Re: [Jailkit-users] Adding a user to jail
From: Paul Mitchell
Subject: Re: [Jailkit-users] Adding a user to jail
Date: Thu, 3 Sep 2009 14:56:16 -0400 (EDT)
User-agent: Alpine 2.00 (LRH 1167 2008-08-23)
On Thu, 3 Sep 2009, Olivier Sessink wrote:
an interactive shell is a shell like bash/ksh/etc. that waits for your input.
jk_lsh is a shell that will only immediately start another executable given
on the commandline. If it is started without an executable on the commandline
it will give this error. What did you do that produced this log message?
Hello Olivier,
my command:
scp address@hidden:getit .
the error:
WARNING: user pmitchel (11782) tried to run 'scp -f getit', which is not
allowed according to /etc/jailkit/jk_lsh.ini
or
scp test address@hidden:drop
address@hidden's password:
lost connection
Sep 3 18:49:08 elndz01m jk_lsh[24368]: WARNING: user pmitchel (11782)
tried to run 'scp -t drop', which is not allowed according to
/etc/jailkit/jk_lsh.ini
WARNING: user pmitchel (11782) tried to run 'scp -t drop', which is not
allowed according to /etc/jailkit/jk_lsh.ini).
and my jk_lsh.ini is:
[pmitchel]
paths= /usr/lib/
executables= /usr/libexec/openssh/sftp-server, /usr/bin/scp,
/usr/lib/sftp-server
allow_word_expansion = 0
umask = 002
I assume you are referring to /home/jail/etc/jailkit/jk_lsh.ini ? can you see
if adding /usr/bin to 'paths' helps?
My current jk_lsh.ini looks like:
[pmitchel]
paths= /usr/bin, /usr/lib/
executables= /usr/bin/scp, /usr/lib/sftp-server,
/usr/lib/openssh/sftp-server, /usr/libexec/openssh/sftp-server
allow_word_expansion = 0
umask = 002
As it turns out, my users are using an SSH/sftp client which jailkit
doesn't allow in. (I can run sftp from a unix command line, however, and
it works - but my users will be, for the most part, running Windows).
sftp is the primary purpose of the jailkit on this server, so I'm pretty
you can, just like normal groups. You need to copy the right pieces of
/etc/group to <jail>/etc/group to make it work.
Ok, thanks.
just mount the NFS share inside the jail. If you want you can add 'noexec'
and 'nosuid' mount options (not sure if these are valid for nfs mounts, but
give it a try).
great, thanks. If I can get the scp/ssh option to work, then I can go on
holiday! (to Ireland, yet).
Paul>
==============================================================================
Paul Mitchell
Enterprise Systems
email: address@hidden
NOTE: new location: 440 Franklin, cubby 1213
NOTE: new desk phone: 919 962-2521 (Is here!^)
==============================================================================
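
The allow-list check discussed in this thread can be reproduced offline before a user connects. The Python sketch below is an added example, not part of the original message and not Jailkit's own code; it assumes jk_lsh resolves a bare command name through 'paths' and then requires the result to be listed in 'executables' and to be executable inside the jail. The function names, the sample configs and the throwaway jail are constructed for illustration.

```python
import configparser
import os
import shlex
import tempfile

def split_list(value):
    """Split a comma-separated jk_lsh.ini value, dropping trailing slashes."""
    return [p.strip().rstrip("/") for p in value.split(",") if p.strip()]

def check_command(jail_root, ini_text, user, command):
    """Return (allowed, detail) under the assumed model: argv[0] is used as-is
    if absolute, otherwise searched in 'paths'; the resolved path must appear
    in 'executables' and be executable inside the jail."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_section(user):
        return False, f"no [{user}] section in jk_lsh.ini"
    allowed = set(split_list(cfg.get(user, "executables", fallback="")))
    paths = split_list(cfg.get(user, "paths", fallback=""))
    argv0 = shlex.split(command)[0]
    candidates = [argv0] if argv0.startswith("/") else [f"{p}/{argv0}" for p in paths]
    listed = [c for c in candidates if c in allowed]
    if not listed:
        return False, f"'{argv0}' matches no listed executable via paths={paths}"
    for cand in listed:
        if os.access(os.path.join(jail_root, cand.lstrip("/")), os.X_OK):
            return True, cand
    return False, f"{listed[0]} is listed but missing or not executable in the jail"

# Constructed configs modelled on the two jk_lsh.ini versions in the thread.
INI_BEFORE = ("[pmitchel]\npaths = /usr/lib/\n"
              "executables = /usr/libexec/openssh/sftp-server, /usr/bin/scp, "
              "/usr/lib/sftp-server\nallow_word_expansion = 0\numask = 002\n")
INI_AFTER = INI_BEFORE.replace("paths = /usr/lib/", "paths = /usr/bin, /usr/lib/")

def demo():
    """Build a temporary jail holding only usr/bin/scp and run three checks."""
    with tempfile.TemporaryDirectory() as jail:
        os.makedirs(os.path.join(jail, "usr/bin"))
        scp = os.path.join(jail, "usr/bin/scp")
        open(scp, "w").close()
        os.chmod(scp, 0o755)
        return {
            "before": check_command(jail, INI_BEFORE, "pmitchel", "scp -f getit"),
            "after": check_command(jail, INI_AFTER, "pmitchel", "scp -f getit"),
            "sftp": check_command(jail, INI_AFTER, "pmitchel", "sftp-server"),
        }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Pointing jail_root at the real jail and ini_text at the contents of <jail>/etc/jailkit/jk_lsh.ini separates a 'paths' problem from a binary that was never copied into the jail.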