How does openssh container remove preauth "chroot" from ssh-server? "fatal: chroot("/run/sshd"): Operation not permitted [preauth]"

Hi, I am new to this forum and I recently started working with containers. I am trying to set up a container as an ssh server on my device so I can give remote users the ability to ssh into the container rather than into my device directly.

I tried to create a container from an Ubuntu 18.04 base image and install openssh-server inside the container so that I can ssh into the container. However, my seccomp rule does not allow the syscall "chroot" (I cannot add it due to a security issue) and I get this error log "fatal: chroot("/run/sshd"): Operation not permitted [preauth]" in /var/log/auth.log. This error indicates that ssh-server tries to run "chroot" before authentication (the ssh client log shows "connection reset" before authentication) but fails because of a permission issue.
I can work around this issue by adding "chroot" to seccomp as an allowed syscall but, as I mentioned, this is not an acceptable solution.

I also tried the openssh container image without providing "chroot" in seccomp; ssh works well there and does not have the same issue. I accessed the openssh container as root and tried to manually run "chroot", and I have no permission to do that. This tells me that the ssh-server inside the openssh container does not run "chroot" when establishing the connection.

Here are my questions:

  1. Why does openssh-server try to chroot to /run/sshd before authentication inside the Ubuntu container? This "chroot" before authentication is different from the "chroot" that can be run after authentication for the ssh user and can be configured in the /etc/ssh/sshd_config file.

  2. What change has the ssh-server inside the openssh container made to avoid calling "chroot"?