[Jailkit-dev] [bug #60178] sftp account is not limited at all on CentOS
From: Ming Wu
Subject: [Jailkit-dev] [bug #60178] sftp account is not limited at all on CentOS 8
Date: Sat, 6 Mar 2021 22:37:02 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Follow-up Comment #4, bug #60178 (project jailkit):
By following your comment on "sftp internally", I nailed down the problem:
It is this line
Subsystem sftp internal-sftp
in /etc/ssh/sshd_config that breaks the jail.
There is still an issue: user mike got "Connection closed" for sftp.
Thanks a lot for the help on solving this jail break problem!
-----------------------------------------
# Experiment #1
1. content of /etc/ssh/sshd_config on CentOS 8
[root@tpc8 ~]# cat /etc/ssh/sshd_config | tail -7
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpgrp
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp
# Please note that we are using internal-sftp here.
2a. ssh on Ubuntu 20.04.2
$ ssh mike@10.168.139.33
mike@10.168.139.33's password:
Last login: Sun Mar 7 03:06:08 2021 from 10.168.128.164
Connection to 10.168.139.33 closed.
2b. output of journalctl -f | grep jk_ on CentOS 8
# journalctl -f |grep jk_
Mar 07 03:10:53 tpc8 jk_chrootsh[1432]: now entering jail /srv/sftpjail for user mike (1006) with arguments
3a. sftp on Ubuntu 20.04.2
$ sftp mike@10.168.139.33
mike@10.168.139.33's password:
Connected to 10.168.139.33.
sftp> pwd
Remote working directory: /srv/sftpjail/home/mike
sftp> cd /var/www/html
sftp> get index.php a3.txt
Fetching /var/www/html/index.php to a3.txt
/var/www/html/index.php 100% 1228 129.0KB/s 00:00
sftp> bye
# mike successfully downloaded a file: jail broken
3b. output of journalctl -f | grep jk_ on CentOS 8
nothing
# this indicates that user mike is not jailed for sftp at all.
----------
# Experiment #2
1. content of /etc/ssh/sshd_config on CentOS 8
[root@tpc8 ~]# cat /etc/ssh/sshd_config | tail -7
Subsystem sftp /usr/libexec/openssh/sftp-server
#Subsystem sftp internal-sftp
Match Group sftpgrp
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp
# Please note that we are not using internal-sftp here
2a. ssh on Ubuntu 20.04.2
usr00@ubu00:~$ ssh mike@10.168.139.33
mike@10.168.139.33's password:
Last login: Sun Mar 7 03:10:53 2021 from 10.168.128.164
Connection to 10.168.139.33 closed.
2b. output of journalctl -f | grep jk_ on CentOS 8
# journalctl -f |grep jk_
Mar 07 03:19:13 tpc8 jk_chrootsh[1490]: now entering jail /srv/sftpjail for user mike (1006) with arguments
3a. sftp on Ubuntu 20.04.2
usr00@ubu00:~$ sftp mike@10.168.139.33
mike@10.168.139.33's password:
Connection closed
# mike cannot sftp at all
3b. output of journalctl -f | grep jk_ on CentOS 8
Mar 07 03:20:25 tpc8 jk_chrootsh[1737]: now entering jail /srv/sftpjail for user mike (1006) with arguments -c /usr/libexec/openssh/sftp-server
# this indicates that user mike is jailed for sftp.
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?60178>
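
Added example (not part of the original message and not Jailkit code): a small Python check for the condition the two experiments above isolate, where sshd serves SFTP in-process through internal-sftp, so the login shell (jk_chrootsh) never runs, and no ChrootDirectory applies to the user. The function names and the group set passed in are assumptions; the message does not show mike's group membership, and only exact "Match Group" lists are handled.

```python
# Added example: flag an sshd_config under which SFTP never runs the login shell.
# Constructed sample: the sshd_config tail shown in Experiment #1.
SAMPLE_CONFIG = """\
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpgrp
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory %h
ForceCommand internal-sftp
"""


def parse_sshd_config(text):
    """Split config text into global options and Match blocks (keywords lower-cased)."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = {"criteria": value.split(), "opts": {}}
            blocks.append(current)
            continue
        if key == "subsystem":  # keep one entry per subsystem name
            sub = value.split(None, 1)
            key, value = "subsystem:" + sub[0], (sub[1] if len(sub) > 1 else "")
        # sshd keeps the first value it reads for a keyword
        (current["opts"] if current else global_opts).setdefault(key, value)
    return global_opts, blocks


def sftp_skips_login_shell(text, user_groups):
    """True if SFTP for this user is served in-process by sshd with no ChrootDirectory."""
    global_opts, blocks = parse_sshd_config(text)
    effective = {}
    for block in blocks:  # assumption: only exact "Match Group a,b" criteria are handled
        crit = block["criteria"]
        if (len(crit) == 2 and crit[0].lower() == "group"
                and set(crit[1].split(",")) & set(user_groups)):
            for key, value in block["opts"].items():
                effective.setdefault(key, value)
    for key, value in global_opts.items():  # matched Match values override global ones
        effective.setdefault(key, value)
    command = effective.get("forcecommand") or effective.get("subsystem:sftp", "")
    in_process = command.split()[:1] == ["internal-sftp"]
    chrooted = effective.get("chrootdirectory", "none").lower() != "none"
    return in_process and not chrooted
```

With the Experiment #1 configuration and a user outside sftpgrp the check returns True; with the Experiment #2 configuration it returns False, because the external sftp-server is started through the user's login shell.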