jailkit-users

[Jailkit-users] Jailkit with no usermod, possibly using pam_chroot


From: Paul Gildea
Subject: [Jailkit-users] Jailkit with no usermod, possibly using pam_chroot
Date: Wed, 18 Dec 2019 13:02:41 +0000

Hi,

I am trying to limit a user to only be able to scp in a chroot, no ssh. I want their default directory to be /mnt. I initially used pam_chroot and scp worked, but this still gave the user access to ssh. So I'm trying to either use pure jailkit or a combination of jailkit and pam_chroot so that I can disable ssh.

I followed the howto guide to try and just use jailkit and was able to set up everything apart from jailing the user. I'm on an embedded system that does not have usermod so jailing the user fails. I used jk_init to copy scp (checked that the right dependencies were copied) and jk_lsh to the jail (/mnt), created a user, manually altered /etc/passwd and /mnt/etc/passwd, created a home directory belonging to them in the jail. 

Add a user to the scp section to have it also copied over to /mnt/etc/passwd.
E.g. users = chrootuser

jk_init -j /mnt scp jk_lsh

inside /mnt
mkdir home
chown chrootuser home
chgrp chrootuser home
cd home/
mkdir chrootuser
chgrp chrootuser chrootuser/
chown chrootuser chrootuser/

/etc/passwd
chrootuser:aOMaK6TXMYtOs:1003:1003:Linux User,,,:/mnt/./home/chrootuser:/usr/sbin/jk_chootsh
/mnt/etc/passwd
chrootuser:aOMaK6TXMYtOs:1003:1003:Linux User,,,:/home/chrootuser:/usr/sbin/jk_lsh

Currently when I try and scp I enter the user password, which is accepted, but the command just returns to the prompt with no errors and nothing in the logs. So I thought I'd just use pam_chroot to jail the user. Since I have not jailed the user, I am guessing that is why it returns nothing? Unless I am missing something else.


So I enable pam_chroot to create the jail and I get the following complaint:

scp:
chrootuser@192.168.11.2's password: 
Could not chdir to home directory /mnt/./home/chrootuser: No such file or directory

I am guessing that pam_chroot is chrooting to /mnt, as that is what is set up in its chroot file, so at that point there is no "/mnt" since it has become /?

/etc/security/chroot.conf:
chrootuser /mnt


So I changed /etc/passwd to:
chrootuser:aOMaK6TXMYtOs:1003:1003:Linux User,,,:/:/usr/sbin/jk_chrootsh
and /mnt/etc/passwd to:
chrootuser:aOMaK6TXMYtOs:1003:1003:Linux User,,,:/:/usr/sbin/jk_lsh

The behaviour then reverts to me trying to scp and it just returning to the prompt with no errors.
Should I be changing my /etc/passwd files to something else? I noticed in the pam_chroot section it said I could use it instead of jk_chrootsh, so maybe that should be removed?

Anything else obvious that I have missed?

Thanks,

--
Paul
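
A consistency check for the two pairs of passwd entries quoted above, as an added example that is not part of the original post or of jailkit. It checks only the jk_chrootsh convention (jail root and in-jail home separated by "/./" in the host home field, shell taken from the jail's passwd) and does not model pam_chroot; the `INSTALLED` set and the helper names are assumptions made for the example.

```python
import os

def parse(line):
    """Split one passwd(5) line into the fields this check needs."""
    name, _pw, uid, gid, _gecos, home, shell = line.strip().split(":")
    return {"name": name, "uid": uid, "gid": gid, "home": home, "shell": shell}

def check_jail_entries(host_line, jail_line, exists=os.path.exists):
    """Return problems found in a host/jail passwd pair meant for jk_chrootsh."""
    host, jail = parse(host_line), parse(jail_line)
    problems = []
    if not exists(host["shell"]):
        problems.append("host shell %s not found" % host["shell"])
    # jk_chrootsh takes the jail root from the home field: <jail>/./<home in jail>
    root, marker, inner = host["home"].partition("/./")
    if not marker:
        problems.append("host home %s has no /./ jail marker" % host["home"])
        return problems  # without a jail root the remaining checks cannot run
    if jail["home"] != "/" + inner:
        problems.append("jail home %s != /%s" % (jail["home"], inner))
    if (host["uid"], host["gid"]) != (jail["uid"], jail["gid"]):
        problems.append("uid/gid differ between host and jail passwd")
    # The shell named in the jail's passwd is looked up inside the jail.
    if not exists(root + jail["shell"]):
        problems.append("jail shell %s not found" % (root + jail["shell"]))
    return problems

# Constructed: binaries assumed installed on the host and copied into /mnt.
INSTALLED = {"/usr/sbin/jk_chrootsh", "/mnt/usr/sbin/jk_lsh"}
# Entries as typed in the post; password field replaced with "x".
PREFIX = "chrootuser:x:1003:1003:Linux User,,,:"
FIRST = (PREFIX + "/mnt/./home/chrootuser:/usr/sbin/jk_chootsh",
         PREFIX + "/home/chrootuser:/usr/sbin/jk_lsh")
SECOND = (PREFIX + "/:/usr/sbin/jk_chrootsh", PREFIX + "/:/usr/sbin/jk_lsh")

if __name__ == "__main__":
    for label, (host, jail) in (("first", FIRST), ("second", SECOND)):
        found = check_jail_entries(host, jail, INSTALLED.__contains__)
        print(label, found or "ok")
```

On a real system, call `check_jail_entries` with the default `exists` so the shell paths are tested against the actual filesystem.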






