23rd March 2010, 23:47
jwlinux
jailkit not working on ISPconfig v 3.0.2 Debian Lenny

As mentioned in other posts, I recently installed ISPConfig 3.0.2 on Debian Lenny. I used the Debian Lenny Perfect Setup instructions (http://www.howtoforge.com/perfect-se...nny-ispconfig3). To the best of my knowledge I followed the instructions exactly.

I made a reseller, the reseller made a client, and the client made a website, an FTP user and a shell user. So far so good, except for the shell user:

In the reseller limits, SSH-Chroot Options I checked both "none" and "jailkit"
In turn, the reseller checked "none" and "jailkit" for the client (limit is set to -1 in each)
When the client made the "shell user" we set the "Chroot Shell" option to Jailkit

However the shell user cannot log in via sftp, I see errors like this in the system logs:

Mar 23 15:19:13 ccs090 sshd[27807]: pam_unix(sshd:session): session opened for user site1 by (uid=0)
Mar 23 15:19:13 ccs090 sshd[27809]: subsystem request for sftp
Mar 23 15:19:13 ccs090 snoopy[27810]: [unknown, uid:5004 sid:27810]: false -c /usr/lib/openssh/sftp-server
Mar 23 15:19:13 ccs090 sshd[27807]: pam_unix(sshd:session): session closed for user site1

I discovered that their shell was set to /bin/false.
So I changed it manually:
usermod -s /usr/sbin/jk_chrootsh site1

Then in the logs I saw errors like:

Mar 23 16:36:43 ccs090 sshd[28937]: Accepted password for site1 from 12.233.247.2 port 63729 ssh2
Mar 23 16:36:43 ccs090 sshd[28937]: pam_unix(sshd:session): session opened for user site1 by (uid=0)
Mar 23 16:36:43 ccs090 sshd[28939]: subsystem request for sftp
Mar 23 16:36:43 ccs090 snoopy[28940]: [unknown, uid:5004 sid:28940]: jk_chrootsh -c /usr/lib/openssh/sftp-server
Mar 23 16:36:43 ccs090 jk_chrootsh[28940]: path /var/www/clients/client5/web4/./home/web4 is group writable
Mar 23 16:36:43 ccs090 jk_chrootsh[28940]: abort, path /var/www/clients/client5/web4/./home/web4 is group writable, set option 'relax_home_group_permissions' to relax this check

So after some Google research I set the following options in /etc/jailkit/jk_chrootsh.ini:

[DEFAULT]
relax_home_group=1
relax_home_group_permissions=1
relax_home_other_permissions=1


Now, I get errors that chroot cannot find bash:

Mar 23 16:38:31 ccs090 sshd[28957]: Accepted password for site1 from 12.233.247.2 port 60101 ssh2
Mar 23 16:38:31 ccs090 sshd[28957]: pam_unix(sshd:session): session opened for user site1 by (uid=0)
Mar 23 16:38:31 ccs090 sshd[28959]: subsystem request for sftp
Mar 23 16:38:31 ccs090 snoopy[28960]: [unknown, uid:5004 sid:28960]: jk_chrootsh -c /usr/lib/openssh/sftp-server
Mar 23 16:38:31 ccs090 jk_chrootsh[28960]: path /var/www/clients/client5/web4/./home/web4 is group writable
Mar 23 16:38:31 ccs090 jk_chrootsh[28960]: now entering jail /var/www/clients/client5/web4 for user web4 (5004)
Mar 23 16:38:31 ccs090 snoopy[28960]: [unknown, uid:5004 sid:28960]: /bin/bash -c /usr/lib/openssh/sftp-server
Mar 23 16:38:31 ccs090 snoopy[28960]: ERROR: failed to execute shell /bin/bash for user web4 (5004), check the permissions and libraries of /var/www/clients/client5/web4//bin/bash
Mar 23 16:38:31 ccs090 sshd[28957]: pam_unix(sshd:session): session closed for user site1


I also eventually changed the shell for user "web4":

usermod -s /usr/sbin/jk_chrootsh web4

All of the directories exist but bin/bash does not:

drwxrwxr-x 2 web4 client5 48 2010-03-22 16:21 /var/www/clients/client5/web4/./home/web4
drwxrwxr-x 4 root root 104 2010-03-23 15:19 /var/www/clients/client5/web4/./home/
drwxr-xr-x 9 root root 304 2010-03-22 16:21 /var/www/clients/client5/web4/

ls: cannot access /var/www/clients/client5/web4//bin/bash

And in fact there is no ./bin/ directory at all:

#ls /var/www/clients/client5/web4/
cgi-bin etc home log ssl tmp var web

I did not change any default setting for jailkit or for the user that I know of. It seems that jailkit/ISPConfig do not "create" the chroot jail correctly.

Can anyone tell me what I need to do to fix this?

Thank you,

JW

Last edited by jwlinux; 23rd March 2010 at 23:48. Reason: typo in Title
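
An added example (not part of the original post, and not jailkit or ISPConfig code): a small shell check for the two conditions the logs above report, a shell that is missing inside the jail and a home directory that is group- or other-writable. The function name `check_jail` and its finding labels are hypothetical, and the demo tree is constructed.

```shell
#!/bin/sh
# check_jail JAIL HOME_IN_JAIL [SHELL]   (hypothetical helper, added example)
# Prints one line per finding and returns the number of findings.
check_jail() {
    jail=$1 home=$2 shell=${3:-/bin/bash}
    findings=0

    # After the chroot, the shell is resolved inside the jail, so the host's
    # /bin/bash does not help: JAIL/bin/bash must exist and be executable.
    if [ ! -f "$jail$shell" ] || [ ! -x "$jail$shell" ]; then
        echo "MISSING_SHELL $jail$shell"
        findings=$((findings + 1))
    fi

    # jk_chrootsh aborted on a group-writable home unless a relax_* option
    # was set. Read the mode string from ls -ld (e.g. drwxrwxr-x):
    # character 6 is the group write bit, character 9 the other write bit.
    if [ ! -d "$jail$home" ]; then
        echo "MISSING_HOME $jail$home"
        findings=$((findings + 1))
    else
        perms=$(ls -ld "$jail$home")
        case $perms in
            ?????w*) echo "GROUP_WRITABLE $jail$home"
                     findings=$((findings + 1)) ;;
        esac
        case $perms in
            ????????w*) echo "OTHER_WRITABLE $jail$home"
                        findings=$((findings + 1)) ;;
        esac
    fi
    return "$findings"
}

# Constructed demo: a throwaway tree shaped like the jail in the post
# (no bin/ directory, home directory with mode 775).
demo=$(mktemp -d)
mkdir -p "$demo/home/web4" && chmod 775 "$demo/home/web4"
check_jail "$demo" /home/web4 || echo "findings: $?"
rm -rf "$demo"
```

Removing the group write bit from the home directory clears the GROUP_WRITABLE finding without relying on the `relax_*` options.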