Re: [Jailkit-users] Disconnects after Upgrade to SUSE Enterprise 12

To: address@hidden
From: Richard Scott <address@hidden>
Date: 07/21/2015 10:01AM
Cc: address@hidden
Subject: Re: [Jailkit-users] Disconnects after Upgrade to SUSE Enterprise 12

Hmmm... Perhaps try changing from /usr/sbin/jk_lsh to /bin/bash for one user and install bash in your chroot?

See if that works, then you know if its your setup or jk_lsh being funny.

Rich

On 21/07/2015 14:45, address@hidden wrote:
Rich,

Thanks for the info.   I wasn't aware of jk_update.

I just used it and it removed some outdated and deprecated files as well as copied some new files. Once done I restarted jailkit. Unfortunately, I'm still encountering the same problem.

Bob

Bob Dushok
Director of Enterprise Systems and Computer Labs
Luzerne County Community College

1-800-377-5222 ext 7327
address@hidden

-----Richard Scott <address@hidden> wrote: -----
To: address@hidden
From: Richard Scott <address@hidden>
Date: 07/21/2015 09:14AM
Cc: address@hidden
Subject: Re: [Jailkit-users] Disconnects after Upgrade to SUSE Enterprise 12

Hi,

Not sure if this will help, but did you run this:

http://olivier.sessink.nl/jailkit/jk_update.8.html

This will refresh the changed files in the jail with ones from the Operating System.

Thanks,

Rich

On 21/07/2015 14:04, address@hidden wrote:
I've just upgraded one of my servers from SUSE Enterprise Linux 11 to SUSE Enterprise Linux 12.
Prior to the upgrade Jailkit 2.16 was used to jail sftp and scp for many users.   After the upgrade immediate disconnects result when these users use sftp or scp.
I've upgraded to Jailkit 2.17 with no change.

I've verified and made changes to the paths in jk_init.ini.   My path setting within this file is as follows:
paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf

Within the sftp section I've set paths to:
paths = /usr/lib/ssh/sftp-server, /usr/bin/scp

Within jk_lsh.ini I have the following:
[group students]
paths=/usr/bin, /usr/lib, /usr/lib/ssh, /bin, /lib, /lib64
executables=/usr/lib/ssh/sftp-server, /usr/bin/scp, /bin/bash

I've made these changes to /etc/jailkit/jk_lsh.ini and then copied this file to /jail/etc/jailkit.

Testing from the user bd0001 I encounter an immediate connection drop upon SFTP login and the following in the logs:
2015-07-21T08:36:00.911649-04:00 cis sshd[25553]: Accepted keyboard-interactive/pam for bd0001 from 10.1.1.10 port 56519 ssh2
2015-07-21T08:36:00.943868-04:00 cis jk_chrootsh[25559]: now entering jail /jail for user bd0001 (1002) with arguments -c /usr/lib/ssh/sftp-server
2015-07-21T08:36:00.945249-04:00 cis jk_lsh[25559]: jk_lsh version 2.17, started
2015-07-21T08:36:00.946093-04:00 cis jk_lsh[25559]: executing command '/usr/lib/ssh/sftp-server' for user bd0001 (1002)
2015-07-21T08:36:00.951347-04:00 cis sshd[25558]: Received disconnect from 10.1.1.10: 11: disconnected by user

The account looks ok.   Within /etc/passwd:
bd0001:x:1002:1001::/jail/./home/bd0001:/usr/sbin/jk_chrootsh

Within /etc/group:
students:!:1001:

Within /jail/etc/passwd:
bd0001:x:1002:1001::/home/bd0001:/usr/sbin/jk_lsh

I've tried adding additional paths which may be required for sftp-server.   Using ldd /usr/lib/ssh/sftp-server I found the following:
    linux-vdso.so.1 (0x00007ffcf99e2000)
    libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007fc9d8e41000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fc9d8a99000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fc9d8895000)
    libz.so.1 => /lib64/libz.so.1 (0x00007fc9d867f000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fc9d944b000)

I've done the same for bash (ldd /bin/bash)
    [IMAGE]linux-vdso.so.1 ([IMAGE]0x00007ffca75a0000)
    [IMAGE]libreadline.so.6 => /[IMAGE]lib64/[IMAGE]libreadline.so.6 ([IMAGE]0x00007f987036e000)
    [IMAGE]libtinfo.so.5 => ([IMAGE]0x00007f987013a000)
    [IMAGE]libdl.so.2 => /[IMAGE]lib64/[IMAGE]libdl.so.2 ([IMAGE]0x00007f986ff36000)
    [IMAGE]libc.so.6 => /[IMAGE]lib64/[IMAGE]libc.so.6 ([IMAGE]0x00007f986fb8e000)
    /[IMAGE]lib64/[IMAGE]ld-linux-x86-64.so.2 ([IMAGE]0x00007f98705b6000)

My new path within [IMAGE]jk_init.ini is:
paths = /bin/bash, /lib/[IMAGE]libnsl.so.1, /[IMAGE]lib64/[IMAGE]libnsl.so.1, /lib/[IMAGE]libnss*.[IMAGE]so.2, /[IMAGE]lib64/[IMAGE]libnss*.[IMAGE]so.2, /etc/[IMAGE]nsswitch.conf, /etc/[IMAGE]ld.so.conf, /[IMAGE]lib64/[IMAGE]libcrypto.so.1.0.0, /[IMAGE]lib64/[IMAGE]libc.so.6, /[IMAGE]lib64/[IMAGE]libdl.so.2, /[IMAGE]lib64/[IMAGE]libz.so.1, /[IMAGE]lib64/[IMAGE]ld-linux-x86-64.so.2, /[IMAGE]lib64/[IMAGE]libreadline.so.6, /[IMAGE]lib64/[IMAGE]libtinfo.so.5

The problem still persists.

Within /jail/etc/password I changed the shell to /bin/bash for this user. Same problem.

Executing "[IMAGE]jk_init -[IMAGE]v -[IMAGE]j /jail [IMAGE]sftp [IMAGE]scp" and "[IMAGE]jk_init -[IMAGE]v -[IMAGE]j /jail [IMAGE]jk_lsh" shows no errors (only messages stating files already exist).

Attempting to jail the user again results in the following:
[IMAGE]jk_jailuser -[IMAGE]v -[IMAGE]j /jail [IMAGE]bd0001
user [IMAGE]bd0001 already exists in /jail/etc/[IMAGE]passwd
user [IMAGE]bd0001 has a correct home directory and shell already

Am I missing something obvious?

Thanks,
Bob

_______________________________________________
Jailkit-users mailing listaddress@hiddenhttps://lists.nongnu.org/mailman/listinfo/jailkit-users

From:	Richard Scott
Subject:	Re: [Jailkit-users] Disconnects after Upgrade to SUSE Enterprise 12
Date:	Tue, 21 Jul 2015 15:34:42 +0100
User-agent:	Roundcube Webmail/1.0.5