HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


aldo 7th September 2011 16:37

shell users can navigate backwards
 
I need to create users only to allow SFTP access.

At this time, "Chroot Shell" is set to "Jailkit" but the user can navigate backwards from the home folders, almost anywhere.

At least I would like to avoid this.

Thank you for your help.

till 7th September 2011 16:42

Then the jail is not initiated correctly. You can check that in /etc/passwd. As far as I know, you cannot even use sftp in a jail in ispconfig, so if the jail were there, then no sftp login would be possible.

In general, I recommend that you use ftps and not sftp. ftps is FTP over a secure TLS encrypted connection which runs over the FTP daemon so that it can benefit from the virtual ftp jails while sftp is a ssh protocol and needs full ssh jails.

aldo 7th September 2011 17:10

Thank you Till,
please can you tell me what I have to check/correct in /etc/passwd?

FTPS users are configured as shell users or ftp users in ISPConfig 3?

Thanks again.

till 7th September 2011 17:15

Quote:

please can you tell me what I have to check/correct in /etc/passwd?

Check the shell of the shell users in /etc/passwd. If it's /bin/bash, then they are not jailed. If the shell is something like jk_chrootsh, then the users are jailed.

Quote:

FTPS users are configured as shell users or ftp users in ISPConfig 3?

FTPS users are configured as FTP users in ispconfig.

aldo 7th September 2011 17:45

in /etc/passwd there is:
web9:x:5011:5006::/var/www/clients/client2/web9/./home/web9:/bin/false
user9:x:5011:5006::/var/www/clients/client2/web9/./home/user9:/usr/sbin/jk_chrootsh

while in ISPConfig:
user9
Chroot Shell=Jailkit
Options:
Web Username=web9
Web Group=client2
Shell=/bin/bash
Dir=/var/www/clients/client2/web9

The only oddity seems to be the web9 user's shell:
/bin/false in /etc/passwd
/bin/bash in ISPconfig

till 7th September 2011 17:51

Does it work when you change /bin/false to /usr/sbin/jk_chrootsh manually?

aldo 7th September 2011 18:10

Yes it works.

The strange thing is that it now also works with the old configuration.

It seems that the configurations take effect several minutes after being executed.

till 7th September 2011 18:35

It takes about one minute until the configuration is applied. You can see in the jobqueue of the ispconfig monitor when a job has been executed.
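
The /etc/passwd check described in this thread, as an added example that is not part of the original posts and is not ISPConfig or Jailkit code. It classifies each entry by its shell field and also checks for the "/./" jail marker that Jailkit expects in the home field; the function names, status labels and the user10/user11 entries are made up for illustration.

```shell
#!/bin/sh
# Added example, not ISPConfig or Jailkit code.

# Constructed sample; the web9 and user9 entries are the two quoted in the thread.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
web9:x:5011:5006::/var/www/clients/client2/web9/./home/web9:/bin/false
user9:x:5011:5006::/var/www/clients/client2/web9/./home/user9:/usr/sbin/jk_chrootsh
# constructed: shell user whose jail was never applied
user10:x:5012:5006::/var/www/clients/client2/web10/home/user10:/bin/bash
# constructed: chroot shell set, but the home field lacks the "/./" jail marker
user11:x:5013:5006::/var/www/clients/client2/web11/home/user11:/usr/sbin/jk_chrootsh
EOF
}

# jail_status FILE [HOME_PREFIX]: print "user<TAB>status<TAB>shell" per entry.
# FILE may be "-" for stdin; HOME_PREFIX limits output to homes under that path.
# On a live system: jail_status /etc/passwd /var/www/clients/
jail_status() {
    awk -F: -v prefix="${2:-}" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        NF != 7 { printf "%s\tMALFORMED\t\n", $1; next }
        prefix != "" && index($6, prefix) != 1 { next }
        {
            home = $6; shell = $7
            # Jailkit reads the home field as <jail root>/./<home inside jail>.
            if (shell ~ /\/jk_chrootsh$/) {
                status = index(home, "/./") ? "JAILED" : "NO-JAIL-MARKER"
            } else if (shell ~ /\/(false|nologin)$/) {
                status = "NO-LOGIN"
            } else {
                status = "NOT-JAILED"            # real shell (empty field means /bin/sh)
            }
            printf "%s\t%s\t%s\n", $1, status, shell
        }
    ' "${1:-/etc/passwd}"
}

# Demo on the constructed sample, limited to homes under the client web root.
sample_passwd | jail_status - /var/www/clients/
```
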


All times are GMT +2.