sftp connection to host fails with Jailkit (exit status 4)

I am running Ubuntu Server 18.04 with Jailkit 2.21 and want to allow certain users chrooted scp/sftp access using a password.

The sftp client authenticates successfully, but then disconnects with "exit status 4", and what I see is "connection to host failed":

sftp -v [email protected]

debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to some.hostname.com:22 as 'user1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:z2aXPqeA9saacFJ6QSSW1bxAvAD92RVhL8KLJWG/Fwo
debug1: Host 'some.hostname.com' is known and matches the ECDSA host key.

... local ssh key stuff... 

debug1: Next authentication method: password
[email protected]'s password: 
debug1: Authentication succeeded (password).
Authenticated to some.hostname.com ([x.x.x.x]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 2760, received 2328 bytes, in 2.8 seconds
Bytes per second: sent 990.6, received 835.5
debug1: Exit status 4
Connection closed.

On the server (grep -i sftp /var/log/auth.log), I see the following when they log in:

Feb 18 12:28:12 host jk_chrootsh[9462]: now entering jail /home/chroot_scp for user user1 (2933) with arguments -c /usr/lib/openssh/sftp-server

As far as I can see, there are no errors. The permissions on /home/chroot_scp check out with jk_check, and the home is owned by the user and their group with mode 755.

The server's sshd_config is:

PermitRootLogin no 
PubkeyAuthentication yes
PasswordAuthentication no 
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
AllowGroups ssh scp
Match Group scp
     PasswordAuthentication yes

If I temporarily replace the user's shell with /bin/bash, they can log in fine. So I think it is related to the chroot.

Answer 1

grep jail /var/log/auth.log shows:

Feb 18 14:36:41 host jk_lsh[21784]: WARNING: user user1 (2933) tried to run '/usr/lib/openssh/sftp-server', which is not allowed according to /etc/jailkit/jk_lsh.ini

I had entered the wrong path to sftp-server in the jk_lsh.ini file.
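
A check for the mismatch described in the answer, added here as an example and not code from the original post or from Jailkit: it compares the `Subsystem sftp` path in sshd_config with the `executables=` list in jk_lsh.ini. The sample file contents are constructed, and the lookup order ([user] section first, then [group <name>]) is an assumption about how jk_lsh selects a section.

```python
import configparser
import re

# Constructed sample inputs; the page does not show the real jk_lsh.ini.
SSHD_CONFIG = "Subsystem       sftp    /usr/lib/openssh/sftp-server\n"
JK_LSH_BAD = """\
[group scp]
paths = /usr/bin, /usr/lib/
executables = /usr/bin/scp, /usr/lib/sftp-server
"""
JK_LSH_GOOD = JK_LSH_BAD.replace("/usr/lib/sftp-server",
                                 "/usr/lib/openssh/sftp-server")


def sftp_subsystem_path(sshd_config_text):
    """Return the binary named by 'Subsystem sftp <path>', or None."""
    for line in sshd_config_text.splitlines():
        m = re.match(r"\s*Subsystem\s+sftp\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def allowed_executables(ini_text, user, group):
    """executables= from [user], else [group <group>] (assumed lookup order)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    for section in (user, f"group {group}"):
        if cp.has_section(section):
            raw = cp.get(section, "executables", fallback="")
            return section, [p.strip() for p in raw.split(",") if p.strip()]
    return None, []


def check_sftp_allowed(sshd_config_text, ini_text, user, group):
    """Return (ok, message): is the sftp subsystem binary whitelisted?"""
    wanted = sftp_subsystem_path(sshd_config_text)
    if wanted is None:
        return False, "sshd_config has no 'Subsystem sftp' line"
    section, allowed = allowed_executables(ini_text, user, group)
    if section is None:
        return False, f"jk_lsh.ini has no section for {user} or group {group}"
    if wanted in allowed:
        return True, f"[{section}] allows {wanted}"
    return False, f"[{section}] lists {allowed} but sshd runs {wanted}"


if __name__ == "__main__":
    for name, ini in (("bad", JK_LSH_BAD), ("good", JK_LSH_GOOD)):
        print(name, check_sftp_allowed(SSHD_CONFIG, ini, "user1", "scp"))
```

On a real host, pass the contents of /etc/ssh/sshd_config and /etc/jailkit/jk_lsh.ini instead of the constructed strings.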
