Jailkit is a toolset that lets you quickly create a restricted user account inside a chroot jail. It includes a secure logging daemon, shells that restrict users, and tools for setting up a chroot jail and launching daemons inside it.
"Action Steps"
1. Download the relevant software:
The code is as follows:
wget -c http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
2. Unpack, compile and install:
The code is as follows:
tar zxvf jailkit-2.11.tar.gz
cd jailkit-2.11
./configure
make && make install
cp extra/jailkit /etc/init.d/
chmod 755 /etc/init.d/jailkit
chkconfig jailkit on
3. Installation is simple and consists of just the steps above. Next, configure the chroot environment.
A. Create a chroot directory:
The code is as follows:
mkdir /home/sky/   # /home/sky is the virtual root directory
B. Initialize the virtual root (chroot) environment (copy the corresponding shared libraries to the /home/sky/ directory):
The code is as follows:
jk_init -v -j /home/sky/ sftp scp ssh jk_lsh extendedshell
In effect, this step builds a small system whose root directory is /home/sky, and then creates the directories, files and shared libraries that this subsystem requires.
4. The basic configuration is finished. Next, test whether it meets the original requirements:
A. Create a test user. There are two ways: use the system's own commands, or use /usr/sbin/jk_addjailuser.
The code is as follows:
jk_addjailuser -d /home/test3 /home/sky/ test3   # create the test3 user
If the system user already exists, just move it into the chroot environment with the commands below:
The code is as follows:
jk_jailuser -m -n -j /home/sky/ --shell=/bin/bash test1
echo "111111" | passwd test1 --stdin   # Change the password to facilitate subsequent SSH testing.
After completing the above steps, test the setup.
"Test Steps"
The code is as follows:
su - test1   # switch to the test1 user
pwd
/home/test1
cd /tmp
bash: cd: /tmp: No such file or directory
touch a
mkdir tmp   # creates the tmp directory; note that this is /home/test1/tmp inside the jail
On the real system the corresponding directory is /home/sky/home/test1/tmp. Don't confuse the two.
Test again over SSH:
ssh test1@192.168.3.XX
test1@192.168.3.XX's password:
The effect is the same; you can test further yourself. This leaves one question: how do you restrict which commands the user can run?
Let's take a look.
The code is as follows:
ls -l /home/sky/
total 28
drwxr-xr-x 2 root root 4096 11-09 10:34 bin
drwxr-xr-x 2 root root 4096 11-09 10:34 dev
drwxr-xr-x 3 root root 4096 11-09 10:34 etc
drwxr-xr-x 5 root root 4096 11-10 20:34 home
drwxr-xr-x 2 root root 4096 11-09 10:34 lib
drwxr-xr-x 2 root root 4096 11-09 10:34 lib64
drwxr-xr-x 7 root root 4096 11-09 10:34 usr
# As you can see, you only need to delete the corresponding files in the bin directory, and users can no longer use those commands.
Using Jailkit to establish a restricted SSH account
An SSH tunnel is very useful. For example, to create one:
The code is as follows:
ssh -qTfnN -D 7070 user_name@host_home
However, when sharing the SSH account, it turned out that if the SSH user's directory is not restricted, every file on the server is visible at a glance. A search turned up the chroot tool Jailkit, which allows an administrator to set up a dedicated user that provides SSH tunnel service without being able to see the files on the server.
First, set /home/jail (or another directory) as the jail directory; the commands below use /log:
The code is as follows:
mkdir /log
jk_init -v -j /log basicshell ssh jk_lsh
Create the user and add it to the jail
The code is as follows:
useradd onlinelog
passwd onlinelog
jk_jailuser -m -j /log -s /bin/bash onlinelog
jk_cp -v -k -f -j /log /usr/bin/tail
jk_cp -v -k -f -j /log /usr/bin/vim
jk_cp -v -k -f -j /log /usr/bin/id
Start Jailkit
The code is as follows:
service jailkit start
OK, this user now effectively runs in a small, isolated environment.
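The earlier point, that a jailed user can only run what exists in the jail's bin directories, can be checked with a short audit after running jk_init and jk_cp. This is an added example, not part of the original article or of Jailkit itself; the function names, the script name audit_jail.sh and the allowlist format are assumptions for illustration, and /log is the jail created above.

```sh
#!/bin/sh
# Added example: audit a jail built with jk_init/jk_cp. Not Jailkit's own code;
# function names and the allowlist format are assumptions for illustration.

# Print every executable in the jail's bin directories whose name is not in the
# space-separated allowlist ($2). Paths are printed as seen from inside the jail.
jail_extra_bins() {
    jail=${1%/}
    allowed=" $2 "
    for dir in bin sbin usr/bin usr/sbin; do
        [ -d "$jail/$dir" ] || continue
        for f in "$jail/$dir"/*; do
            { [ -f "$f" ] && [ -x "$f" ]; } || continue
            name=${f##*/}
            case "$allowed" in
                *" $name "*) ;;                         # expected command
                *) printf '/%s/%s\n' "$dir" "$name" ;;  # not on the allowlist
            esac
        done
    done
    return 0
}

# Print the jail root or any top-level directory in it that group or others can
# write to. A writable bin or lib would let a jailed user add commands.
jail_loose_dirs() {
    find "${1%/}" -maxdepth 1 -type d \( -perm -020 -o -perm -002 \)
}

# Run directly, e.g.: sh audit_jail.sh /log "bash tail vim id"
if [ "$#" -ge 1 ]; then
    jail_extra_bins "$1" "${2:-}"
    jail_loose_dirs "$1"
fi
```

Anything the first function prints is a command the jailed user can run that you did not intend to allow; remove it from the jail as described above.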
Other
Jailkit's role is not limited to creating accounts that can only use specific commands. According to the available material, Jailkit can:
Restrict the scope of user activity and permissions
Build a secure multi-user SSH environment
Assist in establishing a safe production environment