ISPConfig Jailkit / SSH Chroot not working (Lenny)

Discussion in 'Installation/Configuration' started by edge, Mar 6, 2009.

  1. edge

    edge Active Member Moderator

    Not sure where I went wrong, but I did install Jailkit (according to The Perfect Server - Debian Lenny (Debian 5.0) [ISPConfig 3] - Page 4 - step 15 - Install Jailkit) before I installed ISPConfig 3.

    Whatever option I try for a Shell-User (none / Jailkit / SSH Chroot), they can cd into other directories, and read the data.

    Is it me who made a mistake, or does it not work on Lenny?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Jailkit works fine for me on Lenny, there are no known bugs. SSH-Chroot will only work if you patch your SSH daemon like it was necessary for ISPConfig 2.
  3. edge

    edge Active Member Moderator

    Hi Falko,

    I'm 100% sure that I did install it according to the howto.

    Also the directory /etc/jailkit and the needed files do exist, and jk_socketd.ini does point to the "jailed" user directory.
    When I login with the created shell-user I get this back as prompt.
    Is the $USER correct, or should it say the user name?

    Also, is there another way of checking that Jailkit is installed correctly?
    Last edited: Mar 7, 2009
  4. edge

    edge Active Member Moderator

    I've created a new domain / user, and now jailkit is working fine!
    The 1st domain / user that I tested it with was the main host name of the server. I guess that this was kind of mixing things up.

    All is working fine for the new user.

    However! I do still see the deleted test user accounts in "/var/clients/client1/web1/home"
    Last edited: Mar 7, 2009
  5. falko

    falko Super Moderator ISPConfig Developer

    I see you've posted this in the bugtracker, so we will check it.
  6. oncletom

    oncletom New Member

    Hi, I think I have a similar problem.

    I created a client, then a website and, at last, a shell account with a Jailkit chroot.
    Its dir is `/var/www/clients/client1/web1`. When I login, I'm located in `/var/www/clients/client1/web1/home/[clientname]`. I can browse the whole filesystem (according to the user permissions at least).

    A last thing, I left the username empty because a shell login with [clientname] was fine. Could it be related? No chroot created because of no username given?

    PS: I've installed Jailkit before ISPConfig ;-)
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Are you really sure that you can browse the complete filesystem? Please login with that user and then execute:

    cd /

    and post the output of:

    ls -la
  8. oncletom

    oncletom New Member

    Hello :)

    Thanks for your prompt reply. Here is the output:
    Is it the expected result?
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, the user is really not chrooted. Did you get any errors in the log files (see monitoring module) as you created the jailed user? Please try to create a different new jailed user and check if this gets jailed.
  10. oncletom

    oncletom New Member

    I'll check for that. I'll keep you in touch thanks.
  11. oncletom

    oncletom New Member

    I reinstalled the whole box, created 2 accounts (with login suffix now, like [CLIENTNAME]test1 & test2) but I encounter the same issue: `cd /` brings me to the very root of the server.

    However, I noticed when I just connected, I'm in `/var/www/clients/client1/web1/./home/[CLIENTNAME]test1`. When I do `cd`, I'm then in `/var/www/clients/client1/web1/home/[CLIENTNAME]test1`.

    Does it help?
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    If you have a . in the path then you selected the wrong chrooting method and this explains all your problems. You have to select jailkit and not ssh chroot if your ssh daemon has not been patched for chrooting.
  13. oncletom

    oncletom New Member

    I have only 2 choices for Chroot Shell: None or Jailkit.
    I patched nothing else (I followed the install guide step by step except for the webmail and FTP server I don't want) so I'm wondering where it comes from.

    I'm on a Debian Lenny (5.0.1).
  14. oncletom

    oncletom New Member

    I investigated a little more but I find nothing.

    I've only installed jailkit with the configure/make/make install and nothing more. It was the version 2.7.

    I checked files within /etc/jailkit and the only one with a different modified date was jk_socketd.ini:

    In the Monitor tab of ISPConfig, I don't have anything related to Jailkit, only Fail2ban:
  15. till

    till Super Moderator Staff Member ISPConfig Developer

  16. Ovidiu

    Ovidiu Active Member

    Just wondering if this is still valid, as far as I know the latest openssh contains the patch so it is not needed anymore.

    Besides, I followed the how to for the perfect debian lenny webserver for ispcfg3 completely and I am not offered the chroot option only the jailkit one.

    Besides, what is the difference in a few sentences between those two?
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    This is still valid. The patch in openssh is not compatible with the way the chroot was configured with the patch that was available before.
  18. oncletom

    oncletom New Member

    In fact I just saw these logs (/var/log/auth.log) after creating a user:
    Finally, when the user logs in, the path is good as it's the one that was set up. But it's not the expected one.

    Hope it helps
  19. till

    till Super Moderator Staff Member ISPConfig Developer

  20. oncletom

    oncletom New Member

    I applied the update, reconfigured the services, switched a Shell User account from Jailkit to None then None to Jailkit and now I'm dropped in the good directory (the one of the Dir option in the Options tab of ISPConfig).

    If I do "cd /", I can still access the root of the server. Is it normal?
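
As an added example (not from any poster and not ISPConfig's or Jailkit's own code), the two things this thread keeps coming back to, the `/./` in the login path and whether anything actually performs the chroot, can be read straight from the passwd entries. It assumes Jailkit's login shell is installed as `/usr/sbin/jk_chrootsh`; the account names and IDs in the sample are constructed.

```shell
# Added example: classify passwd entries by whether anything will chroot them.
# Assumption: Jailkit's login shell lives at /usr/sbin/jk_chrootsh.
JK_SHELL="/usr/sbin/jk_chrootsh"

# classify_entry LINE -> jailkit | jk-no-marker | sshd-patch-only | none
classify_entry() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$home" in
        */./*) marker=yes ;;   # "/./" separates jail root from in-jail home
        *)     marker=no ;;
    esac
    if [ "$shell" = "$JK_SHELL" ]; then
        if [ "$marker" = yes ]; then echo jailkit; else echo jk-no-marker; fi
    elif [ "$marker" = yes ]; then
        # Ordinary shell: only a patched sshd would act on the marker.
        echo sshd-patch-only
    else
        echo none
    fi
}

# jail_root LINE -> path before the first "/./", or "-" when there is no marker
jail_root() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    case "$home" in
        */./*) printf '%s\n' "${home%%/./*}" ;;
        *)     echo "-" ;;
    esac
}

# audit: reads passwd-format lines on stdin, prints user, class, jail root
audit() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\t%s\t%s\n' "${line%%:*}" "$(classify_entry "$line")" "$(jail_root "$line")"
    done
}

# Constructed sample entries (user names and IDs are made up for illustration).
sample_passwd() {
    printf '%s\n' \
'c1test1:x:5004:5005::/var/www/clients/client1/web1/./home/c1test1:/usr/sbin/jk_chrootsh' \
'c1test2:x:5004:5005::/var/www/clients/client1/web1/./home/c1test2:/bin/bash' \
'c1test3:x:5004:5005::/var/www/clients/client1/web1/home/c1test3:/bin/bash'
}
sample_passwd | audit
```

Run it against the real account database with `audit < /etc/passwd`. An account reported as `sshd-patch-only` is confined only if the SSH daemon carries the chroot patch, and one reported as `none` is not confined at all.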
