#1  
Old 28th December 2011, 12:47
xrstokes xrstokes is offline
Junior Member
 
Join Date: Dec 2011
Posts: 14
Thanks: 1
Thanked 0 Times in 0 Posts
Default Jailed SSH users just exit.

Thanks for all the help so far too all those who contribute to the forums. I’ve gotten stuck on a real doozey this time though. As the title suggests I’m having trouble with jailing ssh users. Putty just exits. Here is some relevant info.
Just followed the new opensuse 12.1 perfect server guide and bought the manual and tried again everything else I think is fine. I'd love to stick with opensuse if possible.
I tried the following with no luck. Did I make a security hole?
Code:
chmod +s /usr/sbin/jk_addjailuser
chmod +s /usr/sbin/jk_check
chmod +s /usr/sbin/jk_chrootlaunch
chmod +s /usr/sbin/jk_chrootsh
chmod +s /usr/sbin/jk_cp
chmod +s /usr/sbin/jk_init
chmod +s /usr/sbin/jk_jailuser
chmod +s /usr/sbin/jk_list
chmod +s /usr/sbin/jk_lsh
chmod +s /usr/sbin/jk_procmailwrapper
chmod +s /usr/sbin/jk_socketd
chmod +s /usr/sbin/jk_update
It changed the nature of the problem but it still exists.
Here is the output of etc/passwd
Code:
web3:x:5005:5004::/srv/www/clients/client1/web3/./home/web3:/bin/false
grantstokes2:x:5005:5004::/srv/www/clients/client1/web3/./home/grantstokes2:/usr/sbin/jk_chrootsh
Here is the relevant output from the log
Code:
Dec 28 17:33:39 webserv2 jk_chrootsh[3757]: now entering jail /srv/www/clients/client1/web3 for user grantstokes2 (5005)
Dec 28 17:33:39 webserv2 jk_chrootsh[3757]: ERROR: failed to execute shell /bin/bash#015 for user grantstokes2 (5005), check the permissions and libraries of /srv/www/clients/client1/web3//bin/bash#015
Dec 28 17:33:39 webserv2 systemd-logind[1077]: Removed session 20.
Hope this all Helps and thank you so much in advance.

Grant
Reply With Quote
Sponsored Links
  #2  
Old 28th December 2011, 13:07
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 34,586
Thanks: 792
Thanked 4,983 Times in 3,903 Posts
Default

There was a problem with jailkit in ISPConfig 3.0.4, it has been fixed in ISPConfig 3.0.4.1. So most likely your problem will get solved by updating to the latest ispconfig version. The jail will only recreated when the first shell user of a website gets added, so you should try to create a new website and then a new shell user and try to login with that user to see if the problem is solved,

Quote:
Did I make a security hole?
Most likely, yes.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 28th December 2011, 13:37
xrstokes xrstokes is offline
Junior Member
 
Join Date: Dec 2011
Posts: 14
Thanks: 1
Thanked 0 Times in 0 Posts
Default

WOW! Thanks for the fast response but still no luck. I'll run through the guide again and let you know how i go. i've got a sneaky suspision that the jailkit daemon wasn't running during install. could that effect it? out of curiousity. i dont suppose i can find a list somewhere with what services need to be running at install and all the time. i rekon the distro added a few i didn't need. i nginx to if that changes anythin?

Grant
Reply With Quote
  #4  
Old 28th December 2011, 14:08
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 34,586
Thanks: 792
Thanked 4,983 Times in 3,903 Posts
Default

Quote:
i've got a sneaky suspision that the jailkit daemon wasn't running during install. could that effect it?
Thats should not matter as the jailkit daemon is not used in that setup. so it can be stopped.

Quote:
i dont suppose i can find a list somewhere with what services need to be running at install and all the time
Just follow the perfect server guide, at the end all services required by ispconfig are installed and running.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 28th December 2011, 14:57
xrstokes xrstokes is offline
Junior Member
 
Join Date: Dec 2011
Posts: 14
Thanks: 1
Thanked 0 Times in 0 Posts
Default

Still got the same problem after running thgough again.


