In our world there are many, many secrets… I honestly don't think I can learn enough to know most of them, and this is given by the simple fact that Linux allows us to do so many, but so many things that it is difficult for us to know them all.
This time I will explain how to do something extremely useful, something that many network or system administrators have needed to do, and we have found it difficult to simply not find a fairly simple way to achieve it:
How to cage users connecting via SSH
cage? … WTF!
Yes. If for any reason we must give SSH access to a friend of ours to our computer (or server), we must always take care of the security and stability of our computer or server.
It happens that recently we wanted to give Perseus SSH access to a server of ours, but we cannot give him any type of access because we have really sensitive configurations there (we have compiled many things, packages that we have installed individually, etc ...) and if someone who does not Whether I try to make even the slightest change to the server, there is a possibility that everything will go to waste hehe.
Then, How to create a user with extremely limited privileges, so much so that he can't even get out of his cage (home)?
Let's start by downloading jailkit, a tool that will allow us to do this:
1. First we must download our JailKit server.
wget http://ftp.desdelinux.net/jailkit-2.14.tar.gz
2. Then we must unzip the package and enter the folder that just appeared:
tar xzf jailkit-2.14.tar.gz && cd jailkit-2.14
3. Later we went on to compile and install the software (I leave you screenshot):
./configure
make
make install
4. Ready, this is already installed. Now we go on to create the cage that will contain future users, in my case I created it in: / opt / and called it "jail", so the path would be: / opt / jail :
mkdir /opt/jail
chown root:root /opt/jail
5. The cage is already created, but it does not have all the necessary tools so that future users who will be there can work without problems. I mean, up to this point the cage is created, but it is just an empty box. Now we will put in the cage some tools that caged users will need:
jk_init -v /opt/jail basicshell
jk_init -v /opt/jail editors
jk_init -v /opt/jail extendedshell
jk_init -v /opt/jail netutils
jk_init -v /opt/jail ssh
jk_init -v /opt/jail sftp
jk_init -v /opt/jail jk_lsh
6. Ready, the cage exists and it already has the tools for the user to use ... now we only need ... the user! Let's create the user kira and we will put it in the cage:
adduser kira
jk_jailuser -m -j /opt/jail kira
cat /etc/passwd | grep jk_chroot
If you notice that nothing like the screenshot appears, you must have done something wrong. Leave a comment here and I will gladly help you.
7. And voila, the user is already caged ... but, he is SO caged, that he cannot connect by SSH, because when he tries to connect the server does not allow him:
8. To allow the user to connect we must do one more step.
We must edit the etc / passwd file of the cage, that is, in this case it would be / opt / jail / etc / passwd , in it we comment on the user line that we created, and add a new one such as:
kira: x: 1003: 1003 :: / home / kira: / bin / bash
That is, we would have the file like this Passwd:
root: x: 0: 0: root: / root: / bin / bash
#kira: x: 1003: 1003: ,,,: / opt / jail /./ home / kira: / usr / sbin / jk_lsh
kira: x: 1003: 1003 :: / home / kira: / bin / bash
Notice well the duplicate punctuation marks and others, it is important not to drop any of them 🙂
After doing this, the user can enter without any problem 😀
And that's all.
The tool we use for all this (jailkit) use in the backend chroot, which is actually what almost all tutorials use. However using JailKit it becomes simpler to cage 😉
If someone has a problem or something is not going well, leave as much detail as possible, I do not consider myself an expert but I will help you as much as I can.
So it would be something like the permissions in FTP? interesting
you always come up with everything that you didn't even know existed, like the users in mysql xD
Not exactly, because SSH is not the same as FTP. SSH is a shell, that is, a terminal ... you would be in a terminal on another computer or server, you could execute commands, start processes, etc ... you would do as much as the server administrator allows you 😉
hahahahahaha nah come on, what happens is that I publish more technical things ... that is, I like to publish little things that are not so popular and interesting. For example, I personally do not plan to publish something the day the new Ubuntu comes out, because I believe that many will already talk about it ... however, what you read here in the post, is it not something that is read every day or not? 😀
Very good contributions thank you
there is also a protocol called sftp which is ftp and Secure Shell together, although it is not the same as running FTP over SSH: \
regards
Yes yes indeed, but by caging SSH I automatically cage whoever connects using SFTP, because as you say, SFTP is actually SSH + FTP 😀
regards
The images can not be seen!!! 🙁
A little mistake of mine hehe, tell me now 😀
Ready. Thanks 😀
very good, I point it to my favorites to have it available when I need it lol
Thank you, any questions or problems, we are here to help you 🙂
They have Perseus in a cage. http://i.imgur.com/YjVv9.png
LOL
xD
That such.
