Automatically chroot'ing users in ISPConfig 2
Activating chroot'ed users via $go_info["server"]["ssh_chroot"] = 1 does not actually result in chroot'ing.
I know that there are several threads on chroot'ing users with ISPConfig, but I found them inconsistent. While some people are probably successful in setting this up, some clearly fail (links below). I hope to get some clarification here.
I would like to thank Falko, Til and Co. for the great "Perfect Server" and other manuals. However, arguably, it is a security flaw that the manuals explain how to set up FTP. Many users (including myself up to a while ago) underestimate this security issue. If you could make setting up chroot'ed SFTP an integral part of your manuals and make non-local FTP access setup optional it would be awesome going forwards. In any case - thanks for your time.
Ubuntu 10.04.4 LTS
configured as explained here. It's a cloud-box, so I started in the middle of step 7.
ISPConfig Version: 2.2.40
Aiming to set up chroot'ed users with ISPConfig I looked at a few sources:
Essentially,  and  say that you need to first enable an SSH host that supports chroot'ing and then go on to explain how to copy files essential for a chroot'ed user. Although  says that you need to download and build a modified server, that article is quite old, and from  it seems that these days it is sufficient to install OpenSSH (also hinted on here).
From  and  you learn that once you have a chroot-capable SSH host, you just need to set the flag '$go_info["server"]["ssh_chroot"]' in file '/home/admispconfig/ispconfig/lib/config.inc.php'. That will use the script '/root/ispconfig/scripts/shell/create_chroot_env.sh' to set up the necessary files for new users created by ISPConfig.
I did all of the above, but things do not work.
I see that files that should be copied by create_chroot_env.sh are indeed copied and that new users have a dot in their home directory path. However, when logging in under such a user I can see the entire file system which implies that I am not chroot'ed.
I am not sure how to diagnose the issue. Is there a way to check that the active SSH host is the one I need and that it supports chroot'ing? What else could I be missing? Do I perhaps require some 'Match' configuration blocks in the SSHD config file as described in ? If so, how should they look like to interop well with ISPConfig?
Here are some snippets from my system config/diagnostics that may be relevant:
Any clues anyone?
I've had a look at http://www.howtoforge.com/restrictin...debian-squeeze but I'm not clear how to apply that to an ispconfig 2 setup that has many, many users already
Still an issue
I am a bit surprised that in more than six months no-one has been able to offer any help at all.
Are we flogging a dead horse here?
|All times are GMT +2. The time now is 12:24.|
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.