Learn how to limit what SSH users can do by jailing them with the help of Jailkit.
When you have a Linux server that allows users to secure shell in, you might want to take control of what files and commands those users can access. How do you do that? You create a chroot jail for this purpose. Once the jail is created, and a user is added to the jail, they are locked into that jail and cannot gain access to the rest of the directory structure.
One way to make this happen is with Jailkit. Jailkit is a set of utilities to limit user access, using chroot. I'm going to walk you through the process of installing Jailkit on Debian 9, and then how to jail a specific user.
What you need
The only things you need to make this work are:
- A running instance of Debian 9.
- A user account with sudo access.
Jailkit isn't found in the standard repositories, so installation is a bit more involved than the usual task. The first thing to do is to install the necessary dependencies. Open a terminal window, su to the root user, and issue the following command:
apt-get install build-essential autoconf automake1.11 libtool flex bison debhelper binutils-gold python wget -y
Once the above command completes, download and unpack the latest version of Jailkit (as of this writing, 2.20) with the commands:
cd ~/tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.20.tar.gz
tar xvfz jailkit-2.20.tar.gz
cd jailkit-2.20
Now we can install Jailkit with the following commands:
echo 5 > debian/compat
./debian/rules binary
cd ..
dpkg -i jailkit_2.20-1_amd64.deb
That's it, Jailkit is now installed and ready to be used.
Creating and jailing a new user
We're going to test this out on a new user (as we don't want to lock out a regular user by mistake). Let's create the user devin with the command:
Answer the required questions to complete the addition of the user.
Now we're going to create the jail for our new user. Issue the command:
With the directory created for the jail, we're going to add the few commands that Devin will be allowed to use. Let's assume that Devin only needs a fairly basic set: basicshell, jk_lsh (the Jailkit limited shell), netutils, ssh, scp, and sftp. To add these to the jail, issue the command:
jk_init -v /jail netutils basicshell jk_lsh ssh scp sftp
If you get an error stating the source file /usr/lib/misc/sftp-server does not exist, you'll need to do the following:
- Issue the command nano /etc/jailkit/jk_init.ini.
- Look for the [sftp] section.
- Change /usr/libexec/openssh/sftp-server to /usr/lib/openssh/sftp-server.
- Save and close the file.
Now we need to add the user to the jail with the command:
jk_jailuser -m -j /jail/ devin
Once the user is added to the jail, if you attempt to ssh into the machine as that user, you'll get bumped right back out. Why? Because that user doesn't have a configured shell inside the jail. To fix that, we need to modify a single file. Issue the command:
Look for the line that starts with devin and change the shell entry from:
Save and close that file.
Now, when you attempt to Secure Shell into the Debian 9 machine, as the jailed user, you'll find yourself in a limited chroot, where certain commands will not work and the user cannot move outside of the jail (Figure A).
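As an added check that is not part of the original article, the following POSIX shell script verifies the three things this procedure relies on: that the host passwd entry routes the user into the jail, that the jail root is root-owned and not group/world writable (a writable chroot root weakens the jail), and that the shell named in the jail's own etc/passwd actually exists inside the jail, which is the cause of the "bumped right back out" login described above. It assumes the Jailkit convention that jk_jailuser rewrites the host entry to a home of /jail/./home/devin with the shell /usr/sbin/jk_chrootsh; the passwd lines embedded in it are constructed samples, used when no /jail directory exists.

```shell
#!/bin/sh
# Added example, not from the article: post-install sanity checks for a Jailkit
# chroot. Assumptions: jk_jailuser rewrites the host /etc/passwd entry so the
# home field reads <jail>/./home/<user> and the shell is /usr/sbin/jk_chrootsh;
# the jail root must be owned by root and not group/world writable; the shell
# named in the jail's own etc/passwd must exist inside the jail.

field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# check_host_entry PASSWD_LINE JAILROOT USER
# 0 when the host passwd line routes USER through jk_chrootsh into JAILROOT.
check_host_entry() {
    [ "$(field "$1" 1)" = "$3" ] || return 1
    case "$(field "$1" 6)" in "$2"/./*) ;; *) return 1 ;; esac
    [ "$(field "$1" 7)" = /usr/sbin/jk_chrootsh ]
}

# check_jail_root DIR [OWNER]
# 0 when DIR exists, belongs to OWNER (default root) and is not writable by
# group or other: a writable chroot root undermines the jail.
check_jail_root() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | awk '{print $3}')" = "${2:-root}" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        d????w????|d???????w?) return 1 ;;
    esac
}

# check_jail_shell JAILROOT PASSWD_LINE
# 0 when the shell named in the jail's etc/passwd line is executable inside
# the jail; a missing in-jail shell is why the login bumps the user back out.
check_jail_shell() {
    shell=$(field "$2" 7)
    [ -n "$shell" ] && [ -x "$1$shell" ]
}

# Constructed sample lines (not captured from a real system).
HOST_LINE='devin:x:1001:1001:Devin,,,:/jail/./home/devin:/usr/sbin/jk_chrootsh'
JAIL_LINE='devin:x:1001:1001:Devin,,,:/home/devin:/bin/bash'

if [ -d /jail ]; then
    check_host_entry "$(grep '^devin:' /etc/passwd)" /jail devin && echo "host entry ok"
    check_jail_root /jail && echo "jail root ok"
    check_jail_shell /jail "$(grep '^devin:' /jail/etc/passwd)" && echo "jail shell ok"
else
    check_host_entry "$HOST_LINE" /jail devin && echo "sample host entry ok"
fi
```

Run it as root on the Debian 9 host after jk_jailuser; any check that stays silent points at the corresponding step above.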
And that is how you create an SSH jailed user on Debian 9. There's much more to be gleaned from the Jailkit tool, but you now have a basic understanding of how to create users and then jail them with this handy tool.