jailkit not working on ISPconfig v 3.0.2 Debian Lenny

[jwlinux]

As mentioned in other posts - I recently installed ISPConfig 3.0.2 on Debian Lenny. I used the Debian Lenny Perfect Setup instructions http://www.howtoforge.com/perfect-se...nny-ispconfig3 to the best of my knowledge I followed the instructions exactly.

I made a reseller, reseller make a client, client made a website and FTP user and shell user. So far so good except for the shell user:

In the reseller limits, SSH-Chroot Options I checked both "none" and "jailkit"
In turn, the reseller checked "none" and "jailkit" for the client (limit is set to -1 in each)
When the client made the "shell user" we set the "Chroot Shell" option to Jailkit

However the shell user cannot log in via sftp, I see errors like this in the system logs:

Mar 23 15:19:13 ccs090 sshd[27807]: pam_unix(sshd:session): session opened for user site1 by (uid=0)
Mar 23 15:19:13 ccs090 sshd[27809]: subsystem request for sftp
Mar 23 15:19:13 ccs090 snoopy[27810]: [unknown, uid:5004 sid:27810]: false -c /usr/lib/openssh/sftp-server
Mar 23 15:19:13 ccs090 sshd[27807]: pam_unix(sshd:session): session closed for user site1

I discovered that their shell was set to /bin/false.
So I changed it manually:
usermod -s /usr/sbin/jk_chrootsh site1

Then in the logs I saw errors like:

Mar 23 16:36:43 ccs090 sshd[28937]: Accepted password for site1 from 12.233.247.2 port 63729 ssh2
Mar 23 16:36:43 ccs090 sshd[28937]: pam_unix(sshd:session): session opened for user site1 by (uid=0)
Mar 23 16:36:43 ccs090 sshd[28939]: subsystem request for sftp
Mar 23 16:36:43 ccs090 snoopy[28940]: [unknown, uid:5004 sid:28940]: jk_chrootsh -c /usr/lib/openssh/sftp-server
Mar 23 16:36:43 ccs090 jk_chrootsh[28940]: path /var/www/clients/client5/web4/./home/web4 is group writable
Mar 23 16:36:43 ccs090 jk_chrootsh[28940]: abort, path /var/www/clients/client5/web4/./home/web4 is group writable, set option 'relax_home_group_permissions' to relax this check

So after some google research I set the following options in /etc/jailkit/jk_chrootsh.ini :

[DEFAULT]
relax_home_group=1
relax_home_group_permissions=1
relax_home_other_permissions=1


Now, I get errors that chroot cannot find bash:

Mar 23 16:38:31 ccs090 sshd[28957]: Accepted password for site1 from 12.233.247.2 port 60101 ssh2
Mar 23 16:38:31 ccs090 sshd[28957]: pam_unix(sshd:session): session opened for user site1 by (uid=0)
Mar 23 16:38:31 ccs090 sshd[28959]: subsystem request for sftp
Mar 23 16:38:31 ccs090 snoopy[28960]: [unknown, uid:5004 sid:28960]: jk_chrootsh -c /usr/lib/openssh/sftp-server
Mar 23 16:38:31 ccs090 jk_chrootsh[28960]: path /var/www/clients/client5/web4/./home/web4 is group writable
Mar 23 16:38:31 ccs090 jk_chrootsh[28960]: now entering jail /var/www/clients/client5/web4 for user web4 (5004)
Mar 23 16:38:31 ccs090 snoopy[28960]: [unknown, uid:5004 sid:28960]: /bin/bash -c /usr/lib/openssh/sftp-server
Mar 23 16:38:31 ccs090 snoopy[28960]: ERROR: failed to execute shell /bin/bash for user web4 (5004), check the permissions and libraries of /var/www/clients/client5/web4//bin/bash
Mar 23 16:38:31 ccs090 sshd[28957]: pam_unix(sshd:session): session closed for user site1


