Jailkit not locking down SFTP, working for SSH

Posted by doublesharp on Server Fault See other posts from Server Fault or by doublesharp
Published on 2012-10-20T08:09:16Z Indexed on 2012/10/20 11:04 UTC
Read the original article Hit count: 232

Filed under:
|
|
|
|

I installed jailkit on my CentOS 5.8 server, and configured it according to the online guides that I found. These are the commands that were executed as root:

mkdir /var/jail
jk_init -j /var/jail extshellplusnet
jk_init -j /var/jail sftp 
adduser testuser; passwd testuser
jk_jailuser -j /var/jail testuser

I then edited /var/jail/etc/passwd to change the login shell for testuser to be /bin/bash to give them access to a full bash shell via SSH.

Next I edited /var/jail/etc/jailkit/jk_lsh.ini to look like the following (not sure if this is correct)

[testuser]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/lib/openssh/sftp-server, /usr/bin/sftp

The testuser is able to connect via SSH and is limited to only view the chroot jail directory, and is also able to log in via SFTP, however the entire file system is visible and can be traversed.

SSH Output:

> ssh testuser@server
Password: 
Last login: Sat Oct 20 03:26:19 2012 from x.x.x.x
bash-3.2$ pwd
/home/testuser

SFTP Output:

> sftp testuser@server
Password: 
Connected to server.
sftp> pwd
Remote working directory: /var/jail/home/testuser

What can be done to lock down SFTP access to the jail?

FWIW, I mostly used this as a guide: http://digitalpatch.blogspot.com.ar/2010/03/openssh-daemon-hardening-part-3-setup.html

© Server Fault or respective owner

Related posts about centos

Related posts about ssh