{"id":16060807,"url":"https://github.com/geerlingguy/ansible-role-ssh-chroot-jail","last_synced_at":"2025-04-06T21:14:42.082Z","repository":{"id":27316959,"uuid":"111031834","full_name":"geerlingguy/ansible-role-ssh-chroot-jail","owner":"geerlingguy","description":"Ansible Role - SSH chroot jail config","archived":false,"fork":false,"pushed_at":"2025-01-31T03:25:49.000Z","size":54,"stargazers_count":76,"open_issues_count":0,"forks_count":33,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-03-30T20:11:10.509Z","etag":null,"topics":["ansible","chroot","jail","role","security","sftp","ssh","user-management","users"],"latest_commit_sha":null,"homepage":"https://galaxy.ansible.com/geerlingguy/ssh-chroot-jail/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/geerlingguy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"geerlingguy","patreon":"geerlingguy"}},"created_at":"2017-11-16T23:00:08.000Z","updated_at":"2025-02-19T12:02:31.000Z","dependencies_parsed_at":"2024-01-25T05:23:04.399Z","dependency_job_id":"2df4720a-381c-44f1-a1b2-955db1a6108a","html_url":"https://github.com/geerlingguy/ansible-role-ssh-chroot-jail","commit_stats":null,"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geerlingguy%2Fansible-role-ssh-chroot-jail","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geerlingguy%2Fansible-role-ssh-chroot-jail/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geerlingguy%2Fansible-role-ssh-chroot-jail/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/geerlingguy%2Fansible-role-ssh-chroot-jail/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/geerlingguy","download_url":"https://codeload.github.com/geerlingguy/ansible-role-ssh-chroot-jail/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247550689,"owners_count":20956987,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","chroot","jail","role","security","sftp","ssh","user-management","users"],"created_at":"2024-10-09T04:06:35.464Z","updated_at":"2025-04-06T21:14:42.061Z","avatar_url":"https://github.com/geerlingguy.png","language":"Shell","funding_links":["https://github.com/sponsors/geerlingguy","https://patreon.com/geerlingguy"],"categories":[],"sub_categories":[],"readme":"# Ansible Role: SSH chroot jail config\n\n[![CI](https://github.com/geerlingguy/ansible-role-ssh-chroot-jail/actions/workflows/ci.yml/badge.svg)](https://github.com/geerlingguy/ansible-role-ssh-chroot-jail/actions/workflows/ci.yml)\n\nConfigures a chroot jail specifically for the purpose of limiting a set of SSH users to the jail. Useful if you have a server where you need to allow very limited access to a very limited amount of functionality.\n\n## Requirements\n\nRequires OpenSSH server. Doesn't require `geerlingguy.security`, but that role (or one like it) is highly recommended to help lock down your server as much as possible.\n\n## Role Variables\n\nAvailable variables are listed below, along with default values (see `defaults/main.yml`):\n\n    ssh_chroot_jail_path: /var/jail\n\nThe path to the root of the chroot jail.\n\n    ssh_chroot_jail_group_name: ssh_jailed\n\nThe group into which jailed users should be added.\n\n    ssh_chroot_jail_users:\n      - name: foo\n        home: /home/foo\n        shell: /bin/bash\n\nA list of users who should be in the chroot jail. Leave set to the default (`[]`) if you would like to manage users on your own.\n\n    ssh_chroot_jail_dirs:\n      - bin\n      - dev\n      - etc\n      - lib\n      - lib64\n      - usr/bin\n      - usr/lib\n      - usr/lib64\n      - home\n\nBase directories that should exist in the jail.\n\n    ssh_chroot_jail_devs:\n      - { dev: 'null', major: '1', minor: '3' }\n      - { dev: 'random', major: '5', minor: '0' }\n      - { dev: 'urandom', major: '1', minor: '5' }\n      - { dev: 'zero', major: '1', minor: '8' }\n\nDevices that should exist in the jail.\n\n    ssh_chroot_bins:\n      - /bin/cp\n      - /bin/sh\n      - /bin/bash\n      - /bin/ls\n      ...\n      - /usr/bin/tail\n      - /usr/bin/head\n      - /usr/bin/awk\n      - /usr/bin/wc\n      ...\n      - bin: /usr/bin/which\n        l2chroot: false\n\nA list of binaries which should be copied over to the jail. Each binary will also have its library dependencies copied into the jail using the `l2chroot` script included with this role; you can skip that task by setting the `bin` key explicitly and setting `l2chroot: false` as in the last example above.\n\n    ssh_chroot_l2chroot_template: l2chroot.j2\n    ssh_chroot_l2chroot_path: /usr/local/bin/l2chroot\n\nThe download URL and path into which `l2chroot` should be installed.\n\n    ssh_chroot_copy_extra_items:\n      - /etc/hosts\n      - /etc/passwd\n      - /etc/group\n      - /etc/ld.so.cache\n      - /etc/ld.so.conf\n      - /etc/nsswitch.conf\n\nExtra items which should be copied into the jail.\n\n    ssh_chroot_sshd_chroot_jail_config: |\n      Match group {{ ssh_chroot_jail_group_name }}\n          ChrootDirectory {{ ssh_chroot_jail_path }}\n          X11Forwarding no\n          AllowTcpForwarding no\n\nConfiguration to add to the server's `sshd_config` controlling how users in the chroot jail group are handled.\n\n    ssh_chroot_jail_dirs_recurse: true\n\nWhen adding jail directories, whether the directory addition should be done recursively or not. If you have many directories with thousands of files, and/or have the directories on a slow filesystem, this should be set to `false`.\n\n## Dependencies\n\nNone.\n\n## Example Playbook\n\n    - hosts: servers\n      become: yes\n      roles:\n        - geerlingguy.security\n        - geerlingguy.ssh-chroot-jail\n\n*Inside `vars/main.yml`*:\n\n    ssh_chroot_jail_users:\n      - name: janedoe\n        home: /home/janedoe\n        shell: /bin/bash\n\n## License\n\nMIT (Expat) / BSD\n\n## Author Information\n\nThis role was created in 2017 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).\n\nSpecial thanks to [Acquia](https://www.acquia.com) for sponsoring the initial development of this role.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgeerlingguy%2Fansible-role-ssh-chroot-jail","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgeerlingguy%2Fansible-role-ssh-chroot-jail","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgeerlingguy%2Fansible-role-ssh-chroot-jail/lists"}