Can't login when ssh user shell chroot with jailkit

Discussion in 'Installation/Configuration' started by webcimes, Oct 24, 2019.

  1. webcimes

    webcimes New Member

    Hi,

    I use debian 10 with ISPConfig 3.1 and I have try to create a "user shell" for connect with ssh.

    All works perfectly when I don't chroot the shell and I can login with ssh, but if I try to select "jailkit" for chroot I can't connect with ssh and I get :
    "Connection to myvps.com closed."

    When I look inside /etc/passwd I see my user shell "webskyssh" (client1 / web1) :
    web1:x:5004:5005::/var/www/clients/client1/web1/./home/web1:/usr/sbin/jk_chrootsh
    webskyssh:x:5004:5006::/var/www/clients/client1/web1/./home/webskyssh:/usr/sbin/jk_chrootsh

    So I don't understand why I can't login when I chroot the "user shell" with jailkit ?

    Thanks for your help
     
    zakjakub likes this.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Maybe jailkit is not installed correctly?
     
  3. webcimes

    webcimes New Member

    Maybe but I have got no error during the installation / setup of ispconfig (I have also look in the log).
    I will try to install again all ISPConfig on fresh debian and I will see if the problem come back.
    Thanks
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Any additional errors in syslog or auth.log file (in /var/log/ directory)?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    And just to be sure, you used an ssh client like putty for the connection, you did not try to use SFTP? As SFTP components are not in the jail by default.
     
  6. webcimes

    webcimes New Member

    Thanks for your answer.

    I have try with "bash" to connect with ssh, and also with SFTP, and the both don't work if I put "jailkit" (the both works if I don't put "jailkit").

    I have look into the log, in syslog I see nothing special, but in auth log I have this error (permissions problem ?) :

    Oct 25 09:11:36 vps745325 sshd[2153]: Accepted password for webskyssh from 91.171.117.74 port 3533 ssh2
    Oct 25 09:11:36 vps745325 sshd[2153]: pam_unix(sshd:session): session opened for user webskyssh by (uid=0)
    Oct 25 09:11:36 vps745325 systemd-logind[472]: New session 43 of user web1.
    Oct 25 09:11:36 vps745325 systemd: pam_unix(systemd-user:session): session opened for user web1 by (uid=0)
    Oct 25 09:11:36 vps745325 jk_chrootsh[2173]: now entering jail /var/www/clients/client1/web1 for user webskyssh (5004) with arguments
    Oct 25 09:11:36 vps745325 jk_chrootsh[2173]: ERROR: failed to execute shell /bin/bash for user webskyssh (5004), check the permissions and libraries of /var/www/clients/client1/web1//bin/bash
    Oct 25 09:11:36 vps745325 sshd[2172]: Received disconnect from 91.171.117.74 port 3533:11: disconnected by user
    Oct 25 09:11:36 vps745325 sshd[2172]: Disconnected from user webskyssh 91.171.117.74 port 3533
    Oct 25 09:11:36 vps745325 systemd-logind[472]: Session 43 logged out. Waiting for processes to exit.
    Oct 25 09:11:36 vps745325 sshd[2153]: pam_unix(sshd:session): session closed for user webskyssh
    Oct 25 09:11:36 vps745325 systemd-logind[472]: Removed session 43.

    Thank you
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Please run:

    ls -la /var/www/clients/client1/web1/bin/bash

    and post the result
     
  8. webcimes

    webcimes New Member

    No folder like this in this repertory :

    ls: cannot access to '/var/www/clients/client1/web1/bin/bash': no such file or directory
     
  9. webcimes

    webcimes New Member

    Why the "bin/bash" folder doesn't create, have you an idea ?
    You think it's better than I install again ISPConfig ?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    bash is a file and not a folder. Does the folder /var/www/clients/client1/web1/bin/ exists?
     
  11. webcimes

    webcimes New Member

    No it also doesn't exist, here all the folders that I have inside "web1" folder :

    drwxr-xr-x 2 web1 client1 4096 oct. 24 17:05 cgi-bin
    drwxr-xr-x 2 root root 4096 oct. 24 23:51 etc
    drwxr-xr-x 4 root root 4096 oct. 24 22:11 home
    drwxr-xr-x 2 root root 4096 oct. 25 09:03 log
    drwx--x--- 2 web1 client1 4096 oct. 24 17:05 private
    drwxr-xr-x 2 root root 4096 oct. 24 17:05 ssl
    drwxrwxrwx 2 web1 client1 12288 oct. 25 11:03 tmp
    drwxr-xr-x 3 root root 4096 oct. 24 22:11 var
    drwx--x--x 10 web1 client1 4096 oct. 24 23:00 web
    drwx--x--- 2 web1 client1 4096 oct. 24 17:05 webdav
     
  12. webcimes

    webcimes New Member

    You think the problem come from jailkit ?
    I have try to create other website (web2) and the "/bin" folder isn't create too, but it's jailkit who create this folder or ISPConfig ?

