HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

-   -   Automatically chroot'ing users in ISPConfig 2 (http://www.howtoforge.com/forums/showthread.php?t=56323)

gragus 26th February 2012 03:16

Automatically chroot'ing users in ISPConfig 2
 
Issue:

Activating chroot'ed users via $go_info["server"]["ssh_chroot"] = 1 does not actually result in chroot'ing.

Background info:

I know that there are several threads on chroot'ing users with ISPConfig, but I found them inconsistent. While some people are probably successful in setting this up, some clearly fail (links below). I hope to get some clarification here.

I would like to thank Falko, Til and Co. for the great "Perfect Server" and other manuals. However, arguably, it is a security flaw that the manuals explain how to set up FTP. Many users (including myself up to a while ago) underestimate this security issue. If you could make setting up chroot'ed SFTP an integral part of your manuals and make non-local FTP access setup optional it would be awesome going forward. In any case - thanks for your time.

System:

Ubuntu 10.04.4 LTS
configured as explained here. It's a cloud-box, so I started in the middle of step 7.

ISPConfig Version: 2.2.40

Aiming to set up chroot'ed users with ISPConfig I looked at a few sources:
  1. http://www.howtoforge.com/chrooted_ssh_howto_debian
  2. http://www.howtoforge.com/restrictin...debian-squeeze
  3. http://www.howtoforge.com/forums/sho...+ssh+ispconfig
  4. http://www.howtoforge.com/forums/showthread.php?t=4373

Essentially, [1] and [2] say that you need to first enable an SSH host that supports chroot'ing and then go on to explain how to copy files essential for a chroot'ed user. Although [1] says that you need to download and build a modified server, that article is quite old, and from [2] it seems that these days it is sufficient to install OpenSSH (also hinted at here).

From [3] and [4] you learn that once you have a chroot-capable SSH host, you just need to set the flag '$go_info["server"]["ssh_chroot"]' in file '/home/admispconfig/ispconfig/lib/config.inc.php'. That will use the script '/root/ispconfig/scripts/shell/create_chroot_env.sh' to set up the necessary files for new users created by ISPConfig.

I did all of the above, but things do not work.
I see that files that should be copied by create_chroot_env.sh are indeed copied and that new users have a dot in their home directory path. However, when logging in under such a user I can see the entire file system which implies that I am not chroot'ed.

I am not sure how to diagnose the issue. Is there a way to check that the active SSH host is the one I need and that it supports chroot'ing? What else could I be missing? Do I perhaps require some 'Match' configuration blocks in the SSHD config file as described in [2]? If so, what should they look like to interoperate well with ISPConfig?

Diagnostics:

Here are some snippets from my system config/diagnostics that may be relevant:

/home/admispconfig/ispconfig/lib/config.inc.php:
Code:

...
$go_info["server"]["ssh_chroot"] = 1;
...

/etc/ssh/sshd_config:

Code:

...
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

UsePAM yes
(end of file)

root@MyServer:~# ps flax:

Code:

F  UID  PID  PPID PRI  NI    VSZ  RSS WCHAN  STAT TTY        TIME COMMAND
. . .
4    0  1985    1  20  0  5600  2132 -      Ss  ?          0:00 /usr/sbin/sshd -D
4    0  2033  1985  20  0  8408  2820 -      Ss  ?          0:00  \_ sshd: root@notty
5    0  2315  2033  20  0  8508  1440 -      Ss  ?          0:00  |  \_ sshd: root@internal-sftp
4    0 21230  1985  20  0  8408  2740 -      Ss  ?          0:00  \_ sshd: MyUser [priv]
5 10001 21296 21230  20  0  8540  1460 -      S    ?          0:00  |  \_ sshd: MyUser@pts/0
0 10001 21297 21296  20  0  4592  1864 -      Ss  pts/0      0:00  |      \_ -bash
0 10001 21304 21297  20  0  6980  2848 -      S+  pts/0      0:00  |          \_ mc
0 10001 21306 21304  20  0  4608  1872 -      Ss+  pts/1      0:00  |              \_ bash -rcfile .bashrc
4    0 21426  1985  20  0  8408  2684 -      Ss  ?          0:00  \_ sshd: MyUser [priv]
5 10001 21488 21426  20  0  8540  1456 -      S    ?          0:00  |  \_ sshd: MyUser@notty
1 10001 21491 21488  20  0  8508  1252 -      Ss  ?          0:00  |      \_ sshd: MyUser@internal-sftp
4    0 21585  1985  20  0  8544  2808 -      Ss  ?          0:00  \_ sshd: root@pts/2
4    0 21647 21585  20  0  4632  1872 -      Ss  pts/2      0:00      \_ -bash
0    0 21662 21647  20  0  7528  3508 -      S+  pts/2      0:00          \_ mc
0    0 21664 21662  20  0  4636  1896 -      Ss  pts/3      0:00              \_ bash -rcfile .bashrc
4    0 21795 21664  20  0  2692  900 -      R+  pts/3      0:00                  \_ ps flax
. . .

Thanks!
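
Editor's note (added here, not part of the poster's thread): the question above has a checkable answer. Stock OpenSSH only chroots a session where a ChrootDirectory directive applies to that login (globally or through a Match block), and it requires every component of that path to be root-owned and not group/world writable, otherwise it refuses the login with "bad ownership or modes for chroot directory". The "/./" marker that ISPConfig 2 puts into the home path is the convention of the patched chrootssh server from [1]; an unpatched OpenSSH simply ignores it, which is consistent with the poster seeing the whole filesystem. The authoritative check on a live server is sshd -T -C user=NAME,host=HOST,addr=IP (OpenSSH 5.1 and later, so it is available on Ubuntu 10.04) and, for a session that is already running, readlink /proc/PID/root on the "sshd: user@internal-sftp" process from the ps output. The script below is an added, offline-runnable version of those checks: it resolves the ChrootDirectory a config file would give a user (first matching Match block wins, then the global value, then sshd's default "none"), validates a directory's ownership and modes the way sshd does, and wraps the /proc lookup. The user "web1_joe", the group "sftponly" and the jail paths in the sample config are made-up names, and stat -c is GNU coreutils syntax.

```shell
#!/bin/sh
# Added diagnostic for the chroot question above (not from the thread or ISPConfig).
# Assumed names: user "web1_joe", group "sftponly", jails under /var/www (made up).

# Print the ChrootDirectory sshd would apply to USER, a member of GROUP, according
# to CONFIG: first matching Match block wins, else the global value, else "none".
# Only "Match User ..." and "Match Group ..." criteria are understood here;
# sshd -T -C user=...,host=...,addr=... is the authoritative check on a real host.
effective_chroot() {
    awk -v user="$2" -v group="$3" '
    function inlist(list, item,   a, n, i) {
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == item) return 1
        return 0
    }
    /^[ \t]*#/ { next }
    NF == 0    { next }
    tolower($1) == "match" {
        inblock = 1; ok = 1
        for (i = 2; i <= NF; i += 2) {
            key = tolower($i); val = $(i + 1)
            if (key == "user")       ok = ok && inlist(val, user)
            else if (key == "group") ok = ok && inlist(val, group)
            else ok = 0            # criterion we do not model: treat as no match
        }
        next
    }
    tolower($1) == "chrootdirectory" {
        if (!inblock) { if (global == "") global = $2 }
        else if (ok && matched == "") matched = $2
    }
    END {
        if (matched != "")     print matched
        else if (global != "") print global
        else                   print "none"
    }' "$1"
}

# sshd refuses a chroot unless DIR and every parent are owned by root and not
# writable by group or others. Return 0 if DIR qualifies, 1 with a reason if not.
chroot_dir_ok() {
    dir=$1
    while :; do
        set -- $(stat -c '%u %a' "$dir" 2>/dev/null)     # GNU stat: uid, octal mode
        [ $# -eq 2 ] || { echo "$dir: cannot stat"; return 1; }
        [ "$1" = 0 ] || { echo "$dir: not owned by root (uid $1)"; return 1; }
        # 022 masks the group and other write bits of the octal mode
        [ $(( 0$2 & 022 )) -eq 0 ] || { echo "$dir: mode $2 is group/world writable"; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# For a live session, e.g. PID 21491 ("sshd: MyUser@internal-sftp" in the ps
# output above), Linux exposes the process root; "/" means it is not chrooted.
chroot_of_pid() { readlink "/proc/$1/root"; }

# Constructed sample sshd_config in the shape used by the "restricting users to
# SFTP" article: note that the Group block comes first, so it wins for web1_joe.
write_sample_config() {
    cat > "$1" <<'EOF'
Subsystem sftp internal-sftp
UsePAM yes

Match Group sftponly
    ChrootDirectory /var/www/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Match User web1_joe
    ChrootDirectory /var/www/web1
    ForceCommand internal-sftp
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
echo "web1_joe in sftponly: $(effective_chroot "$cfg" web1_joe sftponly)"   # /var/www/%u
echo "web1_joe in www-data: $(effective_chroot "$cfg" web1_joe www-data)"   # /var/www/web1
echo "root:                 $(effective_chroot "$cfg" root root)"           # none
rm -f "$cfg"
chroot_dir_ok /tmp || true   # /tmp is 1777, so this reports "group/world writable"
```

Two points worth carrying back to the thread's setup: a ChrootDirectory under a user-writable web root (the usual ISPConfig 2 layout) fails the ownership check, so the jail has to be a root-owned parent with the writable directories below it; and once a Match block with ChrootDirectory and ForceCommand internal-sftp applies, the interactive shell and the files copied by create_chroot_env.sh are no longer involved, because internal-sftp needs nothing inside the jail.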

gragus 28th February 2012 21:23

Ping.. :)

Any clues anyone?

hairydog2 19th September 2012 23:04

Quote:

Originally Posted by gragus (Post 274488)
Ping.. :)

Any clues anyone?

I'd like to chroot sftp users too. Until I can do that, I can't give them sftp access, which I want to do, so I can stop ftp.

I've had a look at http://www.howtoforge.com/restrictin...debian-squeeze but I'm not clear how to apply that to an ispconfig 2 setup that has many, many users already.

hairydog2 6th May 2013 16:30

Still an issue
 
I am a bit surprised that in more than six months no-one has been able to offer any help at all.

Are we flogging a dead horse here?

