How to Create Jailed ssh User with Jailkit on Debian Wheezy

February 9, 2015 | By
| 1 Reply More

Hi there, today we'll be creating a jailed ssh user with Jailkit on a Debian Wheezy box. Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.

Jailkit is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes.

1. Installing JailKit

Firstly, We'll gonna download and install the Jailkit.

$ cd /tmp
$ wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz
$ tar xvfz jailkit-2.17.tar.gz
$ cd jailkit-2.17

downloading and extracting jailkit

Note: Please replace jailkit-2.17 with the version of jailkit you are gonna install.

As Jailkit requires some packages before its installation, we will gonna install them as follows:

$ sudo apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold python

 installing dependencies

Now our system is ready to install the Jailkit, install it as follows:

$ ./debian/rules binary
$ cd ..
$ dpkg -i jailkit_2.17-1_i386.deb

installing jailkit

It will install the Jailkit in Debian Server, we can remove the extra packages from /tmp:

$ rm -rf /tmp/jailkit*

2. Configuring the jail environment

There needs to be a directory where the whole jail environment will be setup. Lets do it in /opt/jail. This can be whatever.

$ sudo mkdir /opt/jail

Root should own this directory. So chown it out.

$ sudo chown root:root /opt/jail

3. Enabling the programs to be available inside the jail

All the programs that need to be available in the jail need to be copied inside it using the jk_init command.
Example

$ sudo jk_init -v /opt/jail netutils basicshell jk_lsh openvpn ssh sftp

enabling programs for jail users

The names like basicshell , editors , netutils are groups that contain multiple programs. Each group is a set of executable files, libraries etc to be copied into the shell. For example, the section basicshell provides many programs like bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep etc in the jail.

For a complete list of sections that can be setup, have a look at /etc/jailkit/jk_init.ini.

4. Create the user who will be jailed

Need a user to put inside the jail. Lets create one

$ sudo adduser arun

Note that this is a normal user who is created in the actual filesystem and not inside the jail.
In the next step this user shall be imprisoned inside the jail.

At this point if you take a look at /etc/passwd you get to see an entry at the end that looks like this

arun:x:1006:1005:,,,:/home/arun:/bin/bash

This is our new user and the last part /bin/bash indicates that the user has a normal shell access on the system, if he logs in.

5. Jail the user

Now its time to put the user inside the jail.

$ sudo jk_jailuser -m -j /opt/jail/ arun

By doing this the user arun has now been jailed.
Now if you take a look at /etc/passwd the last entry would look like this

arun:x:1006:1005:,,,:/opt/jail/./home/arun:/usr/sbin/jk_chrootsh
Note that the last 2 parts that indicate the home user and the shell type have changed. The home directory of the user is now inside the jail environment at /opt/jail. The shell of the user is now a special program called jk_chrootsh that will provide the jailed shell.

It is this particular shell called jk_chrootsh that takes the user inside the jail, every time he logs onto the system.

The jail setup by now is nearly done. But if you try to connect to id from ssh, it will fail like this :

$ ssh arun@localhost

connection closed

The connection shall close. This happens because the user actually has a limited shell.

6. Give bash shell to user inside the jail

Now, the important thing we'll need to do is to provide user a proper bash shell, but inside the jail.
Open the following file

$ sudo nano /opt/jail/etc/passwd

Its the password file inside the jail. It would look somewhat like this

root:x:0:0:root:/root:/bin/bash
arunp:x:1006:1001:arun pyasi,001,,:/home/arunp:/usr/sbin/jk_lsh

change jk_lsh to bash

Change the /usr/sbin/jk_lsh to /bin/bash

root:x:0:0:root:/root:/bin/bash
arun:x:1006:1005:,,,:/home/arun:/bin/bash

Save the file and exit.

7. Login to the jail

So now its time to login into the jail again

$ ssh arun@localhost

ssh login success

Now we have a fully functional bash shell but inside the jail.Now check the environment by moving around. The root / of the jailed environment is /opt/jail of the real file system. But its only we who knows that, not the jailed user.

Also only the commands that were copied via jk_cp sections will be available in this jail. If the login fails, then check /var/log/auth.log for error messages.

Now try running some network command like wget or anything similar.

$ wget http://www.google.com/

If you get an error like this :

$ wget http://www.google.com/
--2012-06-23 12:56:43-- http://www.google.com/
 Resolving www.google.com (www.google.com)... failed: Name or service not known.
 wget: unable to resolve host address `www.google.com'

Fix it by running the following 2 commands :

$ sudo jk_cp -v -j /opt/jail /lib/x86_64-linux-gnu/libnss_files.so.2
$ sudo jk_cp -v -j /opt/jail /lib/x86_64-linux-gnu/libnss_dns.so.2

The exact location of the libnss_files.so and libnss_dns.so can vary so check.

8. Running programs or services in the jail

Now the setup is complete. Jails are useful to run programs or services in a restricted/secure environments. To launch a program or daemon inside the jail use the jk_chrootlaunch command.

$ sudo jk_chrootlaunch -j /opt/jail -u arun -x /some/command/in/jail

The jk_chrootlaunch utility can be used to launch a particular process inside the jail environment with privileges of the specified user. If the daemon fails to start, check /var/log/syslog for error messages.

To run the program inside the jail, the program must first be fully copied inside the jail using the jk_cp command.

jk_cp - a utility to copy files including permissions and libraries into a jail

Conclusion

So, finally we have created a working jailed ssh with the help of Jailkit in our Debian Wheezy Server.It limited to some specific command, or a daemon inside a chroot jail with automated utilities. For further information about various jailkit commands, check the documentation on olivier website. If you have any problem, queries or questions please comment below without hesitation so that we can update and improve our blogs and contents more.

Filed Under : NETWORK, SECURITY

Free Linux Ebook to Download

Comments (1)

Trackback URL | Comments RSS Feed

  1. Brian says:

    Hi

    I followed the instructions above and users are successfully created in /opt/jail however they can navigate out of their home folder i.e to /opt/jail/etc and also into other users homes and view their files.

Leave a Reply

Commenting Policy:
Promotion of your products ? Comment gets deleted.
All comments are subject to moderation.