Posted 23rd December 2009, 18:38 by hrvbid
Chrooted ssh environments for ispconfig users

(ispconfig 2.2.35, ubuntu 9.10)
With openssh 4.9.x/5.x, the logic to build chrooted ssh users is now built in. Because of the new
logic, the magic separator "/./" within the user's homedir assignment in passwd is no longer needed and
now causes trouble. See http://www.howtoforge.com/forums/showthread.php?t=32459 for the basics.
To take both the history and the new logic into account, a solution for ispconfig seems easy to adapt:
One strategic parameter is in /root/ispconfig/scripts/lib/config.inc.php, where
PHP Code:
$go_info["server"]["ssh_chroot"] = 0; // or 1
is responsible for two actions. With value 1, first, the magic separator "/./" is used, and second, the
script /root/ispconfig/scripts/shell/create_chroot_env.sh is scheduled to build the user's chrooted
environment.
One solution is to make $go_info["server"]["ssh_chroot"] tri-state, where 0 leads to no chroot,
1 leads to chroot with the magic "/./" and script execution, and a new value 2 omits the
magic "/./" but still runs the script. The behaviour of options 0 and 1 is unchanged, to support all those
who need the old logic, while option 2 is adjusted to the new logic. The changes are very easy:
The essential file is /root/ispconfig/scripts/lib/config.lib.php, where lines
# 772-774 (insert new user)
PHP Code:
  if($go_info["server"]["ssh_chroot"] == 1 && $user["user_shell"] && $web["web_shell"]) {
          exec("/root/ispconfig/scripts/shell/create_chroot_env.sh $user_username");
  }
have to change to
PHP Code:
  if($go_info["server"]["ssh_chroot"] > 0 && $user["user_shell"] && $web["web_shell"]) {
          exec("/root/ispconfig/scripts/shell/create_chroot_env.sh $user_username");
  }
and lines
# 949-950 (update user)
PHP Code:
  if($go_info["server"]["ssh_chroot"] == 1 && $user["user_shell"] && $web["web_shell"]) {
          exec("/root/ispconfig/scripts/shell/create_chroot_env.sh $user_username");
  }
also have to change to
PHP Code:
  if($go_info["server"]["ssh_chroot"] > 0 && $user["user_shell"] && $web["web_shell"]) {
          exec("/root/ispconfig/scripts/shell/create_chroot_env.sh $user_username");
  }
Note, that's all there is to do - a really cheap solution. To be complete, have a look at
/root/ispconfig/scripts/lib/config.inc.php, where line #106
$go_info["server"]["ssh_chroot"] = 2; // 0 = no, 1 = yes with old chroot path /./, 2 = yes without /./ (openssh 5.x logic)
is an example of using the new logic.
I would be happy if the small changes were confirmed in one of the next ispconfig 2.x releases.
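Added example, not part of the original post or of ISPConfig: accounts created under option 1 carry the "/./" separator in their passwd home field, so this POSIX shell check lists those entries and prints each home path with the separator removed. The function names, sample accounts and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: find passwd entries that still use the old "/./" chroot
# separator in the home directory field. Function names are hypothetical.

# strip_chroot_marker HOME -> prints HOME with the first "/./" collapsed to "/"
strip_chroot_marker() {
    case "$1" in
        */./*) printf '%s/%s\n' "${1%%/./*}" "${1#*/./}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# audit_passwd FILE -> one line per affected account: user:old_home:new_home
audit_passwd() {
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        # Skip blank lines and comments.
        case "$user" in ''|'#'*) continue ;; esac
        case "$home" in
            */./*) printf '%s:%s:%s\n' "$user" "$home" \
                       "$(strip_chroot_marker "$home")" ;;
        esac
    done < "$1"
}

# Constructed sample entries (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
web1_anna:x:10001:10001::/var/www/web1/./user/web1_anna:/bin/bash
web2_ben:x:10002:10002::/var/www/web2/user/web2_ben:/bin/bash
EOF
}

# Demo run against the constructed sample; on a server, pass /etc/passwd.
tmp=$(mktemp) && sample_passwd > "$tmp" && audit_passwd "$tmp"; rm -f "$tmp"
```

The script only reports; it does not modify passwd.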