Ssh – Jailkit not allowing SSH connections

chroot debian ssh

I'm trying to set up jailkit on one of my servers which is running Debian 5. I created a new ssh user (bob) and a chroot directory for him (/var/www/bob). I gave the chroot the extshellplusnet and limitedshell options with the following commands:

jk_init -c /etc/jailkit/jk_init.ini -j /var/www/bob/ extshellplusnet
jk_init -c /etc/jailkit/jk_init.ini -j /var/www/bob/ limitedshell

And then I jailed him:

jk_jailuser -m -j /var/www/bob bob

When I try to ssh in as bob, it connects, I get the banner, and then it disconnects. My auth.log looks like this:

Aug 25 05:04:36 server sshd[29885]: Accepted password for bob from 123.45.6.7 port 50624 ssh2
Aug 25 05:04:36 server sshd[29885]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Aug 25 05:04:36 server jk_chrootsh[29942]: now entering jail /var/www/bob for user bob (1001) with arguments 
Aug 25 05:04:36 server sshd[29885]: pam_unix(sshd:session): session closed for user bob

My non-jailed users work just fine, and I don't seem to be getting any permission errors. Any ideas?

Best Answer

First, turn your SSH logs up to DEBUG3 by replacing, in the sshd_config file, LogLevel INFO with LogLevel DEBUG3.

You will see more information about why SSH closed the connection.

Then ensure you have everything the shell needs to run in the chrooted environment:

  • The user home is there with the right permissions
  • Everything the shell needs to launch is in the chroot directory (shell executable and all libraries)
  • All the components such as passwd, group, hosts, nsswitch.conf, resolv.conf, shadow are in /var/www/bob/etc
  • The null pseudo device is in the /var/www/bob/dev directory. You can create it by typing: mknod /var/www/bob/dev/null c 1 3
  • Then, if it still does not work, I recommend you debug your chroot environment with the strace command.

strace chroot /var/www/bob/ /bin/bash
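
The checklist in the answer above can be run as one script. This is an added example, not part of the original answer or of jailkit: `jail_audit` is a hypothetical helper name, and the script assumes the jailed user's home and shell are the ones recorded in the passwd file inside the jail.

```shell
#!/bin/sh
# Added example: audit a chroot jail against the checklist in the answer.
# Usage: jail_audit JAIL USER   -> prints one "MISSING ..." line per problem
#        and returns the number of problems as its exit status.
jail_audit() {
    local jail="${1%/}" user="$2" problems=0 entry home shell f lib

    miss() { echo "MISSING $*"; problems=$((problems + 1)); }

    # Files the answer lists under <jail>/etc
    for f in passwd group hosts nsswitch.conf resolv.conf shadow; do
        [ -f "$jail/etc/$f" ] || miss "etc/$f"
    done

    # /dev/null must be a character device (mknod <jail>/dev/null c 1 3)
    [ -c "$jail/dev/null" ] || miss "dev/null (character device)"

    # Assumption: home and shell are read from the passwd file inside the jail
    entry=$(grep "^$user:" "$jail/etc/passwd" 2>/dev/null | head -n 1)
    if [ -z "$entry" ]; then
        miss "passwd entry for $user"
    else
        home=$(echo "$entry" | cut -d: -f6)
        shell=$(echo "$entry" | cut -d: -f7)
        [ -d "$jail$home" ] || miss "home directory $home"
        if [ ! -x "$jail$shell" ]; then
            miss "shell $shell"
        elif command -v ldd >/dev/null 2>&1; then
            # Every library the shell links against must also exist in the jail
            for lib in $(ldd "$jail$shell" 2>/dev/null | grep -o '/[^ ]*'); do
                [ -e "$jail$lib" ] || miss "library $lib"
            done
        fi
    fi
    return "$problems"
}

# Run directly as: sh jail_audit.sh /var/www/bob bob
if [ "$#" -ge 2 ]; then jail_audit "$@"; fi
```

An empty report with exit status 0 means the static checklist passes; a session that still closes immediately then calls for the DEBUG3 log and the strace run.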
