Jailkit: does it work in 22.04?

I’m following these instructions for setting up sftp and scp (although I’d like to add rsync too) but when the jailed account logs in, it immediately disconnects without any errors I can see.

The doc says that if this happens you need to journalctl|grep jk_, which gives this (nor errors):

jk_chrootsh[3157425]: now entering jail /home/jail for user jailtest (1001) with arguments -c /usr/lib/openssh/sftp-server

Most if not all of the information I can find on Jailkit seems pretty old, although I see jailkit itself was updated in Oct 2021. Does anyone know if it still works on Ubuntu or how I can track down what error is happening?

I have used Jailkit successfully in the past with Ubuntu 18. I’m starting to think that something fundamental has changed in 20 (snaps, perhaps?) which has disabled Jailkit in some way.

/home/jail/etc/passwd:

jailtest:x:1001:1004:tester,,,:/home/jailtest:/usr/sbin/jk_lsh

/etc/jailkit/jk_lsh.ini:

[jailtest]
paths= /usr/bin, /usr/lib/openssh
executables= /usr/bin/scp, /usr/lib/openssh/sftp-server

ldd /usr/sbin/jk_lsh

linux-vdso.so.1 (0x00007ffce6d11000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f91ffee6000)
/lib64/ld-linux-x86-64.so.2 (0x00007f920011f000)

strace chroot /home/jail/ /usr/sbin/jk_lsh and other things doesn’t seem to show anything missing.

scp -v ./test.txt jailtest@xxx.uk:/home/jailtest/ from the client shows no errors and just hangs up:

debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_GB.UTF-8"
debug1: Sending subsystem: sftp
debug1: pledge: fork
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 4172, received 4132 bytes, in 0.4 seconds
Bytes per second: sent 9390.9, received 9300.9
debug1: Exit status 3
scp: Connection closed

My sshd_config is:

PermitRootLogin no 
PubkeyAuthentication yes
PasswordAuthentication no 
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
AllowGroups ssh-users # I've put the jailed user into this, removing it causes a permissions error
Asked By: TommyPeanuts

||

The short answer to this is "yes". Before I started investigting @DanielT’s very good suggestions in the comments, I decided to remove and re-install the JailKit package. I then re-created my jail with:

jk_init -v -j /home/jail netutils jk_lsh

(Note that this appears different to the official documentation.)

The netutils alias in that command allows access to sftp, scp and rsync which is what I was interested in – see /etc/jailkit/jk_init.ini.

For some reason, I got a Python error when I ran the jk_init command (jailkit v2.23-1), but running it again appeared to clear the problem.

Jailed accounts were then able to log in and were chrooted correctly.

Answered By: TommyPeanuts
Categories: Answers Tags: ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.