Can't enable SSH users through ISPConfig 3.0.5

Discussion in 'General' started by Elayne, Jul 7, 2016.

  1. Elayne

    Elayne Member

    Hi guys,

    I'm kinda trying to sort out why I can't activate any user through the ISPConfig panel.
    Here's long story short what I did:
    1. Assured that my SSH port is opened, even added it in the ISPConfig Firewall service (even though i think this feature is not working). Although I wouldn't be able to connect even with root if it was disabled.
    2. Double-checked the SSH user is showing in /etc/passwd
    3. Added it through Sites -> Shell-Users -> Add new shell user
    3. - screenshot to assure the configuration is fine.
    4. Trying to connect with the user which is blurred combined with extension "ssh" ex. userssh
    5. Tried even connecting with the website Linux User web2

    The putty is asking for user and password but doesn't connect like the user is wrong. I've had similar issues when the user isn't existing at all.

    Any ideas where am I mistaking?
  2. Jesse Norell

    Jesse Norell Active Member

    You do have JailKit installed, eg. you have the "jk_list" command? What does your /etc/passwd entry look like? What do you find in log files when you try to login (eg. maybe /var/log/auth.log for debian/ubuntu)?
  3. Elayne

    Elayne Member

    JailKit seems like it's not installed as I thought it was. jk_list command is not found. Will follow this guide tomorrow:

    /etc/passwd for the example user:
    web2:x:5005:5006::/var/www/clients/client2/web2/./home/XXXX:/usr/sbin/jk_chrootsh - Everything seems to be just fine here.

    /var/log/auth.log found:
    Jul 7 12:25:13 s1 sshd[10877]: User XXXX not allowed because shell /usr/sbin/jk_chrootsh does not exist - Perhaps confirms the lack of JailKit

    I guess everything will be fine when I complete the guide. I'll update this thread if I have any further issues with setting it up.

    Thank you for opening my eyes, I feel dumb now. :)
  4. Elayne

    Elayne Member

    Right, so here's what happened:
    1. I've installed JailKit according to the above guide.
    2. Re-created the user with option JailKit
    3. Executing jk_list doesn't show the jailed user
    4. Checked the passwd, it's still adding correctly according to the documentation
    5. Searched through the internet for the guide "The perfect server" so I can find on if there is any additional configuration when installing JailKit to be used with ISPConfig
    6. Found this:
    Aaaaand here is the step where seems like that maybe nothing is going to happen because the guide says exclusively:
    "(important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):"

    Any suggestions on why it won't work and how am I suppose to integrate it after the installation of ISPConfig?
    The problem is that it doesn't get automatically jailed. If I jail the user manually by running the command
    jk_jailuser XXXX and try to log it gets me in, but if a new user gets created I must enter it again and enter the jail directory manually. Anyway is it possible to jail a whole ISPConfig account so to be one user for every website he has? For example to get jailed at /var/www/clients/client2/? The automatic creation of the user jails him inside the www dir.
    Last edited: Jul 9, 2016
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    If you install jailkit after you installed ispconfig, then ensure to run an ispconfig update with "reconfigure services = yes" to reconfigure the system setup.

    No. A user is a website, a client is a group, a jail in Linux is based on users and not groups, so the jail is for a website. Beside that, having a jail on the whole client would allow an attacker to get full access to all sites of a client. E.g. a client ahs a show which contains credit card data and he has a company blog, if we wont run each website under a different user as we do now, then a simple hack in the blog would give the attacker access to the credit card data of the shop even if the show was secure and not hacked.
  6. Elayne

    Elayne Member

    Hi Till, appreciate the time taken to explain. I didn't know the ISPConfig account were groups and the website were users, if I knew it would make sense why we can't jail whole account. However I was asking the question because sometimes it's easier to login via SSH to operate with a website and definitely not with the root user. But a for example I've got clients with more than 4-5 websites and creating SSH user for each website is a big pain. I'm not saying that isolating the most gets you the most security, don't get me wrong, but I wished there was an option which I would just click and it would allow me to use the whole user and manipulate all websites under it. By the way just a suggestion: you could make the creation of SSH users to be able to enter a custom jail folder through the panel. What I would do is create an SSH user jailed in the ISPConfig account directory with all the websites and make SSH accessible only via VPN or exact subnet/IP.

    Thanks for the advise about reconfiguration, will try it later!
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    When a client wants to manage all his sites within one website without any isolation, then you can use the vhost alias domains in ispconfig 3.1.

Share This Page