
Thread: How to chroot ssh user using Jailkit

  1. #1
    Join Date
    Jan 2006
    Beans
    48
    Distro
    Ubuntu

    How to chroot ssh users using Jailkit

    After setting up my secure ftp server (vsftpd) I needed a solution to allow users to log in, without giving them access to the entire system.

    This is my first "How To" so I hope it'll be able to help someone.

    In order to set up the ssh environment, I used Jailkit. You can get it here.


    Installation
    After downloading it, compile and install it:
    Code:
    tar -zxvf jailkit-2.0.tar.gz
    Code:
    cd jailkit-2.0
    Code:
    ./configure
    Code:
    make
    Code:
    sudo make install

    Setting The "Jail" Up
    After you've installed it, it's time to set up the "root" directory (the directory to which the users will be jailed).
    Code:
    sudo mkdir /jail
    Code:
    sudo chown root:root /jail

    Creating the Proper Environment
    The following lines will allow the logged in user to use whichever set of programs you want to allow:
    Code:
    sudo jk_init -v /jail basicshell 
    sudo jk_init -v /jail editors 
    sudo jk_init -v /jail extendedshell 
    sudo jk_init -v /jail netutils 
    sudo jk_init -v /jail ssh 
    sudo jk_init -v /jail sftp

    Creating and Jailing the User
    Code:
    sudo adduser thomas
    Code:
    sudo jk_jailuser -m -j /jail thomas
    In /etc/passwd thomas' line should look something like this:
    Code:
    thomas:x:1001:500::/jail/./home/thomas:/usr/sbin/jk_chrootsh
    Don't forget to set the password while you're at it:
    Code:
    sudo passwd thomas

    Setting Up the Home Directory
    To the users logging in to this secured environment "/jail" will just show up as the "/" directory, so setting up a home directory is also needed:
    Code:
    sudo mkdir -p /jail/home/thomas
    Code:
    sudo chown thomas:thomas /jail/home/thomas

    Passwords
    Edit the /jail/etc/passwd and /jail/etc/group files with your favorite editor and add these lines (the numbers mentioned are the user and group IDs, which you can check by opening the /etc/passwd file and looking for the appropriate user):
    Code:
    sudo vi /jail/etc/group
    
    paste and save this:
    thomas:x:500:
    Code:
    sudo vi /jail/etc/passwd
    
    paste and save this:
    thomas:x:1001:500::/home/thomas:/bin/bash

    One last thing:
    Code:
    sudo cp /home/trawler/.bashrc /jail/home/thomas
    Code:
    sudo chown thomas:thomas /jail/home/thomas/.bashrc
    And that should do it!
    You can check the configuration by "ssh'ing" to your machine:
    Code:
    ssh thomas@localhost
    And make sure everything's ok.

    If anything's gone wrong /var/log/auth.log will give you the needed details:
    Code:
    tail /var/log/auth.log
    Last edited by trawler; September 3rd, 2006 at 02:23 PM.

  2. #2
    Join Date
    Jan 2006
    Beans
    48
    Distro
    Ubuntu

    Re: How to chroot ssh user using Jailkit

    Edited:

    Added instructions for adding the .bashrc file to the new home directory... otherwise you get a funky default [bash] prompt...

  3. #3
    Join Date
    Jul 2006
    Beans
    809

    Re: How to chroot ssh user using Jailkit

    Pretty nice looking. How does jailkit compare to just setting up a minimum system in a folder via debootstrap?

  4. #4
    Join Date
    Jan 2006
    Beans
    48
    Distro
    Ubuntu

    Re: How to chroot ssh user using Jailkit

    Never tried debootstrap, so I can't really comment on it, but I like the versatility and simplicity of jailkit... once you've figured out how to set it, jailing more users with different environments is simply a matter of a couple or more command lines.
    Anyway, it works great for me.

  5. #5
    Join Date
    Jun 2006
    Location
    Timisoara, Romania
    Beans
    156
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: How to chroot ssh user using Jailkit

    Thanks A LOT! I have been looking for a way to jail sftp users and I have been banging my head with a howto but with no success.
    Your HOWTO worked like a charm! Thanks loads!

  6. #6
    Join Date
    Jan 2006
    Beans
    48
    Distro
    Ubuntu

    Re: How to chroot ssh user using Jailkit

    Thanks a bunch *blush*.
    Glad I was able to help.

  7. #7
    Join Date
    Mar 2006
    Beans
    68
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: How to chroot ssh user using Jailkit

    Really excited about this, but it doesn't seem to be working. When I try to run the jk_jailuser command it complains that the shell is missing. Sure enough the entire /jail/usr/sbin directory is missing!

    Code:
    kirk@Spontaneity:~$ sudo adduser community
    Adding user `community'...
    Adding new group `community' (1003).
    Adding new user `community' (1003) with group `community'.
    The home directory `/home/community' already exists. Not copying from `/etc/skel'
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: password updated successfully
    Changing the user information for community
    Enter the new value, or press ENTER for the default
            Full Name []:
            Room Number []:
            Work Phone []:
            Home Phone []:
            Other []:
    Is the information correct? [y/N] y
    So then the failure...
    Code:
    kirk@Spontaneity:~$ sudo jk_jailuser -m -j /jail community
    invalid shell, /jail/usr/sbin/jk_lsh does not exist
    enter jail directory:
    aborted..
    kirk@Spontaneity:~$
    kirk@Spontaneity:~$ ls -l /jail
    total 2
    drwxr-xr-x 2 root root  896 2006-10-19 23:13 bin
    drwxr-xr-x 2 root root   96 2006-10-19 23:13 dev
    drwxr-xr-x 4 root root  408 2006-10-19 23:13 etc
    drwxr-xr-x 2 root root   48 2006-10-19 23:12 home
    drwxr-xr-x 3 root root 1040 2006-10-19 23:13 lib
    drwxr-xr-x 5 root root  120 2006-10-19 23:13 usr
    kirk@Spontaneity:~$
    I've seen no errors other than this following the HOWTO - why is my sbin not being copied over and/or created properly? Any ideas?

  8. #8
    Join Date
    Apr 2006
    Beans
    7

    Re: How to chroot ssh user using Jailkit

    Please bear in mind I have only enough knowledge of jailkit to be dangerous - and anything security related should be properly researched - but try:

    Code:
    sudo jk_init -v /jail jk_lsh
    This ought to copy the 'limited shell' and any associated libraries into your jail. Hope this helps.

  9. #9
    Join Date
    Jan 2006
    Beans
    48
    Distro
    Ubuntu

    Re: How to chroot ssh user using Jailkit

    Another workaround is to follow the tutorial :)

    sudo vi /jail/etc/passwd

    paste and save this:
    thomas:x:1001:500::/home/thomas:/bin/bash
    the default line would be thomas:x:1001:1001:,,,:/home/thomas:/usr/sbin/jk_lsh

    which needs to be changed to:
    thomas:x:1001:1001:,,,:/home/thomas:/bin/bash

  10. #10
    Join Date
    Mar 2006
    Beans
    68
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: How to chroot ssh user using Jailkit

    Indeed, that did the trick - I was able to run the command and get a new error message! But when I try a second time with no changes it lists the user as already jailed. I suppose the only way to test this is to log in as the user and try to get out? But that doesn't sound very robust.

    Code:
    kirk@Spontaneity:~$ sudo jk_init -v /jail jk_lsh
    Password:
    /jail/lib/libnsl.so.1 exists
    /jail/lib/libnss_compat.so.2 exists
    /jail/lib/libnss_files.so.2 exists
    /jail/etc/nsswitch.conf exists
    creating directory /jail/usr/sbin
    copying /usr/sbin/jk_lsh to /jail/usr/sbin/jk_lsh
    /jail/lib/tls/i686/cmov/libc.so.6 exists
    /jail/lib/ld-linux.so.2 exists
    creating directory /jail/etc/jailkit
    copying /etc/jailkit/jk_lsh.ini to /jail/etc/jailkit/jk_lsh.ini
    user root exists in /jail/etc/passwd
    group root exists in /jail/etc/group
    kirk@Spontaneity:~$ sudo jk_jailuser -m -j /jail community
    Traceback (most recent call last):
      File "/usr/sbin/jk_jailuser", line 297, in ?
        main()
      File "/usr/sbin/jk_jailuser", line 288, in main
        jailuser(jail, username, movehome, config)
      File "/usr/sbin/jk_jailuser", line 177, in jailuser
        shutil.copy(oldhome, newhome)
      File "/usr/lib/python2.4/shutil.py", line 81, in copy
        copyfile(src, dst)
      File "/usr/lib/python2.4/shutil.py", line 47, in copyfile
        fsrc = open(src, 'rb')
    IOError: [Errno 21] Is a directory
    kirk@Spontaneity:~$ sudo jk_jailuser -m -j /jail community
    Password:
    home directory /jail/./home/community is already inside the jail
    kirk@Spontaneity:~$
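
Post #10 asks how to test the result other than by logging in. As an added example (not code from the thread or from Jailkit), the script below statically checks that the host and jail passwd entries set up in post #1 agree and that the jail shell actually exists, which is the failure reported in post #7. The function names, the list of checks and the throwaway sample layout are this example's own assumptions; the passwd lines are the ones shown in the thread.

```shell
#!/bin/sh
# Added example: static consistency check for a Jailkit-jailed account.
# Usage: sh check_jail.sh HOST_PASSWD_FILE JAIL_DIR USER   (exit 0 = consistent)
# Function names and the list of checks are this example's own choices.

field() { printf '%s\n' "$1" | cut -d: -f"$2"; }   # Nth colon-separated field

check_jailed_user() {
    hp=$1 jail=$2 user=$3 rc=0
    host=$(grep "^$user:" "$hp") || { echo "FAIL: $user not in $hp"; return 1; }
    jent=$(grep "^$user:" "$jail/etc/passwd") ||
        { echo "FAIL: $user not in $jail/etc/passwd"; return 1; }
    h_home=$(field "$host" 6); h_shell=$(field "$host" 7)
    j_home=$(field "$jent" 6); j_shell=$(field "$jent" 7)

    # Host entry: shell is jk_chrootsh and home is <jail>/./<path inside jail>
    case $h_shell in */jk_chrootsh) ;; *) echo "FAIL: host shell is $h_shell"; rc=1 ;; esac
    case $h_home in "$jail"/./*) ;; *) echo "FAIL: host home $h_home not under $jail/./"; rc=1 ;; esac

    # uid:gid must agree between the host and jail passwd files
    [ "$(field "$host" 3):$(field "$host" 4)" = "$(field "$jent" 3):$(field "$jent" 4)" ] ||
        { echo "FAIL: uid:gid differ between $hp and $jail/etc/passwd"; rc=1; }

    # Jail entry: home is the part after /./; home and shell must exist in the jail
    [ "$jail/.$j_home" = "$h_home" ] || { echo "FAIL: jail home $j_home does not match host entry"; rc=1; }
    [ -d "$jail$j_home" ] || { echo "FAIL: $jail$j_home is missing"; rc=1; }
    [ -x "$jail$j_shell" ] || { echo "FAIL: $jail$j_shell missing or not executable"; rc=1; }
    return $rc
}

# Constructed sample: a throwaway layout under $1 using the thread's passwd lines
make_sample() {
    mkdir -p "$1/jail/etc" "$1/jail/home/thomas" "$1/jail/bin"
    : > "$1/jail/bin/bash" && chmod 755 "$1/jail/bin/bash"   # empty stand-in for bash
    echo "thomas:x:1001:500::$1/jail/./home/thomas:/usr/sbin/jk_chrootsh" > "$1/passwd"
    echo "thomas:x:1001:500::/home/thomas:/bin/bash" > "$1/jail/etc/passwd"
}

if [ "$#" -eq 3 ]; then
    check_jailed_user "$@"          # real use: /etc/passwd /jail thomas
else
    d=$(mktemp -d) && make_sample "$d" &&
        check_jailed_user "$d/passwd" "$d/jail" thomas && echo "sample layout: OK"
    rm -rf "$d"
fi
```

A passing result only shows the account files are consistent; it does not replace a login test with `ssh thomas@localhost` and a look at /var/log/auth.log.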
