chroot SSH IspConfig2

Discussion in 'General' started by kextra1, Jan 15, 2011.

  1. kextra1

    kextra1 ISPConfig Developer

    How do I chroot SSH shells for ISPConfig 2 users?

    I simply don't want them to be able to look at database passwords in files and stuff like that in other clients' webs... not an unreasonable request.

    I found info on ISPConfig 3 but no info on ISPConfig 2, the real ISPConfig.

    I'm running Debian Lenny.

    Thanks if you can help.

    PS. Nothing against IspConfig 3, it just looks like it was made through the god-awful TYP03 CMS or something, but I'm sure it has as many ups as it does the virtual mail names for webs and stuff.
  2. falko

    falko Super Moderator ISPConfig Developer

    You must set this up manually. This link might help:

    ISPConfig 3 has absolutely nothing to do with Typo3. I wonder why you got this impression? :confused:
  3. kextra1

    kextra1 ISPConfig Developer

    Thanks a million Falko, you're the best! As always! Actually I am going to login to my email. There is a compliment I want you to see. Your name was mentioned just the other day in an email conversation!

    My cousin Jake, who started me on ISPConfig, doesn't even know you in real life, but just yesterday your name was mentioned when we were talking about ISPConfig. I'll paste his compliment below. He said,

    (pasting email below)

    "Don't you use the HowtoForge forums anymore? Falko is the go-to guy for ISPConfig 2 & 3, but not just that. The guy has written so many tutorials helping so many people, and done so on so many platforms! I mean the guy knows how to use every Linux distro and is a true pioneer. When it comes to the Open Source community that guy is a true jewel, I wish there were a million more like him in the open source community.

    I don't know Falko very well, but he's the reason I started using ISPConfig CP instead of commercial CP's like WHMCS or Plesk. I met him on howtoforge ispconfig 2 forums. I thought you knew him. There are others who can help you like Till and Hans and many other great people who've helped me greatly with ispconfig on there that you can get help from if I'm not around. But that Falko guy has impressed me the most. He's one smart dude!"

    (end of paste)

    hehe, I would have to agree! I pasted that because I thought you'd like to hear that. I bet there are tons of people out there that are grateful for your help and tutorials.

    Well, I know it's separate from Typo3, I apologize for the ranter. I have only used Typo3 a few times over a year ago and I think it was the top buttons with the new layout on the IspConfig 3 demo that reminded me sorta of the old default typo3 template thing.

    I'd LOVE to move all my IspConfig 2 webs and DBs over to another server running IspConfig 3. I know how to manually .tgz up the webs and export/import the databases, but this is my problem.

    I had 2 servers running ISPConfig 2, I manually cloned or moved all the websites and databases to the 2nd new server running ISPConfig 2. When I pointed port 80 etc. etc. to the new server all the websites showed up great! It looked like I had successfully cloned all my ISPConfig 2 clients to the new server.

    Then I tried to send mail from my email address.


    I could not send/receive ANY mail! When I tried to send an email from any ispconfig email address, which all worked on the original server, it would return with an error. Like a postfix mismatch or something.

    I'm not very educated with postfix let alone with moving or cloning it. The only thing I know about postfix is what I read from your tutorial for ispconfig2 & debian etch...back when postfix was not in the debian repository yet and your tutorial covered building postfix from source.

    I would HAPPILY do a manual backup/export and move all web content and databases from my ISPConfig 2 server to the new ISPConfig 3 server.

    However, I'm not sure how to set up a new postfix or whatever is needed to make sure my email still goes through on the new server after the move. I used RoundCube.pkg and a SQLite db for my webmail. I thought I had set it up on the second ISPConfig 2 server the same as I had on the first, but I could not send/receive mail. That was the only problem on the move, so I am still using ISPConfig 2 on the first server.

    I would like to clone every web on IspConfig 2 and do a new IspConfig 3 install and move the webs over, but the email must work. I don't know what I did wrong.

    If ISPConfig 3 has something like the remoting framework I can use for ISPConfig auto-account creation/autosignup, and if someone can help me make sure the email will work when I create email users with the same usernames/email address accounts that existed on server 1, then I would LOVE to move to IspConfig 3 on server 2 and start helping with development on the newer ispconfig3 forums.

    Thanks again for the link for the chroot SSH jail link for Debian Lenny Falko!

    Hopefully I'll be able to migrate to IspConfig 3 with some help!

    Long live the ISPConfig Crew!!!!

    Last edited: Jan 19, 2011
  4. kextra1

    kextra1 ISPConfig Developer

    Help! IspConfig 2 chroot question

    I need help with your tutorial and IspConfig 2 buddy!

    I see where you put this:

    Match Group users
        ChrootDirectory /home
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand /usr/lib/openssh/sftp-server

    For IspConfig 2 users and chroot jails, should I use something like this below?

    Match Group web1
        ChrootDirectory /var/www/web1
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand /usr/lib/openssh/sftp-server

    Would that be right, Falko? I thought I tried that and I got a Network Connection error in PuTTY. I did not do the:

    "chmod 700 /var/www/web1"

    to the home directory though.

    Also the script you use in the tutorial for users chroot doesn't give directions on how to use the script with groups instead of usernames.

    EXAMPLE: username [/path/to/chroot-shell [/path/to/chroot]]

    Can we put the group for example: "web1" in place of the username?

    Sorta like you showed with the /etc/ssh/sshd_config stanza using groups instead of individual users?

    Will that work with this script?

    Then simply instead of doing: falko /bin/bash /home

    Could I do something like: web1 /bin/bash /var/www/web1

    Would that work or must it be a username with the script?

    Thanks, sorry for all the questions, just don't want to mess up my server.

    Any advice is appreciated! Thanks for your expertise again!
    Last edited: Jan 19, 2011
  5. falko

    falko Super Moderator ISPConfig Developer

    Are there any errors in your mail log?
    Are your DNS records ok (MX, PTR, SPF)? Did you update them to the new IP?

    I'm afraid I can't say much about the chroot problem - it's a long time since I have used it... :(
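
Added example, not part of the thread or of the tutorial it refers to: sshd accepts a `ChrootDirectory` only when every component of the path is a root-owned directory that is not writable by group or others, so this script checks that rule for a path such as the `/var/www/web1` asked about above. The function names and the optional uid and base arguments are assumptions introduced here so the check can be tried without root.

```bash
#!/bin/bash
# Added example: check sshd's rule for a ChrootDirectory. Every component of
# the path must be a directory owned by root and not writable by group or
# others; sshd drops the session otherwise.

# check_dir DIR [UID]: test one component. UID defaults to 0 (root); the
# override is an assumption of this example so it can be tried without root.
check_dir() {
    local dir=$1 want_uid=${2:-0} uid mode
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    uid=$(stat -c %u "$dir")    # numeric owner (GNU stat)
    mode=$(stat -c %a "$dir")   # octal permissions, e.g. 755
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owner uid $uid, expected $want_uid"; return 1
    fi
    # 022 masks the write bits for group and others.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode is writable by group or others"; return 1
    fi
    echo "ok   $dir (uid $uid, mode $mode)"
}

# check_chroot PATH [UID] [BASE]: check PATH and each parent up to BASE
# (default /). Symlinks are resolved first, a simplification of this example.
check_chroot() {
    local path want_uid=${2:-0} base=${3:-/} rc=0
    path=$(readlink -f "$1") || return 1
    base=$(readlink -f "$base") || return 1
    while :; do
        check_dir "$path" "$want_uid" || rc=1
        [ "$path" = "$base" ] || [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage: pass the ChrootDirectory value, e.g. /var/www/web1 from the post.
if [ $# -gt 0 ]; then
    check_chroot "$@"
fi
```

When a component fails this check, sshd closes the connection right after authentication and records the reason in its own log, so the client only sees a dropped session.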
