I have run up against another issue in trying to set up a jailkit chroot jail in which a user can run rsync (only). The jail is on a 'central server' host named CS (for example).
I run this command as the user trying to rsync to the CS:

    rsync some_local_file address@hidden:.

The attempt gets this error:

    rsync: connection unexpectedly closed (0 bytes received so far) [sender]
    rsync error: unexplained error (code 255) at io.c(632) [sender=3.0.4]
On host CS, the /var/log/auth.log shows (date/time has been removed to shorten):

    CS sshd[6238]: Accepted publickey for CSUSER from 192.168.2.190 port 50934 ssh2
    CS sshd[6238]: pam_unix(sshd:session): session opened for user CSUSER by (uid=0)
    CS jk_chrootsh[6247]: now entering jail /usr/local/chroot_jail for user CSUSER (1002)
    CS sshd[6238]: pam_unix(sshd:session): session closed for user CSUSER
If I try (as root on host CS):

    chroot /usr/local/chroot_jail rsync /home/CSUSER/somefile /home/CSUSER/somedir/

the file is sync'd into the dir ok.
I am using jk_lsh; see the config below.
Thank you for any assistance; I don't know what to do next.
The following steps were performed to prepare the jail:
CREATE LOGIN ON CENTRAL SERVER 'CS'
Create login to CS for use by client: CSUSER

    # as root on CS
    adduser CSUSER
Ensure the user is in only its group, no others.

    grep /etc/group/CSUSER
    # should show only the one line for the CSUSER group itself
Add public key for address@hidden to permit authentication without password:

    # on host CS, as someuser:
    # create $HOME/.ssh/authorized_keys
    # change perms to 600, and add public key for address@hidden

Verify login works:

    ssh address@hidden
SETUP JAILKIT
Scp the jailkit release to CSDEVUSR user on CS:

    scp mylocaldir/tar/jailkit*.tar.gz address@hidden:.
Untar the jailkit release in CSDEVUSR user on CS and build the software:

    # as CSDEVUSR on CS
    mkdir ~/sw/jailkit
    cd ~/sw/jailkit
    tar xvfz ~/jailkit*tar.gz
    # Build the jailkit software.
    cd sw/jailkit
    ./configure
    make
Install the jailkit software:

    # Use sudo to be root for the install
    sudo make install
Initialise the jail:

    # As root on CS...
    # Create the jail dir
    mkdir /usr/local/chroot_jail
    # root should own it
    chown root:root /usr/local/chroot_jail
    chmod 0755 /usr/local/chroot_jail
    # Add in the programs that are to be accessible
    jk_init -j /usr/local/chroot_jail -v jk_lsh
    jk_init -j /usr/local/chroot_jail -v rsync
Make the chroot jail look like as complete a filesystem as needed:

    # get the timezone
    jk_cp -j /usr/local/chroot_jail /etc/localtime
Create the account in the jail by moving the existing user's home dir:

    jk_jailuser --jail=/usr/local/chroot_jail --verbose CSUSER

This creates the user's home dir in the jail, adds the user to the jail's etc/passwd, and changes the user's shell to jk_chrootsh. After the above command, the user's home dir should have been moved into the jail dir. The user's passwd file entry should now look like this:

    CSUSER:x:1002:1002:,,,:/usr/local/chroot_jail/./home/CSUSER:/usr/sbin/jk_chrootsh
Edit the jk_lsh configfile in the jail (see man jk_lsh). NOTE the file is in the jail dir (not the 'real' /etc/jailkit!)

    # as root on CS
    vi /usr/local/chroot/etc/jailkit/jk_lsh.ini
    (... see contents below...)
Restart jk_socketd:

    # as root on CS (jk_socketd becomes the user specified in its
    # config file, normally 'nobody')
    killall jk_socketd
    jk_socketd
Test the account:

    rsync somefile address@hidden:.

    # check the logs if everything is correct
    # on host CS
    tail -f /var/log/daemon.log
    tail -f /var/log/auth.log

    # Try to sync a file
    # as someuser on host UH:
    rsync a_local_file address@hidden:.
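The setup above leaves several things that must line up for jk_chrootsh and jk_lsh to let rsync through: the host passwd entry (JAIL/./home form and the jk_chrootsh shell), the jail-side etc/passwd, the jk_lsh.ini that lives inside the jail, and the rsync binary jk_init copied in. The following checker is an added example, not part of the original post or of jailkit itself; it assumes the file layout jk_jailuser/jk_init produce (jail/etc/passwd, jail/etc/jailkit/jk_lsh.ini, jail/usr/bin/rsync) and the jk_lsh.ini keys from the jailkit manual (a [user] or [DEFAULT] section with an "executables=" line).

```shell
#!/bin/sh
# check_rsync_jail JAIL USER [HOST_PASSWD]
# Sanity-check a jailkit chroot meant to allow rsync only. Prints each failing
# item and returns non-zero if anything is wrong. HOST_PASSWD defaults to
# /etc/passwd; it is a parameter so the checker can be run against a copy.
check_rsync_jail() {
    jail=$1; user=$2; hostpw=${3:-/etc/passwd}
    rc=0
    # 1. host passwd entry: home must be "JAIL/./..." and the shell jk_chrootsh,
    #    otherwise jk_chrootsh never enters this jail for the user
    if ! grep -q "^$user:.*:$jail/\./.*:.*jk_chrootsh$" "$hostpw"; then
        echo "FAIL: $hostpw entry for $user lacks '$jail/./' home or jk_chrootsh shell"; rc=1
    fi
    # 2. jail-side passwd (written by jk_jailuser) must know the user
    [ -f "$jail/etc/passwd" ] && grep -q "^$user:" "$jail/etc/passwd" \
        || { echo "FAIL: $user missing from $jail/etc/passwd"; rc=1; }
    # 3. jk_lsh reads its config INSIDE the jail, and it must list rsync
    ini=$jail/etc/jailkit/jk_lsh.ini
    if [ ! -f "$ini" ]; then
        echo "FAIL: $ini not found (jk_lsh reads the config inside the jail)"; rc=1
    elif ! section_allows "$ini" "$user" rsync; then
        echo "FAIL: no executables= line naming rsync under [$user] or [DEFAULT] in $ini"; rc=1
    fi
    # 4. the rsync binary jk_init copied into the jail must be present
    [ -x "$jail/usr/bin/rsync" ] || { echo "FAIL: $jail/usr/bin/rsync missing"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: jail $jail looks usable for rsync by $user"
    return $rc
}

# Print the body of one [section] of an ini file (stops at the next header).
ini_section() {
    awk -v s="[$2]" '$0==s{f=1;next} /^\[/{f=0} f' "$1"
}

# True if [user] or [DEFAULT] has an executables= line mentioning the program.
section_allows() {
    for s in "$2" DEFAULT; do
        ini_section "$1" "$s" | grep -E '^[[:space:]]*executables[[:space:]]*=' \
            | grep -q "$3" && return 0
    done
    return 1
}
```

Run it as root on the central server with `check_rsync_jail /usr/local/chroot_jail CSUSER` after the jk_jailuser step; a FAIL on item 3 means jk_lsh will find no configuration for the user when sshd hands the rsync command over.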