Secure SSH with Jailed Users

TL;DR

This guide shows you how to set up a bastion host that lets multiple users SSH securely without sharing your private key. We’ll use SSH keys, jailed environments (chroot), and limited shell access.

1. Set Up the Bastion Host

Start with a clean server image. Ubuntu Server is a good choice. Ensure it’s fully updated:

sudo apt update && sudo apt upgrade -y

2. Create User Accounts

1. Create each user account. Avoid using passwords; we’ll rely on SSH keys.

   sudo adduser username1

2. Repeat for each user (username2, username3, etc.).

3. Configure SSH Key Authentication

1. On the *client* machine (the computer you’ll be connecting from), generate an SSH key pair for each user:

   ssh-keygen -t rsa -b 4096 -f ~/.ssh/username1_id_rsa

   (Repeat for username2, etc., changing the filename accordingly.)

2. Copy the *public* key to the bastion host for each user. Use `ssh-copy-id` or manually append it to the authorized keys file.

   ssh-copy-id -i ~/.ssh/username1_id_rsa username1@bastion_host_ip

   (Repeat for all users.)

3. Disable password authentication on the bastion host. Edit `/etc/ssh/sshd_config`:

   sudo nano /etc/ssh/sshd_config

   Find and change these lines:

   • PasswordAuthentication no
   • ChallengeResponseAuthentication no
4. Restart the SSH service:

   sudo systemctl restart sshd

4. Create Jailed Environments (Chroot)

1. For each user, create a chroot directory:

   sudo mkdir /home/chroot/username1

   (Repeat for all users.)

2. Create the basic file structure within the chroot. A minimal setup includes `bin`, `lib`, and `tmp` directories.

   sudo mkdir -p /home/chroot/username1/{bin,lib,tmp}

   (Repeat for all users.)

3. Copy essential binaries into the chroot’s `bin` directory. Use `ldd` to find dependencies and copy those too.

   sudo cp /bin/bash /home/chroot/username1/bin

   sudo cp /lib64/ld-linux-x86-64.so.2 /home/chroot/username1/lib

   (Adjust paths based on your system architecture.)

4. Create a `start` script inside each user’s chroot directory to launch the shell:

   sudo nano /home/chroot/username1/start

   Add this content (adjusting for username):

   #!/bin/bash
   bash -c 'while true; do echo "Welcome to your jailed environment"; read -r line; done'

   Make the script executable:

   sudo chmod +x /home/chroot/username1/start

5. Configure SSH for Chroot

1. Edit `/etc/ssh/sshd_config` again.

   sudo nano /etc/ssh/sshd_config

2. Add a `Match User` block for each user:

   Match User username1
     ChrootDirectory /home/chroot/%u
     ForceCommand internal-sftp
     AllowTcpForwarding no
     X11Forwarding no

   (Repeat the `Match User` block for each user, changing the username.)

3. Restart the SSH service:

   sudo systemctl restart sshd

6. Test Your Setup

Try connecting with each user’s key pair:

ssh -i ~/.ssh/username1_id_rsa username1@bastion_host_ip

You should be logged in to a restricted shell within the chroot environment. Verify you can’t access files outside of `/home/chroot/username1`.

7. Further Security Considerations

• Limit Resource Usage: Use `ulimit` inside the `start` script to restrict CPU, memory, and file size limits within the chroot environment.
• Regular Updates: Keep your bastion host’s operating system and SSH software up-to-date.
• Firewall Rules: Configure a firewall (e.g., `ufw`) to only allow SSH access from trusted IP addresses.
• Monitoring: Monitor the logs for suspicious activity.