There is a new version of this tutorial available for Debian 9 (Stretch).

How to create a jailed ssh user with Jailkit on Debian Wheezy

Version 1.0
Author: Srijan Kishore
Follow howtoforge on Twitter

This document describes how to install and configure Jailkit in Debian Wheezy Server.  Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.

Jailkit is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes.

1 Preliminary Note

This tutorial is based on Debian 7.6 server, so you should set up a basic Debian 7.6 server installation before you continue with this tutorial. The system should have a static IP address. I use as my IP address in this tutorial and as the hostname. 

2 Install Jailkit

We will first download and install the Jailkit. At present time of writing this guide the latest available version of Jailkit is 2.17. I will download it and install it as follows:

cd /tmp    
tar xvfz jailkit-2.17.tar.gz
cd jailkit-2.17

Jailkit requires some packages before its installation, we will install them as follows:

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold python

Now our system is ready to install the Jailkit, install it as follows:

./debian/rules binary
cd ..
dpkg -i jailkit_2.17-1_amd64.deb

It will install the Jailkit in Debian Server, we can remove the extra packages from /tmp:

rm -rf /tmp/jailkit*

3 Jailing a user

Now we will create  a user which will be jailed using Jailkit as:

adduser srijan

[email protected]:~#adduser srijan
Adding user `srijan' ...
Adding new group `srijan' (1001) ...
Adding new user `srijan' (1001) with group `srijan' ...
Creating home directory `/home/srijan' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: <--password
Retype new UNIX password:<--password
passwd: password updated successfully
Changing the user information for srijan
Enter the new value, or press ENTER for the default
        Full Name []: <--ENTER
        Room Number []:<--ENTER
        Work Phone []:<--ENTER
        Home Phone []:<--ENTER
        Other []:<--ENTER
Is the information correct? [Y/n] <--Y
[email protected]:~#

In my case I am creating the user srijan, you can use any name.

Next we will check the information about user srijan in /etc/passwd as:

egrep srijan /etc/passwd
[email protected]:/tmp# egrep srijan /etc/passwd
[email protected]:/tmp#

Next we will jail the created user. Create a directory /jail for Jail environment:

mkdir /jail

Now we will provide the Jail with some of the default programs environment as:

jk_init -v /opt/jail netutils basicshell jk_lsh openvpn ssh sftp

We can give other values also, the complete list of the Jail environment can be checked in the file

nano /etc/jailkit/jk_init.ini

Now Jail is ready, just add the user inside the environment:

jk_jailuser -m -j /jail/ srijan

Again check the values in /etc/passwd for user srijan:

egrep srijan /etc/passwd
[email protected]:/tmp# egrep srijan /etc/passwd
[email protected]:/tmp#

Now our user have been added in the Jailed environment. I will connect the Debian server with bash terminal with its IP

ssh [email protected]
[email protected]:~$ ssh [email protected]
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is 3d:ca:91:67:96:39:15:b4:0f:6e:c8:2c:92:ef:25:d7.
Are you sure you want to continue connecting (yes/no)? yes
[email protected]'s password:
Linux server1 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Connection to closed.
[email protected]:~$

Connection is getting closed as the user don't have logging shell, lets add it in the configuration file for Jail:

nano /jail/etc/passwd

It will add the bash prompt for the jailed user srijan.  Now again try the ssh login with srijan user and you will be able to login:

ssh [email protected]

Now check the root directory content, you will notice that it have contents like this:

ls /
[email protected]:~$ ls /
bin  dev  etc  home  lib  lib64  usr
[email protected]:~$


4 Running services and commands in Jailed environment

Jail can be used to run services in Jailed environment. Suppose we want to run any service in Jailed environment then we will use jk_chrootlaunch command for that:

jk_chrootlaunch -j /jail -u srijan -x 'service apache2 start'

Here I am starting the service of Apache, similarly you can run any service or daemon with it in Jailed environment.

Suppose we want to run a particular command in Jail environment then we will use jk_cp. Lets test it in Jailed environment when we will run cal then it shows as follows:

[email protected]:~$ cal
bash: cal: command not found
[email protected]:~$

It means Jail environment don't knows the cal command, now I will add it in Debian Server as follows:

jk_cp  -v -j /jail/ /usr/bin/cal
[email protected]:~# jk_cp  -v -j /jail/ /usr/bin/cal
Creating symlink /jail/usr/bin/cal to ncal
Copying /usr/bin/ncal to /jail/usr/bin/ncal
Creating symlink /jail/lib/x86_64-linux-gnu/ to
Copying /lib/x86_64-linux-gnu/ to /jail/lib/x86_64-linux-gnu/
/jail/lib/x86_64-linux-gnu/ already exists, will not touch it
/jail/lib/x86_64-linux-gnu/ already exists, will not touch it
/jail/lib/x86_64-linux-gnu/ already exists, will not touch it
/jail/lib64/ already exists, will not touch it
/jail/lib/x86_64-linux-gnu/ already exists, will not touch it
/jail/lib/x86_64-linux-gnu/ already exists, will not touch it
/jail/lib/x86_64-linux-gnu/ already exists, will not touch it
/jail/lib64/ already exists, will not touch it
[email protected]:~#

Again run the cal command in Jailed environment:

[email protected]:~$ cal
   September 2014    
Su Mo Tu We Th Fr Sa 
    1  2  3  4  5  6 
 7  8  9 10 11 12 13 
14 15 16 17 18 19 20 
21 22 23 24 25 26 27 
28 29 30             
[email protected]:~$

So we have added the command for the Jailed environment. Congratulations! Now we have successfully configured Jail environment in Debian Wheezy :)

Share this page:

5 Comment(s)

Add comment

Please register in our forum first to comment.


By: PacoW

Great tutorial! This tutorial was written for Debian Wheezy. As I'm using the recently released Debian Jessie I encountered a few minor issues using the tutorial. I posted a list of (hopefully) helpful comments in the forum.

By: sean

I did a copy/paste of this tutorial so I can learn it in a fresh Debian Wheezy install in Virtualbox and when I came to the line "Now Jail is ready, just add the user inside the environment:", I got an invalid jail error and the whole install failed. I tried this four times. No clue as to what's going on. Cop and pasted everything as root. Ideas?

By: Clem


Work perfectly on Debian Jessie 8.3Tank's a lot dude !

By: Nash

adding bash as a shell in the /etc/passwd will make all what you have done void... not a jail at all.

By: till

You mix up passwd files here. In this tutorial, bash is not added in /etc/passwd, it is added in /jail/etc/passwd which is the passwd file inside the jail. Adding bash as shell there is required and does not make the jail void.