On my server I want to create accounts that can log in over SSH into a chroot environment. Searching the internet for tools I found Jailkit. In this post I describe how I installed Jailkit on Ubuntu server 9.10, created a jail and added users to the jail. Note that most commands in this tutorial must be executed as root (via su or sudo).
Jailkit installation
First I installed Jailkit by using the following commands:
# cd /tmp
# wget http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
# tar -zxvf jailkit-2.11.tar.gz
# cd jailkit-2.11
# ./configure
# make
# make install
Setting up the jail
Now it’s time to set up the jail directory. Jailed users will see this directory as the root directory of the server. I chose to use /home/jail:
# mkdir /home/jail
# chown root:root /home/jail
The jail is populated with the jk_init command. In this tutorial the basicshell, netutils, ssh and jk_lsh (limited shell) sections are installed:
# jk_init -v /home/jail basicshell
# jk_init -v /home/jail netutils
# jk_init -v /home/jail ssh
# jk_init -v /home/jail jk_lsh
Add a user
Add a new user with a home directory and bash shell, and don’t forget to change the password:
# useradd -d /home/testuser -m testuser -s /bin/bash
# passwd testuser
Now jail this user with the following command:
# jk_jailuser -m -j /home/jail testuser
Your /etc/passwd should contain something like this now:
testuser:x:1003:1004::/home/jail/./home/testuser:/usr/sbin/jk_chrootsh
Enable bash
With jk_cp, bash and the libraries it depends on are copied into the jail:
# jk_cp -v -f /home/jail /bin/bash
Now edit the /home/jail/etc/passwd file and make sure it contains something like this:
testuser:x:1003:1004::/home/testuser:/bin/bash
Also make sure the group exists in /home/jail/etc/group:
testuser:x:1004:
Now try to log in as testuser. Look for errors in /var/log/auth.log.
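The last three steps (jk_jailuser, jk_cp, then editing /home/jail/etc/passwd and /home/jail/etc/group by hand) can be scripted. The script below is an added example, not part of the original post or of Jailkit: it derives the jail's passwd and group entries from the host /etc/passwd line that jk_jailuser wrote, keeps the UID and GID identical (inside the chroot, names are resolved from the jail's own /etc/passwd), strips the jail prefix from the home directory, checks that the requested shell was already copied into the jail, and appends the entries only if they are missing. The function names, the optional host-file arguments and the testuser line used in the demo are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): derive the entries that the
# jail's own /etc/passwd and /etc/group need from the line jk_jailuser wrote
# into the host's /etc/passwd, and append them if they are not there yet.
# Inside the chroot, name lookups read /home/jail/etc/passwd, so UID and GID
# must match the host entry exactly; only the home path (jail prefix dropped)
# and the shell change. Usage: sync_jail_user /home/jail testuser /bin/bash
# The optional 4th/5th arguments (host passwd and group files) default to
# /etc/passwd and /etc/group and exist so the functions can be exercised on
# constructed files. The host line in the demo at the bottom is constructed.

# jail_passwd_entry HOST_LINE JAIL SHELL -> the line for $JAIL/etc/passwd
jail_passwd_entry() {
    host_line=$1; jail=$2; shell=$3
    name=$(printf '%s\n' "$host_line" | cut -d: -f1)
    uid=$(printf '%s\n' "$host_line" | cut -d: -f3)
    gid=$(printf '%s\n' "$host_line" | cut -d: -f4)
    gecos=$(printf '%s\n' "$host_line" | cut -d: -f5)
    home=$(printf '%s\n' "$host_line" | cut -d: -f6)
    # jk_jailuser records the home as /home/jail/./home/testuser; everything
    # after the "/." marker is the path the user sees once chrooted.
    case $home in
        "$jail"/./*) home=${home#"$jail"/.} ;;
        "$jail"/*)   home=${home#"$jail"} ;;
    esac
    printf '%s:x:%s:%s:%s:%s:%s\n' "$name" "$uid" "$gid" "$gecos" "$home" "$shell"
}

# jail_group_entry HOST_GROUP_LINE -> the line for $JAIL/etc/group
# (same name and GID; the member list is left empty, as in the post)
jail_group_entry() {
    name=$(printf '%s\n' "$1" | cut -d: -f1)
    gid=$(printf '%s\n' "$1" | cut -d: -f3)
    printf '%s:x:%s:\n' "$name" "$gid"
}

# append_if_missing FILE LINE -> appends LINE unless FILE already has an entry
# with the same name, so re-running never produces duplicate entries
append_if_missing() {
    key=${2%%:*}
    grep -q "^$key:" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# sync_jail_user JAIL USER SHELL [HOST_PASSWD] [HOST_GROUP]
# Returns 1 (with a message on stderr) when a precondition is not met.
sync_jail_user() {
    jail=$1; user=$2; shell=$3
    host_passwd=${4:-/etc/passwd}; host_group=${5:-/etc/group}

    host_line=$(grep "^$user:" "$host_passwd") ||
        { echo "$user: no entry in $host_passwd (run jk_jailuser first)" >&2; return 1; }
    gid=$(printf '%s\n' "$host_line" | cut -d: -f4)
    group_line=$(awk -F: -v g="$gid" '$3 == g' "$host_group" | head -n 1)
    [ -n "$group_line" ] ||
        { echo "gid $gid: no entry in $host_group" >&2; return 1; }
    # The shell must already exist inside the jail (jk_cp -f JAIL /bin/bash).
    [ -x "$jail$shell" ] ||
        { echo "$shell: not present inside $jail, copy it with jk_cp first" >&2; return 1; }

    append_if_missing "$jail/etc/passwd" "$(jail_passwd_entry "$host_line" "$jail" "$shell")"
    append_if_missing "$jail/etc/group"  "$(jail_group_entry "$group_line")"
}

# With three or more arguments do the real work; otherwise show the derived
# passwd line for a constructed host entry.
if [ $# -ge 3 ]; then
    sync_jail_user "$@"
else
    jail_passwd_entry 'testuser:x:1003:1004::/home/jail/./home/testuser:/usr/sbin/jk_chrootsh' /home/jail /bin/bash
fi
```

Run it as root with `sh sync_jail_user.sh /home/jail testuser /bin/bash` after jk_jailuser and jk_cp; because the entries are only appended when absent, it is safe to run again for every new user.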
Maintenance
With jk_update, files that have been updated on the real system are updated inside the jail as well. A dry run shows what would be changed:
# jk_update -j /home/jail -d
Without the -d argument the update is actually performed. More maintenance operations can be found here.
Troubleshooting
Make sure the jailed user has a home directory in /home/jail/home. If not, create one:
# mkdir -p /home/jail/home/testuser
# chown testuser:testuser /home/jail/home/testuser
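Most login failures with a chroot come down to a handful of conditions that are easy to verify before reading auth.log: the jail tree must be root-owned and not writable by group or other (jk_init refuses to populate such a directory), the user must have an entry in the jail's /etc/passwd with the same UID and GID as on the host (bash shows "I have no name!" when the UID cannot be resolved inside the chroot), the group must exist in the jail's /etc/group, the shell named in that entry must exist inside the jail, and the home directory must exist inside the jail and belong to the user. The read-only check below is an added example, not part of the original post or of Jailkit; the function names and the optional trailing arguments (host passwd file, host group file, expected owner UID of the jail tree, added only so the check can be exercised on a constructed tree without root) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only sanity check of a
# Jailkit chroot against the conditions that make jailed logins fail.
# Usage: check_jail /home/jail testuser
# It prints one line per problem and returns the number of problems found.
# The optional 3rd/4th/5th arguments (host passwd file, host group file,
# expected owner UID of the jail tree) default to /etc/passwd, /etc/group
# and 0; they exist so the check can run on a constructed tree without root.

# owned_by_uid PATH UID -> 0 when PATH belongs to UID (ls -n prints numeric ids)
owned_by_uid() {
    [ "$(ls -ldn "$1" | awk '{print $3}')" = "$2" ]
}

# not_group_or_other_writable PATH -> 0 when neither the group nor the other
# write bit is set (columns 6 and 9 of the ls -l mode string)
not_group_or_other_writable() {
    case $(ls -ldn "$1" | cut -c1-10) in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# field FILE NAME N -> prints field N of NAME's line in a passwd/group file;
# fails when NAME has no entry
field() {
    awk -F: -v n="$2" -v f="$3" '$1 == n {print $f; ok = 1} END {exit ok ? 0 : 1}' "$1" 2>/dev/null
}

# check_jail JAIL USER [HOST_PASSWD] [HOST_GROUP] [OWNER_UID]
check_jail() {
    jail=$1; user=$2
    host_passwd=${3:-/etc/passwd}; host_group=${4:-/etc/group}; owner=${5:-0}
    problems=0

    # jk_init refuses a jail that is writable by group or other, and the
    # directories inside the jail are expected to be owned by root.
    for d in "$jail" "$jail"/*; do
        [ -d "$d" ] || continue
        owned_by_uid "$d" "$owner" ||
            { echo "$d: not owned by uid $owner"; problems=$((problems + 1)); }
        not_group_or_other_writable "$d" ||
            { echo "$d: writable by group or other"; problems=$((problems + 1)); }
    done

    host_uid=$(field "$host_passwd" "$user" 3) ||
        { echo "$user: no entry in $host_passwd"; return $((problems + 1)); }
    host_gid=$(field "$host_passwd" "$user" 4)

    # Inside the chroot the UID is resolved through the jail's own passwd file;
    # a missing or mismatching entry is what produces the "I have no name!" prompt.
    if jail_uid=$(field "$jail/etc/passwd" "$user" 3); then
        jail_gid=$(field "$jail/etc/passwd" "$user" 4)
        jail_home=$(field "$jail/etc/passwd" "$user" 6)
        jail_shell=$(field "$jail/etc/passwd" "$user" 7)
        [ "$jail_uid:$jail_gid" = "$host_uid:$host_gid" ] ||
            { echo "$user: jail uid/gid $jail_uid:$jail_gid differs from host $host_uid:$host_gid"; problems=$((problems + 1)); }
        [ -x "$jail$jail_shell" ] ||
            { echo "$user: shell $jail_shell is missing inside the jail (copy it with jk_cp)"; problems=$((problems + 1)); }
        if [ -d "$jail$jail_home" ]; then
            owned_by_uid "$jail$jail_home" "$host_uid" ||
                { echo "$user: home $jail_home inside the jail is not owned by uid $host_uid"; problems=$((problems + 1)); }
        else
            echo "$user: home $jail_home is missing inside the jail"; problems=$((problems + 1))
        fi
    else
        echo "$user: no entry in $jail/etc/passwd"; problems=$((problems + 1))
    fi

    awk -F: -v g="$host_gid" '$3 == g {ok = 1} END {exit ok ? 0 : 1}' "$jail/etc/group" 2>/dev/null ||
        { echo "gid $host_gid: no entry in $jail/etc/group"; problems=$((problems + 1)); }

    return "$problems"
}

# Run the check when invoked with a jail path and a user name.
[ $# -ge 2 ] && check_jail "$@"
```

Run `sh check_jail.sh /home/jail testuser` as root; an exit status of 0 means none of the listed conditions is violated, so the remaining place to look is /var/log/auth.log.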
Typo here:
testuser:x:1003:1004::/home/jail/./home/testuser:/user/sbin/jk_chrootsh
it should be as:
testuser:x:1003:1004::/home/jail/./home/testuser:/usr/sbin/jk_chrootsh
Note: not /user/sbin/jk_chrootsh, it's /usr/sbin/jk_chrootsh.
Thanks, fixed!
Followed this step-by-step, but when logging in as the user, I'm immediately kicked out. I can't see what's causing it at all.
I'm also having the same problem as Corey. The auth.log shows nothing, and I was sure to follow the steps in your troubleshooting.
Very strange problem, I haven’t seen it before. I read on a forum that all the directories inside the jail (i.e. bin, dev, etc, home, lib, usr, var) must have root as owner. Good luck and let me know if it works!
I found out my problem. I removed the original thing in the passwd and added testuser:x:1003:1004::/home/testuser:/bin/bash. I originally had two things going at the same time and that’s what made me instantly logoff. I’m still a beginner with this linux stuff, but I’m glad you took the time to make this amazing write up. It works great.
Hi, I tested your tutorial and it works for one part; about another part I have some questions.
This step
jk_jailuser -m -j /home/jail testuser is OK.
/home/testuser moved to /home/jail/home
And this :
Your /etc/passwd should contain something like this now:
testuser:x:1003:1004::/home/jail/./home/testuser:/usr/sbin/jk_chrootsh is OK, same lines.
And this jk_cp -v -f /home/jail /bin/bash is OK.
But on this step:
Now edit the /home/jail/etc/passwd file and make sure it contains something like this:
testuser:x:1003:1004::/home/testuser:/bin/bash
It is not like this but like this:
testuser:x:1002:1002::/home/testuser:/usr/sbin/jk_lsh
And I need to edit it to set /bin/bash by hand?
This step is OK, the same line exists.
Also make sure the group exists in /home/jail/etc/group:
testuser:x:1004:
And the second question is, if I add another user to the jail and log in with the first or second user with ssh, I can see the other users' directories in /home/jail/home/, no problem, I can change it but I can see all files? I know if I set it read-only for the user it is OK, chmod 750, but if it is a web server and public_html or other files need to be readable by the system? How do I set it?
Thank you .
Hi linuxman,
Yes you can set /bin/bash by hand, jk_lsh is a limited shell (see this page for details). It depends on your needs which shell is best for a specific user.
About your second question, you can use chmod to prevent users access other users home directories indeed. For a webserver I have actually no idea. This is not only a jailkit issue so there are probably forums or sites describing this problem for non jailed users.
Hello! I'm just trying this now to be able to give web users SSH access [if, say, they want to edit a ruby application on my servers]. I managed to get the initial steps done, but when I try these steps:
# jk_init -v /home/jail basicshell
# jk_init -v /home/jail netutils
# jk_init -v /home/jail ssh
# jk_init -v /home/jail jk_lsh
I'm not having any luck. I get an error that says /home/jail is writable by group or other and that it's not safe. Am I doing something wrong?
Thanks!
Hi, I've never seen this error. Maybe you should contact the Jailkit mailing list: http://olivier.sessink.nl/jailkit/index.html#contact
Hey man, thanks! It helped me very much.
When I try to execute: jk_init -v /home/jail ssh
nothing happens... when I change the permissions of jail/ to 750, jk_init works.
I followed these directions exactly. The account is created fine and I can log in, but I can also traverse all the way up to the root of the hard drive (/). How can I lock a user into his directory?
Be very, very careful with # jk_cp -v -f /home/jail /bin/bash
It destroyed everything for me!
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629534
When I log in to the system with the jailed user I get "I have no name!@server:~$" instead of a real username. Any ideas how to solve this problem?
I haven’t seen this problem before, I don’t know how to fix it.
Thanks a lot for the write-up, it helped me out a lot. I am new to all of this and am trying to set up a local server for student access. Everything seems to be working for "testuser" but I keep receiving these five lines of output after certain commands, but not all of them. Any ideas? This was inside of /home/jail/home/ while logged in as testuser:
testuser@rails /$ ls
testuser testfolder
bash: dirname: command not found
bash: dirname: command not found
bash: [: =: unary operator expected
bash: basename: command not found
bash: basename: command not found
Hi, maybe these commands are not part of the bash library. Do you have problems with other common commands?
Sorry for the delay. Yes, I have problems with other common commands too. Did I limit the users too much? I can’t seem to run anything from within the jail. How can I go about adding these commands to the jail?
Are you sure you executed the “Enable bash” section of my post?
The problem is that jk_lsh doesn't like to work; if you put /bin/bash or similar in, it will allow you to connect.