I also eventually changed the shell for user "web4":

usermod -s /usr/sbin/jk_chrootsh web4

All of the directories exist but bin/bash does not:

drwxrwxr-x 2 web4 client5 48 2010-03-22 16:21 /var/www/clients/client5/web4/./home/web4
drwxrwxr-x 4 root root 104 2010-03-23 15:19 /var/www/clients/client5/web4/./home/
drwxr-xr-x 9 root root 304 2010-03-22 16:21 /var/www/clients/client5/web4/

ls: cannot access /var/www/clients/client5/web4//bin/bash

And in fact there is no ./bin/ directory at all:

#ls /var/www/clients/client5/web4/
cgi-bin etc home log ssl tmp var web

I did not change any default setting for jailkit or for the user that I know of. It seems that jailkit/ISPConfig to not "create" the chroot jail correctly.

Can anyone tell me what I need to do to fix this?

Thank you,

JW

[jwlinux]

Just for testing I also tried having the client change the "shell user's" Chroot Shell option from "Jailkit" to "none".

The user is now able to log in, but of course they can see the entire host FS, which is certainly not desirable.

Thanks,

JW

[jwlinux]

Also in the Reseller's account, viewing the System > Server Config > Jailkit tab, everything is set to the defaults (I did not change them) and the defaults are these:


Jailkit chroot home
/home/[username]

Jailkit chroot app sections
basicshell editors extendedshell netutils ssh sftp scp groups jk_lsh

Jailkit chrooted applications
/usr/bin/groups /usr/bin/id /usr/bin/dircolors /usr/bin/lesspipe /usr/bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/pico

Jailkit cron chrooted applications
/usr/bin/php /usr/bin/perl /usr/share/perl /usr/share/php


Is there anything wrong with that?

JW

[till]

Quote:

I discovered that their shell was set to /bin/false.
So I changed it manually:
usermod -s /usr/sbin/jk_chrootsh site1

Do not modify an ispconfig user manually. The only thing that you can achieve with that is to break your setup. Please delete the users and sites that you modified manually in ispconfig and recreate them afterwards in ispconfig.


Jailkit is working fine in ispconfig 3.0.2, so we have to find out whats wrong with your installation. Have you installed jailkit before you installed ispconfig or after you installed ispconfig.

[jwlinux]

Quote:

Originally Posted by till

Do not modify an ispconfig user manually. The only thing that you can achieve with that is to break your setup. Please delete the users and sites that you modified manually in ispconfig and recreate them afterwards in ispconfig.

Jailkit is working fine in ispconfig 3.0.2, so we have to find out whats wrong with your installation. Have you installed jailkit before you installed ispconfig or after you installed ispconfig.

I used the Debian Lenny Perfect Setup instructions http://www.howtoforge.com/perfect-se...nny-ispconfig3, so yes I installed jailkit (on page 4 in Step 15 Install Jailkit) before ISPConfig, which is later, step 18 in those instructions.

I can delete and create as many users / sites as you would like me to. They all behave the same.

Here I have created a whole new client account and new shell user. On the client ssh/sftp side I see this:

ssh bvc1@myserver
bvc1@myserver's password:
Linux ccs089 2.6.26-2-amd64 #1 SMP Tue Mar 9 22:29:32 UTC 2010 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Connection to myserver closed.

sftp bvc1@myserver
Connecting to myserver...
bvc1@myserver's password:
Connection closed

On the server I see the following in the logs:


