|
| From: | Olivier Sessink |
| Subject: | Re: [Jailkit-users] Jailkit with no usermod, possibly useing pam_chroot |
| Date: | Wed, 18 Dec 2019 19:48:57 +0100 |
| User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 |
Hi,
I am trying to limit a user to only be able to scp in a chroot, no ssh. I want their default directory to be /mnt. I initially used pam_chroot and scp worked but this still gave the user access to ssh. So I'm trying to either use pure jailkit or a combination of jailkit and pam_chroot so that I can disabled ssh.
I followed the howto guide to try and just use jailkit and was able to set up everything apart from jailing the user. I'm on an embedded system that does not have usermod so jailing the user fails. I used jk_init to copy scp (checked that the right dependencies were copied) and jk_lsh to the jail (/mnt), created a user, manually altered /etc/passwd and /mnt/etc/passwd, created a home directory belonging to them in the jail.
add a user to the scp section to have it copied over also to /mnt/etc/passwd.
E.G. users = chrootuser
jk_init -j /mnt scp jk_lsh
inside /mnt
mkdir home
chown chrootuser home
chgrp chrootuser home
cd home/
mkdir chrootuser
chgrp chrootuser chrootuser/
chown chrootuser chrootuser/
/etc/passwdchrootuser:aOMaK6TXMYtOs:1003:1003:Linux User,,,:/mnt/./home/chrootuser:/usr/sbin/jk_chootsh/mnt/etc/passwd
chrootuser:aOMaK6TXMYtOs:1003:1003:Linux User,,,:/home/chrootuser:/usr/sbin/jk_lsh
Currently when I try and scp I enter the user password which is accepted but the command just returns to the prompt with no errors, nothing in the logs. So I thought I'd just use pam_chroot to jail the user. Since I have not jailed the user I am guessing that is why it returns nothing? Unless I am missing something else.
So I enable pam_chroot to create the jail and I get the following complaint:
scp:chrootuser@192.168.11.2's password:Could not chdir to home directory /mnt/./home/chrootuser: No such file or directory
I am guessing that pam_chroot is chrooting to /mnt as that is what is set up in it's chroot file, at that point there is no "/mnt" since it has become /?
/etc/security/chroot.conf:chrootuser /mnt
so I changed /etc/passwd to:chrootuser:aOMaK6TXMYtOs:1003:1003:Linux User,,,:/:/usr/sbin/jk_chrootsh
and /mnt/etc/passwd to:chrootuser:aOMaK6TXMYtOs:1003:1003:Linux User,,,:/:/usr/sbin/jk_lsh
The behaviour then reverts to me trying to scp and it just returning to the prompt with no errors.Should I be changing my /etc/passwd files to something else? I noticed in the pam_chroot section it said I could use it instead of jk_chrootsh, so maybe that should be removed?
Two options:
1) use jk_chrootsh
/etc/passwd should have /usr/sbin/jk_chrootsh as shell, and /mnt/./home/chrootuser as home dir
/mnt/etc/passwd should have /usr/bin/jk_lsh as shell, and /home/chrootuser as home dir
2) use pam_chroot
/etc/passwd should have /usr/bin/jk_lsh as shell (in some
versions you need /mnt in front of that), and /mnt/home/chrootuser
as home dir
In both cases you need /mnt/etc/jailkit/jk_lsh.ini to allow scp,
and you need scp in the jail. There are various versions of
pam_chroot, they all work slightly different, so watch the logs!
(and make sure you have logging in the jail)
Olivier
-- Bluefish website http://bluefish.openoffice.nl/ Blog http://oli4444.wordpress.com/
| [Prev in Thread] | Current Thread | [Next in Thread] |