Ferry Boender


Jailing SFTP/SCP

Thursday, August 9th, 2007

Here's how to set up a jailed / chrooted SFTP/SCP environment for a single user:

Note: This is somewhat Debian-specific in places, but it should work for other distributions too. You may need to tweak the jailkit configuration in /etc/jailkit/jk_init.ini a bit.

Jailkit (http://olivier.sessink.nl/jailkit/index.html#download) is an awesome tool that lets you set up minimal jails: it inspects which libraries a binary uses and copies them, the binaries and some other directories to a separate directory, which can then be used as a chrooted environment.

Get Jailkit and install it:

$ wget http://olivier.sessink.nl/jailkit/jailkit-2.4.tar.bz2
$ tar -xjf jailkit-2.4.tar.bz2
$ cd jailkit-2.4
$ ./configure
$ make
$ make install

Now create a new regular user as you normally would. In a moment, we'll use jailkit to move this user to the jail.

$ adduser --disabled-password public

Set up the jail. You can't do this in /home! (You can move everything to /home later if you want to).

$ mkdir /jail
$ chown root:root /jail
$ chmod 755 /jail
$ jk_init -v -j /jail/public/ sftp scp jk_lsh

This copies all the library files sftp and scp need to /jail/public. If you look at /etc/jailkit/jk_init.ini, you'll see sections there for the sftp, scp and jk_lsh programs. Among other things, they list the directories to include in the copy. jk_lsh is a minimal shell for the jail that restricts which commands can be run inside it. In this case, it will limit commands to sftp and scp.

Now, we move the public user to the jail:

$ jk_jailuser -m -j /jail/public/ public

Edit the /jail/public/etc/jailkit/jk_lsh.ini file and list the programs the jailed user may run. In this case, scp and sftp-server.

paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/lib/openssh/sftp-server

Just to be sure, check if the executables exist:

$ ls /jail/public/usr/lib/openssh/sftp-server
$ ls /jail/public/usr/bin/scp

If you want, move /jail/public to /home/ and edit /etc/passwd to reflect this change.

$ mv /jail/public /home/public
$ vim /etc/passwd

In /etc/passwd, change the home directory for user public from /jail/public/./home/public to /home/public/./home/public (yes, that's correct). Then remove the now-empty /jail directory:

$ rmdir /jail/


If you want to add public key authentication:

$ mkdir /home/public/home/public/.ssh
$ chown public:public /home/public/home/public/.ssh
$ vim /home/public/home/public/.ssh/authorized_keys2

Add the public key to the authorized_keys2 file.

You can make directories from outside the jail available inside it using a bind mount (adjust the target path if you moved the jail to /home/public):

$ mount --bind /storage/sound/mp3/ /jail/public/home/public/mp3/

The result?

[todsah@jib]~$ sftp public@sharky
Connecting to sharky...
sftp> ls
sftp> ls /
/dev   /etc   /home  /lib   /usr
sftp> ls mp3
mp3/10 CC                                                             mp3/Aeternus
mp3/After Forever                                                     mp3/Air
mp3/Alborada                                                          mp3/Alter Bridge
mp3/Aphix Twin                                                        mp3/Apocalyptica
mp3/Arch Enemy                                                        mp3/Autumn
mp3/Bachmann Turner Overdrive                                         mp3/Beethoven

There's tons of other cool stuff you can do with Jailkit. Check out the HowTos on the Jailkit homepage.

Oh, and the size?:

[root@sharky]/home# du -hs public/
4.1M    public/

Update! Important!

Remember that you need to regularly run jk_update -j /jail/public/ (or use /home/public/ if you moved the jail) to update the files in the jail! The jail contains files (libraries, executables) that are copies of those on the main system, so security fixes applied to the main system aren't reflected in the jail until you run jk_update!
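
As an added example (not part of the original post and not shipped with Jailkit), this script automates the "check if the executables exist" step and flags jail files that no longer match the host's copies, which is the condition jk_update fixes. The function names and the script name are made up for this sketch, and it assumes the jk_lsh.ini layout shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Jailkit jail.
# Function names are made up for this sketch.

# List the paths on the "executables=" line(s) of a jk_lsh.ini, one per line.
lsh_executables() {
    sed -n 's/^[[:space:]]*executables[[:space:]]*=//p' "$1" |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Print "MISSING <path>" for every allowed executable absent from the jail.
missing_executables() {
    jail=${1%/}
    lsh_executables "$jail/etc/jailkit/jk_lsh.ini" |
        while IFS= read -r exe; do
            [ -x "$jail$exe" ] || echo "MISSING $exe"
        done
}

# Compare binaries and libraries in the jail with the host's copies.
# "STALE"  = content differs (e.g. the host was patched, the jail was not);
# "NOHOST" = the file no longer exists on the host at all.
# $2 is the host root, "/" in real use; the override exists for testing.
stale_files() {
    jail=${1%/}; host=${2%/}
    for dir in bin lib lib64 usr; do
        if [ -d "$jail/$dir" ]; then find "$jail/$dir" -type f; fi
    done |
        while IFS= read -r f; do
            rel=${f#"$jail"}
            if [ ! -e "$host$rel" ]; then
                echo "NOHOST $rel"
            elif ! cmp -s "$f" "$host$rel"; then
                echo "STALE $rel"
            fi
        done
}

audit_jail() {
    missing_executables "$1"
    stale_files "$1" "${2:-/}"
}

# Run only when a jail path is given, e.g.: sh jail_audit.sh /jail/public
if [ "$#" -ge 1 ]; then audit_jail "$@"; fi
```

Run it from cron as root; any output means the jail needs attention, and STALE lines in particular mean a jk_update is overdue.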

The text of all posts on this blog, unless specifically mentioned otherwise, is licensed under this license.