jailkit for chroot ssh account security tutorial and fix for error

This was done on Centos but I think it's easier on Debian machines, the paths that it is set to use are tailored towards Debian, so there is some fiddling that needs to be done on Centos.

This is for chrooting ssh, but jailkit has other uses than just SSH jails but I won't cover them in this writeup.

1. Install jailkit

yum install jailkit

2. Setup Jail Home

mkdir /home/jail
chown root:root /home/jail

3. Enable Jailed Programs For Your Users

jk_init -v -j /home/jail basicshell editors extendedshell netutils ssh sftp scp

You'll see a lot of text scrolling, basically it is copying all the executables and their dependencies to the chroot environment.

For more specialized setups/extra programs you can edit /etc/jailkit/jk_init.ini to enable or add more programs.

4. Enable the Jail on an Existing User

jk_jailuser -m -j /home/jail "testguy"


invalid shell, /home/jail/usr/sbin/jk_lsh does not exist
enter jail directory:

Fix the error with the following:

You need to copy "jk_lsh" and should have done it from the start (bad documentation)

jk_init -v -j /home/jail jk_lsh

 Now you can add whatever use you want to the jail.

And just to confirm notice the changed /etc/passwd entry for testguy:

testguy:x:500:500::/home/jail/./home/testguy:/usr/sbin/jk_chrootsh

5. Finalize Settings

Set the shell you want for your user in /home/jail/etc/passwd

root:x:0:0:root:/root:/bin/bash
testguy:x:500:500::/home/testguy:/usr/sbin/jk_lsh

I don't know why "root" is there, I deleted that line.  I also changed the shell for testguy to bash, and so my new file looks like:

testguy:x:500:500::/home/testguy:/bin/bash

 


Tags:

jailkit, chroot, ssh, tutorial, errorthis, centos, debian, paths, tailored, fiddling, chrooting, jails, writeup, install, yum, mkdir, chown, enable, jailed, programs, users, jk_init, basicshell, editors, extendedshell, netutils, sftp, scp, ll, text, scrolling, copying, executables, dependencies, specialized, setups, edit, etc, ini, existing, user, jk_jailuser, quot, testguy, invalid, shell, usr, sbin, jk_lsh, directory, documentation, passwd, entry, jk_chrootsh, finalize, settings, bin, bash, deleted,

Latest Articles

  • Flash LSI MegaRAID 2208 to IT mode in Linux Mint/Debian/Ubuntu
  • LSI MegaRAID in Linux Ubuntu / Centos Tutorial Setup Guide megacli
  • Convert-im6.q16: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/413. convert-im6.q16: no images defined `pts-time.jpg' @ error/convert.c/ConvertImageCommand/3258. solution ImageMagick P
  • Apache PHP sending expires header solution cannot use cache with CDN
  • How to install virt-manager in Mint 22/Ubuntu 22
  • Infiniband Guide
  • python mysql install error: /bin/sh: 1: mysql_config: not found /bin/sh: 1: mariadb_config: not found /bin/sh: 1: mysql_config: not found mysql_config --version
  • FreePBX 17 How To Add a Trunk
  • Docker Container Onboot Policy - How to make sure a container is always running
  • FreePBX 17 How To Add Phones / Extensions and Register
  • Warning: The driver descriptor says the physical block size is 2048 bytes, but Linux says it is 512 bytes. solution
  • Cisco How To Use a Third Party SIP Phone (eg. Avaya, 3CX)
  • Cisco Unified Communication Manager (CUCM) - How To Add Phones
  • pptp / pptpd not working in DD-WRT iptables / router
  • systemd-journald high memory usage solution
  • How to Install FreePBX 17 in Linux Debian Ubuntu Mint Guide
  • How To Install Cisco's CUCM (Cisco Unified Communication Manager) 12 Guide
  • Linux Ubuntu Redhat How To Extract Images from PDF
  • Linux and Windows Dual Boot Issue NIC Won't work After Booting Windows
  • Cisco CME How To Enable ACD hunt groups