Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 2 > Installation/Configuration

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 14th March 2009, 20:00
hrvbid hrvbid is offline
Junior Member
 
Join Date: Nov 2006
Posts: 13
Thanks: 9
Thanked 14 Times in 7 Posts
Default Chrooted environments with Ubuntu and IspConfig

Several howtos explain the steps to setup chrooted ssh environments with Ubuntu (and others) using together with ispConfig. I want to point about the logic of using chrooted ssh has changed rather drastic.
The good news is, openSSh V5 has builtin functionality for chroots. The more bad news are, ubuntu up to 8.04 uses openSSH V4 and only ubuntu 8.10 has openSSh V5.1.

With the said howtos, a patch was mentioned for openSSH to support chroot. The bad news are, the patch(es) for the different openSSH versions do no more exists at sourceforge and for some versions never had exist. Without the version dependent patch, chrooted ssh environments cannot be implemented with any openSSH V4. A bad circumstance now is: Ubuntu 8.04, thats an LTS, just only has openSSH V4 support.

To work with ssh chroots, the new logic of openSSh (V5) needs attention. The good messages are,
1st now chroot stuff is builtin (no more patching) and 2nd, that is really most easy to handle:

New declarations in sshd_config are implemented. I want to show those in a matter working
together with ispconfig (2.2.29) by adding only three lines at the end of the file:

Match Group web*
ChrootDirectory ~/
AllowTcpForwarding no
Nearly unbelievable, thats all. Match Group allows wildcards, while ChrootDirectory does not.
The example shown covers what ispConfig performs when new users (and groups) become created.
The 2nd line is most simple code without any need of wildcards and directs the user to his
(chrooted!) homedir that we know with ispconfig has site/group association. As usual in any
linux, the users have their homedir declared in passwd, and ChrootDirectory obviously refers
to by using ~/ with success.

That's really all?
No, we have to work out the past. Remember, ispConfig supports chroot with the specification

$go_info["server"]["ssh_chroot"]=1;

in config.inc.php that, as far I know, causes
1st, new system user definitions with the magic /./ in the homedir string, and
2nd, prepares the chrooted environment for the new user by copying some files and libraries
in the cage by a script.
The 1st item now is obsolete. The magic /./ is no longer needed, does not have to be used anymore
and ssh complains about an invalid path string is such case. That means, for all just existing
users managed by ispConfig, the central passwd should be adjusted by removing all magics /./
from each line. Thus, if ispConfig is requested to regard chroot ssh, the creation of the
new user should no more have the magic.
The 2nd action is just valid as in the past and no changes are required.
What else?
The users homedir always needs ownership root:root (has to change) and chmod 755 (as is).
And, the ssh server requires restart, of course, after the changes made.

Conclusion:
Implementing ssh chroot is as easy as never before. With Ubuntu, only 8.10 supports openSSH V5.
But the new logic shows where to road leads to. IspConfig some day needs some adjustment, but
that can wait until the majority of systems (also beyond Ubuntu) are on the openSSH V5 drive.
Up the then, some manual work with the ispconfiged users is required for the admins, but that
is a minor impact against the perspective, to have a system very well adjusted to the future,
like openSsh, like Ubuntu, like last not least ispConfig.
Hilmar

Btw, having ssh chroot also just enables SFTP (but not FTPS). Simply add or change the line
Subsystem sftp internal-sftp
in sshd_config. Adding onother line above Match Group with
ForceCommand internal-sftp
allows the users to have sftp (with winscp, with filezilla etc), but no shell access. That
most powerfull means, you can kick off any (unsecure) ftp server from your system. If you want :-)
Reply With Quote
The Following 3 Users Say Thank You to hrvbid For This Useful Post:
falko (15th March 2009), till (15th March 2009), timharris777 (23rd March 2009)
Sponsored Links
 

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Loads of mysql connections to dbispconfig StrikerNL General 2 5th March 2009 14:31
ISPConfig installation into multiple OpenVZ containers letezo Installation/Configuration 11 3rd March 2009 22:47
Ubuntu 8.04 server edition ISPconfig installation error malinens Installation/Configuration 4 30th July 2008 07:30
Ubuntu 8 LTS Server ISPCONFIG t.roijers General 12 26th April 2008 11:15
SP-Server Setup - Ubuntu 5.10 "Breezy Badger" - Page 6 (changes) LuisC-SM HOWTO-Related Questions 0 21st April 2006 15:16


All times are GMT +2. The time now is 07:45.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.