Installing Jailkit on a fresh Ubuntu

Use this tutorial on YOUR OWN RISK!

OK!, I’m following the instructions found on Askubuntu – Simple & easy way to jail users to install Jailkit.

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar -zxvf jailkit-2.14.tar.gz
cd jailkit-2.14
./configure
make #IGNORE THIS LINE - this will give us an error see bellow -

On make, I some errors errors.

make[1]: Entering directory '/tmp/jailkit-2.14/src'
gcc -g -O2 -Wall -pipe -DINIPREFIX=\"/etc/jailkit\" -c -o jk_socketd.o jk_socketd.c
gcc -g -O2 -Wall -pipe -DINIPREFIX=\"/etc/jailkit\" -c -o jk_lib.o jk_lib.c
gcc -g -O2 -Wall -pipe -DINIPREFIX=\"/etc/jailkit\" -c -o utils.o utils.c
gcc -g -O2 -Wall -pipe -DINIPREFIX=\"/etc/jailkit\" -c -o iniparser.o iniparser.c
gcc -lpthread -o jk_socketd jk_socketd.o jk_lib.o utils.o iniparser.o
jk_socketd.o: In function `main':
/tmp/jailkit-2.14/src/jk_socketd.c:474: undefined reference to `pthread_create'
collect2: error: ld returned 1 exit status
Makefile:73: recipe for target 'jk_socketd' failed
make[1]: *** [jk_socketd] Error 1
make[1]: Leaving directory '/tmp/jailkit-2.14/src'
Makefile:41: recipe for target 'all' failed
make: *** [all] Error 2

How I solved this Makefile:41: recipe for target ‘all’ failed error – found the solution on AskUbuntu How to Install Jailkit.

make clean
export LDFLAGS="-pthread"
./configure && make

Then

make install

OK!
We got it installed. Let’s now setup jailkit.

Lets create the jail.

mkdir /home/jail
chown root:root /home/jail

Lets now copy the required files using jk_init.

jk_init -v /home/jail basicshell
jk_init -v /home/jail netutils
jk_init -v /home/jail ssh
jk_init -v /home/jail jk_lsh

Create the user user with a home directory and bash shell, and set the password:

useradd -d /home/testuser -m testuser -s /bin/bash
passwd testuser

Now it’s time to jail this user, use the following command:

jk_jailuser -m -j /home/jail testuser

Verify if your /etc/passwd has something like this:

testuser:x:1001:1001::/home/jail/./home/testuser:/usr/sbin/jk_chrootsh

Enable bash

Copy the  bash libraries usng jk_cp:

jk_cp -v -f /home/jail /bin/bash

Verify if your/home/jail/etc/passwd has something like this!

testuser:x:1001:1001::/home/testuser:/bin/bash

OK!

Every should be working now!
Lets SSH the server with our jailed user.

ssh testuser@serverip

YAH! I’v managed to get in but connection was closed in a few nano-seconds.

This is how my /var/log/auth.log looks like…

Sep 22 15:09:28 nsXXXXXX sshd[723]: Accepted password for testuser from 84.91.XXX.XXX port 54827 ssh2
Sep 22 15:09:28 nsXXXXXX sshd[723]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Sep 22 15:09:28 nsXXXXXX systemd-logind[883]: New session c314 of user testuser.
Sep 22 15:09:28 nsXXXXXX systemd: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)
Sep 22 15:09:28 nsXXXXXX jk_chrootsh[789]: now entering jail /home/jail for user testuser (1001) with arguments
Sep 22 15:09:29 nsXXXXXX sshd[788]: Received disconnect from 84.91.XXX.XXX: 11: disconnected by user
Sep 22 15:09:29 nsXXXXXX sshd[723]: pam_unix(sshd:session): session closed for user testuser
Sep 22 15:09:29 nsXXXXXX systemd-logind[883]: Removed session c314.

OK!
The line entry on /home/jail/etc/passwd was f*cking it all.
I had

testuser:x:1001:1001::/home/testuser:/usr/sbin/jk_lsh

Should reallllly be (remember this!, I will mention the following line again)

testuser:x:1001:1001::/home/testuser:/bin/bash

Lets put it that way and try again

ssh testuser@serverip

Connection was also closed in a few nano-seconds!

Sep 22 15:14:41 nsXXXXXX sshd[1032]: Accepted password for testuser from 84.91.XXX.XXX port 54848 ssh2
Sep 22 15:14:41 nsXXXXXX sshd[1032]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Sep 22 15:14:41 nsXXXXXX systemd-logind[883]: New session c315 of user testuser.
Sep 22 15:14:41 nsXXXXXX systemd: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)
Sep 22 15:14:41 nsXXXXXX jk_chrootsh[1098]: now entering jail /home/jail for user testuser (1001) with arguments
Sep 22 15:14:41 nsXXXXXX jk_chrootsh[1098]: ERROR: failed to execute shell /bin/bash/ for user testuser (1001), check the permissions and libraries of /home/jail//bin/bash/
Sep 22 15:14:41 nsXXXXXX sshd[1097]: Received disconnect from 84.91.XXX.XXX: 11: disconnected by user
Sep 22 15:14:41 nsXXXXXX sshd[1032]: pam_unix(sshd:session): session closed for user testuser
Sep 22 15:14:41 nsXXXXXX systemd-logind[883]: Removed session c315.

WHY?
My /home/jail/etc/passwd had a ending /… like…

testuser:x:1001:1001::/home/testuser:/bin/bash/

I’v removed that last / and and tested the ssh connections and IT WORKED!

I was able to login via SSH.

And what about SFTP?

What I really need…!

— BELLOW HERE (SFTP) ISN’T WORKING ON MY SERVER —

I’v tried to connect via SFTP and connection was refused…
This is the log..

Sep 22 16:46:47 nsXXXXXX sshd[5730]: Accepted password for testuser from 84.91.XXX.XXX port 56229 ssh2
Sep 22 16:46:47 nsXXXXXX sshd[5730]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Sep 22 16:46:47 nsXXXXXX systemd-logind[883]: New session c320 of user testuser.
Sep 22 16:46:48 nsXXXXXX jk_chrootsh[5793]: now entering jail /home/jail for user testuser (1001) with arguments -c /usr/lib/openssh/sftp-server
Sep 22 16:46:48 nsXXXXXX sshd[5792]: Received disconnect from 84.91.XXX.XXX: 11:
Sep 22 16:46:48 nsXXXXXX sshd[5730]: pam_unix(sshd:session): session closed for user testuser
Sep 22 16:46:48 nsXXXXXX systemd-logind[883]: Removed session c320.

OK!
Lets run the following commands

jk_init -v -j /home/jail sftp scp
jk_init -v -j /home/jail jk_lsh

Take note of sftp-server’s path, that will be outputted to use later.

On my /home/jail/etc/passwd i’v added the following /usr/sbin/jk_lsh.

testuser:1001:1001::/home/testuser:/bin/bash:/usr/sbin/jk_lsh

Then I’v edited /home/jail/etc/jailkit/jk_lsh.ini, according to Oliver from jailkit tutorial, and to this post added

[testuser]
comment = ssh secure ftp
executables = /usr/lib/openssh/sftp-server #outputted sftp-server path
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null

 

 

 

 

 

 

Resources
http://olivier.sessink.nl/jailkit/
http://askubuntu.com/questions/93411/simple-easy-way-to-jail-users
http://askubuntu.com/questions/92856/how-to-install-jailkit
http://www.binarytides.com/setup-jailed-shell-jailkit-ubuntu/

http://lists.gnu.org/archive/html/jailkit-users/2013-03/msg00005.html

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.