How to chroot ssh user using Jailkit

[trawler]

After setting up my secure ftp server (vsftpd) I needed a solution to allow users to log in, without giving them access to the entire system.

This is my first "How To" so i hope it'll be able to help someone .

In order to set up the ssh enviroment, I used Jailkit. You can get it here.


Installation
After downloading it, compile and install it:

Code:

tar -zxvf jailkit-2.0.tar.gz

Code:

cd jailkit-2.0

Code:

./configure

Code:

make

Code:

sudo make install

Setting The "Jail" Up
After you've installed it, it's time to set up the "root" directory (the directory to which the users will be jailed to).

Code:

sudo mkdir /jail

Code:

sudo chown root:root /jail

Creating the Proper Environment
The following lines will allow the logged in user to use whichever set of programs you won't to allow:

Code:

sudo jk_init -v /jail basicshell 
sudo jk_init -v /jail editors 
sudo jk_init -v /jail extendedshell 
sudo jk_init -v /jail netutils 
sudo jk_init -v /jail ssh 
sudo jk_init -v /jail sftp

Creating and Jailing the User

Code:

sudo adduser thomas

Code:

sudo jk_jailuser -m -j /jail thomas

In /etc/passwd thomas' line should look something like that:

Code:

thomas:x:1001:500::/jail/./home/thomas:/usr/sbin/jk_chrootsh

Don't forget to set the password while you're at it:

Code:

sudo passwd thomas

Setting Up the Home Directory
To the users logging in to this secured environment "/jail" will just show up as the "/" directory, so setting up a home directory is also needed:

Code:

sudo mkdir -p /jail/home/thomas

Code:

chown thomas:thomas /jail/home/thomas

Passwords
edit the /jail/etc/passwd and /jail/etc/group files with your favorite editor and add these lines (The numbers mentioned are the user and groups id, which you can check by opening the /etc/passwd file and look for the appropriate user):

Code:

sudo vi /jail/etc/group

paste and save this:
thomas:x:500:

Code:

sudo vi /jail/etc/passwd

paste and save this:
thomas:x:1001:500::/home/thomas:/bin/bash

One last thing:

Code:

sudo cp /home/trawler/.bashrc /jail/home/thomas

Code:

sudo chown thomas:thomas /jail/home/thomas/.bashrc

And that should do it!
you can check the configuration by "ssh'ing" your machine:

Code:

ssh thomas@localhost

And make sure everything's ok.

If anything's gone wrong /var/log/auth.log will give you the needed details:

Code:

tail /var/log/auth.log

[trawler]

Edited:

Added instructions for adding the .bashrc file to the new home directory... otherwise you get a funky defaultive [bash] prompt...

[peabody]

Pretty nice looking. How does jailkit compare to just setting up a minimum system in a folder via debootstrap?

[trawler]

Never tried debootstrap, so i can't really comment on it, but I like the versatility and simplicitly of jailkit... once you've figured out how to set it, jailing more users with different environments is simply a matter of a couple or more command lines.
anyway, it works great for me

[denver]

Thanks ALOT! I have been looking for a way to jail sftp users and i have been banging my head with a howto but with no success.
You're HOWTO worked like a charm! Thanks loads!

[trawler]

Thanks a bunch *blush*.
glad i was able to help.

[dutchcowboy]

Hi,

I'm having a problem. I followed the instructions to a T, but when I try to sftp to my ubuntu box it authenticates successfully, but then just closes the connection. Here's what auth.log is showing:

May 29 15:21:19 zasfosftp sshd[11085]: subsystem request for sftp
May 29 15:21:19 zasfosftp jk_chrootsh[11086]: now entering jail /home/Jail for user mmad (1001)
May 29 15:21:19 zasfosftp sshd[11085]: (pam_unix) session closed for user mmad

Ubuntu version 7.04
Jailkit version 2.0

Any one have any ideas as to how I should try to trouble shoot this?

Thanks for your help,

Dutch Cowboy

[ess]

I have followed the instructions provided above and didn't work for me.

I googled and search the net for instructions and was not successful either.

eventually, I visited the the following howto from jailkit and it worked from the first try

http://olivier.sessink.nl/jailkit/ho...oot_shell.html

I am not 100% sure why it didn't work first time around, but it might have something to do with not having created a tmp directory.

Cheers
~E

[Falcon4ever]

I have followed the instructions provided above and didn't work for me.

I googled and search the net for instructions and was not successful either.

eventually, I visited the the following howto from jailkit and it worked from the first try

http://olivier.sessink.nl/jailkit/ho...oot_shell.html

I am not 100% sure why it didn't work first time around, but it might have something to do with not having created a tmp directory.

Cheers
~E

those instructions worked fine here in dapper, but i would like to have some compiler tools available to my users. Is it possible to add those with jailkit?

[frenchn00b]

those instructions worked fine here in dapper, but i would like to have some compiler tools available to my users. Is it possible to add those with jailkit?

Please those you managed to make SFTP work... please could you post

all you have ?
/etc/jailkit content
+ permissions of the folders
+ a complete ls -la of the /home/jail ?

thanks a lot for others who are fighting (like hell with that program) !