[Jailkit-users] Disconnects after Upgrade to SUSE Enterprise 12


From: bdushok
Subject: [Jailkit-users] Disconnects after Upgrade to SUSE Enterprise 12
Date: Tue, 21 Jul 2015 09:04:47 -0400

I've just upgraded one of my servers from SUSE Enterprise Linux 11 to SUSE Enterprise Linux 12. 
Prior to the upgrade Jailkit 2.16 was used to jail sftp and scp for many users.   After the upgrade immediate disconnects result when these users use sftp or scp.  
I've upgraded to Jailkit 2.17 with no change.

I've verified and made changes to the paths in jk_init.ini.   My path setting within this file is as follows:
paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf

Within the sftp section I've set paths to:
paths = /usr/lib/ssh/sftp-server, /usr/bin/scp

Within jk_lsh.ini I have the following:
[group students]
paths=/usr/bin, /usr/lib, /usr/lib/ssh, /bin, /lib, /lib64
executables=/usr/lib/ssh/sftp-server, /usr/bin/scp, /bin/bash

I've made these changes to /etc/jailkit/jk_lsh.ini and then copied this file to /jail/etc/jailkit.

Testing from the user bd0001 I encounter an immediate connection drop upon SFTP login and the following in the logs:
2015-07-21T08:36:00.911649-04:00 cis sshd[25553]: Accepted keyboard-interactive/pam for bd0001 from 10.1.1.10 port 56519 ssh2
2015-07-21T08:36:00.943868-04:00 cis jk_chrootsh[25559]: now entering jail /jail for user bd0001 (1002) with arguments -c /usr/lib/ssh/sftp-server
2015-07-21T08:36:00.945249-04:00 cis jk_lsh[25559]: jk_lsh version 2.17, started
2015-07-21T08:36:00.946093-04:00 cis jk_lsh[25559]: executing command '/usr/lib/ssh/sftp-server' for user bd0001 (1002)
2015-07-21T08:36:00.951347-04:00 cis sshd[25558]: Received disconnect from 10.1.1.10: 11: disconnected by user

The account looks ok.   Within /etc/passwd:
bd0001:x:1002:1001::/jail/./home/bd0001:/usr/sbin/jk_chrootsh

Within /etc/group:
students:!:1001:

Within /jail/etc/passwd:
bd0001:x:1002:1001::/home/bd0001:/usr/sbin/jk_lsh

I've tried adding additional paths which may be required for sftp-server.   Using ldd /usr/lib/ssh/sftp-server I found the following:
    linux-vdso.so.1 (0x00007ffcf99e2000)
    libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007fc9d8e41000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fc9d8a99000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fc9d8895000)
    libz.so.1 => /lib64/libz.so.1 (0x00007fc9d867f000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fc9d944b000)
   
I've done the same for bash (ldd /bin/bash)
    linux-vdso.so.1 (0x00007ffca75a0000)
    libreadline.so.6 => /lib64/libreadline.so.6 (0x00007f987036e000)
    libtinfo.so.5 => (0x00007f987013a000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f986ff36000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f986fb8e000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f98705b6000)
   
My new path within jk_init.ini is:
paths = /bin/bash, /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf, /lib64/libcrypto.so.1.0.0, /lib64/libc.so.6, /lib64/libdl.so.2, /lib64/libz.so.1, /lib64/ld-linux-x86-64.so.2, /lib64/libreadline.so.6,  /lib64/libtinfo.so.5

The problem still persists.

Within /jail/etc/password I changed the shell to /bin/bash for this user.  Same problem.

Executing "jk_init -v -j /jail sftp scp" and "jk_init -v -j /jail jk_lsh" shows no errors (only messages stating files already exist).

Attempting to jail the user again results in the following:
jk_jailuser -v -j /jail bd0001
user bd0001 already exists in /jail/etc/passwd
user bd0001 has a correct home directory and shell already

Am I missing something obvious?  

Thanks,
Bob
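
Added example, not part of the original post and not Jailkit code: the ldd-to-jail comparison described in the message, done as a script that also flags entries ldd printed without a resolved path, as in the libtinfo.so.5 line quoted above. The helper name `jail_missing_libs` and the temporary demo jail are assumptions made for illustration.

```shell
#!/bin/sh
# jail_missing_libs is a hypothetical helper name, not part of Jailkit.
# Usage on a real host: ldd /usr/lib/ssh/sftp-server | jail_missing_libs /jail
jail_missing_libs() {
    jail_root=$1
    while read -r first second third _rest; do
        case $first in
            linux-vdso.so*|linux-gate.so*) continue ;;  # kernel-provided, no file on disk
        esac
        if [ "$second" = "=>" ]; then
            case $third in
                /*) path=$third ;;
                *)  # "name => (0x...)" or "name => not found": no path to copy
                    echo "UNRESOLVED $first"
                    continue ;;
            esac
        else
            case $first in
                /*) path=$first ;;   # dynamic loader line: "/lib64/ld-... (0x...)"
                *)  continue ;;      # blank lines, "not a dynamic executable", etc.
            esac
        fi
        # The same absolute path must exist below the jail root.
        [ -e "$jail_root$path" ] || echo "MISSING $path"
    done
}

# Constructed demo: a throwaway jail holding only some of bash's libraries,
# checked against the ldd output for /bin/bash quoted in the message.
demo_check() {
    jail=$(mktemp -d)
    mkdir -p "$jail/lib64"
    touch "$jail/lib64/libc.so.6" "$jail/lib64/libdl.so.2" \
          "$jail/lib64/ld-linux-x86-64.so.2"
    jail_missing_libs "$jail" <<'EOF'
    linux-vdso.so.1 (0x00007ffca75a0000)
    libreadline.so.6 => /lib64/libreadline.so.6 (0x00007f987036e000)
    libtinfo.so.5 => (0x00007f987013a000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f986ff36000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f986fb8e000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f98705b6000)
EOF
    rm -rf "$jail"
}

demo_check
```

An empty result means every resolved dependency is present under the jail root; it does not show that the jail is otherwise complete.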

