
4. chrooting Your Users (and/or sshd)

In addition to chrooting services/daemons, one can also chroot users! This is not really practical for a system on which users require access to a variety of installed applications, but is ideal for a secure gateway machine — which is open to the world and used as a stepping stone into less open systems.

4.1. chrsh


4.2. chrooting OpenSSH

Quite a bit of work...

4.3. SSHjail

4.4. PAMChroot

4.5. ChrootSSH

ChrootSSH is an excellent alternative to attempting to chroot OpenSSH; it's much less work. Software and documentation are available from

After downloading, compiling, installing and starting ChrootSSH, set up your users' home directories in, say, /chroot/home/<username> and add corresponding entries to /etc/passwd:

        # ...notice the "." in the home-dir path...

When henrietta logs in, she will have /chroot/home/henrietta as home directory and be restricted to /chroot on the system — seeing /chroot as /.

Key-authentication can be used with ChrootSSH in the normal way — but remember to install keys in /chroot/home/<username>/.ssh/, not in /home/<username>/.ssh!
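
An added example (not part of the original document or of the ChrootSSH distribution): a small Python audit that reads passwd entries, splits the home field at the marker, and reports the jail root, the home directory as seen inside the jail, and the directory where the user's keys must be installed. It assumes the "." appears as a `/./` path component (for example `/chroot/./home/henrietta`); the sample entries and function names are constructed for illustration.

```python
import posixpath

MARKER = "/./"  # assumption: the "." in the home field marks the jail boundary

# Constructed sample entries (not from the original page).
SAMPLE_PASSWD = """\
henrietta:x:1001:1001:Henrietta:/chroot/./home/henrietta:/bin/bash
oscar:x:1002:1002:Oscar:/home/oscar:/bin/bash
mallory:x:1003:1003:Mallory:/chroot/./home/../../etc:/bin/bash
"""

def jail_layout(passwd_line):
    """Return (user, jail_root, home_in_jail, key_dir); None if the user is not jailed."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd entry")
    user, home = fields[0], fields[5]
    if MARKER not in home:
        return None  # no marker: ordinary, un-jailed account
    root, _, inside = home.partition(MARKER)
    if not root.startswith("/"):
        raise ValueError("jail root must be an absolute path below /")
    # A ".." on either side of the marker could point the home outside the jail.
    if ".." in root.split("/") or ".." in inside.split("/"):
        raise ValueError("'..' component in home field")
    home_in_jail = posixpath.normpath("/" + inside)
    real_home = posixpath.normpath(root + home_in_jail)
    # Keys belong under the jail, not under /home/<username>/.ssh on the host.
    return user, root, home_in_jail, posixpath.join(real_home, ".ssh")

def audit(passwd_text):
    """Map each user to its jail layout, 'not jailed', or a rejection reason."""
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user = line.split(":", 1)[0]
        try:
            layout = jail_layout(line)
            report[user] = layout[1:] if layout else "not jailed"
        except ValueError as exc:
            report[user] = "rejected: %s" % exc
    return report

if __name__ == "__main__":
    for user, result in audit(SAMPLE_PASSWD).items():
        print(user, result)
```

Running it over a copy of the gateway's /etc/passwd shows at a glance which accounts are jailed and where each one's `.ssh` directory has to live.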