Code:
web1:x:5004:5004::/srv/www/clients/client1/web1/./home/web1:/bin/false
grantstokesssh:x:5004:5004::/srv/www/clients/client1/web1/./home/grantstokesssh:/usr/sbin/jk_chrootsh
Without jailkit

Code:
Dec 29 00:34:32 webserv2 sshd[7519]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Dec 29 00:34:45 webserv2 sshd[7519]: Accepted keyboard-interactive/pam for grantstokesssh from 110.232.244.1 port 55612 ssh2
Dec 29 00:34:45 webserv2 systemd-logind[1217]: New user web1 logged in.
Dec 29 00:34:45 webserv2 systemd-logind[1217]: New session 17 of user web1.
With

Code:
Dec 29 00:38:01 webserv2 shadow[7806]: account already exists - account=grantstokesssh, by=0
Dec 29 00:38:22 webserv2 shadow[11754]: home directory changed - account=grantstokesssh, uid=5004, home=/srv/www/clients/client1/web1/., old home=/srv/www/clients/client1/web1, by=0
Dec 29 00:38:22 webserv2 shadow[11754]: shell changed - account=grantstokesssh, uid=5004, shell=/usr/sbin/jk_chrootsh, old shell=/bin/bash, by=0
Dec 29 00:38:22 webserv2 shadow[11755]: home directory changed - account=grantstokesssh, uid=5004, home=/srv/www/clients/client1/web1/./home/grantstokesssh, old home=/srv/www/clients/client1/web1/., by=0
Dec 29 00:38:22 webserv2 shadow[11757]: home directory changed - account=web1, uid=5004, home=/srv/www/clients/client1/web1/./home/web1, old home=/srv/www/clients/client1/web1, by=0
Dec 29 00:38:46 webserv2 sshd[11767]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Dec 29 00:38:59 webserv2 sshd[11767]: Accepted keyboard-interactive/pam for grantstokesssh from 110.232.244.1 port 55641 ssh2
Dec 29 00:38:59 webserv2 systemd-logind[1217]: New session 25 of user web1.
Dec 29 00:39:00 webserv2 jk_chrootsh[11778]: abort, effective user ID is not 0, possibly jk_chrootsh is not setuid root
Dec 29 00:39:00 webserv2 systemd-logind[1217]: Removed session 25.
Dec 29 00:39:00 webserv2 systemd-logind[1217]: User web1 logged out.
out put from ls -la /usr/sbin/jk_chrootsh

Code:
webserv2:~ # ls -la /usr/sbin/jk_chrootsh
-rwxr-xr-x 1 root root 27312 Oct 30 07:01 /usr/sbin/jk_chrootsh
Maybe my default run level to high or somthing? My brain hurts.

Grant
Reply With Quote
  #6  
Old 28th December 2011, 15:10
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 34,586
Thanks: 792
Thanked 4,983 Times in 3,903 Posts
Default

Do you login with username and password or with ssh keys? The ssh key function is not working currently as described in the bugtracker, to fix that for your user you will have to chown the authorized keys folder and its contents in the home directory of the user from root to the user.

http://bugtracker.ispconfig.org/inde...s&task_id=1945
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
Reply

Bookmarks

Tags
chroot, jail, shell, ssh

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Can't receive mails baicunko Server Operation 12 3rd August 2011 22:02
ISPConfig 2 few problems Tarka Installation/Configuration 8 13th May 2010 13:30
Fedora 12 - Strage problem - Freezes K_meleonu Installation/Configuration 6 3rd March 2010 18:42
Cacti and ISPConfig: Monitoring Tool VMartins Tips/Tricks/Mods 11 9th August 2008 18:37
Junk mail and spamassassin... sthompson Installation/Configuration 4 27th December 2006 16:11


All times are GMT +2. The time now is 03:58.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.