[Jailkit-dev] [bug #64649] sftp should include section jk_lsh

[N247S]

Follow-up Comment #2, bug #64649 (project jailkit):

So what I did (step-by-step) is the following.

for the previous setup I called:
  jk_init -j /jail/dir uidbasics netbasics logbasics cvs git scp sftp ssh
rsync extendedshell editors netutils
  (other calls jailing the user etc.)

For fixing:
1. To add the missed but required jk_lsh call:
  jk_init -j /jail/dir jk_lsh

2. Edit the jk_lsh.ini to allow access to the sftp binaries through the jk_lsh
(for some reason this is the only accessed shell, eventhough the jk_chroot
shell is used for other ssh stuff).
  jk_lsh.ini added content >>
  ```
  [DEFAULT]
  executables = /usr/bin/scp, /usr/lib/sftp-server, 
/usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server,
/usr/libexec/sftp-server, /usr/lib/openssh/sftp-server, /usr/bin/rsync,
/usr/bin/ssh
  paths = /usr/bin/, /usr/lib
  allow_word_expansion = 1
  ```
3. Copy the jk_lsh.ini file to the '/jail/dir/etc/jailkit/' (either manually
or using:)
  jk_update -j /jail/dir /etc/jailkit/jk_lsh.ini

4. Make sure the global shell configuration for the jailed user is set at
'jk_chrootsh' > i.e. in the '/etc/passwd' file
  usermod -s /usr/sbin/jk_chrootsh jail_user

5. Make sure the shell configuration in the jailed environment for the jailed
user is set to the normal shell to make sure 'normal' ssh still works (rather
than only restricting to jk_lsh).
  (simplest way is to manually edit the /jail/dir/etc/passwd file)
  jail_user:x:1001:1001:,,,:/home/jail_user:/bin/bash

Hope this makes things clear.
This was my way to fix the issue afterwards, but should be set by making sure
the defaults are set correctly (see original post).


    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?64649>

_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/