September 1st, 2006   #1
trawler
How to chroot ssh users using Jailkit

After setting up my secure ftp server (vsftpd) I needed a solution to allow users to log in, without giving them access to the entire system.

This is my first "How To" so I hope it'll be able to help someone.

In order to set up the ssh environment, I used Jailkit. You can get it here.


Installation
After downloading it, compile and install it:
Code:
tar -zxvf jailkit-2.0.tar.gz
cd jailkit-2.0
./configure
make
sudo make install

Setting The "Jail" Up
After you've installed it, it's time to set up the "root" directory (the directory to which the users will be jailed to).
Code:
sudo mkdir /jail
sudo chown root:root /jail

Creating the Proper Environment
The following lines will allow the logged in user to use whichever set of programs you want to allow:
Code:
sudo jk_init -v /jail basicshell 
sudo jk_init -v /jail editors 
sudo jk_init -v /jail extendedshell 
sudo jk_init -v /jail netutils 
sudo jk_init -v /jail ssh 
sudo jk_init -v /jail sftp

Creating and Jailing the User
Code:
sudo adduser thomas
Code:
sudo jk_jailuser -m -j /jail thomas
In /etc/passwd thomas' line should look something like this:
Code:
thomas:x:1001:500::/jail/./home/thomas:/usr/sbin/jk_chrootsh
Don't forget to set the password while you're at it:
Code:
sudo passwd thomas

Setting Up the Home Directory
To the users logging in to this secured environment "/jail" will just show up as the "/" directory, so setting up a home directory is also needed:
Code:
sudo mkdir -p /jail/home/thomas
sudo chown thomas:thomas /jail/home/thomas

Passwords
Edit the /jail/etc/passwd and /jail/etc/group files with your favorite editor and add these lines (the numbers mentioned are the user and group IDs, which you can check by opening the /etc/passwd file and looking for the appropriate user):
Code:
sudo vi /jail/etc/group

paste and save this:
thomas:x:500:
Code:
sudo vi /jail/etc/passwd

paste and save this:
thomas:x:1001:500::/home/thomas:/bin/bash

One last thing:
Code:
sudo cp /home/trawler/.bashrc /jail/home/thomas
sudo chown thomas:thomas /jail/home/thomas/.bashrc
And that should do it!
You can check the configuration by "ssh'ing" your machine:
Code:
ssh [email protected]
And make sure everything's ok.

If anything's gone wrong /var/log/auth.log will give you the needed details:
Code:
tail /var/log/auth.log

Last edited by trawler; September 3rd, 2006 at 09:23 AM..
September 2nd, 2006   #2
trawler

Edited:

Added instructions for adding the .bashrc file to the new home directory... otherwise you get a funky defaultive [bash] prompt...
September 2nd, 2006   #3
peabody

Pretty nice looking. How does jailkit compare to just setting up a minimum system in a folder via debootstrap?
September 2nd, 2006   #4
trawler

Never tried debootstrap, so I can't really comment on it, but I like the versatility and simplicity of jailkit... once you've figured out how to set it, jailing more users with different environments is simply a matter of a couple or more command lines.
Anyway, it works great for me.
September 19th, 2006   #5
denver

Thanks A LOT! I have been looking for a way to jail sftp users and I have been banging my head with a howto but with no success.
Your HOWTO worked like a charm! Thanks loads!
September 30th, 2006   #6
trawler

Thanks a bunch *blush*.
Glad I was able to help.
October 20th, 2006   #7
Clochard

Really excited about this, but it doesn't seem to be working. When I try to run the jk_jailuser command it complains that the shell is missing. Sure enough the entire /jail/usr/sbin directory is missing!

Code:
[email protected]:~$ sudo adduser community
Adding user `community'...
Adding new group `community' (1003).
Adding new user `community' (1003) with group `community'.
The home directory `/home/community' already exists. Not copying from `/etc/skel'
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for community
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [y/N] y
So then the failure...
Code:
[email protected]:~$ sudo jk_jailuser -m -j /jail community
invalid shell, /jail/usr/sbin/jk_lsh does not exist
enter jail directory:
aborted..
[email protected]:~$
[email protected]:~$ ls -l /jail
total 2
drwxr-xr-x 2 root root  896 2006-10-19 23:13 bin
drwxr-xr-x 2 root root   96 2006-10-19 23:13 dev
drwxr-xr-x 4 root root  408 2006-10-19 23:13 etc
drwxr-xr-x 2 root root   48 2006-10-19 23:12 home
drwxr-xr-x 3 root root 1040 2006-10-19 23:13 lib
drwxr-xr-x 5 root root  120 2006-10-19 23:13 usr
[email protected]:~$
I've seen no errors other than this following the HOWTO - why is my sbin not being copied over and/or created properly? Any ideas?
October 20th, 2006   #8
tintax

Please bear in mind I have only enough knowledge of jailkit to be dangerous - and anything security related should be properly researched - but try:

Code:
sudo jk_init -v /jail jk_lsh
This ought to copy the 'limited shell' and any associated libraries into your jail. Hope this helps.
October 21st, 2006   #9
trawler

Another workaround is to follow the tutorial :)

Quote:
sudo vi /jail/etc/passwd

paste and save this:
thomas:x:1001:500::/home/thomas:/bin/bash
The default line would be thomas:x:1001:1001:,,,:/home/thomas:/usr/sbin/jk_lsh

which needs to be changed to:
thomas:x:1001:1001:,,,:/home/thomas:/bin/bash
October 21st, 2006   #10
Clochard

Indeed, that did the trick - I was able to run the command and get a new error message! But when I try a second time with no changes it lists the user as already jailed. I suppose the only way to test this is to log in as the user and try to get out? But that doesn't sound very robust.

Code:
[email protected]:~$ sudo jk_init -v /jail jk_lsh
Password:
/jail/lib/libnsl.so.1 exists
/jail/lib/libnss_compat.so.2 exists
/jail/lib/libnss_files.so.2 exists
/jail/etc/nsswitch.conf exists
creating directory /jail/usr/sbin
copying /usr/sbin/jk_lsh to /jail/usr/sbin/jk_lsh
/jail/lib/tls/i686/cmov/libc.so.6 exists
/jail/lib/ld-linux.so.2 exists
creating directory /jail/etc/jailkit
copying /etc/jailkit/jk_lsh.ini to /jail/etc/jailkit/jk_lsh.ini
user root exists in /jail/etc/passwd
group root exists in /jail/etc/group
[email protected]:~$ sudo jk_jailuser -m -j /jail community
Traceback (most recent call last):
  File "/usr/sbin/jk_jailuser", line 297, in ?
    main()
  File "/usr/sbin/jk_jailuser", line 288, in main
    jailuser(jail, username, movehome, config)
  File "/usr/sbin/jk_jailuser", line 177, in jailuser
    shutil.copy(oldhome, newhome)
  File "/usr/lib/python2.4/shutil.py", line 81, in copy
    copyfile(src, dst)
  File "/usr/lib/python2.4/shutil.py", line 47, in copyfile
    fsrc = open(src, 'rb')
IOError: [Errno 21] Is a directory
[email protected]:~$ sudo jk_jailuser -m -j /jail community
Password:
home directory /jail/./home/community is already inside the jail
[email protected]:~$
Clochard is offline   Reply With Quote
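
Added example (not part of any post in this thread): a static check of the setup described in the tutorial, which also catches the missing-shell failure reported in post #7 without logging in as the jailed user. The function names and script layout are assumptions; the paths /jail and /usr/sbin/jk_chrootsh and the passwd line formats are the ones shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: static checks on a Jailkit jail.

# field USER FILE N: print field N of USER's line in a passwd-format file.
field() {
    awk -F: -v u="$1" -v n="$3" '$1 == u { print $n; exit }' "$2"
}

# check_jail_root DIR [UID]: DIR must be owned by UID (default 0, root) and
# must not be writable by group or others.
check_jail_root() {
    owner=$(stat -c %u "$1") && mode=$(stat -c %a "$1") || return 1
    [ "$owner" = "${2:-0}" ] || { echo "FAIL: $1 is owned by uid $owner"; return 1; }
    case "$mode" in
        *[2367]?|*[2367]) echo "FAIL: $1 mode $mode is group/other-writable"; return 1 ;;
    esac
}

# check_jailed_user USER HOST_PASSWD JAIL: compare the host entry with the
# entry inside the jail. Returns 0 only if every check passes.
check_jailed_user() {
    user=$1 hp=$2 jail=$3 jp=$3/etc/passwd rc=0
    h_ids=$(field "$user" "$hp" 3):$(field "$user" "$hp" 4)
    h_home=$(field "$user" "$hp" 6)
    h_shell=$(field "$user" "$hp" 7)
    [ -f "$jp" ] || { echo "FAIL: $jp does not exist"; return 1; }
    j_ids=$(field "$user" "$jp" 3):$(field "$user" "$jp" 4)
    j_home=$(field "$user" "$jp" 6)
    j_shell=$(field "$user" "$jp" 7)

    # Host side: login shell is jk_chrootsh, home is <jail>/./<path>.
    [ "$h_shell" = /usr/sbin/jk_chrootsh ] ||
        { echo "FAIL: host shell is '$h_shell'"; rc=1; }
    # Jail side: entry exists, same uid:gid, home matches, shell is present.
    [ "$j_ids" != : ] || { echo "FAIL: $user not in $jp"; return 1; }
    [ "$h_ids" = "$j_ids" ] ||
        { echo "FAIL: uid:gid host=$h_ids jail=$j_ids"; rc=1; }
    [ "$h_home" = "$jail/./${j_home#/}" ] ||
        { echo "FAIL: host home '$h_home' does not map to '$j_home'"; rc=1; }
    [ -x "$jail$j_shell" ] ||
        { echo "FAIL: shell $j_shell is missing from $jail"; rc=1; }
    return $rc
}

# Stand-alone use with the thread's paths: sh jailcheck.sh thomas
if [ $# -ge 1 ]; then
    check_jail_root /jail && check_jailed_user "$1" /etc/passwd /jail &&
        echo "OK: $1"
fi
```

These checks only confirm that the configuration is consistent; they complement, rather than replace, reading /var/log/auth.log after a real login.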