Jailkit chrooting for Vesta Control Panel v0.9.8-17
This is a modification I've made to the VestaCP code (http://github.com/serghey-rodin/vesta) which implements Jailkit chrooting. With this modification you're able to restrict users to their home directories on SSH and SFTP. VestaCP v0.9.8-17 already has a plugin for this named SFTP Chroot, and this modification works on top of it, which means you need to buy the plugin to get this to work. The difference between the SFTP Chroot plugin and this modification is that you're able to give users SSH or SFTP access restricted to their home directory; with the official plugin you are only able to use SFTP restriction. It is useful if, for example, you want to allow a user to use composer, or any other shell command you desire.
- Jailkit: http://olivier.sessink.nl/jailkit/
- A clean VestaCP installation: http://vestacp.com/ - https://github.com/serghey-rodin/vesta
- VestaCP SFTP Chroot plugin license: http://vestacp.com/features/#sftpchroot
- SSH keys support.
- SFTP and SSH access using bash shell.
- SFTP only access using nologin shell.
- Custom PS1 prompt support.
- VestaCP version 0.9.8-17
Keep in mind that I'm using CentOS 7; your installation process may differ a little bit depending on your OS. I only tested the code on CentOS 7, however it should work on other systems... let me know ;)
-
Downloading and installing Jailkit
Once you've got your OS installed, log in to your SSH server console as root.
Run the update command to make sure the system is up to date
yum update -y
Go to http://olivier.sessink.nl/jailkit/index.html#download and copy the link of the latest jailkit.tar.gz release.
Install necessary packages
yum install gcc make -y
Download jailkit from the copied link and uncompress it
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
Install jailkit
./configure
make
make install
If everything goes well you should see something like this when executing the command jk_init
ERROR: need at least a jail directory and a configfile-section
Usage: /usr/sbin/jk_init [OPTIONS]
Usage: /usr/sbin/jk_init [OPTIONS] -j jaildir sections...
-h --help : this help screen
-c, --configfile=FILE : specify configfile location
-l, --list : list all available sections in the configfile
-j, --jail= : specify the jail to use. For backwards compatibility, if no jail is specified, the first argument after the options will be used as jail
-v, --verbose : show what is being done
-f, --force : force overwriting of existing files
-k, --hardlink : use hardlinks if possible
-
Downloading and installing VestaCP
Note: I've tested the code on VestaCP v0.9.8-17 and it may not work on other releases.
Download the installation script
cd /tmp
curl -O http://vestacp.com/pub/vst-install.sh
Run the installation script. I recommend using the "install command generator" as I did
bash vst-install.sh --nginx yes --apache yes --phpfpm no --vsftpd yes --proftpd no --exim yes --dovecot yes --spamassassin yes --clamav yes --named yes --iptables yes --fail2ban yes --mysql yes --postgresql no --remi yes --quota yes
-
Downloading code from GitHub and configuring jailkit
- Download all the files located on the GitHub repository folder /bin
- Open the file v-add-sys-sftp-jail with your desired editor
- Search for /sbin/jk_init
- Modify the following lines as you prefer and save the file:
You must specify which packages the user should be able to use here.
/sbin/jk_init -f -j $chroot basicshell editors extendedshell netutils ssh sftp scp git
/sbin/jk_cp -f -j $chroot /bin/id
- Modify /etc/jailkit/jk_init.ini as you prefer
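The sections passed to jk_init and the files copied with jk_cp decide what ends up inside each user's jail, so it is worth checking the result once a jail exists. The following is an added example, not part of the repository: a POSIX shell function that reports setuid/setgid files and world-writable directories without the sticky bit under a jail directory. The function name `audit_jail` and the jail path passed to it are assumptions.

```shell
#!/bin/sh
# Added example, not part of the repository: audit a jail built by jk_init/jk_cp.
# audit_jail is a hypothetical helper name; the jail path is supplied by the caller.
#
# Prints one finding per line and returns:
#   0 = nothing found, 1 = findings printed, 2 = argument is not a directory
audit_jail() {
    jail=$1
    if [ ! -d "$jail" ]; then
        echo "audit_jail: not a directory: $jail" >&2
        return 2
    fi

    report=$(
        # Setuid/setgid files: jailed users should not find privileged
        # binaries among the files copied into the jail.
        find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'SETID %s\n' {} \;
        # World-writable directories without the sticky bit: any jailed
        # user could replace or remove files placed there.
        find "$jail" -xdev -type d -perm -0002 ! -perm -1000 \
            -exec printf 'WORLD-WRITABLE %s\n' {} \;
    )

    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run against a jail when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_jail "$1"
fi
```

A finding is a prompt to review which jk_init section or jk_cp line brought the file into the jail.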
-
Inserting modified code
- Log in to your SFTP server as root.
- Navigate to the directory /usr/local/vesta/bin
- Upload and replace all the files that you downloaded in step 3
-
Activating SFTP Chroot plugin
To activate the SFTP Chroot license key you must go to your recently installed VestaCP web panel:
- Open your browser, go to https://yourhostname:8083 and log in as the admin user.
- Then go to "Server" -> "Configure" -> "Vesta Control Panel Plugins", activate the plugin, insert the licence key and save the form.
If you did everything correctly you should now see the /chroot directory.
-
- Make sure the user is logged out from SFTP, this way we avoid errors...
- Go to your browser and navigate to https://yourhostname:8083/ logged in as admin
- Edit your desired user
- On the SSH Access dropdown select bash
-
- Make sure the user is logged out from SFTP and SSH, this way we avoid errors...
- Go to your browser and navigate to https://yourhostname:8083/ logged in as admin
- Edit your desired user
- On the SSH Access dropdown select nologin
-
PS1 (Prompt String 1) is one of the prompts available in Linux/Unix. When you log in to a machine, you have to enter a user name and password. Once you are done with this, you are presented with some info such as who is logged in, on which machine, what the present working directory is, and whether the logged-in user is a superuser or a normal user. This is done by the PS1 prompt, which is a built-in shell variable. The other prompts are PS2, PS3 and PS4.
Default prompt when we login to a machine:
[root@host ~]
If you wish, you can modify the PS1 prompt to a custom text like:
root@host [12:42:55] $
# or..
[My great Hosting] root@host >
If you want to do this, follow these steps:
- Log in to your SSH server console as root.
- Open the file /usr/local/vesta/bin/v-add-user-sftp-jail with your desired editor (I'll use nano)
nano /usr/local/vesta/bin/v-add-user-sftp-jail
- Search the following line
#echo 'PS1="\u@\h [\t]> "' >> /home/$user/.bash_profile
- Uncomment it and modify it as you want. Here you have a tutorial for doing it, just write inside the " ".
- At the end it should look something like this
echo 'PS1="\u@\h [\t]> "' >> /home/$user/.bash_profile
This script is licensed under the GPL v3 license
Copyright (c) 2016 Estilate, Manuel Valle - info@estilate.com