Jailkit not locking down SFTP, working for SSH
I installed jailkit on my CentOS 5.8 server, and configured it according to the online guides that I found. These are the commands that were executed as root:
mkdir /var/jail
jk_init -j /var/jail extshellplusnet
jk_init -j /var/jail sftp
adduser testuser; passwd testuser
jk_jailuser -j /var/jail testuser
I then edited /var/jail/etc/passwd to change the login shell for testuser to /bin/bash, to give them access to a full bash shell via SSH.
Next I edited /var/jail/etc/jailkit/jk_lsh.ini to look like the following (not sure if this is correct):
[testuser]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/lib/openssh/sftp-server, /usr/bin/sftp
The testuser is able to connect via SSH and is limited to viewing only the chroot jail directory. The testuser is also able to log in via SFTP; however, the entire file system is visible and can be traversed.
SSH Output:
> ssh testuser@server
Password:
Last login: Sat Oct 20 03:26:19 2012 from x.x.x.x
bash-3.2$ pwd
/home/testuser
SFTP Output:
> sftp testuser@server
Password:
Connected to server.
sftp> pwd
Remote working directory: /var/jail/home/testuser
What can be done to lock down SFTP access to the jail?
Solution 1:
Although I definitely feel doublesharp's pain (just ran into this problem as well), doublesharp's answer here should not be used (not secure). The problem here is that sshd's internal-sftp is being executed before /usr/sbin/jk_chrootsh can be executed, WHICH NEEDS TO BE EXECUTED FOR SECURITY REASONS. So all you need to do to fix this issue is make sure that your /etc/ssh/sshd_config file has this line...
Subsystem sftp /usr/lib/openssh/sftp-server
... and NOT this line ...
Subsystem sftp internal-sftp
Also make sure you aren't doing any user/group matching in this file. The big idea here is that if you are going to use jailkit for quarantining users on a Linux system, then you need to force all users through /usr/sbin/jk_chrootsh, which can spin up its own sftp functionality if needed.
After you make your changes to /etc/ssh/sshd_config, make sure to restart sshd (method can vary depending on your system).
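As an added example (not part of the question or the answer above, and not jailkit's own tooling), the following POSIX shell script audits the two things this page discusses: the sshd_config "Subsystem sftp" line and Match blocks from the answer, and the executables list in the jail's jk_lsh.ini from the question. It assumes jailkit's default location <jail>/etc/jailkit/jk_lsh.ini; the sshd_config samples and the mock jail it builds are constructed data, not files from a real host. On a real server, point the audit_* functions at /etc/ssh/sshd_config and /var/jail instead.

```shell
#!/bin/sh
# Added audit script (not from the question or the answer). Assumptions:
# jk_lsh.ini lives at <jail>/etc/jailkit/jk_lsh.ini, and the config files
# that build_sample() writes are constructed samples, not real host data.

# audit_sshd_sftp <sshd_config>
# Returns 0 only when "Subsystem sftp" names an external binary, so an SFTP
# login still passes through the user's login shell (jk_chrootsh).
# internal-sftp is served inside sshd itself and never reaches that shell.
audit_sshd_sftp() {
    cfg="$1"
    line=$(grep -Ei '^[[:space:]]*Subsystem[[:space:]]+sftp([[:space:]]|$)' "$cfg" | head -n 1)
    case "$(printf '%s' "$line" | tr 'A-Z' 'a-z')" in
        "")              echo "FAIL: no 'Subsystem sftp' line in $cfg"; return 1 ;;
        *internal-sftp*) echo "FAIL: $line  (internal-sftp bypasses jk_chrootsh)"; return 1 ;;
        *)               echo "OK:   $line"; return 0 ;;
    esac
}

# audit_sshd_match <sshd_config>
# Returns 0 when the file has no Match blocks (the answer says not to do
# per-user/group matching when every user must go through jk_chrootsh).
audit_sshd_match() {
    if grep -Eqi '^[[:space:]]*Match[[:space:]]' "$1"; then
        echo "FAIL: Match block(s) in $1:"
        grep -Eni '^[[:space:]]*Match[[:space:]]' "$1"
        return 1
    fi
    echo "OK:   no Match blocks in $1"
}

# audit_jail_execs <jail_root> <user>
# Reads executables= from the [<user>] section of the jail's jk_lsh.ini and
# checks that each path exists and is executable under the jail root
# (jk_init is what copies them in). Returns the number of missing entries.
audit_jail_execs() {
    jail="$1"; user="$2"; ini="$jail/etc/jailkit/jk_lsh.ini"
    [ -r "$ini" ] || { echo "FAIL: cannot read $ini"; return 1; }
    execs=$(awk -v sect="[$user]" '
        { l = $0; sub(/[[:space:]]+$/, "", l) }
        l == sect { insect = 1; next }
        /^\[/     { insect = 0 }
        insect && /^[[:space:]]*executables[[:space:]]*=/ { sub(/^[^=]*=/, ""); print }
    ' "$ini" | tr ',' '\n')
    missing=0
    for exe in $execs; do
        if [ -x "$jail$exe" ]; then
            echo "OK:   $jail$exe"
        else
            echo "MISSING: $jail$exe"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# build_sample
# Constructed data only: a deliberately bad sshd_config, a corrected one, and
# a mock jail whose jk_lsh.ini copies the one from the question but lacks one
# of the listed binaries. Prints the scratch directory.
build_sample() {
    d=$(mktemp -d)
    cat > "$d/sshd_config.bad" <<'EOF'
Port 22
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /var/jail
    ForceCommand internal-sftp
EOF
    cat > "$d/sshd_config.good" <<'EOF'
Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
    mkdir -p "$d/jail/etc/jailkit" "$d/jail/usr/bin" "$d/jail/usr/lib/openssh"
    cat > "$d/jail/etc/jailkit/jk_lsh.ini" <<'EOF'
[testuser]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/lib/openssh/sftp-server, /usr/bin/sftp
EOF
    # /usr/bin/sftp is left out on purpose so the audit reports it missing
    for f in /usr/bin/scp /usr/lib/openssh/sftp-server; do
        printf '#!/bin/sh\n' > "$d/jail$f"; chmod +x "$d/jail$f"
    done
    echo "$d"
}

# Stand-alone demo against the constructed samples
sample=$(build_sample)
for cfg in "$sample/sshd_config.bad" "$sample/sshd_config.good"; do
    audit_sshd_sftp "$cfg"  || :
    audit_sshd_match "$cfg" || :
done
audit_jail_execs "$sample/jail" testuser || :
rm -rf "$sample"
```

The return codes are meant for scripting: a non-zero result from audit_sshd_sftp or audit_sshd_match is the configuration the answer warns about, and audit_jail_execs returns the count of executables that jk_lsh.ini names but jk_init never copied into the jail.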