ISPConfig Jailkit / SSH Chroot not working (Lenny)


edge
6th March 2009, 21:30
Not sure where I did go wrong, but I did install Jailkit (according to The Perfect Server - Debian Lenny (Debian 5.0) [ISPConfig 3] - Page 4 - step 15 - Install Jailkit) before I installed ISPConfig 3.

Whatever option I try for a Shell-User (none / Jailkit / SSH Chroot), they can cd into other directories, and read the data.

Is it me who made a mistake, or does it not work on Lenny?

till
6th March 2009, 23:27
Jailkit works for me fine on lenny, there are no known bugs. SSH-Chroot will only work if you patch your SSH daemon like it was necessary for ispconfig 2.

edge
7th March 2009, 09:18
Hi Falko,

I'm 100% sure that I did install it according to the howto.

Also the directory /etc/jailkit and the needed files do exist, and jk_socketd.ini does point to the "jailed" user directory:

[/var/clients/client1/web1/dev/log]
base=512
peak=2048
interval=10

When I log in with the created shell-user I get this back as the prompt:
$USER@www.somedomain.nl:~$

Is the $USER correct, or should it say the user name?

Also, is there another way of checking that Jailkit is installed correctly?

edge
7th March 2009, 09:34
I've created a new domain / user, and now jailkit is working fine!
The 1st domain / user that I tested it with was the main host name of the server. I guess that this was kind of mixing things up.

All is working fine for the new user.

However! I do still see the deleted test user accounts in "/var/clients/client1/web1/home"

falko
7th March 2009, 15:30
I see you've posted this in the bugtracker, so we will check it.

oncletom
23rd April 2009, 10:06
Hi, I think I have a similar problem.

I created a client, then a website and lastly a shell account with a Jailkit chroot.
Its dir is `/var/www/clients/client1/web1`. When I log in, I'm located in `/var/www/clients/client1/web1/home/[clientname]`. I can browse the whole filesystem (according to the user permissions at least).

A last thing, I left the username empty because a shell login with [clientname] was fine. Could it be related? No chroot created because of no username given?

PS: I've installed Jailkit before ISPConfig ;-)

till
23rd April 2009, 10:24
Are you really sure that you can browse the complete filesystem? Please log in with that user and then execute:

cd /

and post the output of:

ls -la

oncletom
23rd April 2009, 10:46
Are you really sure that you can browse the complete filesystem? Please log in with that user and then execute:

cd /

and post the output of:

ls -la

Hello :)

Thanks for your prompt reply. Here is the output:

web1@ns206144:~$ cd /
web1@ns206144:/$ ls -la
total 84
drwxr-xr-x 21 root root 4096 avr 19 19:25 .
drwxr-xr-x 21 root root 4096 avr 19 19:25 ..
drwxr-xr-x 2 root root 4096 fév 12 14:46 bin
drwxr-xr-x 2 root root 4096 avr 19 19:23 boot
drwxr-xr-x 12 root root 14080 avr 23 06:25 dev
drwxr-xr-x 95 root root 4096 avr 23 10:38 etc
drwxr-xr-x 3 root root 4096 fév 9 12:53 home
drwxr-xr-x 11 root root 4096 avr 23 10:35 lib
lrwxrwxrwx 1 root root 4 avr 19 19:23 lib64 -> /lib
drwx------ 2 root root 16384 avr 19 19:15 lost+found
drwxr-xr-x 3 root root 4096 fév 9 11:23 media
drwxr-xr-x 2 root root 4096 déc 4 10:21 mnt
drwxr-xr-x 2 root root 4096 fév 9 11:23 opt
dr-xr-xr-x 170 root root 0 avr 19 22:27 proc
drwxr-xr-x 5 root root 4096 avr 21 19:20 root
drwxr-xr-x 2 root root 4096 avr 21 19:57 sbin
drwxr-xr-x 2 root root 4096 sep 16 2008 selinux
drwxr-xr-x 2 root root 4096 fév 9 11:23 srv
drwxr-xr-x 12 root root 0 avr 19 22:27 sys
drwxrwxrwt 5 root root 4096 avr 23 10:45 tmp
drwxr-xr-x 11 root root 4096 avr 19 21:45 usr
drwxr-xr-x 15 root root 4096 avr 19 22:12 var

Is it the expected result?

till
23rd April 2009, 10:48
Ok, the user is really not chrooted. Did you get any errors in the log files (see monitoring module) as you created the jailed user? Please try to create a different new jailed user and check if this gets jailed.

oncletom
24th April 2009, 10:47
Ok, the user is really not chrooted. Did you get any errors in the log files (see monitoring module) as you created the jailed user? Please try to create a different new jailed user and check if this gets jailed.

I'll check for that. I'll keep you posted, thanks.

oncletom
24th April 2009, 14:42
I reinstalled the whole box, created 2 accounts (with login suffix now, like [CLIENTNAME]test1 & test2) but I encounter the same issue: `cd /` brings me to the very root of the server.

However, I noticed that when I have just connected, I'm in `/var/www/clients/client1/web1/./home/[CLIENTNAME]test1`. When I do `cd`, I'm then in `/var/www/clients/client1/web1/home/[CLIENTNAME]test1`.

Does it help?

till
24th April 2009, 14:48
If you have a . in the path then you selected the wrong chrooting method and this explains all your problems. You have to select jailkit and not ssh chroot if your ssh daemon has not been patched for chrooting.

oncletom
24th April 2009, 15:01
If you have a . in the path then you selected the wrong chrooting method and this explains all your problems. You have to select jailkit and not ssh chroot if your ssh daemon has not been patched for chrooting.

I have only 2 choices for Chroot Shell: None or Jailkit.
I patched nothing else (I followed the install guide step by step except for the webmail and FTP server I don't want) so I'm wondering where it comes from.

I'm on a Debian Lenny (5.0.1).

oncletom
26th April 2009, 11:17
I investigated a little more but I found nothing.

I've only installed jailkit with the configure/make/make install and nothing more. It was version 2.7.

I checked files within /etc/jailkit and the only one with a different modified date was jk_socketd.ini:

# example
#[/home/testchroot/dev/log]
#base = 1024
#peak = 10240
#interval = 2.0

[/var/www/clients/client1/web1/dev/log]
base=512
peak=2048
interval=10

In the Monitor tab of ISPConfig, I don't have anything related to Jailkit, only Fail2ban:
2009-04-26 06:25:03,808 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-04-26 06:25:03,808 fail2ban.jail : INFO Creating new jail 'ssh'
2009-04-26 06:25:03,808 fail2ban.jail : INFO Jail 'ssh' uses poller
2009-04-26 06:25:03,809 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2009-04-26 06:25:03,809 fail2ban.filter : INFO Set maxRetry = 6
2009-04-26 06:25:03,810 fail2ban.filter : INFO Set findtime = 600
2009-04-26 06:25:03,810 fail2ban.actions: INFO Set banTime = 600
2009-04-26 06:25:03,863 fail2ban.jail : INFO Jail 'ssh' started
2009-04-26 06:25:05,468 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2009-04-26 06:25:29,468 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log

till
26th April 2009, 11:25
Looks fine so far.

If I remember correctly I did my last tests with Jailkit 2.6, maybe something changed there. I will try to set up a new system in the next days to see if everything is still working. Added this to the bugtracker:

http://bugtracker.ispconfig.org/index.php?do=details&task_id=716

Ovidiu
5th May 2009, 14:18
Jailkit works for me fine on lenny, there are no known bugs. SSH-Chroot will only work if you patch your SSH daemon like it was necessary for ispconfig 2.

Just wondering if this is still valid, as far as I know the latest openssh contains the patch so it is not needed anymore.

Besides, I followed the howto for the perfect debian lenny webserver for ispcfg3 completely and I am not offered the chroot option, only the jailkit one.

Besides, what is the difference in a few sentences between those two?

till
5th May 2009, 14:31
This is still valid. The patch in openssh is not compatible with the way the chroot was configured with the patch that was available before.

oncletom
7th May 2009, 09:27
In fact I just saw these logs (/var/log/auth.log) after creating a user:

May 3 18:32:01 *serverName* useradd[17093]: new user: name=someuser, UID=5011, GID=5006, home=/var/www/clients/client4/web18, shell=/bin/bash
May 3 18:32:01 *serverName* CRON[17054]: pam_unix(cron:session): session closed for user root
May 3 18:32:01 *serverName* usermod[17099]: lock user `someuser' password
May 3 18:32:05 *serverName* usermod[18272]: unlock user `someuser' password
May 3 18:32:05 *serverName* usermod[18279]: change user `someuser' home from `/var/www/clients/client4/web18' to `/var/www/clients/client4/web18/./home/someuser'
May 3 18:32:05 *serverName* usermod[18284]: change user `web18' home from `/var/www/clients/client4/web18' to `/var/www/clients/client4/web18/./home/web18'

Finally, when the user logs in, the path is good as it's the one that was set up. But it's not the expected one.

Hope it helps.
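
Added example, not part of any post in this thread and not ISPConfig or Jailkit code: Jailkit performs the chroot in its `jk_chrootsh` login shell, which splits the account's home directory at the `/./` separator, so an account like the one in the auth.log excerpt above (home rewritten with `/./`, shell logged as `/bin/bash` at creation) is not jailed. The function names and the sample passwd entries are constructed for illustration; the paths follow the layout shown in the thread.

```shell
#!/bin/sh
# Classify passwd(5) entries by whether Jailkit would jail the login.

# classify HOME SHELL -> prints one verdict word
classify() {
    case $1 in */./*) marker=yes ;; *) marker=no ;; esac
    # Match on the basename so the install prefix does not matter.
    case ${2##*/} in jk_chrootsh) jk=yes ;; *) jk=no ;; esac
    case $marker:$jk in
        yes:yes) echo jailed ;;       # separator + jk_chrootsh: chrooted
        yes:no)  echo marker-only ;;  # separator but ordinary shell: no chroot
        no:yes)  echo shell-only ;;   # jk_chrootsh with no separator to split on
        no:no)   echo unjailed ;;
    esac
}

# jail_root HOME -> prints the part before "/./" (the directory that becomes /)
jail_root() {
    case $1 in */./*) printf '%s\n' "${1%%/./*}" ;; *) return 1 ;; esac
}

# audit: read passwd lines on stdin, print "name verdict jail-root"
audit() {
    while IFS=: read -r name _pw _uid _gid _gecos home shell; do
        [ -n "$name" ] || continue
        verdict=$(classify "$home" "$shell")
        root=$(jail_root "$home") || root=-
        printf '%s %s %s\n' "$name" "$verdict" "$root"
    done
}

# Constructed sample entries (not real accounts).
sample_passwd() {
cat <<'EOF'
someuser:x:5011:5006::/var/www/clients/client4/web18/./home/someuser:/bin/bash
jailed1:x:5012:5006::/var/www/clients/client4/web18/./home/jailed1:/usr/sbin/jk_chrootsh
plain1:x:5013:5006::/var/www/clients/client4/web19:/bin/bash
EOF
}

sample_passwd | audit
```

On a live system, `audit < /etc/passwd` gives the same report for the real accounts; any `marker-only` line is a shell user whose `cd /` will show the server's real root.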

till
7th May 2009, 11:06
If you use Jailkit newer than 2.5 then please install this update:

http://www.howtoforge.com/forums/showthread.php?t=34555

oncletom
8th May 2009, 15:02
I applied the update, reconfigured the services, switched a Shell User account from Jailkit to None then None to Jailkit and now I'm dropped in the good directory (the one of the Dir option in the Options tab of ISPConfig).

If I do "cd /", I can still access the root of the server. Is it normal?

oncletom
8th May 2009, 15:07
I said nothing: now I reconnected again and I'm headed to the /home folder. The / is now the client folder :) that's good!

EDIT: anyway, is there a way to let the user execute the command "su"?
Will adding the following to jk_init.ini be sufficient?

[su]
comment = Change user while jailed
executable = /bin/su