How to create an SSH jailed user on Debian 9

Learn how to limit what SSH users can do by jailing them with the help of Jailkit.


When you have a Linux server that allows users to secure shell in, you might want to take control of what files and commands those users can access. How do you do that? You create a chroot jail for this purpose. Once the jail is created, and a user is added to the jail, they are locked into that jail and cannot gain access to the rest of the directory structure.

One way to make this happen is with Jailkit. Jailkit is a set of utilities to limit user access, using chroot. I'm going to walk you through the process of installing Jailkit on Debian 9, and then how to jail a specific user.


What you need

The only things you need to make this work are:

  • A running instance of Debian 9.
  • A user account with sudo access.

Installation

Jailkit isn't found in the standard repositories, so installation is a bit more involved than the usual task. The first thing to do is to install the necessary dependencies. Open a terminal window, su to the root user, and issue the following command:

apt-get install build-essential autoconf automake1.11 libtool flex bison debhelper binutils-gold python wget -y

Once the above command completes, download and unpack the latest version of Jailkit (as of this writing, 2.20) with the commands:

cd ~/tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.20.tar.gz
tar xvfz jailkit-2.20.tar.gz
cd jailkit-2.20

Now we can install Jailkit with the following commands:

echo 5 > debian/compat
./debian/rules binary
cd ..
dpkg -i jailkit_2.20-1_amd64.deb

That's it, Jailkit is now installed and ready to be used.

Creating and jailing a new user

We're going to test this out on a new user (as we don't want to lock out a regular user by mistake). Let's create the user devin with the command:

useradd devin

Answer the required questions to complete the addition of the user.

Now we're going to create the jail for our new user. Issue the command:

mkdir /jail

With the directory created for the jail, we're going to add the commands Devin will be allowed to use. Let's assume that Devin only needs a fairly basic set, which in Jailkit terms means the sections netutils, basicshell, jk_lsh (the Jailkit limited shell), ssh, scp, and sftp. To copy these commands and their libraries into the jail, issue the command:

jk_init -v /jail netutils basicshell jk_lsh ssh scp sftp

If you get an error stating the source file /usr/lib/misc/sftp-server does not exist, you'll need to do the following:

  1. Issue the command nano /etc/jailkit/jk_init.ini.
  2. Look for the [sftp] section.
  3. Change /usr/libexec/openssh/sftp-server to /usr/lib/openssh/sftp-server.
  4. Save and close the file.

Now we need to add the user to the jail with the command:

jk_jailuser -m -j /jail/ devin

Once the user is added to the jail, if you attempt to ssh into the machine as that user, you'll get bumped right back out. Why? Because that user doesn't yet have a usable login shell inside the jail. To fix that, we need to modify a single file. Issue the command:

nano /jail/etc/passwd

Look for the line that starts with devin and change the shell entry from:

/usr/sbin/jk_lsh

To:

/bin/bash

Save and close that file.
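Before handing the account over, it is worth checking the jail for the mistakes that most often break or weaken a chroot: a jail root that is not owned by root or is writable, a host account that does not enter through jk_chrootsh, a shell named in /jail/etc/passwd that does not exist inside the jail (the problem the step above fixes by hand), and setuid or setgid binaries left inside the jail. The audit script below is an added example, not part of the article or of Jailkit; it assumes the layout jk_jailuser produces (a host passwd line with shell /usr/sbin/jk_chrootsh and a home of the form /jail/./home/devin, plus the user's own line in /jail/etc/passwd) and takes the host passwd file as an optional third argument so it can be run against a copy.

```sh
#!/bin/sh
# jail_audit.sh: sanity-check a Jailkit chroot before a user is allowed in.
# Added example, not part of the article or of Jailkit. Assumes the layout
# jk_jailuser creates: the host passwd line for the user has shell
# /usr/sbin/jk_chrootsh and a home of the form /jail/./home/USER, and the
# user also has a line in /jail/etc/passwd whose shell lives inside the jail.
#
# Usage: sh jail_audit.sh /jail devin [HOST_PASSWD]
# Prints one "FINDING: ..." line per problem and a final summary line;
# always returns 0 so it can be embedded in larger scripts.

jail_audit() {
    jail=${1%/}                      # tolerate "/jail/" as typed on the page
    user=$2
    hostpw=${3:-/etc/passwd}         # optional: audit a copy of the host file
    findings=0

    if [ ! -d "$jail" ]; then
        echo "FINDING: jail directory $jail does not exist"
        echo "RESULT: 1 finding(s)"
        return 0
    fi

    # 1. The jail root must belong to root and must not be group/other
    #    writable: jk_chrootsh refuses such a jail, and a writable root would
    #    let the jailed user swap out the jail's own binaries and libraries.
    owner=$(stat -c '%u' "$jail")
    mode=$(stat -c '%a' "$jail")
    if [ "$owner" -ne 0 ]; then
        echo "FINDING: $jail is owned by uid $owner, not root"
        findings=$((findings + 1))
    fi
    case "$mode" in
        *[2367][0-7]|*[2367])        # write bit set in the group or other digit
            echo "FINDING: $jail (mode $mode) is group/other writable"
            findings=$((findings + 1)) ;;
    esac

    # 2. The host account must enter through jk_chrootsh, and its home path
    #    must contain the "/./" that marks where the chroot happens.
    hostline=$(awk -F: -v u="$user" '$1 == u' "$hostpw")
    if [ -z "$hostline" ]; then
        echo "FINDING: $user has no entry in $hostpw"
        findings=$((findings + 1))
    else
        hostshell=${hostline##*:}
        hosthome=$(printf '%s\n' "$hostline" | awk -F: '{print $6}')
        case "$hostshell" in
            */jk_chrootsh) ;;
            *) echo "FINDING: host shell for $user is $hostshell, not jk_chrootsh"
               findings=$((findings + 1)) ;;
        esac
        case "$hosthome" in
            "$jail/./"*) ;;
            *) echo "FINDING: host home for $user is $hosthome, expected $jail/./..."
               findings=$((findings + 1)) ;;
        esac
    fi

    # 3. Inside the jail the user needs a passwd line whose shell really
    #    exists there and is executable.
    jailshell=$(awk -F: -v u="$user" '$1 == u {print $7}' "$jail/etc/passwd" 2>/dev/null)
    if [ -z "$jailshell" ]; then
        echo "FINDING: $user has no entry in $jail/etc/passwd"
        findings=$((findings + 1))
    elif [ ! -x "$jail$jailshell" ]; then
        echo "FINDING: shell $jailshell missing or not executable inside $jail"
        findings=$((findings + 1))
    fi

    # 4. Setuid/setgid binaries inside a chroot undermine it; jk_init should
    #    not copy any, but verify rather than assume.
    suidlist=$(find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -n "$suidlist" ]; then
        printf '%s\n' "$suidlist" | sed 's|^|FINDING: setuid/setgid file inside jail: |'
        findings=$((findings + $(printf '%s\n' "$suidlist" | wc -l)))
    fi

    echo "RESULT: $findings finding(s)"
    return 0
}

# Run directly as: sh jail_audit.sh /jail devin
if [ $# -ge 2 ]; then
    jail_audit "$@"
fi
```

Run it as root after jk_jailuser and after editing /jail/etc/passwd; a clean jail prints only the RESULT line with 0 findings. Jailkit also ships its own jk_check utility for a broader scan of files inside a jail, so treat this script as the quick pre-flight for the specific steps in this article rather than a replacement for it.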

Now, when you attempt to Secure Shell into the Debian 9 machine, as the jailed user, you'll find yourself in a limited chroot, where certain commands will not work and the user cannot move outside of the jail (Figure A).

Figure A: Although the /data directory exists, devin cannot access it.

And that is how you create an SSH jailed user on Debian 9. There's much more to be gleaned from the Jailkit tool, but you now have a basic understanding of how to create users and then jail them with this handy tool.
