How to create a chroot ssh user in Ubuntu

On my server I want to create accounts that can log in over SSH but are confined to a chroot environment. Searching the internet for tools I found Jailkit. In this post I describe how I installed Jailkit on Ubuntu Server 9.10, how I created a jail and how users are added to it. Note that most commands in this tutorial must be executed as root (via su or sudo).

Jailkit installation

First I installed Jailkit by using the following commands:

Setting up the jail

Now it’s time to set up the jail directory. Jailed users will see this directory as the root directory of the server. It must be owned by root and must not be writable by group or other, otherwise jk_init and jk_chrootsh refuse to use it. I chose to use /home/jail:

By using the jk_init command you populate the jail with the binaries, libraries and device nodes a section needs. In this tutorial the basicshell, netutils, ssh and jk_lsh (limited shell) sections are installed:

Add a user

Add a new user with a home directory and bash as its shell, and don’t forget to set a password:

Now it’s time to jail this user. The -m option moves the existing home directory into the jail:

Your /etc/passwd should now contain a line like the one below. Note the two parts of the home directory field: the jail root, then /./, then the path as seen from inside the jail. jk_chrootsh uses that /./ marker to decide where to chroot, and it is jk_chrootsh, set as the login shell in the real /etc/passwd, that actually performs the chroot:

Enable bash

jk_cp copies /bin/bash, together with the shared libraries it depends on, into the jail:

Now edit the /home/jail/etc/passwd file (the passwd file the jailed user sees, which jk_jailuser fills with the limited shell jk_lsh by default) and make sure it contains a line like this, with /bin/bash as the shell:

Also make sure the user’s group exists in /home/jail/etc/group, otherwise name lookups inside the jail fail:

Now try to log in as testuser. If it fails, look for errors in /var/log/auth.log.

Maintenance

jk_update copies files that were updated on the real system (a patched libc, for instance) into the jail, so a jail does not silently keep running outdated binaries. A dry run with the -d argument shows what would change without touching the jail:

Without the -d argument the update is actually performed. More maintenance operations can be found here.

Troubleshooting

Make sure the jailed user has a home directory inside the jail, in /home/jail/home. If not, create one and give it to the user:
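The steps above as one script, plus a pre-flight check for the failures that the comments below report (jail root writable by group or other, a host passwd entry that does not chroot, a user missing from the jail’s own passwd or group, a missing home directory). This is an added example, not the commands from the post or from the Jailkit project; it assumes Jailkit is installed, the jail root is /home/jail and the user is testuser, and the setup and update functions must run as root on the target host. The check_jail function only reads files, so it can be run against any directory; its optional fourth argument is the expected owner of the jail root (root by default).

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumptions: Jailkit is
# installed, the jail root is /home/jail, the user is testuser, and
# "setup" and "update" are run as root.
set -eu

JAIL=/home/jail
JUSER=testuser

# Step 1: the jail root. jk_init and jk_chrootsh refuse a jail directory
# that is writable by group or other, so it must be root-owned and 0755.
create_jail_root() {
    mkdir -p "$JAIL"
    chown root:root "$JAIL"
    chmod 0755 "$JAIL"
}

# Step 2: populate the jail with the sections used in the post.
populate_jail() {
    jk_init -v "$JAIL" basicshell netutils ssh jk_lsh
}

# Step 3: create the user on the host, then jail it. -m moves the existing
# home directory under $JAIL/home. jk_jailuser gives the user jk_lsh inside
# the jail, so the shell field of the jail's own passwd is switched to bash.
create_and_jail_user() {
    useradd -m -s /bin/bash "$JUSER"
    passwd "$JUSER"
    jk_jailuser -m -j "$JAIL" "$JUSER"
    jk_cp -v -f "$JAIL" /bin/bash        # bash plus the libraries it needs
    sed -i "s|^\($JUSER:.*\):[^:]*$|\1:/bin/bash|" "$JAIL/etc/passwd"
}

# Maintenance: copy files updated on the host into the jail.
# "update_jail -d" only reports what would change; "update_jail" applies it.
update_jail() {
    jk_update "$@" "$JAIL"
}

# Pre-flight check. Arguments: jail dir, the host's passwd file, the user,
# and optionally the expected owner of the jail root (root by default).
# Returns 0 when everything is in place, otherwise prints each problem
# and returns 1.
check_jail() {
    jail=$1; hostpw=$2; user=$3; want_owner=${4:-root}; rc=0

    [ -d "$jail" ] || { echo "jail root $jail does not exist"; return 1; }

    # Ownership and mode of the jail root (GNU stat, as on Ubuntu).
    mode=$(stat -c %a "$jail")
    owner=$(stat -c %U "$jail")
    [ "$owner" = "$want_owner" ] \
        || { echo "jail root owned by $owner, expected $want_owner"; rc=1; }
    case "$mode" in
        *[2367]?|*[2367]) echo "jail root is writable by group or other (mode $mode)"; rc=1 ;;
    esac

    # Host passwd entry: home must be <jail>/./<path inside jail> and the
    # shell must be jk_chrootsh, otherwise no chroot happens at all.
    entry=$(grep "^$user:" "$hostpw" || true)
    [ -n "$entry" ] || { echo "$user not found in $hostpw"; return 1; }
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case "$home" in
        "$jail/./"*) ;;
        *) echo "home '$home' should be $jail/./<dir inside jail>"; rc=1 ;;
    esac
    case "$shell" in
        */jk_chrootsh) ;;
        *) echo "shell '$shell' should be /usr/sbin/jk_chrootsh"; rc=1 ;;
    esac

    # Inside the jail: the home directory, and the user's passwd and group
    # entries (without them bash shows the prompt as "I have no name!").
    inner=${home#"$jail/."}
    [ -d "$jail$inner" ] || { echo "missing home directory $jail$inner"; rc=1; }
    grep -q "^$user:" "$jail/etc/passwd" 2>/dev/null \
        || { echo "$user missing from $jail/etc/passwd"; rc=1; }
    grep -q "^[^:]*:[^:]*:$gid:" "$jail/etc/group" 2>/dev/null \
        || { echo "group $gid missing from $jail/etc/group"; rc=1; }
    return $rc
}

case "${1:-}" in
    setup)  create_jail_root; populate_jail; create_and_jail_user ;;
    update) shift; update_jail "$@" ;;
    check)  check_jail "$JAIL" /etc/passwd "$JUSER" ;;
esac
```

Run it as `sh jail.sh setup` once, `sh jail.sh check` whenever a jailed login misbehaves, and `sh jail.sh update -d` after host package upgrades to see which jailed binaries are stale. The check deliberately inspects the real /etc/passwd rather than the jail’s copy: the shell field there decides whether the chroot happens at all, which is why a user whose host entry still says /bin/bash can walk all the way up to /.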

References

21 thoughts on “How to create a chroot ssh user in Ubuntu”

  1. typo error here
    testuser:x:1003:1004::/home/jail/./home/testuser:/user/sbin/jk_chrootsh

    it should be as:
    testuser:x:1003:1004::/home/jail/./home/testuser:/usr/sbin/jk_chrootsh

    note not -> /user/sbin/jk_chrootsh
    it’s
    /usr/sbin/jk_chrootsh

  2. Followed this step-by-step, but when logging in as the user, I’m immediately kicked out. I can’t see what’s causing it at all.

  3. I’m also having the same problem as Corey. The auth.log shows nothing, and I was sure to follow the steps in your troubleshooting.

  4. Very strange problem, I haven’t seen it before. I read on a forum that all the directories inside the jail (i.e. bin, dev, etc, home, lib, usr, var) must have root as owner. Good luck and let me know if it works!

  5. I found out my problem. I removed the original thing in the passwd and added testuser:x:1003:1004::/home/testuser:/bin/bash. I originally had two things going at the same time and that’s what made me instantly logoff. I’m still a beginner with this linux stuff, but I’m glad you took the time to make this amazing write up. It works great.

  6. Hi, I tested your tutorial and it works for one part; about the other part I have some questions.
    This step:
    jk_jailuser -m -j /home/jail testuser is ok
    /home/testuser moved to /home/jail/home
    And this :
    Your /etc/passwd should contain something like this now:

    testuser:x:1003:1004::/home/jail/./home/testuser:/usr/sbin/jk_chrootsh is OK, same lines.

    And this, jk_cp -v -f /home/jail /bin/bash, is OK.

    But on this step :
    Now edit the /home/jail/etc/passwd file and make sure it contains something like this:

    testuser:x:1003:1004::/home/testuser:/bin/bash

    It is not like this, but like this:
    testuser:x:1002:1002::/home/testuser:/usr/sbin/jk_lsh

    Do I need to edit it to set /bin/bash by hand?

    This step is OK, the same line exists.
    Also make sure the group exists in /home/jail/etc/group:

    testuser:x:1004:

    And the second question is: if I add another user to the jail and log in with the first or second user over ssh, I can see the other users’ directories in /home/jail/home/. That is no problem, I can change it, but I can see all files? I know that if I set it read-only for the user with chmod 750 it is OK, but what if it is a web server and public_html or other files need to be readable by the system? How do I set that?
    Thank you.

  7. Hi linuxman,
    Yes, you can set /bin/bash by hand; jk_lsh is a limited shell (see this page for details). It depends on your needs which shell is best for a specific user.
    About your second question: you can indeed use chmod to prevent users from accessing other users’ home directories. For a web server I actually have no idea. This is not only a Jailkit issue, so there are probably forums or sites describing this problem for non-jailed users.

  8. Hello! I’m just trying this now to be able to give web users SSH access [if, say, they want to edit a Ruby application on my servers]. I managed to get the initial steps done, but when I try these steps:

    # jk_init -v /home/jail basicshell
    # jk_init -v /home/jail netutils
    # jk_init -v /home/jail ssh
    # jk_init -v /home/jail jk_lsh

    I’m not having any luck. I get an error that says /home/jail is writable by group or other and that it’s not safe. Am I doing something wrong?

    Thanks!

  9. I followed these directions exactly. The account is created fine and I can login, but I can also traverse all the way up to the root of the hard drive (/). How can I lock a user into his directory?

  10. When I log in to the system as the jailed user I get “I have no name!@server:~$” instead of a real username. Any ideas how to solve this problem?

  11. Thanks a lot for the write up, it helped me out a lot. I am new to all of this and am trying to setup a local server for student access. Everything seems to be working for “testuser” but I keep receiving these five lines of output after certain commands, but not all of them. Any ideas? This was inside of /home/jail/home/ while logged in as testuser

    testuser@rails /$ ls
    testuser testfolder
    bash: dirname: command not found
    bash: dirname: command not found
    bash: [: =: unary operator expected
    bash: basename: command not found
    bash: basename: command not found

  12. Hi, maybe these commands are not part of the bash library, do you have problems with other common commands?

  13. Sorry for the delay. Yes, I have problems with other common commands too. Did I limit the users too much? I can’t seem to run anything from within the jail. How can I go about adding these commands to the jail?
