gdzien/ansible-role-ssh-chroot-jail
Ansible Role: SSH chroot jail config

Configures a chroot jail specifically for the purpose of limiting a set of SSH users to the jail. Useful if you have a server where you need to allow very limited access to a very limited amount of functionality.

Requirements

Requires OpenSSH server. Doesn't require geerlingguy.security, but that role (or one like it) is highly recommended to help lock down your server as much as possible.

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

ssh_chroot_jail_path: /var/jail

The path to the root of the chroot jail.

ssh_chroot_jail_group_name: ssh_jailed

The group into which jailed users should be added.

ssh_chroot_jail_users:
  - name: foo
    homedir: /home/foo
    shell: /bin/bash

A list of users who should be in the chroot jail (the entry above is an example; the role's default is an empty list, []). Leave it empty if you would rather manage the users yourself. Once sshd has chrooted, it resolves the user's home directory relative to the jail, so a homedir of /home/foo has to exist as /var/jail/home/foo with the default jail path.

ssh_chroot_jail_dirs:
  - bin
  - dev
  - etc
  - lib
  - lib64
  - usr/bin
  - usr/lib
  - usr/lib64
  - home

Base directories that should exist in the jail.

ssh_chroot_jail_devs:
  - { dev: 'null', major: '1', minor: '3' }
  - { dev: 'random', major: '5', minor: '0' }
  - { dev: 'urandom', major: '1', minor: '5' }
  - { dev: 'zero', major: '1', minor: '8' }

Devices to create under dev/ in the jail, with the character-device major and minor numbers to use. Check these numbers against the host (ls -l /dev/null /dev/zero /dev/random /dev/urandom) before relying on them: the Linux kernel assigns null 1:3, zero 1:5, random 1:8 and urandom 1:9, and 5:0 is /dev/tty. With the numbers shown above, the jail's random would be a tty and its urandom would be /dev/zero, so anything inside the jail that reads urandom for key or nonce material would get all zero bytes. Override the variable with the correct numbers for your platform.

ssh_chroot_bins:
  - /bin/cp
  - /bin/sh
  - /bin/bash
  - /bin/ls
  ...
  - /usr/bin/tail
  - /usr/bin/head
  - /usr/bin/awk
  - /usr/bin/wc
  ...
  - bin: /usr/bin/which
    l2chroot: false

A list of binaries to copy into the jail. For each one the role also copies its shared-library dependencies using l2chroot, a script that reads the output of ldd and copies every library it lists to the same path under the jail; set the bin key explicitly and add l2chroot: false, as in the last entry above, to skip that step for a binary. Statically linked binaries need no libraries. Dynamically linked ones also need the ELF interpreter (for example /lib64/ld-linux-x86-64.so.2, which ldd does list) and, on glibc older than 2.34, libnss_files for user and group name lookups, which ldd does not list because it is loaded at run time.

ssh_chroot_l2chroot_url: https://www.cyberciti.biz/files/lighttpd/l2chroot.txt
ssh_chroot_l2chroot_path: /usr/local/bin/l2chroot

The download URL for l2chroot and the path it is installed to. The script is fetched from a third-party site and then run as root on the target, so review it once and host your own copy (point ssh_chroot_l2chroot_url at it) rather than trusting whatever that URL serves on the day of the next run.

ssh_chroot_copy_extra_items:
  - /etc/hosts
  - /etc/passwd
  - /etc/group
  - /etc/ld.so.cache
  - /etc/ld.so.conf
  - /etc/nsswitch.conf

Extra files to copy into the jail. The defaults cover what the dynamic loader and name lookups need (ld.so.cache, ld.so.conf, nsswitch.conf, passwd, group). Anyone in the jail can read these copies, so consider installing a trimmed passwd and group that contain only the jailed accounts instead of the host's full account list, and never add /etc/shadow to this list.
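The directory, device, binary and extra-file lists above are only useful if the result is a jail that sshd will accept and that the copied binaries can actually run in. The following pre-flight checker is an added example, not part of this role: it checks the ownership chain sshd enforces on ChrootDirectory, the device nodes under dev/ against the Linux kernel's numbers, and whether each binary and the libraries ldd reports for it (the same output l2chroot parses) exist at the same path inside the jail. The function names, the SAMPLE_LDD text and the assumption of a Linux host are this example's own.

```python
"""Pre-flight checks for a jail laid out the way this role does it.

Added example (not part of the role): verifies the ownership chain sshd
enforces on ChrootDirectory, the device nodes under <jail>/dev, and whether
the shared libraries each copied binary needs (per ldd, which is what
l2chroot parses) are present in the jail. Function names are this example's own.
"""
import os
import stat

# Character-device numbers from the Linux kernel's devices.txt (assumes a Linux host).
LINUX_DEVICES = {"null": (1, 3), "zero": (1, 5), "random": (1, 8), "urandom": (1, 9)}

# Constructed ldd output for a bash-like binary, covering every line shape ldd emits.
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd8a1f2000)\n"
    "\tlibtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f1e4c000000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e4be00000)\n"
    "\tlibfoo.so.1 => not found\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f1e4c200000)\n"
)


def component_problem(mode, uid, path):
    """Why sshd would reject one component of the ChrootDirectory path, or None.

    sshd requires every directory from / down to the jail to be owned by root and
    not writable by group or others; otherwise it logs 'bad ownership or modes for
    chroot directory component' and drops the session.
    """
    if uid != 0:
        return "%s: owned by uid %d, must be root" % (path, uid)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "%s: group- or world-writable (mode %o)" % (path, stat.S_IMODE(mode))
    return None


def chain_problems(jail):
    """Apply component_problem to the jail root and every parent directory up to /."""
    problems, path = [], os.path.abspath(jail)
    while True:
        st = os.stat(path)
        p = component_problem(st.st_mode, st.st_uid, path)
        if p:
            problems.append(p)
        parent = os.path.dirname(path)
        if parent == path:
            return problems
        path = parent


def device_problems(jail, devices=LINUX_DEVICES):
    """Check that each expected node exists in <jail>/dev as a char device with the right numbers."""
    problems = []
    for name, (major, minor) in devices.items():
        node = os.path.join(jail, "dev", name)
        try:
            st = os.stat(node)
        except FileNotFoundError:
            problems.append("%s: missing" % node)
            continue
        if not stat.S_ISCHR(st.st_mode):
            problems.append("%s: not a character device" % node)
            continue
        got = (os.major(st.st_rdev), os.minor(st.st_rdev))
        if got != (major, minor):
            problems.append("%s: is %d:%d, expected %d:%d" % ((node,) + got + (major, minor)))
    return problems


def libs_from_ldd(ldd_output):
    """Parse ldd output into (sorted host paths to copy, names ldd could not resolve).

    Line shapes: the vDSO (no file on disk, skipped), 'name => /path (addr)',
    'name => not found', and the bare ELF interpreter '/lib64/ld-linux-*.so.* (addr)'.
    """
    found, missing = set(), []
    for line in ldd_output.splitlines():
        line = line.strip()
        if "=>" in line:
            name, _, rest = line.partition("=>")
            target = rest.strip().split(" (")[0].strip()
            if target == "not found":
                missing.append(name.strip())
            elif target.startswith("/"):
                found.add(target)
        elif line.startswith("/"):
            found.add(line.split()[0])
    return sorted(found), missing


def missing_in_jail(jail, host_paths):
    """Host paths (binaries or libraries) that have no copy at the same path inside the jail."""
    return [p for p in host_paths if not os.path.exists(os.path.join(jail, p.lstrip("/")))]


def preflight(jail, ldd_outputs):
    """Run every check; ldd_outputs maps a binary's host path to the ldd output captured for it."""
    problems = chain_problems(jail) + device_problems(jail)
    for binary, out in ldd_outputs.items():
        libs, unresolved = libs_from_ldd(out)
        problems += ["%s: ldd could not resolve %s" % (binary, n) for n in unresolved]
        for p in missing_in_jail(jail, [binary] + libs):
            problems.append("%s: %s is not present in the jail" % (binary, p))
    return problems


if __name__ == "__main__":
    import subprocess
    import sys

    jail_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/jail"
    binaries = sys.argv[2:] or ["/bin/sh", "/bin/bash", "/bin/ls"]
    outputs = {b: subprocess.run(["ldd", b], capture_output=True, text=True).stdout for b in binaries}
    problems = preflight(jail_dir, outputs)
    print("\n".join(problems) or "jail looks consistent")
    sys.exit(1 if problems else 0)
```

Run it on the target as root after the role has converged (python3 jail_preflight.py /var/jail /bin/bash /bin/ls), ideally as a post-task, so a wrong device number or a library that l2chroot skipped is caught before the first jailed login fails. The ownership check deliberately walks every parent of the jail, because sshd rejects the whole path if any single component is group-writable, which is a common surprise when the jail is placed under a shared directory.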

ssh_chroot_sshd_chroot_jail_config: |
  Match group {{ ssh_chroot_jail_group_name }}
      ChrootDirectory {{ ssh_chroot_jail_path }}
      X11Forwarding no
      AllowTcpForwarding no

Configuration appended to the server's sshd_config controlling how users in the chroot jail group are handled. Everything after a Match line applies only to matching connections, so this block has to come after the global directives. sshd also refuses the login (logging "bad ownership or modes for chroot directory") unless ssh_chroot_jail_path and every parent directory are owned by root and writable by neither group nor others. Consider adding AllowAgentForwarding no, AllowStreamLocalForwarding no and PermitTunnel no to the block as well, and run sshd -t before restarting the service.

Dependencies

None.

Example Playbook

- hosts: servers
  roles:
    - geerlingguy.security
    - geerlingguy.ssh-chroot-jail

Inside vars/main.yml:

ssh_chroot_jail_users:
  - name: janedoe
    homedir: /home/janedoe
    shell: /bin/bash

License

MIT (Expat) / BSD

Author Information

This role was created in 2017 by Jeff Geerling, author of Ansible for DevOps.

Special thanks to Acquia for sponsoring the initial development of this role.