Howto chroot sftp with RSSH on FreeBSD 6.x

I was able running rssh with FreeBSD 4.11 once, since upgrading to FreeSBD 6.1, I found it has different way to control the process of system files.

INSTALLATION

You can install rssh as usual, mine from source install version 2.3.2. This howto based on install rssh with --prefix=/usr/local.

CREATE GLOBAL CHROOTBASE

Decide the services and chrootpath in /usr/local/etc/rssh.conf. You can change whatever service or path you want, but make sure to change it accordingly.

...
allowsftp
chrootpath = "/home/chrootbase"
...

Minimum system files required

/dev
No more using the legacy mknod(8).
Add to /etc/rc.conf the devfs ruleset coming from /etc/defaults/rc.conf.
```
devfs_set_rulesets="/home/chrootbase/dev=devfsrules_jail"
```
Insert this to rc.conf assume you want this special device path will be available on next boot. And you must edit /etc/fstab like below so reboot will auto mount and not complain being unable to set ruleset.
```
none	/home/chrootbase/dev	devfs	rw	0	0
```
Now continue making our device filesystem
```
# mkdir -p /home/chrootbase/dev
# mount_devfs devfs /home/chrootbase/dev
```
Without rebooting, and activate the device, run as follow

# /etc/rc.d/devfs restart

Note, to unmount simply run: umount /home/chrootbase/dev

rssh_chroot_helper

# mkdir -p /home/chrootbase/usr/local/libexec
# scp -p /usr/local/libexec/rssh_chroot_helper /home/chrootbase/usr/local/libexec

/bin/sh

# mkdir -p /home/chrootbase/bin
# cp /bin/sh /home/chrootbase/bin/
# ldd /bin/sh

Copy the dependencies of /bin/sh to chroot directory, mine as follow:

# mkdir /home/chrootbase/lib
# cp /lib/libedit.so.5 /home/chrootbase/lib/
# cp /lib/libncurses.so.6 /home/chrootbase/lib/
# cp /lib/libc.so.6 /home/chrootbase/lib/

Dynamic linker

# mkdir /home/chrootbase/libexec
# cp /libexec/ld-elf.so.1 /home/chrootbase/libexec/

/home (optional, otherwise user will drop to / inside jail).
Create /home (inside jail) for chrooted users
```
# mkdir /home/chrootbase/home
```
Just a note when create user, you should make the home directory inside this /home/chrootbase/home. Example /home/chrootbase/home/username, thus, the /etc/passwd will contain this path. You can make this directory totally empty.
Example of applying this user into rssh.conf
```
user=username:011:00010:/home/chrootbase
```

sftp-server

As I enable allowsftp in rssh.conf, we need to install sftp-server inside jail.

# mkdir -p /home/chrootbase/usr/libexec
# cp /usr/libexec/sftp-server /home/chrootbase/usr/libexec/
# ldd /usr/libexec/sftp-server

So now we know the dependencies of sftp-server, mine as in /usr/lib and /lib

# mkdir -p /home/chrootbase/usr/lib
# cp /usr/lib/libssh.so.3 /home/chrootbase/usr/lib
# cp /lib/libcrypt.so.3 /home/chrootbase/lib
# cp /lib/libcrypto.so.4 /home/chrootbase/lib
# cp /lib/libz.so.3 /home/chrootbase/lib
# cp /lib/libc.so.6 /home/chrootbase/lib
# cp /usr/lib/libgssapi.so.8 /home/chrootbase/usr/lib
# cp /usr/lib/libkrb5.so.8 /home/chrootbase/usr/lib
# cp /usr/lib/libasn1.so.8 /home/chrootbase/usr/lib
# cp /usr/lib/libcom_err.so.3 /home/chrootbase/usr/lib
# cp /lib/libmd.so.3 /home/chrootbase/lib
# cp /usr/lib/libroken.so.8 /home/chrootbase/usr/lib

With above configuration, chroot environtment works for me, hopefully yours too. Good luck!

Tea One

t
e
a
o
n
e
@
a
r
t
o
f
i
n
d
o
.
c
o
m