jailkit-users

Re: [Jailkit-users] Jailkit with no usermod, possibly using pam_chroot


From: Paul Gildea
Subject: Re: [Jailkit-users] Jailkit with no usermod, possibly using pam_chroot
Date: Fri, 20 Dec 2019 16:34:17 +0000

Hi!

I saw your reply to me in the archive, but it didn't come to my inbox, so I only saw it today, sorry!
Thanks for the help. It turns out the issue is the home directory being in the format expected for jk_chrootsh.
Oh and I had to manually copy /dev/null (cp -af /dev/null /mnt/dev/null), maybe I forgot some part of the process that copies that automatically, or had to alter an .ini file for the path.

For anybody else this is what my entries looked like for pam_chroot to work(https://code.google.com/archive/p/pam-chroot/downloads 0.9.2), same as what was recommended:

Both /etc/passwd and /mnt/etc/passwd:
chrootuser:TDzElZZ4KyEe.:1003:1003:Linux User,,,:/home/chrootuser:/usr/sbin/jk_lsh

For some reason the root credentials are being copied to /mnt/etc/passwd automatically when I create the jail, but I'm not sure why.
I manually edit that file, remove that line and add my user and everything works, and ssh fails, perfect! 

When I ssh to the system and am denied, this appears on the user's CLI on the system; I'll have to try and hide that:

[username]#  sshd[14917]: error: openpty: No such file or directory
 error: session_pty_req: session 0 alloc failed


Thanks for the help!

--
Paul


On Wed, 18 Dec 2019 at 13:02, Paul Gildea <address@hidden> wrote:
Hi,

I am trying to limit a user to only be able to scp in a chroot, no ssh. I want their default directory to be /mnt. I initially used pam_chroot and scp worked, but this still gave the user access to ssh. So I'm trying to either use pure jailkit or a combination of jailkit and pam_chroot so that I can disable ssh.

I followed the howto guide to try and just use jailkit and was able to set up everything apart from jailing the user. I'm on an embedded system that does not have usermod so jailing the user fails. I used jk_init to copy scp (checked that the right dependencies were copied) and jk_lsh to the jail (/mnt), created a user, manually altered /etc/passwd and /mnt/etc/passwd, created a home directory belonging to them in the jail. 

Add a user to the scp section to have it copied over also to /mnt/etc/passwd.
E.g. users = chrootuser

jk_init -j /mnt scp jk_lsh

inside /mnt
mkdir home
chown chrootuser home
chgrp chrootuser home
cd home/
mkdir chrootuser
chgrp chrootuser chrootuser/
chown chrootuser chrootuser/

/etc/passwd
chrootuser:aOMaK6TXMYtOs:1003:1003:Linux User,,,:/mnt/./home/chrootuser:/usr/sbin/jk_chootsh
/mnt/etc/passwd
chrootuser:aOMaK6TXMYtOs:1003:1003:Linux User,,,:/home/chrootuser:/usr/sbin/jk_lsh

Currently, when I try and scp, I enter the user password, which is accepted, but the command just returns to the prompt with no errors, nothing in the logs. So I thought I'd just use pam_chroot to jail the user. Since I have not jailed the user, I am guessing that is why it returns nothing? Unless I am missing something else.


So I enable pam_chroot to create the jail and I get the following complaint:

scp:
chrootuser@192.168.11.2's password: 
Could not chdir to home directory /mnt/./home/chrootuser: No such file or directory

I am guessing that pam_chroot is chrooting to /mnt as that is what is set up in its chroot file, and at that point there is no "/mnt" since it has become /?

/etc/security/chroot.conf:
chrootuser /mnt


So I changed /etc/passwd to:
chrootuser:aOMaK6TXMYtOs:1003:1003:Linux User,,,:/:/usr/sbin/jk_chrootsh
and /mnt/etc/passwd to:
chrootuser:aOMaK6TXMYtOs:1003:1003:Linux User,,,:/:/usr/sbin/jk_lsh

The behaviour then reverts to me trying to scp and it just returning to the prompt with no errors.
Should I be changing my /etc/passwd files to something else? I noticed in the pam_chroot section it said I could use it instead of jk_chrootsh, so maybe that should be removed?

Anything else obvious that I have missed?

Thanks,

--
Paul
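As an added example (not code from this thread or from the jailkit project), here is a small POSIX sh checker for the two passwd entries discussed above: the host entry, whose home has to be in the "<jail>/./<dir>" form with jk_chrootsh as shell, and the entry inside <jail>/etc/passwd with the same uid/gid, the inner path as home and jk_lsh as shell. It also checks for the two files the reply found had to be present inside the jail. The passwd lines are constructed here with a placeholder password field, /mnt is the jail path from the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from jailkit: consistency check for
# the host and in-jail passwd entries of a jailkit user. The two lines below
# are constructed in the thread's format; the password field is the
# placeholder 'x', not a real hash.
HOST_LINE='chrootuser:x:1003:1003:Linux User,,,:/mnt/./home/chrootuser:/usr/sbin/jk_chrootsh'
JAIL_LINE='chrootuser:x:1003:1003:Linux User,,,:/home/chrootuser:/usr/sbin/jk_lsh'

# field N LINE: print field N of a colon-separated passwd line.
field() {
    printf '%s\n' "$2" | cut -d: -f"$1"
}

# check_host_entry JAIL LINE: the host /etc/passwd entry must have its home
# in the "<jail>/./<dir inside jail>" form and jk_chrootsh as its shell.
check_host_entry() {
    jail=$1
    home=$(field 6 "$2")
    shell=$(field 7 "$2")
    case "$home" in
        "$jail"/./?*) ;;
        *) echo "host home '$home' is not of the form $jail/./<dir>" >&2; return 1 ;;
    esac
    if [ "$shell" != /usr/sbin/jk_chrootsh ]; then
        echo "host shell '$shell' should be /usr/sbin/jk_chrootsh" >&2
        return 1
    fi
    return 0
}

# check_jail_entry JAIL HOST_LINE JAIL_LINE: the entry in <jail>/etc/passwd
# must carry the same name, uid and gid as the host entry, a home equal to the
# host home with the "<jail>/." prefix stripped, and jk_lsh as its shell.
check_jail_entry() {
    jail=$1
    for n in 1 3 4; do
        if [ "$(field "$n" "$2")" != "$(field "$n" "$3")" ]; then
            echo "field $n differs between host and jail entry" >&2
            return 1
        fi
    done
    host_home=$(field 6 "$2")
    want=${host_home#"$jail"/.}      # "/mnt/./home/x" -> "/home/x"
    jail_home=$(field 6 "$3")
    if [ "$jail_home" != "$want" ]; then
        echo "jail home '$jail_home' should be '$want'" >&2
        return 1
    fi
    if [ "$(field 7 "$3")" != /usr/sbin/jk_lsh ]; then
        echo "jail shell should be /usr/sbin/jk_lsh" >&2
        return 1
    fi
    return 0
}

# check_jail_files JAIL: the files the reply above had to provide by hand
# inside the jail: an etc/passwd file and a dev/null character device.
check_jail_files() {
    jail=$1
    ok=0
    [ -f "$jail/etc/passwd" ] || { echo "$jail/etc/passwd missing" >&2; ok=1; }
    [ -c "$jail/dev/null" ] || { echo "$jail/dev/null missing or not a char device" >&2; ok=1; }
    return $ok
}

# Run against the constructed lines; call check_jail_files with a real jail
# path (e.g. /mnt) on the target system to check its files as well.
check_host_entry /mnt "$HOST_LINE" && check_jail_entry /mnt "$HOST_LINE" "$JAIL_LINE" \
    && echo "passwd entries consistent for jail /mnt"
```

On a real system, replace the two constructed lines with "grep '^chrootuser:' /etc/passwd" and "grep '^chrootuser:' /mnt/etc/passwd"; the checks reject the variant from the original message where both homes were set to "/", since the host home then lacks the "/mnt/./" prefix that jk_chrootsh uses to find the jail.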