
28th December 2011, 12:47
Junior Member
Join Date: Dec 2011
Posts: 14
Thanks: 1
Thanked 0 Times in 0 Posts
Jailed SSH users just exit.
Thanks for all the help so far to all those who contribute to the forums. I’ve gotten stuck on a real doozy this time though. As the title suggests, I’m having trouble with jailing ssh users. Putty just exits. Here is some relevant info.
Just followed the new openSUSE 12.1 perfect server guide and bought the manual and tried again; everything else I think is fine. I'd love to stick with openSUSE if possible.
I tried the following with no luck. Did I make a security hole?
Code:
chmod +s /usr/sbin/jk_addjailuser
chmod +s /usr/sbin/jk_check
chmod +s /usr/sbin/jk_chrootlaunch
chmod +s /usr/sbin/jk_chrootsh
chmod +s /usr/sbin/jk_cp
chmod +s /usr/sbin/jk_init
chmod +s /usr/sbin/jk_jailuser
chmod +s /usr/sbin/jk_list
chmod +s /usr/sbin/jk_lsh
chmod +s /usr/sbin/jk_procmailwrapper
chmod +s /usr/sbin/jk_socketd
chmod +s /usr/sbin/jk_update
It changed the nature of the problem but it still exists.
Here is the output of /etc/passwd
Code:
web3:x:5005:5004::/srv/www/clients/client1/web3/./home/web3:/bin/false
grantstokes2:x:5005:5004::/srv/www/clients/client1/web3/./home/grantstokes2:/usr/sbin/jk_chrootsh
Here is the relevant output from the log
Code:
Dec 28 17:33:39 webserv2 jk_chrootsh[3757]: now entering jail /srv/www/clients/client1/web3 for user grantstokes2 (5005)
Dec 28 17:33:39 webserv2 jk_chrootsh[3757]: ERROR: failed to execute shell /bin/bash#015 for user grantstokes2 (5005), check the permissions and libraries of /srv/www/clients/client1/web3//bin/bash#015
Dec 28 17:33:39 webserv2 systemd-logind[1077]: Removed session 20.
Hope this all helps, and thank you so much in advance.
Grant
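The `#015` in the log above is syslog's octal escape for a carriage return, so the shell jk_chrootsh tried to execute was `/bin/bash` followed by a CR character. The script below is an added example, not part of the original post and not jailkit or ISPConfig code; it assumes jk_chrootsh takes the shell from etc/passwd inside the jail, and `check_jail_passwd`, `make_sample_jail` and the sample jail are constructed for illustration.

```shell
#!/bin/sh
# Added example, not jailkit or ISPConfig code.
# check_jail_passwd JAIL: report shell fields in JAIL/etc/passwd that cannot be
# executed inside the jail. Returns 0 if clean, 1 on findings, 2 if unreadable.
check_jail_passwd() {
    jail=$1
    cr=$(printf '\r')
    found=0
    [ -r "$jail/etc/passwd" ] || { echo "unreadable: $jail/etc/passwd"; return 2; }
    while IFS=: read -r user pw uid gid gecos home shell || [ -n "$user" ]; do
        case $shell in
            *"$cr"*)
                # This is what syslog prints as "#015" after the shell path.
                echo "$user: shell field contains a carriage return"
                found=1
                shell=$(printf '%s' "$shell" | tr -d '\r') ;;
        esac
        # The shell is resolved relative to the jail root, not the real root.
        if [ ! -f "$jail$shell" ] || [ ! -x "$jail$shell" ]; then
            echo "$user: $shell is not executable inside the jail"
            found=1
        fi
    done < "$jail/etc/passwd"
    return "$found"
}

# Constructed sample: a jail whose etc/passwd was written with DOS line endings.
make_sample_jail() {
    j=$(mktemp -d) || return 1
    mkdir -p "$j/etc" "$j/bin"
    printf '#!/bin/sh\n' > "$j/bin/bash"
    chmod 755 "$j/bin/bash"
    printf 'grantstokes2:x:5005:5004::/home/grantstokes2:/bin/bash\r\n' > "$j/etc/passwd"
    echo "$j"
}

sample=$(make_sample_jail)
check_jail_passwd "$sample"
echo "status: $?"
rm -rf "$sample"
```

On a real server the argument would be the jail root from the log, here /srv/www/clients/client1/web3.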

28th December 2011, 13:07
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,911
Thanks: 693
Thanked 4,198 Times in 3,213 Posts
There was a problem with jailkit in ISPConfig 3.0.4, it has been fixed in ISPConfig 3.0.4.1. So most likely your problem will get solved by updating to the latest ISPConfig version. The jail will only be recreated when the first shell user of a website gets added, so you should try to create a new website and then a new shell user and try to log in with that user to see if the problem is solved.
Quote:
|
Did I make a security hole?
|
Most likely, yes.

28th December 2011, 13:37
Junior Member
WOW! Thanks for the fast response, but still no luck. I'll run through the guide again and let you know how I go. I've got a sneaky suspicion that the jailkit daemon wasn't running during install. Could that affect it? Out of curiosity. I don't suppose I can find a list somewhere with what services need to be running at install and all the time. I reckon the distro added a few I didn't need. I nginx too, if that changes anything?
Grant

28th December 2011, 14:08
Super Moderator
Quote:
|
I've got a sneaky suspicion that the jailkit daemon wasn't running during install. Could that affect it?
|
That should not matter, as the jailkit daemon is not used in that setup, so it can be stopped.
Quote:
|
I don't suppose I can find a list somewhere with what services need to be running at install and all the time
|
Just follow the perfect server guide, at the end all services required by ispconfig are installed and running.

28th December 2011, 14:57
Junior Member
Still got the same problem after running through again.
Code:
web1:x:5004:5004::/srv/www/clients/client1/web1/./home/web1:/bin/false
grantstokesssh:x:5004:5004::/srv/www/clients/client1/web1/./home/grantstokesssh:/usr/sbin/jk_chrootsh
Without jailkit
Code:
Dec 29 00:34:32 webserv2 sshd[7519]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Dec 29 00:34:45 webserv2 sshd[7519]: Accepted keyboard-interactive/pam for grantstokesssh from 110.232.244.1 port 55612 ssh2
Dec 29 00:34:45 webserv2 systemd-logind[1217]: New user web1 logged in.
Dec 29 00:34:45 webserv2 systemd-logind[1217]: New session 17 of user web1.
With
Code:
Dec 29 00:38:01 webserv2 shadow[7806]: account already exists - account=grantstokesssh, by=0
Dec 29 00:38:22 webserv2 shadow[11754]: home directory changed - account=grantstokesssh, uid=5004, home=/srv/www/clients/client1/web1/., old home=/srv/www/clients/client1/web1, by=0
Dec 29 00:38:22 webserv2 shadow[11754]: shell changed - account=grantstokesssh, uid=5004, shell=/usr/sbin/jk_chrootsh, old shell=/bin/bash, by=0
Dec 29 00:38:22 webserv2 shadow[11755]: home directory changed - account=grantstokesssh, uid=5004, home=/srv/www/clients/client1/web1/./home/grantstokesssh, old home=/srv/www/clients/client1/web1/., by=0
Dec 29 00:38:22 webserv2 shadow[11757]: home directory changed - account=web1, uid=5004, home=/srv/www/clients/client1/web1/./home/web1, old home=/srv/www/clients/client1/web1, by=0
Dec 29 00:38:46 webserv2 sshd[11767]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Dec 29 00:38:59 webserv2 sshd[11767]: Accepted keyboard-interactive/pam for grantstokesssh from 110.232.244.1 port 55641 ssh2
Dec 29 00:38:59 webserv2 systemd-logind[1217]: New session 25 of user web1.
Dec 29 00:39:00 webserv2 jk_chrootsh[11778]: abort, effective user ID is not 0, possibly jk_chrootsh is not setuid root
Dec 29 00:39:00 webserv2 systemd-logind[1217]: Removed session 25.
Dec 29 00:39:00 webserv2 systemd-logind[1217]: User web1 logged out.
Output from ls -la /usr/sbin/jk_chrootsh
Code:
webserv2:~ # ls -la /usr/sbin/jk_chrootsh
-rwxr-xr-x 1 root root 27312 Oct 30 07:01 /usr/sbin/jk_chrootsh
Maybe my default run level is too high or something? My brain hurts.
Grant
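The `abort, effective user ID is not 0` line and the `-rwxr-xr-x` listing above show jk_chrootsh without its setuid bit, while the `chmod +s` on every jk_* tool in the first post erred in the other direction. The script below is an added example, not from the thread and not jailkit or ISPConfig code, that audits a directory for both conditions; the allowlist holding only jk_chrootsh, the function names and the sample directory are assumptions.

```shell
#!/bin/sh
# Added example, not jailkit or ISPConfig code.
# ALLOWED is an assumption: only jk_chrootsh, the one binary the log above says
# must be setuid root. Extend it if your jailkit package ships others setuid.
ALLOWED="jk_chrootsh"

# audit_jk_setuid DIR: prints UNEXPECTED/MISSING findings; returns 1 if any.
audit_jk_setuid() {
    dir=$1
    rc=0
    # jk_* tools that carry a setuid or setgid bit without being allowlisted.
    for f in "$dir"/jk_*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ -u "$f" ] || [ -g "$f" ]; then
            case " $ALLOWED " in
                *" $name "*) ;;
                *) echo "UNEXPECTED $name: clear with chmod u-s,g-s $f"; rc=1 ;;
            esac
        fi
    done
    # Allowlisted tools that lost the bit: the "effective user ID is not 0" case.
    for name in $ALLOWED; do
        if [ -f "$dir/$name" ] && [ ! -u "$dir/$name" ]; then
            echo "MISSING $name: not setuid"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample directory standing in for /usr/sbin: jk_chrootsh is 0755
# as in the ls output above, and two other tools are setuid.
make_sample_sbin() {
    d=$(mktemp -d) || return 1
    for n in jk_chrootsh jk_cp jk_init jk_list; do
        : > "$d/$n"
        chmod 755 "$d/$n"
    done
    chmod 4755 "$d/jk_cp" "$d/jk_init"
    echo "$d"
}

sample=$(make_sample_sbin)
audit_jk_setuid "$sample"
rm -rf "$sample"
```

The script only reports; it changes no permissions itself.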

28th December 2011, 15:10
Super Moderator
Do you log in with username and password or with ssh keys? The ssh key function is not working currently, as described in the bugtracker. To fix that for your user you will have to chown the authorized keys folder and its contents in the home directory of the user from root to the user.
http://bugtracker.ispconfig.org/inde...s&task_id=1945

29th December 2011, 00:02
Junior Member
I'm not using keys. Just using username and password. I think it's related to this line.
Code:
Dec 29 00:39:00 webserv2 jk_chrootsh[11778]: abort, effective user ID is not 0, possibly jk_chrootsh is not setuid root
Dec 29 00:39:00 webserv2 systemd-logind[1217]: Removed session 25.
Or maybe the process run level is too low. If it were a key issue it wouldn't work with jailkit disabled.

29th December 2011, 01:31
Senior Member
Join Date: Dec 2010
Location: München
Posts: 339
Thanks: 35
Thanked 75 Times in 61 Posts
Go to the customer limits and check if only jailkit is selected.
Cheers

29th December 2011, 06:24
Junior Member
Only jailkit is enabled. I plan to force users to use sftp with clients like filezilla.

29th December 2011, 07:55
Super Moderator
Better use ftps instead of ftp. Ftps is ftp over ssl and is jailed by the pure ftpd daemon, so you don't need jailkit. The jailkit jails are made for interactive connections, e.g. with putty; they don't work for sftp by default.
All times are GMT +2.