#1 andcha, 9th October 2013, 11:23
Shell-User cannot access SFTP and SSH Commands

Hi
My system is running ISPConfig3 Latest Stable on Ubuntu 12.04 x64.
Problem is that shell users created in ISPConfig panel are not able to SFTP and execute even basic SSH Commands

Here is what I have done till now

I have created two shell users for two websites, one located in web1 folder and other in web2. I have tried both, keeping the user in Jailkit and in None, this is what happens:

If I keep the user defaultchotu as "Chroot Shell:None":

a) defaultchotu can access SSH but cannot execute even basic commands like wget:
- Without the sudo prefix I get: file.zip: Permission denied
- With sudo, it asks for a password (of course), but for user web1 and not defaultchotu. Even the PuTTY screen shows web1@ns01:~$ as the user logged in, not defaultchotu. So when I enter the password for defaultchotu, it is not accepted and the apache2 log shows the following error lines
Code:
Oct  9 13:08:30 ns01 sudo: pam_unix(sudo:auth): authentication failure; logname=defaultchotu uid=5004 euid=0 tty=/dev/pts/0 ruser=web1 rhost=  user=web1
Oct  9 13:08:41 ns01 sudo: pam_unix(sudo:auth): conversation failed
Oct  9 13:08:41 ns01 sudo: pam_unix(sudo:auth): auth could not identify password for [web1]
Oct  9 13:08:41 ns01 sudo:     web1 : 2 incorrect password attempts ; TTY=pts/0 ; PWD=/var/www/clients/client0/web1 ; USER=root ; COMMAND=/usr/bin/wget https://www.dropbox.com/s/gibberish/file.zip

b) defaultchotu CAN log in to SFTP through Filezilla and see all directories but cannot upload files (only download possible)

Filezilla log reads
Code:
Status:	Starting upload of D:\DL\testscript.sh
Status:	Retrieving directory listing...
Command:	ls
Status:	Listing directory /var/www/clients/client0/web1
Command:	put "D:\DL\testscript.sh" "testscript.sh"
Error:	/var/www/clients/client0/web1/testscript.sh: open for write: permission denied
Error:	File transfer failed
Status:	Retrieving directory listing...
Command:	ls
Status:	Listing directory /var/www/clients/client0/web1
Status:	Directory listing successful
Status:	Disconnected from server

/var/log/auth.log reads
Code:
Oct  9 13:16:21 ns01 sshd[21863]: Accepted password for defaultchotu from xxx.xxx.xxx.xxx port xxxxx ssh2
Oct  9 13:16:21 ns01 sshd[21863]: pam_unix(sshd:session): session opened for user defaultchotu by (uid=0)
Oct  9 13:16:21 ns01 sshd[22020]: subsystem request for sftp by user defaultchotu

If I keep the user defaultchotu2 as "Chroot Shell:Jailkit":

a) defaultchotu2 can access ssh but no shell commands are available to it. For example:
- I cannot list the web root directory with ls command (with webroot I mean /var/www/clients/client0/web2)
- If I do wget command, I get
Code:
Resolving www.dropbox.com (www.dropbox.com)... failed: Name or service not known. wget: unable to resolve host address `www.dropbox.com'

- I surely can cd to /web and ls that directory, but wget and other basic commands still don't work
- In both directories, web2 and web, if I use sudo, an error pops up:
Code:
bash: sudo: command not found

FYI, logs of /var/log/auth.log after defaultchotu2 login
Code:
Oct  9 13:44:56 ns01 sshd[2669]: Accepted password for defaultchotu2 from 182.xxx.xxx.xxx port xxxxx ssh2
Oct  9 13:44:56 ns01 sshd[2669]: pam_unix(sshd:session): session opened for user defaultchotu2 by (uid=0)
Oct  9 13:44:57 ns01 jk_chrootsh[2827]: now entering jail /var/www/clients/client0/web2 for user defaultchotu2 (5005) with arguments

b) defaultchotu2 cannot log in through SFTP, with the following errors

Filezilla
Code:
Status:	Connecting to server1.in:4xxxx...
Response:	fzSftp started
Command:	open "defaultchotu2@server1.in" 4xxxx
Command:	Pass: ******
Status:	Connected to server1.in
Error:	Connection closed by server with exitcode 1
Error:	Could not connect to server

/var/log/auth.log
Code:
Oct  9 14:03:24 ns01 sshd[5408]: Accepted password for defaultchotu2 from 182.xxx.xxx.xxx port 5xxx8 ssh2
Oct  9 14:03:24 ns01 sshd[5408]: pam_unix(sshd:session): session opened for user defaultchotu2 by (uid=0)
Oct  9 14:03:24 ns01 sshd[5565]: subsystem request for sftp by user defaultchotu2
Oct  9 14:03:24 ns01 jk_chrootsh[5566]: now entering jail /var/www/clients/client0/web2 for user defaultchotu2 (5005) with arguments -c /usr/lib/openssh/sftp-server
Oct  9 14:03:25 ns01 sshd[5408]: pam_unix(sshd:session): session closed for user defaultchotu2
Oct  9 14:03:32 ns01 sshd[5567]: Accepted password for defaultchotu2 from 182.xxx.xxx.xxx port 5xx29 ssh2
Oct  9 14:03:32 ns01 sshd[5567]: pam_unix(sshd:session): session opened for user defaultchotu2 by (uid=0)
Oct  9 14:03:33 ns01 sshd[5724]: subsystem request for sftp by user defaultchotu2
Oct  9 14:03:33 ns01 jk_chrootsh[5725]: now entering jail /var/www/clients/client0/web2 for user defaultchotu2 (5005) with arguments -c /usr/lib/openssh/sftp-server
Oct  9 14:03:33 ns01 sshd[5567]: pam_unix(sshd:session): session closed for user defaultchotu2

Weird thing is that I cannot even transfer files from my main user account (with root privileges 'sudo su') to /var/www/clients/client0/web2 or /var/www/clients/client0/web1 directories

Additional Info:

1. /etc/passwd contains following
Code:
web1:x:5004:5005::/var/www/clients/client0/web1:/bin/false
web2:x:5005:5005::/var/www/clients/client0/web2/./home/defaultchotu2:/usr/sbin/jk_chrootsh
defaultchotu:x:5004:5005::/var/www/clients/client0/web1:/bin/bash
defaultchotu2:x:5005:5005::/var/www/clients/client0/web2/./home/defaultchotu2:/usr/sbin/jk_chrootsh

2. Before even installing ISPConfig3, I had:
Disabled root login in /etc/ssh/sshd_config
Changed SSH port from 22 to xxxxx in /etc/ssh/sshd_config
Changed protocol from 1,2 to 2 in /etc/ssh/sshd_config
Added UsePAM yes in /etc/ssh/sshd_config
UseDNS no in /etc/ssh/sshd_config
AllowGroups sshdusers in /etc/ssh/sshd_config

3. /etc/sudoers contains the following lines
Code:
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root    ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
www-data ALL=(root) NOPASSWD: /usr/sbin/repquota

4. Now to cope with this security measure, I ran the following commands right after adding users in ISPConfig > Shell-Users, to add these users to allowed groups
Code:
addgroup defaultchotu admin
addgroup defaultchotu sshdusers
addgroup web1 admin
addgroup web1 sshdusers
service ssh restart
service sudo restart

addgroup defaultchotu2 admin
addgroup defaultchotu2 sshdusers
addgroup web2 admin
addgroup web2 sshdusers
service ssh restart
service sudo restart
reboot

Update 1
a) Can this be a quota problem? I ask because I skipped the quota settings mentioned in step 16 of The Perfect Server - Ubuntu 12.04 LTS. The reason I feel this is that ISPC created a few lines in /etc/fstab
Code:
/var/log/ispconfig/httpd/example.in /var/www/clients/client0/web1/log    none    bind,nobootwait    0 0
/var/log/ispconfig/httpd/example2.in /var/www/clients/client0/web2/log    none    bind,nobootwait    0 0

b) Although I had tried this before, I tried once again to create an FTP user in the ISPC panel from Sites > FTP Account > New User, but still no success. I can connect to the FTP in the base directory (web2) but cannot upload files (download works). Here is the error I get in Filezilla:
Code:
Command:	TYPE A
Response:	200 TYPE is now ASCII
Command:	PASV
Response:	227 Entering Passive Mode (198,xxx,xx,xx,xxx,xxx)
Command:	STOR testscript.sh
Response:	553 Can't open that file: Permission denied
Error:	Critical file transfer error

Last edited by andcha; 9th October 2013 at 15:14.
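
An added example, not part of the original post or of ISPConfig: a shell check over the four /etc/passwd lines quoted above that lists UIDs shared by several login names and splits Jailkit home fields at the `/./` marker. With the files backend a UID-to-name lookup returns the first matching entry, which is consistent with the `web1@ns01` prompt and `user=web1` in the sudo log lines. The function names `shared_uids` and `jail_layout` are hypothetical, and the sample input is reconstructed from the post.

```shell
#!/bin/sh
# Constructed sample: the four /etc/passwd lines quoted in the post above.
SAMPLE_PASSWD='web1:x:5004:5005::/var/www/clients/client0/web1:/bin/false
web2:x:5005:5005::/var/www/clients/client0/web2/./home/defaultchotu2:/usr/sbin/jk_chrootsh
defaultchotu:x:5004:5005::/var/www/clients/client0/web1:/bin/bash
defaultchotu2:x:5005:5005::/var/www/clients/client0/web2/./home/defaultchotu2:/usr/sbin/jk_chrootsh'

# shared_uids (hypothetical name): read passwd(5) lines on stdin and print one
# line per UID that is assigned to more than one login name:
#   <uid> resolves_to=<first name in file> aliases=<other names>
# The first name is what the shell prompt, id -un and sudo will report for
# every account that shares the UID.
shared_uids() {
    awk -F: '
        /^#/ || NF < 7 { next }                 # skip comments, blank and malformed lines
        !($3 in first) { first[$3] = $1; order[++n] = $3; next }
        { if ($3 in others) others[$3] = others[$3] "," $1; else others[$3] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                uid = order[i]
                if (uid in others)
                    printf "%s resolves_to=%s aliases=%s\n", uid, first[uid], others[uid]
            }
        }'
}

# jail_layout (hypothetical name): for accounts whose shell is jk_chrootsh,
# split the home field at "/./" into the jail root and the home directory as
# seen from inside the jail. Only files copied into the jail root exist there.
jail_layout() {
    awk -F: '
        $7 ~ /\/jk_chrootsh$/ {
            i = index($6, "/./")
            if (i == 0) { printf "%s jail=UNKNOWN\n", $1; next }
            printf "%s jail=%s home_in_jail=%s\n", $1, substr($6, 1, i - 1), substr($6, i + 2)
        }'
}

# Run both checks on the constructed sample; on a live system use
#   shared_uids < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | shared_uids
printf '%s\n' "$SAMPLE_PASSWD" | jail_layout
```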

#2 andcha, 11th October 2013, 23:36

Okay, it took some time but I figured it out.

#3 Quaxth, 12th October 2013, 06:09

Maybe it would be appropriate to post the solution you found, so that other users can benefit from it if they have the same problem.

Thanks.
__________________
*************
Have a nice day.