Jailkit howto - use pam_chroot with Jailkit

The PAM chroot module can be used to chroot users. There are several versions of this module; the one tested here is the module included in Ubuntu and Debian. The pam_chroot module is an alternative to the use of jk_chrootsh, and it can be used together with the other Jailkit utilities.

The PAM chroot module needs a chroot jail just like any other chroot jail made with Jailkit. Use jk_init and jk_cp to copy the desired utilities into the jail.

jk_init -v -j /home/jail basicshell

Note that the jk_init.ini file in the Jailkit tarball has defaults for Debian and Ubuntu. If you use jk_init on other operating systems you may need to use a different jk_init.ini file, or update the file locations in jk_init.ini yourself.

The PAM chroot module makes a chroot() system call after the user is authenticated and before the user's shell is started. The module is usually loaded in /etc/pam.d/common-session. An example config line for this file is shown:

session required pam_chroot.so

For an interactive session, this means that the shell specified in /etc/passwd should exist within the jail. The jail to use for a specific user is specified in /etc/security/chroot.conf:

mike /home/jail

It is perfectly valid to use jk_lsh as the shell for a user jailed with pam_chroot.
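
A quick check for the requirement above, as an added example that is not part of the original Jailkit howto: for every user listed in chroot.conf, it verifies that the login shell from the passwd file exists and is executable inside that user's jail. It assumes the first field of each chroot.conf line is a literal user name, as in the example entry; the function names, the user anna and the temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Jailkit code).
# Usage: check_jail_shells CHROOT_CONF PASSWD_FILE
# Prints one line per problem and returns 1 if any problem was found.
check_jail_shells() {
    conf=$1
    passwd=$2
    status=0
    # Each chroot.conf line is assumed to be "<user> <jail directory>".
    while read -r user jail _rest || [ -n "$user" ]; do
        # Skip blank lines and comments.
        case $user in ''|'#'*) continue ;; esac
        # Field 7 of a passwd entry is the login shell.
        shell=$(awk -F: -v u="$user" '$1 == u { print $7; exit }' "$passwd")
        if [ -z "$shell" ]; then
            echo "$user: no passwd entry"
            status=1
        elif [ ! -x "$jail$shell" ]; then
            # pam_chroot starts the shell after chroot(), so the path
            # is resolved relative to the jail root.
            echo "$user: $shell missing or not executable in $jail"
            status=1
        fi
    done < "$conf"
    return $status
}

# Demonstration on constructed files in a temporary directory:
# mike's shell is present in the jail, anna's is not.
demo_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/jail/bin"
    : > "$tmp/jail/bin/sh"
    chmod 755 "$tmp/jail/bin/sh"
    printf '%s\n' '# constructed chroot.conf' \
        "mike $tmp/jail" "anna $tmp/jail" > "$tmp/chroot.conf"
    printf '%s\n' 'mike:x:1001:1001::/home/mike:/bin/sh' \
        'anna:x:1002:1002::/home/anna:/bin/bash' > "$tmp/passwd"
    check_jail_shells "$tmp/chroot.conf" "$tmp/passwd" || true
    rm -rf "$tmp"
}

demo_check
```

On a real system, call check_jail_shells /etc/security/chroot.conf /etc/passwd after each jk_init or jk_cp run.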

Some issues have been reported with the PAM chroot module. Because the module needs to make a chroot() system call, it needs root privileges. Several sources report that using privilege separation in the ssh server breaks libpam_chroot. However, this is not the case on Ubuntu. Disabling privilege separation will reduce your system's security, so if your pam_chroot has this requirement, you are better off using jk_chrootsh instead of pam_chroot!