#1  
Old 28th February 2011, 11:43
serverstage serverstage is offline
Junior Member
 
Join Date: Oct 2010
Posts: 19
Thanks: 1
Thanked 3 Times in 2 Posts
Default ISPConfig & AjaXplorer

I have been working on the AjaXplorer bridge and have made a lot of progress, however it is not finished yet. I'll post what I have here and also on the AjaXplorer forum and hope that someone with a similar setup finds it useful and might even contribute to the solution. Thanks to apoana on howtoforge for laying the groundwork.

My ISPConfig setup is multi server. AjaXplorer is installed on, and it's database tables must be created in the master ISPConfig database. There are no modifications required on the slave servers.

You will login to AjaXplorer with your ISPConfig username/password.
The process is to find the groups in sys_user where this user has access. For each group that has an ssh user defined, a Repository is created. This happens automatically at each login, but we skip the Repositories which are already created (but first checking for changes to the hostname, domainname, username and pass).

In order to make the connection from the master server to the slave, AjaXplorer needs to know the password, so changes have been made in ISPConfig to save the users' shell pass in cleartext. Obviously a security issue - maybe someone can figure out a better way? Using the SSH account gives us the possibility to connect via the secure and fast SFTP plugin. I did have other problems with this though, see below...

TODO:
1. delete repositories which don't exist (as defined in ISPConfig)
2. find a better way to authenticate the repositories, so that we don't save passwords in cleartext
3. Passthrough authentication from ISPConfig
4. **Fix the issues with SFTP or choose a different data access mechanism
- image thumbnails not working
- downloads slow to initialize
- zip folders not working
- apparent folder access error when using jailkit on the slave


Regards, Brandon
Attached Files
File Type: zip AJXP_ISPC3_Bridge_v1.zip (42.5 KB, 347 views)
Reply With Quote
The Following 2 Users Say Thank You to serverstage For This Useful Post:
falko (1st March 2011), till (28th February 2011)
Sponsored Links
  #2  
Old 14th June 2011, 19:05
dudumomo dudumomo is offline
Junior Member
 
Join Date: Mar 2011
Posts: 11
Thanks: 1
Thanked 0 Times in 0 Posts
Default

Thank you for your plugin !

Any new version ?

Is it working with Jailkit ?

Thank you !
Reply With Quote
  #3  
Old 14th June 2011, 21:51
serverstage serverstage is offline
Junior Member
 
Join Date: Oct 2010
Posts: 19
Thanks: 1
Thanked 3 Times in 2 Posts
Default

Yes, there have been many improvements - AjaxPlorer is very interesting, but I must admit the ISPC3 plugin is not ready for beta testing or even use. Please do improve!

Scenario:
1. My ISPConfig setup is multiserver
2. AJXP is running on the same server as the control panel
3. The control panel does not host any customer sites, so all AJXP connections are proxied through the CP.
4. File access method is SFTP / FTP over SSH
5. On login to AJXP, repositories are created for each ISPC3 shell account a user has access to (by group IIRC)


There are two real problems:
1. AjaxPlorer can't show / set the permissions correctly.
- The real issue is AJXP tries to cache all file attributes when it reads a directory. File operations are first compared to the cached ownership & permissions. The devs made a quick fix to allow writing to directories by adding 022 to the cached permission, allowing the target server to actually decide if the operation would complete - which essentially works, but also screws up the permissions dialog
2. The ISPC3 plugin needs to be cleaned up and sorted out.
- OnLogin: Check which accounts should be accessible; correctly create the repository; delete any repositories which don't exists anymore (or don't have permission for?); Perhaps Autologin?


And at least one other ugly issue:
1. AJXP needs to know the SSH usernames and passwords, so I modified ISPC3 code to also save a cleartext copy of the Shell password.


Other observations:
1. Jailkit seems to work just fine
2. Image / Movie previews don't work well. It is optional for me, so I have not looked into this any further. The issue is the time it takes to download all images to the proxy and create thumbnails is not fun. Disabling this made things pretty snappy.


So to get started:
1. Get the latest AjaxPlorer and configure: http://www.ajaxplorer.info/wordpress/download/
2. Apply this plugin to the AJXP files (careful about server/conf.php)
3. Install the MySQL tables. Check the code first that it does what you expect, use a test instance of ISPC3. There is SQL code in plugins/auth.ispconfig/ceate.sql
4. Apply the ISPC3 changes ( again, in your test server )
5. Create Shell users in ISPC3
6. Login to AJXP, try it out
Attached Files
File Type: zip AJXP_ISPC3_v2.zip (44.9 KB, 277 views)
__________________
ServerStage
performance hosting
Reply With Quote
The Following User Says Thank You to serverstage For This Useful Post:
falko (15th June 2011)
  #4  
Old 15th June 2011, 10:02
dudumomo dudumomo is offline
Junior Member
 
Join Date: Mar 2011
Posts: 11
Thanks: 1
Thanked 0 Times in 0 Posts
Default

Very useful explaination ! Thank you !

Do you let Ajaxplorer use the creditential of the session to use the SFTP plugin ? Instead of copy in plain text the password. (Not quite sure)

Also, I'm worried about the permission issue, especially by activating Jailkit.
You confirm that if Jailkit is activated for a user, Ajaxplorer can still access its folder and modify stuff ? (As it is not the same user running the Shell and the Ajaxplorer, I guess there is a problem there with the permission, no ?)

Thank you !
Reply With Quote
  #5  
Old 15th June 2011, 12:59
serverstage serverstage is offline
Junior Member
 
Join Date: Oct 2010
Posts: 19
Thanks: 1
Thanked 3 Times in 2 Posts
Default

Jailkit only forces a particular user to remain within a specified directory.

Each of the AJXP repositories created uses the shell account respective to the current user- so there can't really be any permissions error. In my case the user logged in must have write access.

The shell authentication happens in the background, as does the creation of repositories. The user doesn't even have to know that the account exists (if it is permissible to hide it from them in ISPC3). Actually I might block SSH from the hardware firewall and allow it only from the AJXP server.

You can see that the session credential isn't enough for access to all the user's repositories across multiple servers.
__________________
ServerStage
performance hosting
Reply With Quote
  #6  
Old 19th October 2012, 12:00
abdi abdi is offline
Senior Member
 
Join Date: Sep 2012
Posts: 118
Thanks: 0
Thanked 10 Times in 6 Posts
 
Default

Am doing something like that though I dont store passwords in cleartext, instead I encrypt them with my algorithm and before connecting to Ajaxplorer, I decrypt them ..
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Relay access denied when using SMTP to external recipients Kamran Shah Installation/Configuration 111 14th May 2014 18:10
chroot SSH IspConfig2 kextra1 General 4 20th January 2011 18:41
Install a Comodo InstantSSL Certificate for ISPconfig Apache, Postfix, Imap & Pop gwa7 Tips/Tricks/Mods 1 30th September 2009 18:08
ISPConfig 2.3.1-dev released till General 0 8th May 2006 22:18
SP-Server Setup - Ubuntu 5.10 "Breezy Badger" - Page 6 (changes) LuisC-SM HOWTO-Related Questions 0 21st April 2006 15:16


All times are GMT +2. The time now is 15:33.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.