jailkit-dev

[Jailkit-dev] [bug #60178] sftp account is not limited at all on CentOS


From: Ming Wu
Subject: [Jailkit-dev] [bug #60178] sftp account is not limited at all on CentOS 8
Date: Sat, 6 Mar 2021 22:37:02 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Follow-up Comment #4, bug #60178 (project jailkit):

By following your comment on "sftp internally", I nailed down the problem:

It is this line
Subsystem sftp internal-sftp
in /etc/ssh/sshd_config that breaks the jail.

There is still an issue: user mike got "Connection closed" for sftp.

Thanks a lot for the help on solving this jail break problem!

-----------------------------------------
# Experiment #1
1. content of /etc/ssh/sshd_config on CentOS 8
[root@tpc8 ~]# cat /etc/ssh/sshd_config | tail -7
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpgrp
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory %h
        ForceCommand internal-sftp
# Please note that we are using internal-sftp here.

2a. ssh on Ubuntu 20.04.2
$ ssh mike@10.168.139.33
mike@10.168.139.33's password:
Last login: Sun Mar  7 03:06:08 2021 from 10.168.128.164
Connection to 10.168.139.33 closed.

2b. output of journalctl -f | grep jk_ on CentOS 8
# journalctl -f |grep jk_
Mar 07 03:10:53 tpc8 jk_chrootsh[1432]: now entering jail /srv/sftpjail for user mike (1006) with arguments

3a. sftp on Ubuntu 20.04.2
$ sftp mike@10.168.139.33
mike@10.168.139.33's password:
Connected to 10.168.139.33.
sftp> pwd
Remote working directory: /srv/sftpjail/home/mike
sftp> cd /var/www/html
sftp> get index.php a3.txt
Fetching /var/www/html/index.php to a3.txt
/var/www/html/index.php                             100% 1228   129.0KB/s   00:00
sftp> bye
# mike successfully downloaded a file: jail broken

3b. output of journalctl -f | grep jk_ on CentOS 8
nothing
# this indicates that user mike is not jailed for sftp at all.

----------
# Experiment #2
1. content of /etc/ssh/sshd_config on CentOS 8
[root@tpc8 ~]# cat /etc/ssh/sshd_config | tail -7
Subsystem      sftp    /usr/libexec/openssh/sftp-server
#Subsystem sftp internal-sftp
Match Group sftpgrp
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory %h
        ForceCommand internal-sftp
# Please note that we are not using internal-sftp here

2a. ssh on Ubuntu 20.04.2
usr00@ubu00:~$ ssh mike@10.168.139.33
mike@10.168.139.33's password: 
Last login: Sun Mar  7 03:10:53 2021 from 10.168.128.164
Connection to 10.168.139.33 closed.

2b. output of journalctl -f | grep jk_ on CentOS 8
# journalctl -f |grep jk_
Mar 07 03:19:13 tpc8 jk_chrootsh[1490]: now entering jail /srv/sftpjail for user mike (1006) with arguments

3a. sftp on Ubuntu 20.04.2
usr00@ubu00:~$ sftp mike@10.168.139.33
mike@10.168.139.33's password: 
Connection closed
# mike cannot sftp at all

3b. output of journalctl -f | grep jk_ on CentOS 8
Mar 07 03:20:25 tpc8 jk_chrootsh[1737]: now entering jail /srv/sftpjail for user mike (1006) with arguments -c /usr/libexec/openssh/sftp-server
# this indicates that user mike is jailed for sftp.

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?60178>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
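
The two experiments above differ only in the Subsystem sftp line: internal-sftp is served inside sshd and never runs the account's login shell, while the external sftp-server is started through it (the "-c /usr/libexec/openssh/sftp-server" arguments in the jk_chrootsh log). The following added example, which is not part of the original message or of jailkit, classifies an sftp session under a simplified sshd_config model. The shell path /usr/sbin/jk_chrootsh and mike's group membership (not in sftpgrp) are assumptions, since the message shows neither.

```python
# Added example, not jailkit or OpenSSH code. Simplified sshd_config model: only
# "Subsystem sftp", "Match Group <list>", ChrootDirectory and ForceCommand.
MATCH_BLOCK = """Match Group sftpgrp
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory %h
        ForceCommand internal-sftp
"""
EXPERIMENT_1 = "Subsystem sftp internal-sftp\n" + MATCH_BLOCK
EXPERIMENT_2 = "Subsystem      sftp    /usr/libexec/openssh/sftp-server\n" + MATCH_BLOCK

def parse_sshd_config(text):
    """Return (global_opts, [(group_set, opts), ...]); the first value of a key wins."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()
            is_group = len(crit) == 2 and crit[0].lower() == "group"
            current = {}  # other Match criteria get an empty group set: never applied
            blocks.append((set(crit[1].split(",")) if is_group else set(), current))
        elif key == "subsystem":
            sub = value.split(None, 1)
            if len(sub) == 2 and sub[0] == "sftp":
                global_opts.setdefault("subsystem_sftp", sub[1])
        else:
            (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

def sftp_confinement(config_text, shell, user_groups):
    """Classify what confines an sftp session: 'jailkit', 'sshd-chroot' or 'unconfined'."""
    global_opts, blocks = parse_sshd_config(config_text)
    matched = {}
    for groups, opts in blocks:
        if groups & set(user_groups):
            for k, v in opts.items():
                matched.setdefault(k, v)
    eff = {**global_opts, **matched}  # matching Match blocks override global values
    in_process = "internal-sftp" in (eff.get("forcecommand", "").split()[:1]
                                     + eff.get("subsystem_sftp", "").split()[:1])
    sshd_chroot = eff.get("chrootdirectory", "none").lower() != "none"
    if not in_process and shell.rsplit("/", 1)[-1] == "jk_chrootsh":
        return "jailkit"  # external sftp-server is started through the login shell
    return "sshd-chroot" if sshd_chroot else "unconfined"
```

Calling sftp_confinement(EXPERIMENT_1, "/usr/sbin/jk_chrootsh", ["mike"]) reports the unconfined case seen in Experiment #1; adding "sftpgrp" to the group list shows the case where sshd's own ChrootDirectory applies instead of the jailkit shell.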



