(ispconfig 2.2.35, ubuntu 9.10)
With openssh 4.9.x/5.x, the logic to build chrooted ssh users is now built in. Because of the new
logic, the magic separator "/./" within the user's homedir assignment in passwd is no longer needed, and
now causes trouble. See
http://www.howtoforge.com/forums/showthread.php?t=32459 for the basics.
To take both the history and the new logic into account, a solution for ispconfig seems easy to adapt:
One strategic parameter is in /root/ispconfig/scripts/lib/config.inc.php, where
PHP Code:
$go_info["server"]["ssh_chroot"] = 0; // 0 or 1
is responsible for two actions. With value 1, first, the magic separator "/./" is used, and second, the
script /root/ispconfig/scripts/shell/create_chroot_env.sh is scheduled to build the user's chrooted
environment.
One solution is to make $go_info["server"]["ssh_chroot"] a tri-state, where 0 leads to no chroot,
where 1 leads to chroot with the magic "/./" and script execution, and where a new value 2 omits the
magic "/./" but still runs the script. The behaviour of options 0 and 1 is unchanged, to support all those
who need the old logic, but option 2 is now adjusted to the new logic. The changes are very easy:
The essential file is /root/ispconfig/scripts/lib/config.lib.php, where lines
# 772-774 (insert new user)
PHP Code:
if($go_info["server"]["ssh_chroot"] == 1 && $user["user_shell"] && $web["web_shell"]) {
exec("/root/ispconfig/scripts/shell/create_chroot_env.sh $user_username");
}
have to change to
PHP Code:
if($go_info["server"]["ssh_chroot"] > 0 && $user["user_shell"] && $web["web_shell"]) {
exec("/root/ispconfig/scripts/shell/create_chroot_env.sh $user_username");
}
and lines
# 949-950 (update user)
PHP Code:
if($go_info["server"]["ssh_chroot"] == 1 && $user["user_shell"] && $web["web_shell"]) {
exec("/root/ispconfig/scripts/shell/create_chroot_env.sh $user_username");
}
also have to change to
PHP Code:
if($go_info["server"]["ssh_chroot"] > 0 && $user["user_shell"] && $web["web_shell"]) {
exec("/root/ispconfig/scripts/shell/create_chroot_env.sh $user_username");
}
Note that this is all there is to do - a really cheap solution. For completeness, have a look at
/root/ispconfig/scripts/lib/config.inc.php, where line #106
$go_info["server"]["ssh_chroot"] = 2; // 0 = no, 1 = yes with old chroot path /./, 2 = yes without /./ (openssh 5.x logic)
is the example of using the new logic.
I would be happy if the small changes were confirmed in one of the next ispconfig 2.x releases.
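The tri-state described above, written out as an added example that is not ISPConfig's own code: it shows which values put "/./" into the passwd home field and which run the script, and it shell-quotes the username before it reaches the command line. The function names, the username pattern and the sample paths are assumptions.

```php
<?php
// Added example, not ISPConfig code. Function names, the username pattern
// and the sample paths are assumptions made for illustration.

const SSH_CHROOT_OFF     = 0; // no chroot
const SSH_CHROOT_LEGACY  = 1; // "/./" in the passwd home field + script
const SSH_CHROOT_BUILTIN = 2; // plain home field + script (openssh 5.x logic)

// Returns the passwd home field and whether the chroot script must run.
function chroot_plan(int $mode, string $chrootRoot, string $relHome): array
{
    if (!in_array($mode, [SSH_CHROOT_OFF, SSH_CHROOT_LEGACY, SSH_CHROOT_BUILTIN], true)) {
        throw new InvalidArgumentException("unknown ssh_chroot value: $mode");
    }
    // Only the legacy mode marks the chroot boundary inside the path.
    $sep = ($mode === SSH_CHROOT_LEGACY) ? '/./' : '/';
    return [
        'home'       => rtrim($chrootRoot, '/') . $sep . ltrim($relHome, '/'),
        // Same test as the "> 0" change (the shell flags are omitted here).
        'run_script' => $mode > SSH_CHROOT_OFF,
    ];
}

// Builds the script call with the username validated and shell-quoted.
function chroot_script_command(string $username): string
{
    // Assumed username policy; adjust to the local account naming rules.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $username)) {
        throw new InvalidArgumentException('refusing unsafe username');
    }
    return '/root/ispconfig/scripts/shell/create_chroot_env.sh '
        . escapeshellarg($username);
}

// Constructed sample values; nothing is executed, the plan is only printed.
foreach ([SSH_CHROOT_OFF, SSH_CHROOT_LEGACY, SSH_CHROOT_BUILTIN] as $mode) {
    $plan = chroot_plan($mode, '/var/www/web1', 'user/web1_demo');
    printf("ssh_chroot=%d home=%s script=%s\n", $mode, $plan['home'],
        $plan['run_script'] ? chroot_script_command('web1_demo') : '(none)');
}
```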