Jailkit, jailing sftp users and scp problems


I needed a way to jail sftp users so I used jailkit 2.0.  There are a
couple of good SOPs on the web for setting it up and for the most
part, my installations were flawless using these SOPs.  However, I ran
into a problem this week dealing with sftp and scp on FC5.

At first, ssh worked fine for jailed users, but sftp and scp did not.
To get sftp to work, I needed to add /dev/null to the chrooted
environment.  I edited the sftp section in /etc/jailkit/jk_init.ini to
look like this:

    [sftp]
    comment = ssh secure ftp
    executables = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /
    includesections = netbasics, uidbasics
    devices = /dev/urandom, /dev/null

Then I ran jk_init -v /jail sftp
Sftp works!

Still had scp problems though.  Scp kept complaining about "user
unknown".  I had to use strace to finally find the problem.  The
symbolic link for /lib64/libnss_compat.so.2 was missing in the /jail
directory.  As root, I cd'd to /jail/lib64 and then created a link for
libnss_compat.so.2 to libnss_compat-2.4.so.

Scp works!  Another symptom of this problem was that when I ssh'd as the
jailed user and issued an ls -l, the effective uid and gid were showing
up instead of the user name and group name.
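An added example (mine, not from the post above and not part of jailkit): a POSIX sh script that audits a jail for the two things the post had to discover by hand. It checks that /dev/null and /dev/urandom exist inside the jail as character devices, and it checks that every NSS module named for the passwd, group and shadow databases in nsswitch.conf (libnss_files.so.2, libnss_compat.so.2, ...) is present under the jail's library directories. glibc loads those modules with dlopen() at run time, so they never appear in `ldd sftp-server` and a jail built from ldd output alone looks complete; that is exactly why strace, not ldd, turned up the missing libnss_compat.so.2. The script name, the list of library directories it searches, and the "fix:" hint it prints are my assumptions.

```shell
#!/bin/sh
# jail_nss_check.sh (hypothetical name): audit a jailkit chroot for the two
# gaps described in the post.  Not part of jailkit.
#
# Why ldd is not enough: glibc chooses its NSS back-ends from
# /etc/nsswitch.conf and loads them with dlopen() at run time, so
# libnss_compat.so.2 and friends never show up in `ldd sftp-server`.
# Without them every uid->name lookup fails inside the jail: scp reports
# "user unknown" and `ls -l` prints numeric owners.

# Library directories searched inside the jail (assumption: covers the
# FC5-era /lib64 layout as well as Debian-style multiarch paths).
JAIL_LIBDIRS="lib lib64 lib/x86_64-linux-gnu usr/lib usr/lib64"

# nss_modules_needed JAIL
# Print the NSS module names referenced by the passwd/group/shadow lines of
# the jail's /etc/nsswitch.conf (falling back to the host's copy), one per
# line, de-duplicated.  Action tokens such as [NOTFOUND=return] are skipped.
# Assumes the usual "passwd: files compat" layout with a space after the colon.
nss_modules_needed() {
    conf="$1/etc/nsswitch.conf"
    [ -f "$conf" ] || conf=/etc/nsswitch.conf
    [ -f "$conf" ] || return 0
    awk '$1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
             for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i
         }' "$conf" | sort -u
}

# jail_has_lib JAIL LIBNAME
# Succeed if LIBNAME exists (regular file or resolvable symlink) in any of
# the JAIL_LIBDIRS below JAIL.
jail_has_lib() {
    for d in $JAIL_LIBDIRS; do
        if [ -e "$1/$d/$2" ]; then
            return 0
        fi
    done
    return 1
}

# check_jail JAIL
# Print one "missing ..." line per problem and return 1 if any were found,
# 0 if the jail is clean.
check_jail() {
    jail=$1
    problems=0
    # 1. device nodes: a regular file named /dev/null is flagged too (-c).
    for dev in null urandom; do
        if [ ! -c "$jail/dev/$dev" ]; then
            echo "missing device node: $jail/dev/$dev"
            problems=$((problems + 1))
        fi
    done
    # 2. NSS modules named in nsswitch.conf but absent from the jail.
    for mod in $(nss_modules_needed "$jail"); do
        lib="libnss_${mod}.so.2"
        if ! jail_has_lib "$jail" "$lib"; then
            echo "missing NSS module: $lib (named in nsswitch.conf, invisible to ldd)"
            # Point at the host's copy so the fix is a one-liner; cp -L
            # follows the so.2 symlink and copies the real object.
            if jail_has_lib / "$lib"; then
                for d in $JAIL_LIBDIRS; do
                    if [ -e "/$d/$lib" ]; then
                        echo "  fix: cp -L /$d/$lib $jail/$d/"
                        break
                    fi
                done
            fi
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Usage: sh jail_nss_check.sh /jail
if [ "$#" -ge 1 ]; then
    check_jail "$1"
fi
```

Run it as root after jk_init and again after any glibc update, since the libnss_*-2.x.so file names change with the glibc version and a stale copy inside the jail will fail to load just as silently as a missing one.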

Re: Jailkit, jailing sftp users and scp problems

On 20 Apr, 19:06, gwart...@gmail.com wrote:

Let me stop you right there. I've previously tried to get chroot jails
integrated into OpenSSH, and had my efforts refused. It's just not
worth the pain these days to try to re-create all that work when
you'll have to do it again, and again, and again for every new OpenSSH

Instead, proceed directly to WebDAV over HTTPS. It works in Windows,
with Konqueror, with LFTP, and you can even mount a filesystem this way
in Linux with FUSE. You get all the Apache access controls, including
integrated PAM or Kerberos, you get good chroot cage behavior, you
get a *VASTLY* better command line interface with LFTP, and it handles
symlinks in a reasonable fashion.
