Chrooted ssh: the Nixy way?

Hi everyone,

I’m totally new to Nixos, and may not fully understand how the system works! My apologies if this should be obvious, or if there’s an obvious place this question has been answered before and I haven’t found it.

I’d like to run an ssh server that, for the sake of defense-in-depth, chroots a certain user into a jail on login. There’s a standard sshd_config option (ChrootDirectory) for this, but (unless I’ve missed it), it doesn’t look like there’s an analogous option for services.openssh in the Manual. Furthermore, I’m wondering what you would have to do to provide installed binaries to a chrooted user under Nixos, given that usually everything is soft-linked to the Nix store (if that’s right? Correct me if I’m wrong!)

Anyway, I hope there’s a nice way to do this! Thanks for reading.


Usually, only a subset of options are present in nixos module
options. Often, these options are present because they can be set
through other modules, or used in several modules. Otherwise, they
are present because they are considered common, or useful to have
by whoever implemented the module.

For services like openssh, that has a plethora of options, it
would be quite painful to maintain them all in nixos options. In
these cases, the common practice is to provide a config, or
extraConfig option that accepts plain text configuration to the
service. You can see it as a way to pass a snippet of the config
to the service.

In your case, you want NixOS Search - Loading...


– Layus

Hm, I see. So I should include a separate configuration file. That’s reasonable. What about the problem of providing certain libraries and binaries to a ailed user? I would sort of expect that Nixos has an elegant “correct” way to do this, but of course symlinks aren’t transparent in quite the right way! I don’t know, do I just bind mount the store?

Thanks again!

The above replay was mangled by the email parser. What I wanted to say is that you can use the extraConfig option available at services.openssh.extraconfig

To use it, you just append to that plain string.

  services.openssh.extraConfig = ''
    ChrootDirectory /some/chroot

but you can add any kind of config there, like

  services.openssh.extraConfig = ''
    Match Group sftponly
      ChrootDirectory /home/%u
      ForceCommand internal-sftp
      AllowTcpForwarding no

Now, to give access to binaries inside the chroot, you could bind-mount the store, or copy only the few paths you want in a fake store rooted there. What would you do with another distro ?

1 Like

Got it, that extraConfig setting is not too burdensome. As for access to resources outside the jail, that’s exactly what I would do in another distro. It’s a bit of a pain, if you ask me. I hoped Nixos might have a slicker solution, but I can live with it!

Thanks, Layus!