HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


xrstokes 28th December 2011 13:47

Jailed SSH users just exit.
 
Thanks for all the help so far to all those who contribute to the forums. I've gotten stuck on a real doozy this time though. As the title suggests, I'm having trouble with jailing ssh users. Putty just exits. Here is some relevant info.
Just followed the new opensuse 12.1 perfect server guide, bought the manual and tried again; everything else I think is fine. I'd love to stick with opensuse if possible.
I tried the following with no luck. Did I make a security hole?
Code:

chmod +s /usr/sbin/jk_addjailuser
chmod +s /usr/sbin/jk_check
chmod +s /usr/sbin/jk_chrootlaunch
chmod +s /usr/sbin/jk_chrootsh
chmod +s /usr/sbin/jk_cp
chmod +s /usr/sbin/jk_init
chmod +s /usr/sbin/jk_jailuser
chmod +s /usr/sbin/jk_list
chmod +s /usr/sbin/jk_lsh
chmod +s /usr/sbin/jk_procmailwrapper
chmod +s /usr/sbin/jk_socketd
chmod +s /usr/sbin/jk_update

It changed the nature of the problem but it still exists.
Here is the output of /etc/passwd
Code:

web3:x:5005:5004::/srv/www/clients/client1/web3/./home/web3:/bin/false
grantstokes2:x:5005:5004::/srv/www/clients/client1/web3/./home/grantstokes2:/usr/sbin/jk_chrootsh

Here is the relevant output from the log
Code:

Dec 28 17:33:39 webserv2 jk_chrootsh[3757]: now entering jail /srv/www/clients/client1/web3 for user grantstokes2 (5005)
Dec 28 17:33:39 webserv2 jk_chrootsh[3757]: ERROR: failed to execute shell /bin/bash#015 for user grantstokes2 (5005), check the permissions and libraries of /srv/www/clients/client1/web3//bin/bash#015
Dec 28 17:33:39 webserv2 systemd-logind[1077]: Removed session 20.

Hope this all helps and thank you so much in advance.

Grant
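
The `#015` in the log above is syslog's octal escape for a carriage return, so the shell path being executed ends in a stray CR. The following check is an added example, not part of the original post; it assumes the CR sits in the shell field of the jail's own etc/passwd (a file the thread does not show), and its function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample: one clean entry and one whose shell field
# ends in a carriage return, as "/bin/bash#015" in the log suggests.
make_sample() {
    printf 'root:x:0:0:root:/root:/bin/bash\n'
    printf 'grantstokes2:x:5005:5004::/home/grantstokes2:/bin/bash\r\n'
}

# Print "user:field" for every passwd field containing a CR (octal 015).
find_cr_fields() {
    awk -F: '{
        user = $1
        gsub(/\r/, "", user)
        for (i = 1; i <= NF; i++)
            if (index($i, "\r") > 0) print user ":" i
    }' "$1"
}

# Write a CR-free copy to stdout; the original file is left untouched.
strip_cr() {
    tr -d '\r' < "$1"
}

# Demo on the constructed sample. On a real host the file to check would be
# <jail>/etc/passwd (assumed location, the thread does not show that file).
sample=$(mktemp)
make_sample > "$sample"
find_cr_fields "$sample"
strip_cr "$sample" > "$sample.clean"
find_cr_fields "$sample.clean"
rm -f "$sample" "$sample.clean"
```

Field 7 is the login shell, so a hit there matches the failed exec in the log; review the cleaned copy before replacing the jail's file.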

till 28th December 2011 14:07

There was a problem with jailkit in ISPConfig 3.0.4, it has been fixed in ISPConfig 3.0.4.1. So most likely your problem will get solved by updating to the latest ispconfig version. The jail will only be recreated when the first shell user of a website gets added, so you should try to create a new website and then a new shell user and try to login with that user to see if the problem is solved.

Quote:

Did I make a security hole?
Most likely, yes.

xrstokes 28th December 2011 14:37

WOW! Thanks for the fast response but still no luck. I'll run through the guide again and let you know how I go. I've got a sneaky suspicion that the jailkit daemon wasn't running during install. Could that affect it? Out of curiosity, I don't suppose I can find a list somewhere with what services need to be running at install and all the time. I reckon the distro added a few I didn't need. I use nginx too, if that changes anything?

Grant

till 28th December 2011 15:08

Quote:

I've got a sneaky suspicion that the jailkit daemon wasn't running during install. Could that affect it?
That should not matter, as the jailkit daemon is not used in that setup, so it can be stopped.

Quote:

I don't suppose I can find a list somewhere with what services need to be running at install and all the time
Just follow the perfect server guide, at the end all services required by ispconfig are installed and running.

xrstokes 28th December 2011 15:57

Still got the same problem after running through again.


Code:

web1:x:5004:5004::/srv/www/clients/client1/web1/./home/web1:/bin/false
grantstokesssh:x:5004:5004::/srv/www/clients/client1/web1/./home/grantstokesssh:/usr/sbin/jk_chrootsh

Without jailkit

Code:

Dec 29 00:34:32 webserv2 sshd[7519]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Dec 29 00:34:45 webserv2 sshd[7519]: Accepted keyboard-interactive/pam for grantstokesssh from 110.232.244.1 port 55612 ssh2
Dec 29 00:34:45 webserv2 systemd-logind[1217]: New user web1 logged in.
Dec 29 00:34:45 webserv2 systemd-logind[1217]: New session 17 of user web1.

With

Code:

Dec 29 00:38:01 webserv2 shadow[7806]: account already exists - account=grantstokesssh, by=0
Dec 29 00:38:22 webserv2 shadow[11754]: home directory changed - account=grantstokesssh, uid=5004, home=/srv/www/clients/client1/web1/., old home=/srv/www/clients/client1/web1, by=0
Dec 29 00:38:22 webserv2 shadow[11754]: shell changed - account=grantstokesssh, uid=5004, shell=/usr/sbin/jk_chrootsh, old shell=/bin/bash, by=0
Dec 29 00:38:22 webserv2 shadow[11755]: home directory changed - account=grantstokesssh, uid=5004, home=/srv/www/clients/client1/web1/./home/grantstokesssh, old home=/srv/www/clients/client1/web1/., by=0
Dec 29 00:38:22 webserv2 shadow[11757]: home directory changed - account=web1, uid=5004, home=/srv/www/clients/client1/web1/./home/web1, old home=/srv/www/clients/client1/web1, by=0
Dec 29 00:38:46 webserv2 sshd[11767]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Dec 29 00:38:59 webserv2 sshd[11767]: Accepted keyboard-interactive/pam for grantstokesssh from 110.232.244.1 port 55641 ssh2
Dec 29 00:38:59 webserv2 systemd-logind[1217]: New session 25 of user web1.
Dec 29 00:39:00 webserv2 jk_chrootsh[11778]: abort, effective user ID is not 0, possibly jk_chrootsh is not setuid root
Dec 29 00:39:00 webserv2 systemd-logind[1217]: Removed session 25.
Dec 29 00:39:00 webserv2 systemd-logind[1217]: User web1 logged out.

Output from ls -la /usr/sbin/jk_chrootsh

Code:

webserv2:~ # ls -la /usr/sbin/jk_chrootsh
-rwxr-xr-x 1 root root 27312 Oct 30 07:01 /usr/sbin/jk_chrootsh

Maybe my default run level is too high or something? My brain hurts.

Grant
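
The `ls` output above shows `jk_chrootsh` without the setuid bit, which matches the "effective user ID is not 0" abort, while the `chmod +s` run from the first post sets setuid and setgid on every Jailkit tool. The audit below is an added example, not code from the thread or from Jailkit; the allowlist is an assumption about a stock Jailkit install, and the function names and demo files are constructed.

```shell
#!/bin/sh
# Added example. Assumption: a stock Jailkit install marks only these tools
# setuid root; adjust the list to match your package.
EXPECTED_SUID="jk_chrootsh jk_procmailwrapper jk_uchroot"

is_expected() {
    for name in $EXPECTED_SUID; do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# Print one finding per line for every jk_* file in directory $1.
audit_jk_dir() {
    for f in "$1"/jk_*; do
        [ -f "$f" ] || continue
        tool=${f##*/}
        if is_expected "$tool"; then
            if [ ! -u "$f" ]; then echo "missing-setuid $tool"; fi
        elif [ -u "$f" ]; then
            echo "unexpected-setuid $tool"
        fi
        if [ -g "$f" ]; then echo "unexpected-setgid $tool"; fi
    done
}

# Turn findings (stdin) into chmod commands for review; nothing is executed.
suggest_fixes() {
    while read -r finding tool; do
        case $finding in
            missing-setuid)    echo "chmod u+s $1/$tool" ;;
            unexpected-setuid) echo "chmod u-s $1/$tool" ;;
            unexpected-setgid) echo "chmod g-s $1/$tool" ;;
        esac
    done
}

# Demo on constructed files: jk_chrootsh at 0755 as in the ls output above,
# jk_cp with the setuid bit as left behind by "chmod +s".
demo=$(mktemp -d)
: > "$demo/jk_chrootsh"; chmod 0755 "$demo/jk_chrootsh"
: > "$demo/jk_cp";       chmod 4755 "$demo/jk_cp"
audit_jk_dir "$demo" | suggest_fixes /usr/sbin
rm -rf "$demo"
```

The setuid bit only grants root when the file is owned by root, as it is in the `ls` output, so confirm ownership as well before applying any suggested command.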

till 28th December 2011 16:10

Do you log in with username and password or with ssh keys? The ssh key function is not working currently, as described in the bugtracker. To fix that for your user you will have to chown the authorized keys folder and its contents in the home directory of the user from root to the user.

http://bugtracker.ispconfig.org/inde...s&task_id=1945

xrstokes 29th December 2011 01:02

I'm not using keys. Just using username and password. I think it's related to this line.

Code:

Dec 29 00:39:00 webserv2 jk_chrootsh[11778]: abort, effective user ID is not 0, possibly jk_chrootsh is not setuid root
Dec 29 00:39:00 webserv2 systemd-logind[1217]: Removed session 25.

Or maybe the process run level is too low. If it were a key issue it wouldn't work with jailkit disabled.

pititis 29th December 2011 02:31

Go to the customer limits and check if only jailkit is selected.

Cheers

xrstokes 29th December 2011 07:24

Only jailkit is enabled. I plan to force users to use sftp with clients like filezilla.

till 29th December 2011 08:55

Better use ftps instead of ftp. Ftps is ftp over ssl and is jailed by the pure ftpd daemon, so you don't need jailkit. The jailkit jails are made for interactive connections, e.g. with putty; they don't work for sftp by default.

