Re: [Jailkit-users] Users connected via SFTP not jailed

[Ali Nebi]

I used following command to jail the user:

jk_jailuser -m -j /home/chrootssh/ test-anebi

In auth.log following things happen:

When i connect with SFTP:

Apr  4 09:06:25 labs sshd[22685]: Accepted password for test-anebi from 89.215.8.109 port 60208 ssh2

Apr  4 09:06:25 labs sshd[22685]: pam_unix(sshd:session): session opened for user test-anebi by (uid=0)

Apr  4 09:06:26 labs sshd[8070]: subsystem request for sftp by user test-anebi

When i connect with SSH

Apr  4 09:07:03 labs sshd[6482]: Accepted password for test-anebi from 89.215.8.109 port 60253 ssh2

Apr  4 09:07:03 labs sshd[6482]: pam_unix(sshd:session): session opened for user test-anebi by (uid=0)

Apr  4 09:07:03 labs jk_chrootsh[15416]: now entering jail /home/chrootssh for user test-anebi (1008) with arguments 

Olivier, yes, i do have little bit changed ssh config, i have changed SFTP subsystem

from
Subsystem sftp /usr/lib/openssh/sftp-server

to
Subsystem sftp internal-sftp

# Rules for sftponly group

Match group sftponly

ChrootDirectory %h

X11Forwarding no

AllowTcpForwarding no

ForceCommand internal-sftp

I tried yesterday reverting this change, but still same problem, so i am not sure if this can cause this problem.

I will try to reproduce the problem on a clean system without any configuration changes to see if it will happen there.

On Fri, Apr 4, 2014 at 1:15 AM, Olivier Sessink <address@hidden> wrote:

On 04/03/2014 11:49 AM, Ali Nebi wrote:
> Hi,
>
> I have installed jailkit on ubuntu 12.04 and it is working perfectly
> for SSH accesses for jailed users. They are in jail dir and all is ok.
> But i noticed today that when users connect via SFTP, they see and can
> browse in real system - they are not jailed. I checked all libraries,
> all device files related to sftp and all is copied to jail dir. Can
> you give me advices how to get this working?

all processes that are started via the shell of the user will be jailed
(because the shell it jk_chrootsh). Any process that is not started via
the shell is not jailed. Normally openssh will start sftp via the shell
and thus the user is jailed. So my first guesses are:

- you could be using a different ssh server, or differently configured ?

- you could be using ftps (ftp over ssl) and not sftp (ftp over ssh),
and the ftps server is not in a jail

Olivier

--
Bluefish website http://bluefish.openoffice.nl/
Blog http://oli4444.wordpress.com/

_______________________________________________
Jailkit-users mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/jailkit-users

--

Iguana Information Technologies, SL
Calle López de Hoyos 35, 1º
28002 Madrid, España (Spain)

+34 915569100
+34 649336286
http://www.iguanait.com/

Advertencia
-----------
Este mensaje contiene información privada y confidencial. Si usted
no es el destinatario, no está autorizado a leer, imprimir, retener,
copiar o difundir este mensaje o parte de él. En caso de que usted
reciba este mensaje por error debe borrarlo. Gracias.

Confidentiality notice
----------------------
This message contains private and confidential information. If you
are not the named addressee, you are not authorized to read, print,
retain, copy or disseminate this message or any part of it. In case
you receive this message by mistake you should delete it. Thanks.