Automatically chroot'ing users in ISPConfig 2

Discussion in 'Installation/Configuration' started by gragus, Feb 26, 2012.

  1. gragus

    gragus New Member

    Issue:

    Activating chroot'ed users via $go_info["server"]["ssh_chroot"] = 1 does not actually result in chroot'ing.

    Background info:

    I know that there are several threads on chroot'ing users with ISPConfig, but I found them inconsistent. While some people are probably successful in setting this up, some clearly fail (links below). I hope to get some clarification here.

    I would like to thank Falko, Til and Co. for the great "Perfect Server" and other manuals. However, arguably, it is a security flaw that the manuals explain how to set up FTP. Many users (including myself up to a while ago) underestimate this security issue. If you could make setting up chroot'ed SFTP an integral part of your manuals and make non-local FTP access setup optional it would be awesome going forwards. In any case - thanks for your time.

    System:

    Ubuntu 10.04.4 LTS
    configured as explained here. It's a cloud-box, so I started in the middle of step 7.

    ISPConfig Version: 2.2.40

    Aiming to set up chroot'ed users with ISPConfig I looked at a few sources:

    1. http://www.howtoforge.com/chrooted_ssh_howto_debian
    2. http://www.howtoforge.com/restricting-users-to-sftp-plus-setting-up-chrooted-ssh-sftp-debian-squeeze
    3. http://www.howtoforge.com/forums/showthread.php?t=6370&highlight=chroot+ssh+ispconfig
    4. http://www.howtoforge.com/forums/showthread.php?t=4373

    Essentially, [1] and [2] say that you need to first enable an SSH host that supports chroot'ing and then go on to explain how to copy files essential for a chroot'ed user. Although [1] says that you need to download and build a modified server, that article is quite old, and from [2] it seems that these days it is sufficient to install OpenSSH (also hinted on here).

    From [3] and [4] you learn that once you have a chroot-capable SSH host, you just need to set the flag '$go_info["server"]["ssh_chroot"]' in file '/home/admispconfig/ispconfig/lib/config.inc.php'. That will use the script '/root/ispconfig/scripts/shell/create_chroot_env.sh' to set up the necessary files for new users created by ISPConfig.

    I did all of the above, but things do not work.
    I see that files that should be copied by create_chroot_env.sh are indeed copied and that new users have a dot in their home directory path. However, when logging in under such a user I can see the entire file system which implies that I am not chroot'ed.

    I am not sure how to diagnose the issue. Is there a way to check that the active SSH host is the one I need and that it supports chroot'ing? What else could I be missing? Do I perhaps require some 'Match' configuration blocks in the SSHD config file as described in [2]? If so, how should they look like to interop well with ISPConfig?

    Diagnostics:

    Here are some snippets from my system config/diagnostics that may be relevant:

    /home/admispconfig/ispconfig/lib/config.inc.php:
    Code:
    ...
    $go_info["server"]["ssh_chroot"] = 1;
    ...
    /etc/ssh/sshd_config:

    Code:
    ...
    #Subsystem sftp /usr/lib/openssh/sftp-server
    Subsystem sftp internal-sftp
    
    UsePAM yes
    [I](end of file)[/I]
    [email protected]:~# ps flax:

    Code:
    F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
    . . .
    4     0  1985     1  20   0   5600  2132 -      Ss   ?          0:00 /usr/sbin/sshd -D
    4     0  2033  1985  20   0   8408  2820 -      Ss   ?          0:00  \_ sshd: [email protected]
    5     0  2315  2033  20   0   8508  1440 -      Ss   ?          0:00  |   \_ sshd: [email protected]
    4     0 21230  1985  20   0   8408  2740 -      Ss   ?          0:00  \_ sshd: MyUser [priv]
    5 10001 21296 21230  20   0   8540  1460 -      S    ?          0:00  |   \_ sshd: [email protected]/0
    0 10001 21297 21296  20   0   4592  1864 -      Ss   pts/0      0:00  |       \_ -bash
    0 10001 21304 21297  20   0   6980  2848 -      S+   pts/0      0:00  |           \_ mc
    0 10001 21306 21304  20   0   4608  1872 -      Ss+  pts/1      0:00  |               \_ bash -rcfile .bashrc
    4     0 21426  1985  20   0   8408  2684 -      Ss   ?          0:00  \_ sshd: MyUser [priv]
    5 10001 21488 21426  20   0   8540  1456 -      S    ?          0:00  |   \_ sshd: [email protected]
    1 10001 21491 21488  20   0   8508  1252 -      Ss   ?          0:00  |       \_ sshd: [email protected]
    4     0 21585  1985  20   0   8544  2808 -      Ss   ?          0:00  \_ sshd: [email protected]/2
    4     0 21647 21585  20   0   4632  1872 -      Ss   pts/2      0:00      \_ -bash
    0     0 21662 21647  20   0   7528  3508 -      S+   pts/2      0:00          \_ mc
    0     0 21664 21662  20   0   4636  1896 -      Ss   pts/3      0:00              \_ bash -rcfile .bashrc
    4     0 21795 21664  20   0   2692   900 -      R+   pts/3      0:00                  \_ ps flax
    . . .
    
    Thanks!
     
  2. gragus

    gragus New Member

    Ping.. :)

    Any clues anyone?
     
  3. hairydog2

    hairydog2 New Member

    Last edited: Sep 19, 2012
  4. hairydog2

    hairydog2 New Member

    Still an issue

    I am a bit surprised that in more than six months no-one has been able to offer any help at all.

    Are we flogging a dead horse here?
     

Share This Page