Use this tutorial at YOUR OWN RISK!
OK! I’m following the instructions found on AskUbuntu – Simple & easy way to jail users – to install Jailkit.
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar -zxvf jailkit-2.14.tar.gz
cd jailkit-2.14
./configure
make
#IGNORE THIS LINE - this will give us an error, see below -
On make, I got some errors.
make[1]: Entering directory '/tmp/jailkit-2.14/src'
gcc -g -O2 -Wall -pipe -DINIPREFIX=\"/etc/jailkit\" -c -o jk_socketd.o jk_socketd.c
gcc -g -O2 -Wall -pipe -DINIPREFIX=\"/etc/jailkit\" -c -o jk_lib.o jk_lib.c
gcc -g -O2 -Wall -pipe -DINIPREFIX=\"/etc/jailkit\" -c -o utils.o utils.c
gcc -g -O2 -Wall -pipe -DINIPREFIX=\"/etc/jailkit\" -c -o iniparser.o iniparser.c
gcc -lpthread -o jk_socketd jk_socketd.o jk_lib.o utils.o iniparser.o
jk_socketd.o: In function `main':
/tmp/jailkit-2.14/src/jk_socketd.c:474: undefined reference to `pthread_create'
collect2: error: ld returned 1 exit status
Makefile:73: recipe for target 'jk_socketd' failed
make[1]: *** [jk_socketd] Error 1
make[1]: Leaving directory '/tmp/jailkit-2.14/src'
Makefile:41: recipe for target 'all' failed
make: *** [all] Error 2
How I solved this Makefile:41: recipe for target ‘all’ failed error – found the solution on AskUbuntu How to Install Jailkit.
make clean
export LDFLAGS="-pthread"
./configure && make
Then
make install
OK!
We got it installed. Let’s now set up Jailkit.
Let’s create the jail.
mkdir /home/jail
chown root:root /home/jail
Let’s now copy the required files using jk_init.
jk_init -v /home/jail basicshell
jk_init -v /home/jail netutils
jk_init -v /home/jail ssh
jk_init -v /home/jail jk_lsh
Create the user testuser with a home directory and bash shell, and set the password:
useradd -d /home/testuser -m testuser -s /bin/bash
passwd testuser
Now it’s time to jail this user. Use the following command:
jk_jailuser -m -j /home/jail testuser
Verify if your /etc/passwd has something like this:
testuser:x:1001:1001::/home/jail/./home/testuser:/usr/sbin/jk_chrootsh
Enable bash
Copy the bash libraries using jk_cp:
jk_cp -v -f /home/jail /bin/bash
Verify if your /home/jail/etc/passwd has something like this!
testuser:x:1001:1001::/home/testuser:/bin/bash
OK!
Everything should be working now!
Let’s SSH to the server with our jailed user.
ssh testuser@serverip
YAH! I’ve managed to get in, but the connection was closed in a few nanoseconds.
This is what my /var/log/auth.log looks like…
Sep 22 15:09:28 nsXXXXXX sshd[723]: Accepted password for testuser from 84.91.XXX.XXX port 54827 ssh2
Sep 22 15:09:28 nsXXXXXX sshd[723]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Sep 22 15:09:28 nsXXXXXX systemd-logind[883]: New session c314 of user testuser.
Sep 22 15:09:28 nsXXXXXX systemd: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)
Sep 22 15:09:28 nsXXXXXX jk_chrootsh[789]: now entering jail /home/jail for user testuser (1001) with arguments
Sep 22 15:09:29 nsXXXXXX sshd[788]: Received disconnect from 84.91.XXX.XXX: 11: disconnected by user
Sep 22 15:09:29 nsXXXXXX sshd[723]: pam_unix(sshd:session): session closed for user testuser
Sep 22 15:09:29 nsXXXXXX systemd-logind[883]: Removed session c314.
OK!
The line entry on /home/jail/etc/passwd was f*cking it all.
I had
testuser:x:1001:1001::/home/testuser:/usr/sbin/jk_lsh
Should reallllly be (remember this!, I will mention the following line again)
testuser:x:1001:1001::/home/testuser:/bin/bash
Let’s put it that way and try again.
ssh testuser@serverip
Connection was also closed in a few nano-seconds!
Sep 22 15:14:41 nsXXXXXX sshd[1032]: Accepted password for testuser from 84.91.XXX.XXX port 54848 ssh2
Sep 22 15:14:41 nsXXXXXX sshd[1032]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Sep 22 15:14:41 nsXXXXXX systemd-logind[883]: New session c315 of user testuser.
Sep 22 15:14:41 nsXXXXXX systemd: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)
Sep 22 15:14:41 nsXXXXXX jk_chrootsh[1098]: now entering jail /home/jail for user testuser (1001) with arguments
Sep 22 15:14:41 nsXXXXXX jk_chrootsh[1098]: ERROR: failed to execute shell /bin/bash/ for user testuser (1001), check the permissions and libraries of /home/jail//bin/bash/
Sep 22 15:14:41 nsXXXXXX sshd[1097]: Received disconnect from 84.91.XXX.XXX: 11: disconnected by user
Sep 22 15:14:41 nsXXXXXX sshd[1032]: pam_unix(sshd:session): session closed for user testuser
Sep 22 15:14:41 nsXXXXXX systemd-logind[883]: Removed session c315.
WHY?
My /home/jail/etc/passwd had an ending /… like…
testuser:x:1001:1001::/home/testuser:/bin/bash/
I’ve removed that last / and tested the SSH connection and IT WORKED!
I was able to login via SSH.
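A check for the kind of mistake found above, where the shell field in the jail’s passwd file does not point at an executable inside the jail. This is an added example, not part of the original post or of Jailkit; check_jail_passwd and make_sample_jail are hypothetical names, and the sample jail is constructed in a temporary directory.

```sh
#!/bin/sh
# Prints one line per problem in JAIL/etc/passwd; exit status = number of problems.
check_jail_passwd() {
    jail=${1%/}; problems=0; n=0
    [ -r "$jail/etc/passwd" ] || { echo "cannot read $jail/etc/passwd"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        # passwd(5): name:password:UID:GID:GECOS:home:shell -> 7 fields
        nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
        if [ "$nf" -ne 7 ]; then
            echo "line $n: expected 7 fields, found $nf"
            problems=$((problems + 1)); continue
        fi
        user=${line%%:*}; shell=${line##*:}
        home=$(printf '%s\n' "$line" | cut -d: -f6)
        case $shell in
            */) echo "line $n ($user): shell '$shell' ends with '/'"
                problems=$((problems + 1)); continue ;;
            /*) ;;
            *)  echo "line $n ($user): shell '$shell' is not an absolute path"
                problems=$((problems + 1)); continue ;;
        esac
        # The shell is executed after chroot, so it must exist inside the jail.
        if [ ! -f "$jail$shell" ] || [ ! -x "$jail$shell" ]; then
            echo "line $n ($user): $jail$shell is not an executable file"
            problems=$((problems + 1))
        fi
        if [ ! -d "$jail$home" ]; then
            echo "line $n ($user): home $jail$home is not a directory"
            problems=$((problems + 1))
        fi
    done < "$jail/etc/passwd"
    return "$problems"
}

# Constructed sample jail in a temp dir: a stub bash and three passwd entries.
make_sample_jail() {
    d=$(mktemp -d) && mkdir -p "$d/etc" "$d/bin" "$d/home/testuser" || return 1
    printf '#!/bin/sh\n' > "$d/bin/bash" && chmod 755 "$d/bin/bash"
    printf '%s\n' 'testuser:x:1001:1001::/home/testuser:/bin/bash' \
        'slash:x:1002:1002::/home/testuser:/bin/bash/' \
        'short:1003:1003::/home/testuser:/bin/bash' > "$d/etc/passwd"
    echo "$d"
}

sample=$(make_sample_jail)
check_jail_passwd "$sample" || echo "problems found: $?"
rm -rf "$sample"
```

On a real system it would be called as check_jail_passwd /home/jail; it does not check the shell’s shared libraries, which the jk_chrootsh error message also mentions.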
And what about SFTP?
What I really need…!
— BELOW HERE (SFTP) ISN’T WORKING ON MY SERVER —
I’ve tried to connect via SFTP and the connection was refused…
This is the log..
Sep 22 16:46:47 nsXXXXXX sshd[5730]: Accepted password for testuser from 84.91.XXX.XXX port 56229 ssh2
Sep 22 16:46:47 nsXXXXXX sshd[5730]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Sep 22 16:46:47 nsXXXXXX systemd-logind[883]: New session c320 of user testuser.
Sep 22 16:46:48 nsXXXXXX jk_chrootsh[5793]: now entering jail /home/jail for user testuser (1001) with arguments -c /usr/lib/openssh/sftp-server
Sep 22 16:46:48 nsXXXXXX sshd[5792]: Received disconnect from 84.91.XXX.XXX: 11:
Sep 22 16:46:48 nsXXXXXX sshd[5730]: pam_unix(sshd:session): session closed for user testuser
Sep 22 16:46:48 nsXXXXXX systemd-logind[883]: Removed session c320.
OK!
Let’s run the following commands:
jk_init -v -j /home/jail sftp scp
jk_init -v -j /home/jail jk_lsh
Take note of the sftp-server path in the output; it will be used later.
In my /home/jail/etc/passwd I’ve added the following /usr/sbin/jk_lsh.
testuser:1001:1001::/home/testuser:/bin/bash:/usr/sbin/jk_lsh
Then I’ve edited /home/jail/etc/jailkit/jk_lsh.ini, according to Olivier from the Jailkit tutorial and to this post, and added
[testuser]
comment = ssh secure ftp
executables = /usr/lib/openssh/sftp-server #outputted sftp-server path
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
Resources
http://olivier.sessink.nl/jailkit/
http://askubuntu.com/questions/93411/simple-easy-way-to-jail-users
http://askubuntu.com/questions/92856/how-to-install-jailkit
http://www.binarytides.com/setup-jailed-shell-jailkit-ubuntu/
http://lists.gnu.org/archive/html/jailkit-users/2013-03/msg00005.html