Jailkit not locking down SFTP, working for SSH
Posted by doublesharp on Server Fault
Published on 2012-10-20T08:09:16Z
I installed jailkit on my CentOS 5.8 server, and configured it according to the online guides that I found. These are the commands that were executed as root:
mkdir /var/jail
jk_init -j /var/jail extshellplusnet
jk_init -j /var/jail sftp
adduser testuser; passwd testuser
jk_jailuser -j /var/jail testuser
I then edited /var/jail/etc/passwd to change the login shell for testuser to be /bin/bash to give them access to a full bash shell via SSH.
Next I edited /var/jail/etc/jailkit/jk_lsh.ini to look like the following (not sure if this is correct):
[testuser]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/lib/openssh/sftp-server, /usr/bin/sftp
The testuser is able to connect via SSH and is limited to viewing only the chroot jail directory, and is also able to log in via SFTP; however, the entire file system is visible and can be traversed.
SSH Output:
> ssh testuser@server
Password:
Last login: Sat Oct 20 03:26:19 2012 from x.x.x.x
bash-3.2$ pwd
/home/testuser
SFTP Output:
> sftp testuser@server
Password:
Connected to server.
sftp> pwd
Remote working directory: /var/jail/home/testuser
What can be done to lock down SFTP access to the jail?
FWIW, I mostly used this as a guide: http://digitalpatch.blogspot.com.ar/2010/03/openssh-daemon-hardening-part-3-setup.html
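Added example (not part of the original post, and not Jailkit code): a small check that turns the two transcripts above into a verdict. A chrooted session reports paths relative to the jail, so the /var/jail prefix in the SFTP pwd output is the sign that the session has the host's view of the filesystem. The function names and verdict strings are assumptions made for this sketch; the jail path and transcript lines are the ones from the post.

```shell
#!/bin/sh
# Added example: classify a login session from the path that `pwd` reports.
JAIL_ROOT="/var/jail"          # jail path used in the post

# Extract the first absolute path from `pwd` output. Accepts the sftp client's
# "Remote working directory: /path" form or a bare "/path" line from a shell.
reported_path() {
    printf '%s\n' "$1" |
        sed -n -e 's/^Remote working directory: *//' -e '/^\//{p;q;}'
}

# Prints one of (hypothetical verdict names):
#   host-view  path carries the host-side jail prefix, so no chroot is in effect
#   jail-view  path has no jail prefix (expected right after a jailed login)
#   unknown    no absolute path found in the input
# jail-view is only meaningful for the initial directory after login, because
# an unjailed user could also cd somewhere outside the jail tree.
classify_session() {
    jail=${1%/}                              # tolerate a trailing slash
    rp=$(reported_path "$2")
    if [ -z "$rp" ]; then
        echo "unknown"
        return 0
    fi
    case "$rp" in
        # Match the jail itself or anything below it; "/var/jailbreak" must
        # not match "/var/jail", hence the explicit "/" boundary.
        "$jail"|"$jail"/*) echo "host-view" ;;
        *)                 echo "jail-view" ;;
    esac
}

# Transcript lines copied from the post.
SSH_OUT='bash-3.2$ pwd
/home/testuser'
SFTP_OUT='sftp> pwd
Remote working directory: /var/jail/home/testuser'

echo "ssh:  $(classify_session "$JAIL_ROOT" "$SSH_OUT")"
echo "sftp: $(classify_session "$JAIL_ROOT" "$SFTP_OUT")"
```

The same function can be fed the output of a non-interactive sftp batch run that issues pwd immediately after login, which makes the check repeatable after each configuration change.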