
I'm running Ubuntu Server 18.04 with Jailkit 2.21, wanting to allow chrooted scp/sftp access via password to some users.

The sftp client can authenticate OK, but then just disconnects with an "Exit status 4" which I see is "Connecting to host failed":

sftp -v user1@some.hostname.com

debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to some.hostname.com:22 as 'user1'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:z2aXPqeA9saacFJ6QSSW1bxAvAD92RVhL8KLJWG/Fwo
debug1: Host 'some.hostname.com' is known and matches the ECDSA host key.

... local ssh key stuff... 

debug1: Next authentication method: password
user1@some.hostname.com's password: 
debug1: Authentication succeeded (password).
Authenticated to some.hostname.com ([x.x.x.x]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 2760, received 2328 bytes, in 2.8 seconds
Bytes per second: sent 990.6, received 835.5
debug1: Exit status 4
Connection closed.

On the server (grep -i sftp /var/log/auth.log), I see this when they log in:

Feb 18 12:28:12 host jk_chrootsh[9462]: now entering jail /home/chroot_scp for user user1 (2933) with arguments -c /usr/lib/openssh/sftp-server

And no errors as far as I can see. The permissions for /home/chroot_scp check out OK with jk_check and the user's home is 755 owned by them and their group.

The server's sshd_config is:

PermitRootLogin no 
PubkeyAuthentication yes
PasswordAuthentication no 
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
AllowGroups ssh scp
Match Group scp
     PasswordAuthentication yes

If I temporarily replace the user's shell with /bin/bash, they can log in as expected. So I assume it's something to do with the chroot.

TommyPeanuts

1 Answer


grep jail /var/log/auth.log showed:

Feb 18 14:36:41 host jk_lsh[21784]: WARNING: user user1 (2933) tried to run '/usr/lib/openssh/sftp-server', which is not allowed according to /etc/jailkit/jk_lsh.ini

I'd got the wrong path to sftp-server in the jk_lsh.ini file.

TommyPeanuts
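
The mismatch described in the answer can be checked before a user hits it. The following is an added example, not code from the original post or from the Jailkit project: it compares the `Subsystem sftp` command in sshd_config with the `executables` list of one jk_lsh.ini section, and pulls refused commands out of auth.log. The jk_lsh.ini contents, the section name `group scp` and all function names are assumptions made for illustration; the log line is the one quoted in the answer.

```python
import configparser
import re

SSHD_CONFIG = """\
Subsystem       sftp    /usr/lib/openssh/sftp-server
AllowGroups ssh scp
"""
# Constructed sample: the sftp-server path here does not match sshd_config.
JK_LSH_INI = """\
[group scp]
paths = /usr/bin, /usr/lib
executables = /usr/bin/scp, /usr/lib/sftp-server
"""
# Log line as quoted in the answer above.
AUTH_LOG = """\
Feb 18 14:36:41 host jk_lsh[21784]: WARNING: user user1 (2933) tried to run '/usr/lib/openssh/sftp-server', which is not allowed according to /etc/jailkit/jk_lsh.ini
"""

def sftp_subsystem(sshd_config):
    """Return the command sshd passes to the user's shell for 'Subsystem sftp'."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0].lower() == "subsystem" and parts[1] == "sftp":
            return parts[2]
    return None

def allowed_executables(ini_text, section):
    """Return the set of paths listed under 'executables' in one ini section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section(section):
        return set()
    raw = cp.get(section, "executables", fallback="")
    return {p.strip() for p in raw.split(",") if p.strip()}

DENIED = re.compile(
    r"jk_lsh\[\d+\]: WARNING: user (\S+) \(\d+\) tried to run '([^']+)', which is not allowed")

def denied_commands(auth_log):
    """Return (user, command) pairs that jk_lsh refused to run."""
    return DENIED.findall(auth_log)

def check(sshd_config, ini_text, section):
    """Return (sftp command, True if that exact path is allowed in the section)."""
    cmd = sftp_subsystem(sshd_config)
    return cmd, cmd in allowed_executables(ini_text, section)

if __name__ == "__main__":
    print(check(SSHD_CONFIG, JK_LSH_INI, "group scp"))
    print(denied_commands(AUTH_LOG))
```

Pass the name of the section that applies to the account being checked, and read jk_lsh.ini from inside the jail (here that would be under /home/chroot_scp), since that is the copy the jailed shell sees.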