Chrooted SSH on Virtualmin GPL

Last Updated on Saturday, 28 November 2009 22:21 Written by Joe Aldeguer Thursday, 16 April 2009 16:23

Recently a web site owner requested SSH access, immediately I felt my heart rate increased a notch. The problem with giving a regular user SSH access once their able to SSH into the box they are able to wander about the system or into other user's home directories if permissions are not set to 750. In a shared web hosting environment this is unacceptable. I needed a solution and that is chrooting SSH, which apparently from what I have heard is no easy task to implement. I spent hours searching online, reading forums, working through different tutorials but still not getting any closer to achieving what I wanted. To which at one point I got really tempted to take the easy way and just inform the web site owner we only allow SFTP, SCP and Webmin. Well almost, not wanting to feel less of a Systems Admin I decided to give it one last try that was when I came across Jailkit. It turned out to be the exact chrooting solution I was looking for!

Disclaimer: I am not responsible for any security risk that can come about following this tutorial nor from software programs used in the tutorial. There is no guarantee this will work for you the information provided is for author's personal use.

This is how I implemented Jailkit on a Debian Lenny server with Virtualmin GPL installed. Virtualmin was installed using the manual method. Words in italics are commands to run on a shell.

Note: After the user has been jailed he will no longer be able to manage some of the admin tasks using his webmin account. The Webmin root account is not affected. Setting up e-mail delivery to a jailed user account is not covered by this tutorial.

Download Jailkit.

cd /usr/local/src

wget http://olivier.sessink.nl/jailkit/jailkit-2.7.tar.gz

md5sum jailkit-2.7.tar.gz  should produce: a4654d323bd2dd75fded9cf245b6ed25 

tar -xzvf jailkit-2.7.tar.gz

cd /jailkit-2.7

./configure
make
make install

Newer versions of jailkit no longer requires you to create the root of the chroot jail it will now do so when you run jk_init.

/home/jail  (Owned by user root group root.)

After creating a new virtual domain using Virtualmin I will place the owner of the virtual host into a chroot jail.

Before running jk_init I want to make sure the defaults matches the environment of my operating system.

vi /etc/jailkit/jk_init.ini

Find the line [sftp] I'll change this to.

[sftp]
comment = ssh secure ftp
# paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server
paths = /usr/lib/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null

I will also add unzip as one of the utilities available for the user to use.

[extendedshell]

paths = /usr/bin/awk, /usr/bin/bzip2, /usr/bin/bunzip2, /usr/bin/ldd, /usr/bin/less, /usr/bin/clear, /usr/bin/cut, /usr/bin/du, /usr/bin/find, /usr/bin/head, /usr/bin/less, /usr/bin/md5sum, /usr/bin/nice, /usr/bin/sort, /usr/bin/tac, /usr/bin/tail, /usr/bin/tr, /usr/bin/sort, /usr/bin/wc, /usr/bin/watch, /usb/bin/whoami, /usr/bin/unzip

I want to give the owner of the virtual host access to some utilities in the chroot jail. Running jk_init will copy all required files to run the programs in the chroot jail. No need to run ldd for each program to find out which files and libraries need to be copied over to the chroot jail. I'll leave all the tedious work to jk_init!

This will copy all of the utilities made available in the jk_init.ini file and create the /home/jail.

Time to run jk_init.

jk_init -v -j /home/jail basicshell editors extendedshell netutils ssh sftp scp

Now time to jail the user. (Owner of the virtual host I just created.  The script also deletes the original location /home/example after it moves it into the jail /home/jail/home. Repeat the process for other user accounts to be jailed.)

jk_jailuser -m -j /home/jail  example (If running this you get an error could not find jk_lsh just copy /usr/sbin/jk_lsh  into /home/jail/usr/sbin)

jk_jailuser -m -s /bin/bash -j /home/jail example (This method will add the bash shell for the user)

Checking the /etc/passwd will show the following:

vi /etc/passwd

example:x:1006:1006::/home/jail/./home/example:/usr/sbin/jk_chrootsh

Also the /tmp directory should be available for all users in the jail.

mkdir /home/jail/tmp
chmod a+rwx /home/jail/tmp

The contents of /home/jail/etc/passwd

vi /home/jail/etc/passwd (Also delete the line where it contains root.)

example:x:1006:1006::/home/example:/usr/sbin/jk_lsh 

Very important this is the way it should appear.

example:x:1006:1006::/home/example:/bin/bash (Replace example with your user account. Failure to do so will cause your ssh connection to be dropped.)

The contents of /home/jail/etc/group

vi /home/jail/etc/group

example:x:1006:

I'll the ran jk_check for security problems but first i need to adjust the jk_check.ini file to reflect the correct path to my jail location.

vi /etc/jailkit/jk_check.ini

[/home/jail]
ignorepathoncompare = /home/jail/home, /home/jail/etc, /home/jail/tmp/
ignorewritableforgroup = /home/jail/tmp
ignorewritableforothers = /home/jail/tmp

If I need to add a utility which a user needs I can easily add the utility  by using jk_cp.

jk_cp -j /home/jail   /usr/bin/unzip

This will add the unzip utility from /usr/bin/unzip into /home/jail/usr/bin/unzip. Amazingly simple!

I should be able to ssh into the server now.  If unable to succesfully connect check the logs /var/log/auth.log for any clues.

ssh -l example example.com

Doing an ls -a  I can see contents of my home directory inside the jail. You may have noticed the user can still move about outside of his home directory and see the directories /etc /bin /dev /var etc. What he sees are actually directories inside the jail. Not the actual system directories of the server. For further chroot explanations click here.

 

 

 

 

I am also able to use WinSCP.

 

 

 

 

 

 

 

 

 

 

 

 

I also tried SFTP using Filezilla.

 

 

 

 

 

 

 

 

 

 

 

 

I will now have to tell apache2 the new location of my /public_html directory.

 

Go to Servers | Apache Server | Virtual Server (Virtual website being chroot.) Browse to the new location of the document root. Click Save, Then Apply Changes.

 

 

 

 

 

 

I will also adjust the location of where apache2 writes the logs. Go to Servers | Apache Server | Virtual Server | Edit Directives. Change the path to what is high lighted in blue. Adjust to reflect the actual path in your server. Click Save then Apply Changes.

ErrorLog /home/jail/home/example/logs/error_log
CustomLog /home/jail/home/example/logs/access_log combined

 

 

 

 

 

 

Something to keep in mind whenever you delete a virtual website you will also need to go into /home/jail/home/ to manually delete the user account.  The Virtualmin delete script won't do this for you.  Create a scheduled backup for your new home directory location. You will have to use Webmin's File system module to backup the directories.  Use Webmin MySQL module to create database backups . You cannot use Virtualmin's schedule backups any longer since the home directory locations have changed.

Thanks to Jailkit's developer Olivier Sessink, implementing Chroot SSH was incredibly easy!

Jailkit config files available for download. Rename the files to remove the .txt before uploading to your server. Make the necessary changes to match your OS.

bait@aldeguer.us