When you have jails on your FreeBSD server, the classical way to log into the jail is to set up a SSH server inside the jail. If you have several SSH servers in several jails and only one IP, you must use a different port for each SSH server.

The pam_jail module is derived from the mod_chroot module and allows to use only one SSH server running within the base system, and dropping users in a specific jail once logged. For the user, everything works as if the SSH server were inside the jail.

Benefits :

  • only one SSH server for all the jails
  • SSH server running on standard ssh port (tcp/22).
  • allow to control user allowed to connect through SSH and logs from outside of the jail, which adds some security.

Drawbacks :

  • if password authentication is used, users won't be able to change their passwords : you'd better use ssh keys with pam_jail.
  • as the SSH server runs within the base system, there's a very small amount of time where newly open session runs outside of the jail. It may add security risk if a component running after successed authorization and before pam_jail has a security weakness.


The jail model has substancially changed in FreeBSD 7. So, FreeBSD 6 version of pam_jail may also work with previous version, and FreeBSD 7 with future one.

Download port file for FreeBSD 6

Download port file for FreeBSD 7

Quick help

The jail service module for PAM put users into a jail derived from their home directory.  If a user's home directory as specified in the passwd structure returned by getpwnam(3) contains the string "/./", the user is put into the jail having the portion of the directory name to the left of the string "/./" as its root, and the portion to the right will be the current working directory inside the jail.  Otherwise, the directories specified by the dir and cwd options (see below) are used.

PAM parameters :

  • also_root : Do not hold user ID 0 exempt from the jail requirement.
  • always : Report a failure if a root directory could not be derived from the user's home directory, and the dir option was not specified.
  • cwd=directory : Specify the directory to chdir(2) into after a successful jail_attach(2) call.
  • dir=directory : Specify the root directory of the jail to use if one could not be derived from the user's home directory.

Sample line to add in /etc/pam.d/sshd:

session   required   /usr/local/lib/pam_jail.so   dir=/jails/untrusted-users/