#1
26th February 2012, 02:16
gragus

Automatically chroot'ing users in ISPConfig 2

Issue:

Activating chroot'ed users via $go_info["server"]["ssh_chroot"] = 1 does not actually result in chroot'ing.

Background info:

I know that there are several threads on chroot'ing users with ISPConfig, but I found them inconsistent. While some people are probably successful in setting this up, some clearly fail (links below). I hope to get some clarification here.

I would like to thank Falko, Til and Co. for the great "Perfect Server" and other manuals. However, arguably, it is a security flaw that the manuals explain how to set up FTP. Many users (including myself up to a while ago) underestimate this security issue. If you could make setting up chroot'ed SFTP an integral part of your manuals and make non-local FTP access setup optional it would be awesome going forwards. In any case - thanks for your time.

System:

Ubuntu 10.04.4 LTS
configured as explained here. It's a cloud-box, so I started in the middle of step 7.

ISPConfig Version: 2.2.40

Aiming to set up chroot'ed users with ISPConfig I looked at a few sources:
  1. http://www.howtoforge.com/chrooted_ssh_howto_debian
  2. http://www.howtoforge.com/restrictin...debian-squeeze
  3. http://www.howtoforge.com/forums/sho...+ssh+ispconfig
  4. http://www.howtoforge.com/forums/showthread.php?t=4373

Essentially, [1] and [2] say that you need to first enable an SSH host that supports chroot'ing and then go on to explain how to copy files essential for a chroot'ed user. Although [1] says that you need to download and build a modified server, that article is quite old, and from [2] it seems that these days it is sufficient to install OpenSSH (also hinted at here).

From [3] and [4] you learn that once you have a chroot-capable SSH host, you just need to set the flag '$go_info["server"]["ssh_chroot"]' in file '/home/admispconfig/ispconfig/lib/config.inc.php'. That will use the script '/root/ispconfig/scripts/shell/create_chroot_env.sh' to set up the necessary files for new users created by ISPConfig.

I did all of the above, but things do not work.
I see that files that should be copied by create_chroot_env.sh are indeed copied and that new users have a dot in their home directory path. However, when logging in under such a user I can see the entire file system, which implies that I am not chroot'ed.

I am not sure how to diagnose the issue. Is there a way to check that the active SSH host is the one I need and that it supports chroot'ing? What else could I be missing? Do I perhaps require some 'Match' configuration blocks in the SSHD config file as described in [2]? If so, what should they look like to interop well with ISPConfig?

Diagnostics:

Here are some snippets from my system config/diagnostics that may be relevant:

/home/admispconfig/ispconfig/lib/config.inc.php:
Code:
...
$go_info["server"]["ssh_chroot"] = 1;
...

/etc/ssh/sshd_config:

Code:
...
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

UsePAM yes
(end of file)

root@MyServer:~# ps flax:

Code:
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
. . .
4     0  1985     1  20   0   5600  2132 -      Ss   ?          0:00 /usr/sbin/sshd -D
4     0  2033  1985  20   0   8408  2820 -      Ss   ?          0:00  \_ sshd: root@notty
5     0  2315  2033  20   0   8508  1440 -      Ss   ?          0:00  |   \_ sshd: root@internal-sftp
4     0 21230  1985  20   0   8408  2740 -      Ss   ?          0:00  \_ sshd: MyUser [priv]
5 10001 21296 21230  20   0   8540  1460 -      S    ?          0:00  |   \_ sshd: MyUser@pts/0
0 10001 21297 21296  20   0   4592  1864 -      Ss   pts/0      0:00  |       \_ -bash
0 10001 21304 21297  20   0   6980  2848 -      S+   pts/0      0:00  |           \_ mc
0 10001 21306 21304  20   0   4608  1872 -      Ss+  pts/1      0:00  |               \_ bash -rcfile .bashrc
4     0 21426  1985  20   0   8408  2684 -      Ss   ?          0:00  \_ sshd: MyUser [priv]
5 10001 21488 21426  20   0   8540  1456 -      S    ?          0:00  |   \_ sshd: MyUser@notty
1 10001 21491 21488  20   0   8508  1252 -      Ss   ?          0:00  |       \_ sshd: MyUser@internal-sftp
4     0 21585  1985  20   0   8544  2808 -      Ss   ?          0:00  \_ sshd: root@pts/2
4     0 21647 21585  20   0   4632  1872 -      Ss   pts/2      0:00      \_ -bash
0     0 21662 21647  20   0   7528  3508 -      S+   pts/2      0:00          \_ mc
0     0 21664 21662  20   0   4636  1896 -      Ss   pts/3      0:00              \_ bash -rcfile .bashrc
4     0 21795 21664  20   0   2692   900 -      R+   pts/3      0:00                  \_ ps flax
. . .

Thanks!
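
The question about 'Match' blocks can be checked against the config file itself: stock OpenSSH chroots a session only when a ChrootDirectory directive applies to it. The script below is an added example, not part of the original post or of ISPConfig; it evaluates a simplified model of sshd_config over two constructed files, and the function name effective_chroot and the group name sftponly are assumptions.

```shell
# effective_chroot CONFIG USER GROUP -> ChrootDirectory applied to USER, or "none".
# Simplified model (assumption): only "Match User|Group <comma list or *>" is
# understood; a matching Match block overrides the global section; the first
# value found in each scope wins.
effective_chroot() {
    awk -v user="$2" -v group="$3" '
        function listed(list, name,   n, i, a) {
            n = split(list, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] == name || a[i] == "*") return 1
            return 0
        }
        NF == 0 || $1 ~ /^#/ { next }           # blank lines and comments
        tolower($1) == "match" {
            in_match = 1; crit = tolower($2)
            applies = (NF == 3) && ((crit == "user" && listed($3, user)) ||
                                    (crit == "group" && listed($3, group)))
            next
        }
        tolower($1) == "chrootdirectory" {
            if (!in_match && global == "") global = $2
            if (in_match && applies && matched == "") matched = $2
        }
        END { print (matched != "" ? matched : (global != "" ? global : "none")) }
    ' "$1"
}

# Constructed sample 1: the directives quoted in the post (no ChrootDirectory).
weak=$(mktemp)
cat > "$weak" <<'EOF'
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
UsePAM yes
EOF

# Constructed sample 2: same directives plus a Match block ("sftponly" is a
# hypothetical group). sshd needs the chroot path root-owned, not group/world-writable.
fixed=$(mktemp)
cat > "$fixed" <<'EOF'
Subsystem sftp internal-sftp
UsePAM yes
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
EOF

echo "post config:  $(effective_chroot "$weak"  MyUser web1)"
echo "with Match:   $(effective_chroot "$fixed" MyUser sftponly)"
```

On a live server, sshd's extended test mode (`sshd -T`) prints the effective configuration as sshd itself parses it, which is the authoritative version of this check.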

#2
28th February 2012, 20:23
gragus

Ping..

Any clues anyone?

#3
19th September 2012, 22:04
hairydog2

Quote (originally posted by gragus):
    Ping..

    Any clues anyone?

I'd like to chroot sftp users too. Until I can do that, I can't give them sftp access, which I want to do, so I can stop ftp.

I've had a look at http://www.howtoforge.com/restrictin...debian-squeeze but I'm not clear how to apply that to an ISPConfig 2 setup that has many, many users already.

Last edited by hairydog2; 19th September 2012 at 22:08.

#4
6th May 2013, 15:30
hairydog2

Still an issue

I am a bit surprised that in more than six months no-one has been able to offer any help at all.

Are we flogging a dead horse here?