Jailkit: does it work in 22.04?

Question

I'm following these instructions for setting up sftp and scp (although I'd like to add rsync too) but when the jailed account logs in, it immediately disconnects without any errors I can see.

The doc says that if this happens you need to journalctl|grep jk_, which gives this (nor errors):

jk_chrootsh[3157425]: now entering jail /home/jail for user jailtest (1001) with arguments -c /usr/lib/openssh/sftp-server

Most if not all of the information I can find on Jailkit seems pretty old, although I see jailkit itself was updated in Oct 2021. Does anyone know if it still works on Ubuntu or how I can track down what error is happening?

I have used Jailkit successfully in the past with Ubuntu 18. I'm starting to think that something fundamental has changed in 20 (snaps, perhaps?) which has disabled Jailkit in some way.

/home/jail/etc/passwd:

jailtest:x:1001:1004:tester,,,:/home/jailtest:/usr/sbin/jk_lsh

/etc/jailkit/jk_lsh.ini:

[jailtest]
paths= /usr/bin, /usr/lib/openssh
executables= /usr/bin/scp, /usr/lib/openssh/sftp-server

ldd /usr/sbin/jk_lsh

linux-vdso.so.1 (0x00007ffce6d11000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f91ffee6000)
/lib64/ld-linux-x86-64.so.2 (0x00007f920011f000)

strace chroot /home/jail/ /usr/sbin/jk_lsh and other things doesn't seem to show anything missing.

scp -v ./test.txt jailtest@xxx.uk:/home/jailtest/ from the client shows no errors and just hangs up:

debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_GB.UTF-8"
debug1: Sending subsystem: sftp
debug1: pledge: fork
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 4172, received 4132 bytes, in 0.4 seconds
Bytes per second: sent 9390.9, received 9300.9
debug1: Exit status 3
scp: Connection closed

My sshd_config is:

PermitRootLogin no 
PubkeyAuthentication yes
PasswordAuthentication no 
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
AllowGroups ssh-users # I've put the jailed user into this, removing it causes a permissions error

It might be simpler using internal-sftp as the jail and disabling normal SSH shell — Daniel T, Mar 01 '24 at 23:04
@DanielT It says in the docs that if you do that it will not start a shell, and thus bypass jk_chrootsh, so it would (I assume) be unsafe to do that? — TommyPeanuts, Mar 01 '24 at 23:11
I meant uninstall JailKit and figure out how to use internal-sftp to do this natively. — Daniel T, Mar 01 '24 at 23:25
See https://askubuntu.com/q/402302/1004020 or https://askubuntu.com/q/134425/1004020 — Daniel T, Mar 01 '24 at 23:26
Just realised: no, internal-sftp won't work as I need to have users using public key auth (eg scp). So, back to JailKit. — TommyPeanuts, Mar 02 '24 at 14:31
What? Public key auth should be at the sshd level, and is at the authentication stage, before any command is run. It has nothing to do with whether it's internal-sftp or jailkit. As you said, jailkit looks unmaintained — Daniel T, Mar 02 '24 at 16:24
I was unable to comment on your other question before you deleted it, but iirc the tricky part is where exactly to place the authorized_keys file versus the home directory in the passwd file - see for example Public key authorization on sftp chroot directory. — steeldriver, Mar 02 '24 at 17:28
(cont.) or you could move it outside the user's home altogether, somewhere like /etc/ssh/authorized_keys/%u as here How to properly chroot when using key based authentication within openssh-server — steeldriver, Mar 02 '24 at 17:28

TommyPeanuts · Accepted Answer · 2024-03-13T10:38:28.263

The short answer to this is "yes". Before I started investigting @DanielT's very good suggestions in the comments, I decided to remove and re-install the JailKit package. I then re-created my jail with:

jk_init -v -j /home/jail netutils jk_lsh

(Note that this appears different to the official documentation.)

The netutils alias in that command allows access to sftp, scp and rsync which is what I was interested in - see /etc/jailkit/jk_init.ini.

For some reason, I got a Python error when I ran the jk_init command (jailkit v2.23-1), but running it again appeared to clear the problem.

Jailed accounts were then able to log in and were chrooted correctly.

Jailkit: does it work in 22.04?

1 Answers1