You know, it is a subject that I am not very familiar with and that I had been checking in BSD (PC-BSD and Ghost BSD) and I find it very interesting and with functionalities that can be very useful.
I'm going to keep it for reference and check it against the BSD doc. Thanks for the information.
I was not familiar with this either because I never thought of giving someone SSH access to any of my servers haha, but when I found the need to do so, I wanted to give access but without the possibility that someone might do something by mistake must 😀
I have never tried this on BSD systems, so I can't tell you it will work, but if you are looking for how to chroot in BSD, something should come out 😉
Thanks for the comment friend 🙂
Hello, I use FreeBSD and of course jailkit works in fact this in the ports
You install it with this command
cd / usr / ports / shells / jailkit / && make install clean
Or by ftp packet
pkg_add -r jailkit
Only in the configuration (kira: x: 1003: 1003 :: / home / kira: / bin / bash)
You need to add tcsh or sh, unless you have installed bash and add this path
/ usr / local / bin / bash
And a few more details, in Ghost BSD it should be the similar process even simpler as it is based on FreeBSD
regards
Great, I was looking for it; do you know if it works in Centos ?? thanks.
I haven't tested it on Centos, but yes, it should work :)
In fact I remember that several have used this same tool on Centos and Red Hat servers 😉
Thanks a lot. It goes directly to bookmarks.
Thanks to you for commenting 🙂
Very good "trick", super useful for sys administrators. But even better, excellently well written. What more could you want.
Thank you very much for the contribution.
Thank you, thank you very much for your comment 😀
regards
Praise SSH haha
Once I tried to make a cage for ssh but in the traditional style and the truth is that it never came out correctly. If the cage was running, it didn't even have a bash, that is, it connected and there was nothing left haha, if the shell was working, it could go up in the directory hierarchy and a lot of more quilombos haha but this jailkit is a mace, it automates all those things ... recommended
haha thanks.
Yes, actually SSH is all wonderful for what it allows us, which is actually nothing more than what the system allows so ... hooray for Linux! … haha.
Hello, a question!
why change the home from (1) / opt / jail /./ home / kira to (2) / home / kira
We must edit the file etc / passwd of the cage, that is, in this case it would be / opt / jail / etc / passwd, in it we comment on the user line that we created, and add a new one such as:
kira: x: 1003: 1003 :: / home / kira: / bin / bash
In other words, the passwd file would look like this:
root: x: 0: 0: root: / root: / bin / bash
(1) #kira: x: 1003: 1003: ,,,: / opt / jail /./ home / kira: / usr / sbin / jk_lsh
(2) kira: x: 1003: 1003 :: / home / kira: / bin / bash
Hello
If that is not set, the SSH access does not work, the user tries to connect but is automatically expelled ... it seems to be a bug or problem with the interpreter that JailKit brings, because when making this change indicating that it uses the normal bash of the system, everything works .
I still close the ssh session: C
Suse 10.1 x64
Hello I have installed this and it works excellent mind very well in centos = D
but my dua is like ago to add more commands for example to a jail user
can't run svn co command http://pagina.com/carpeta
I mean, this command does not exist for jail users in this case like ago to add these commands to the jail and there are many more that I need to add.
Hello, how are you?
If you want to enable the command «svn» in the Jail you have the command jk_cp
That is:
jk_cp / opt / jail / / bin / svn
This assuming the svn binary or executable is: / bin / svn
And let the Cage / Jail be: / opt / jail /
You will find commands that depend on others, that is, if you add the command «pepe» you will see that you must also add «federico», because «pepe» depends on «federico» to be executed, if you find this then you add the necessary commands and already 😉
That is excellent.
Luck 😀
I have managed to do what you told me but in this way and automatically it has detected me without any problem. This was the command that I used to be able to use the subverision.
jk_cp -j / home / jaul svn
Well I use centos xP and maybe it is different but good
now I would like to know which are the libraries like svn but now I would like to compile because let's say I need to use a command like this
./configure and mark error
./configure.lineno: line 434: expr: command not found
I would not know which are the libraries I already have installed what is mysql and others if it compiles outside the jail but not inside the jaui.
sorry for the inconvenience.
ps: you should put in the guide what I told you about the command used in centos =) greetings.
Look, when I tell you that it can't find a command (like here) the first thing is to find the command:
whereis exprOnce found (/ usr / bin / expr and / usr / bin / X11 / expr) we copy it to the Jail with jk_cp 😉
Try this to see.
Yep, I already edit the post and add that it works in Centos 😀
Great thank you very much (:
Thanks for the input…
Hi, how are you?
Fuck dude! From Chile my greetings. You are as fart as me! LOL!. Hugs. Your post has been a great help to me!
