’s it, you can now start using your new configuration.
