On my server I want to create accounts that can use SSH in a chroot environment. I searched the internet for tools and found Jailkit. In this post I describe how I installed Jailkit on Ubuntu Server 9.10, created a jail and added users to the jail. Note that most commands in this tutorial must be run as root (via su or sudo).
Jailkit installation
First I installed Jailkit by using the following commands:
# cd /tmp
# wget http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
# tar -zxvf jailkit-2.11.tar.gz
# cd jailkit-2.11
# ./configure
# make
# make install
Setting up the jail
Now it’s time to set up the jail directory. Jailed users will see this directory as the root directory of the server. I chose to use /home/jail:
# mkdir /home/jail
# chown root:root /home/jail
By using the jk_init command you can set up the jail. In this tutorial the basicshell, netutils, ssh and limited shell are installed:
# jk_init -v /home/jail basicshell
# jk_init -v /home/jail netutils
# jk_init -v /home/jail ssh
# jk_init -v /home/jail jk_lsh
Add a user
Add a new user with a home directory and bash shell, and don’t forget to change the password:
# useradd -d /home/testuser -m testuser -s /bin/bash
# passwd testuser
Now it’s time to jail this user with the following command:
# jk_jailuser -m -j /home/jail testuser
Your /etc/passwd should contain something like this now:
testuser:x:1003:1004::/home/jail/./home/testuser:/usr/sbin/jk_chrootsh
Enable bash
By using jk_cp, bash and its libraries are copied to the jail:
# jk_cp -v -f /home/jail /bin/bash
Now edit the /home/jail/etc/passwd file and make sure it contains something like this:
testuser:x:1003:1004::/home/testuser:/bin/bash
Also make sure the group exists in /home/jail/etc/group:
testuser:x:1004:
Now try to log in as testuser. Look for errors in /var/log/auth.log.
Maintenance
With jk_update, files that were updated on the real system can be updated in the jail as well. A dry-run will show what’s going on:
# jk_update -j /home/jail -d
Without the -d argument the real update is performed. More maintenance operations can be found here.
Troubleshooting
Make sure the jailed user has a home directory in /home/jail/home. If not, create one:
# mkdir -p /home/jail/home/testuser
# chown testuser:testuser /home/jail/home/testuser
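The checks from the Add a user, Enable bash and Troubleshooting steps can be run in one pass before trying to log in. The script below is an added example, not part of Jailkit or of the original post; the function names check_jail_user, field and gid_name are made up here, and it only reads the passwd and group files and tests that the shell and home directory exist inside the jail.

```shell
#!/bin/sh
# Added example (not part of Jailkit): verify one jailed account's setup.
# Usage: check_jail_user JAIL USER [HOST_PASSWD]   e.g. /home/jail testuser

# Print field $3 of the entry named $2 in the colon-separated file $1.
field() { awk -F: -v k="$2" -v n="$3" '$1 == k { print $n; exit }' "$1" 2>/dev/null; }
# Print the name of the group with gid $2 in the group file $1.
gid_name() { awk -F: -v g="$2" '$3 == g { print $1; exit }' "$1" 2>/dev/null; }

check_jail_user() {
    jail=$1 user=$2 host_passwd=${3:-/etc/passwd} rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    uid=$(field "$host_passwd" "$user" 3)
    [ -n "$uid" ] || { echo "FAIL: $user not in $host_passwd"; return 1; }
    gid=$(field "$host_passwd" "$user" 4)
    home=$(field "$host_passwd" "$user" 6)
    shell=$(field "$host_passwd" "$user" 7)

    # Host side: home is "<jail>/./<home inside jail>", shell is jk_chrootsh.
    case $home in
        "$jail"/./*) inner=${home#"$jail"/.} ;;
        *) inner=; fail "host home '$home' does not start with $jail/./" ;;
    esac
    case $shell in
        */jk_chrootsh) ;;
        *) fail "host shell is '$shell', expected jk_chrootsh" ;;
    esac

    # Jail side: same uid/gid, home without the jail prefix, shell present.
    jp=$jail/etc/passwd
    [ "$(field "$jp" "$user" 3)" = "$uid" ] || fail "uid mismatch or no entry in $jp"
    [ "$(field "$jp" "$user" 4)" = "$gid" ] || fail "gid mismatch in $jp"
    [ "$(field "$jp" "$user" 6)" = "$inner" ] || fail "jail home is not '$inner'"
    jshell=$(field "$jp" "$user" 7)
    [ -f "$jail$jshell" ] && [ -x "$jail$jshell" ] ||
        fail "shell '$jshell' missing in jail (copy it with jk_cp)"

    [ -n "$(gid_name "$jail/etc/group" "$gid")" ] || fail "gid $gid not in $jail/etc/group"
    [ -n "$inner" ] && [ -d "$jail$inner" ] || fail "no home directory $jail$inner"

    [ "$rc" -eq 0 ] && echo "OK: $user is set up in $jail"
    return "$rc"
}

if [ "$#" -ge 2 ]; then check_jail_user "$@"; fi
```

Saved as a file and run as root with the arguments /home/jail testuser, it prints one FAIL line per inconsistency and exits non-zero if any check fails.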
Jessie
Feb 19, 2015 -
I found out my problem. I removed the original thing in the passwd and added testuser:x:1003:1004::/home/testuser:/bin/bash. I originally had two things going at the same time and that’s what made me instantly logoff. I’m still a beginner with this Linux stuff, but I’m glad you took the time to make this amazing write up. It works great.
Daniele
Mar 23, 2015 -
Sorry for the delay. Yes, I have problems with other common commands too. Did I limit the users too much? I can’t seem to run anything from within the jail. How can I go about adding these commands to the jail?