Thank you for your comment 😀
Thank you very much for the post, it helped me a lot, but unfortunately in the part of
////////////////////////////////////////////////////// //////////////////////////////////////////////////// //////////////////////
We must edit the file etc / passwd of the cage, that is, in this case it would be / opt / jail / etc / passwd, in it we comment on the user line that we created, and add a new one such as:
kira: x: 1003: 1003 :: / home / kira: / bin / bash
In other words, the passwd file would look like this:
root: x: 0: 0: root: / root: / bin / bash
#kira: x: 1003: 1003: ,,,: / opt / jail /./ home / kira: / usr / sbin / jk_lsh
kira: x: 1003: 1003 :: / home / kira: / bin / bash
/////////////////////////////////////////////////// /////////////////////////////////////////
It causes me the same error, I mean, I leave it as it is, and it boots me from the terminal when connecting ,,, .., I comment on the line and add one more modifying it as you indicate, and it also boots me….
Install the latest version "jailkit-2.16.tar", even create a script to save time, here it is below:
////////////////////////////////////////////////////// //////////////////////////////////////////////
#! / Bin / bash
wget http://olivier.sessink.nl/jailkit/jailkit-2.16.tar.gz
tar -zxvf jailkit-2.16.tar.gz
cd jailkit-2.16
./configure
make
make install
exit
//////////////////////////////////////////////////// /////////////////////////
Obviously first they log in as "root" ...
How could I solve the error friend ????
Sorry, I already got it, I had made a mistake about the Home folder, but I have a big doubt, how can I get it to let me execute the "screen" command, I try to use it (in the caged user), but it doesn't work ... Another thing is that, how do I get this caged user to run the wine program on an exe that he just put inside his home, how would it be?
hello, very good tuto! I am new to these environments, I have a question ...
As for security, I see that in its root it has many folders, are they necessary? I just want him to have access to his folder (ftp-upload and ssh-execute) so that he can run an application, what folders could he delete from the root? or does it not represent any danger to me? I appreciate your help in advance, greetings!
@ KZKG ^ Gaara, thank goodness you put the wheezy error but with the version of jailkit-2.16.tar.gz that you suggested they fixed it
http://olivier.sessink.nl/jailkit/jailkit-2.16.tar.gz
I think I'll pass it to a PDF, jojo .. to cage and thanks wn 😀
Greetings friend, I have a question:
Suppose we have a user named "test".
The question is, the file /home/test/.ssh/known_hosts that is located in the home of that user, is the file the same or not caged the user?
Try this. It is possible with this method to restrict the navigation to the other home of the other users.
First of all, thanks for the post! It is being very useful to me; but I have two doubts, and these arise from the scenario that I have:
I need to create N users with independent and private access to their home, each user can only access their home to deposit, modify and delete files contained there without having to move around to others (I already have this point). It does not require access via ssh.
1. Do you have to create a cage for each user, or is there a way to have the different users in the same cage but each have their "private" directory?
2. When accessing (via FTP client) all the directories created by the tool are shown, is there a way to show the folder clean? Or did I do something wrong along the way?
Excellent tutorial! It has been a great help to me, I am testing it with version 2.17 on Ubuntu 14.04 and it works very well. Now I have the following challenge, once the user is caged so that he cannot move to any path, I want him to only be able to see the content of a file that is in another path. I tried with a symbolic link but when trying to make a tail or a cat to this file it tells me that it does not exist although when accessing with the user I can list that file in the home of the cage.
If you could help me I would be very grateful, thank you in advance
Hello, I have followed the whole manual and when logging in with ssh it closes automatically, traces:
Dec 4 19:20:09 toby sshd [27701]: Accepted password for test from 172.16.60.22 port 62009 ssh2
Dec 4 19:20:09 toby sshd [27701]: pam_unix (sshd: session): session opened for user test by (uid = 0)
Dec 4 19:20:09 toby jk_chrootsh [27864]: now entering jail / opt / jail for user test (1004) with arguments
Dec 4 19:20:09 toby sshd [27701]: pam_unix (sshd: session): session closed for user test
Thank you
Not when I do the last step of giving ssh access to the user, it still closes the connection 🙁
Can it be possible from this created user to change to root? your -root? it does not let me. How would it be? Thank you for your help
Thank you very much for the tutorial, I needed it to create a user who could use clonezilla to make an image and copy it to a third party server but who could not swarm wherever he wanted
Good! I would be needing to know something.
Is it possible to enter as ROOT using FTP and having these permissions, to manage it by FTP and not with SSH? Let's say like creating a connection, tunnel style or something like that. How is it done? Configuring the VSFTPD file?
Thank you!