    Thanks
     
  13. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What show commands
    Code:
    apt-cache policy jailkit
    jk_list
     
  14. webcimes

    webcimes New Member

    apt-cache policy jailkit :
    Code:
    jailkit:
      Installé : 2.20-1
      Candidat : 2.20-1
     Table de version :
     *** 2.20-1 100
            100 /var/lib/dpkg/status
    
    jk_list :
    Code:
    Pid    User    Jail               Command
    1169   dovecot /run/dovecot/empty /usr/lib/dovecot/stats
    548    dovecot /run/dovecot/empty /usr/lib/dovecot/anvil
    18755  sshd    /run/sshd          /usr/sbin/sshd
    14417  postfix /var/spool/postfix /usr/lib/postfix/sbin/pickup -l -t unix -u -c
    9900   postfix /var/spool/postfix /usr/lib/postfix/sbin/tlsmgr -l -t unix -u -c
    
    Thanks for your help
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    The folder is created by Jailkit at the time the jail gets created. Did you change any jailkit settings under system > server config?
     
  16. webcimes

    webcimes New Member

    Okay thank you, no I have change nothing into jailkit, here a screenshot of what I see in the config :

    upload_2019-10-25_15-34-7.png

    All seems normal ?
     
  17. jcvieira

    jcvieira New Member

    Hello, i have the same problem, did you managed to resolve this?
     
  18. webcimes

    webcimes New Member

    Hi, no sorry I haven't found a solution for this problem :/ , if you found the solution, please tell me, thanks :)
     
    jcvieira likes this.
  19. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The jailkit setup is not known to have any general "doesn't work" issues, so likely you will both have to troubleshoot your issues individually.

    Maybe start with ensuring jailkit is installed, run update.php from the ispconfig install source and let it reconfigure services if you haven't done that lately; add a jailkit ssh user and look at the /etc/passwd entry which gets added, which will point to the appropriate /var/www/clients/client#/web#/ directory, and see what got added there (eg. bin/ etc/ dev/ etc. ?).

    You might enable debug mode for your server and run server.sh manually to see what debugging info is printed when adding a jailkit user to a fresh website (ie. one for which you have not tried to configure jailkit previously).
     
    Last edited: Jan 21, 2020
    till likes this.
  20. webcimes

    webcimes New Member

    Thanks for your answer Jesse Norell.ls, I think it's working now, here all the steps :

    When I create a user for ssh with jailkit chroot I have this in the "/var/www/clients/client#/web#/" folder:
    etc : bash.bashrc, passwd
    home : web1, myuserssh
    But I don't have bin and dev folder here.

    If the user have jailtkit chroot set I can't login with it, and I got :
    systemd-logind[571]: New session 38914 of user web1.
    systemd: pam_unix(systemd-user:session): session opened for user web1 by (uid=0)
    jk_chrootsh[14248]: now entering jail /var/www/clients/client1/web1 for user myuserssh (5004) with arguments
    jk_chrootsh[14248]: ERROR: failed to execute shell /bin/bash for user myuserssh (5004), check the permissions and libraries of /var/www/clients/client1/web1//bin/bash

    So It's confirm that the problem is because of the bin directory that doesn't exist.

    After I have look the log in /var/log/ispconfig/cron.log and I see :
    ERROR: /var/www/clients/client1 is not owned by root:root!
    invalid shell, /var/www/clients/client1/web5/bin/bash does not exist

    So for me the problem was that the folder "client1" doesn't have the right user (I have probably change the folder user in the past I don't know why), so inside /var/www/clients/ I change the user to :
    chown root:root client1

    And if I retry to create a user ssh with chroot, the jail is working !

    But I have a new error in "/var/log/ispconfig/cron.log" :
    usermod: user newuserssh2 is currently used by process 20409
    failed to execute usermod -d /var/www/clients/client1/web5/. -s /usr/sbin/jk_chrootsh newuserssh2 failed to modify user newuserssh2

    So it's working for the jail but I don't know why I have this new error, I have no connexion from newuserssh2 which just create few seconds ago.
     
    zakjakub likes this.

Share This Page