Mar 24 09:59:05 myserver snoopy[18200]: [unknown, uid:0 sid:18200]: /usr/sbin/sshd -R
Mar 24 09:59:13 myserver sshd[18200]: Accepted password for bvc1 from 2.123.123.123 port 61215 ssh2
Mar 24 09:59:13 myserver sshd[18200]: pam_unix(sshd:session): session opened for user bvc1 by (uid=0)
Mar 24 09:59:13 myserver snoopy[18203]: [bvc1, uid:5005 sid:18203]: -false
Mar 24 09:59:13 myserver sshd[18200]: pam_unix(sshd:session): session closed for user bvc1
Mar 24 09:59:39 myserver snoopy[18204]: [unknown, uid:0 sid:18204]: /usr/sbin/sshd -R
Mar 24 09:59:45 myserver sshd[18204]: Accepted password for bvc1 from 2.123.123.123 port 61218 ssh2
Mar 24 09:59:45 myserver sshd[18204]: pam_unix(sshd:session): session opened for user bvc1 by (uid=0)
Mar 24 09:59:45 myserver sshd[18206]: subsystem request for sftp
Mar 24 09:59:45 myserver snoopy[18207]: [unknown, uid:5005 sid:18207]: false -c /usr/lib/openssh/sftp-server
Mar 24 09:59:45 myserver sshd[18204]: pam_unix(sshd:session): session closed for user bvc1


I have not edited or changed this user in anyway.
By default, these new users are being created with /bin/false for a shell. If this correct behavior?

What other information can I provide to debug this problem?

These are 2 new Debian Lenny installs. The only difference I can think of is that I did install some additional packages and perl modules on the system before installing ISPConfig (not after). Does ISPConfig use any perl modules?

Here's a list of all my extra debian packages (aside from perl):

emacs22-nox less bzip2 vim wget ncftp w3m lynx wajig sudo ntp apt-show-versions cvs firehol ulogd screen psmisc openssl rsync iproute logwatch snoopy sysstat mysql-client
gcc make automake autoconf bison flex libc6-dev

Thanks,

JW

[till]

ISPConfig itself does not use perl. But it is possible that external packages like jailkit use it. The shell /bin/false is the correct shell for the main user of a website. Then you create a shell user with jailkit enabled and jailkit the changes the shell for this new user ti the jailkit shell.

Which jailkit version did you install?

[jwlinux]

Quote:

Originally Posted by till

Then you create a shell user with jailkit enabled and jailkit the changes the shell for this new user to the jailkit shell.

jailkit is not actually doing this, then.

Quote:

Originally Posted by till

Which jailkit version did you install?

jailkit 2.5-1

[jwlinux]

Also for clarification, I did delete the old site & user as you asked. After recreating it - it's still the same.

[BorderAmigos]

I'm using Debian Lenny on 2 servers with ISPConfig 3.0.2 and jailkit is working fine. I do notice 'snoopy' and 'unknown UID:' in your logs. The unknown user ID seems wrong. Also what is 'snoopy' doing? I don't know the answer. Just things to look into.

[jwlinux]

" I do notice 'snoopy' and 'unknown UID:' in your logs. The unknown user ID seems wrong. "

It actually doens't say "unknown UID", is says "unknown, uid:5004." unknown refers to some other field of information, I'm not sure what.

uid:5004 was the users's UID in /etc/password, that part is correct (or was at the time).

I also noticed that the user's directory tree files under web/ are owned by, for example:

drwxr-xr-x 2 1061 users 216 2010-03-24 04:55 error

and no such user 1061 exists in /etc/password. I don't know where it got 1061 from. I wonder if it's trying to use that in other places (such as while creating a shell user) and that's what's breaking it.

"Also what is 'snoopy' doing? I don't know the answer. Just things to look into."

Snoppy is a logging function. I have been using it for years on all kinds of servers, it works good, and is transparent to all programs. I'm sure there is some 0.01% possibility that snoopy is causing a problem but it is very, very unlikely.

Till: please tell me where I can look or what tests I ran run to try to find _why_ the jailkit user is not being created correctly.

On one of my two ISPConfig servers I also tried doing the automatic upgrade to 3.0.2.1, because I saw elsewhere on the forum that this was recommended in a few cases to fix jailkit problems.

I tried creating new sites and shell users after the upgrade, and it is still the same.

Thank you every one for your help,

JW