Jailed SSH users just exit.

Discussion in 'Installation/Configuration' started by xrstokes, Dec 28, 2011.

  1. xrstokes

    xrstokes New Member

    Thanks for all the help so far to all those who contribute to the forums. I've gotten stuck on a real doozy this time though. As the title suggests, I'm having trouble with jailing ssh users. Putty just exits. Here is some relevant info.
    Just followed the new openSUSE 12.1 perfect server guide and bought the manual and tried again; everything else I think is fine. I'd love to stick with openSUSE if possible.
    I tried the following with no luck. Did I make a security hole?
    Code:
    chmod +s /usr/sbin/jk_addjailuser
    chmod +s /usr/sbin/jk_check
    chmod +s /usr/sbin/jk_chrootlaunch
    chmod +s /usr/sbin/jk_chrootsh
    chmod +s /usr/sbin/jk_cp
    chmod +s /usr/sbin/jk_init
    chmod +s /usr/sbin/jk_jailuser
    chmod +s /usr/sbin/jk_list
    chmod +s /usr/sbin/jk_lsh
    chmod +s /usr/sbin/jk_procmailwrapper
    chmod +s /usr/sbin/jk_socketd
    chmod +s /usr/sbin/jk_update
    It changed the nature of the problem but it still exists.
    Here is the output of /etc/passwd
    Code:
    web3:x:5005:5004::/srv/www/clients/client1/web3/./home/web3:/bin/false
    grantstokes2:x:5005:5004::/srv/www/clients/client1/web3/./home/grantstokes2:/usr/sbin/jk_chrootsh
    Here is the relevant output from the log
    Code:
    Dec 28 17:33:39 webserv2 jk_chrootsh[3757]: now entering jail /srv/www/clients/client1/web3 for user grantstokes2 (5005)
    Dec 28 17:33:39 webserv2 jk_chrootsh[3757]: ERROR: failed to execute shell /bin/bash#015 for user grantstokes2 (5005), check the permissions and libraries of /srv/www/clients/client1/web3//bin/bash#015
    Dec 28 17:33:39 webserv2 systemd-logind[1077]: Removed session 20.
    Hope this all helps, and thank you so much in advance.

    Grant
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There was a problem with jailkit in ISPConfig 3.0.4; it has been fixed in ISPConfig 3.0.4.1. So most likely your problem will get solved by updating to the latest ISPConfig version. The jail will only be recreated when the first shell user of a website gets added, so you should try to create a new website and then a new shell user and try to log in with that user to see if the problem is solved.

    Most likely, yes.
     
  3. xrstokes

    xrstokes New Member

    WOW! Thanks for the fast response, but still no luck. I'll run through the guide again and let you know how I go. I've got a sneaky suspicion that the jailkit daemon wasn't running during install. Could that affect it? Out of curiosity, I don't suppose I can find a list somewhere of what services need to be running at install and all the time? I reckon the distro added a few I didn't need. I use nginx too, if that changes anything?

    Grant
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    That should not matter, as the jailkit daemon is not used in that setup, so it can be stopped.

    Just follow the perfect server guide, at the end all services required by ispconfig are installed and running.
     
  5. xrstokes

    xrstokes New Member

    Still got the same problem after running through again.


    Code:
    web1:x:5004:5004::/srv/www/clients/client1/web1/./home/web1:/bin/false
    grantstokesssh:x:5004:5004::/srv/www/clients/client1/web1/./home/grantstokesssh:/usr/sbin/jk_chrootsh
    
    Without jailkit

    Code:
    Dec 29 00:34:32 webserv2 sshd[7519]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    Dec 29 00:34:45 webserv2 sshd[7519]: Accepted keyboard-interactive/pam for grantstokesssh from 110.232.244.1 port 55612 ssh2
    Dec 29 00:34:45 webserv2 systemd-logind[1217]: New user web1 logged in.
    Dec 29 00:34:45 webserv2 systemd-logind[1217]: New session 17 of user web1.
    
    With

    Code:
    Dec 29 00:38:01 webserv2 shadow[7806]: account already exists - account=grantstokesssh, by=0
    Dec 29 00:38:22 webserv2 shadow[11754]: home directory changed - account=grantstokesssh, uid=5004, home=/srv/www/clients/client1/web1/., old home=/srv/www/clients/client1/web1, by=0
    Dec 29 00:38:22 webserv2 shadow[11754]: shell changed - account=grantstokesssh, uid=5004, shell=/usr/sbin/jk_chrootsh, old shell=/bin/bash, by=0
    Dec 29 00:38:22 webserv2 shadow[11755]: home directory changed - account=grantstokesssh, uid=5004, home=/srv/www/clients/client1/web1/./home/grantstokesssh, old home=/srv/www/clients/client1/web1/., by=0
    Dec 29 00:38:22 webserv2 shadow[11757]: home directory changed - account=web1, uid=5004, home=/srv/www/clients/client1/web1/./home/web1, old home=/srv/www/clients/client1/web1, by=0
    Dec 29 00:38:46 webserv2 sshd[11767]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
    Dec 29 00:38:59 webserv2 sshd[11767]: Accepted keyboard-interactive/pam for grantstokesssh from 110.232.244.1 port 55641 ssh2
    Dec 29 00:38:59 webserv2 systemd-logind[1217]: New session 25 of user web1.
    Dec 29 00:39:00 webserv2 jk_chrootsh[11778]: abort, effective user ID is not 0, possibly jk_chrootsh is not setuid root
    Dec 29 00:39:00 webserv2 systemd-logind[1217]: Removed session 25.
    Dec 29 00:39:00 webserv2 systemd-logind[1217]: User web1 logged out.
    
    Output from ls -la /usr/sbin/jk_chrootsh

    Code:
    webserv2:~ # ls -la /usr/sbin/jk_chrootsh
    -rwxr-xr-x 1 root root 27312 Oct 30 07:01 /usr/sbin/jk_chrootsh
    
    Maybe my default run level is too high or something? My brain hurts.

    Grant
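
    Added example (not part of the original posts or of jailkit/ISPConfig): a small audit for the two failures logged in this thread. `#015` is how syslog writes an escaped carriage return (octal 015), so the first log points at a `\r` after `/bin/bash` in the jail's `etc/passwd`; the second matches the `ls` output above, which shows no setuid bit. Function names are hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: diagnose the two jk_chrootsh failures seen in this thread.
# Assumes GNU coreutils (stat -c) as found on openSUSE and Ubuntu.

# Succeeds only if FILE is a regular file with the setuid bit set and is
# owned by OWNER_UID (default 0 = root). jk_chrootsh needs setuid root
# because chroot(2) requires root privileges.
is_setuid_owned_by() {
    file=$1 want_uid=${2:-0}
    [ -f "$file" ] && [ -u "$file" ] &&
        [ "$(stat -c %u "$file")" = "$want_uid" ]
}

# Print the login name of every passwd(5) entry containing a carriage
# return, e.g. a shell field of "/bin/bash\r" (logged as "/bin/bash#015").
passwd_cr_users() {
    awk -F: 'index($0, "\r") { print $1 }' "$1"
}

# Map one jk_chrootsh log line to a short diagnosis on stdout.
diagnose_line() {
    case $1 in
        *"failed to execute shell"*"#015"*) echo "cr-in-shell-path" ;;
        *"effective user ID is not 0"*)     echo "not-setuid-root" ;;
        *)                                  echo "unknown" ;;
    esac
}

# Audit one jail: JAIL is the chroot directory, BIN the jk_chrootsh path.
audit_jail() {
    jail=$1 bin=${2:-/usr/sbin/jk_chrootsh}
    is_setuid_owned_by "$bin" || echo "WARN: $bin is not setuid root"
    for u in $(passwd_cr_users "$jail/etc/passwd"); do
        echo "WARN: $jail/etc/passwd entry '$u' contains a carriage return"
    done
}

# With an argument, audit that jail, e.g.:
#   sh audit.sh /srv/www/clients/client1/web1
if [ "$#" -gt 0 ]; then audit_jail "$@"; fi
```

    Only `jk_chrootsh` is checked for setuid here; the check does not cover the other `jk_*` binaries.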
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you log in with username and password or with ssh keys? The ssh key function is not working currently, as described in the bugtracker; to fix that for your user you will have to chown the authorized keys folder and its contents in the home directory of the user from root to the user.

    http://bugtracker.ispconfig.org/index.php?do=details&task_id=1945
     
  7. xrstokes

    xrstokes New Member

    I'm not using keys. Just using username and password. I think it's related to this line.

    Code:
    Dec 29 00:39:00 webserv2 jk_chrootsh[11778]: abort, effective user ID is not 0, possibly jk_chrootsh is not setuid root
    Dec 29 00:39:00 webserv2 systemd-logind[1217]: Removed session 25.
    
    Or maybe the process run level is too low. If it were a key issue it wouldn't work with jailkit disabled.
     
  8. pititis

    pititis Member

    Go to the customer limits and check if only jailkit is selected.

    cheers
     
  9. xrstokes

    xrstokes New Member

    Only jailkit is enabled. I plan to force users to use sftp with clients like filezilla.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Better use ftps instead of ftp. Ftps is ftp over ssl and is jailed by the pure ftpd daemon, so you don't need jailkit. The jailkit jails are made for interactive connections, e.g. with putty; they don't work for sftp by default.
     
  11. xrstokes

    xrstokes New Member

    I'll look into that, but I'd love to solve this issue first. I clean installed again and now the log looks a bit different but essentially the same. I'm pulling my hair out over this one.
    Code:
    Dec 29 23:22:45 webserv2 sshd[6775]: Accepted keyboard-interactive/pam for cocwarragul1 from 110.232.244.1 port 57721 ssh2
    Dec 29 23:22:45 webserv2 systemd-logind[1003]: New user web1 logged in.
    Dec 29 23:22:45 webserv2 systemd-logind[1003]: New session 35 of user web1.
    Dec 29 23:22:45 webserv2 jk_chrootsh[6786]: abort, effective user ID is not 0, possibly jk_chrootsh is not setuid root
    Dec 29 23:22:45 webserv2 systemd-logind[1003]: Removed session 35
     
  12. xrstokes

    xrstokes New Member

  13. xrstokes

    xrstokes New Member

    Does anyone know if selinux needs to be disabled or something like that? I didn't enable it, but maybe it is by default?
    I've moved over to try Ubuntu now. Half way through running it up now. After 3 years of love and torture it might be time to move away from the green team. :(
     
  14. falko

    falko Super Moderator ISPConfig Developer

    Yes, it needs to be disabled, and yes, it is on by default.
     
  15. xrstokes

    xrstokes New Member

    No luck. It was off already. I'll post back if I have any luck. Moving on to try and set up ftps, using filezilla. Not had any luck with that yet either. Explicit gives the following.

    Response: 220 You will be disconnected after 15 minutes of inactivity.
    Command: AUTH TLS
    Response: 500 This security scheme is not implemented
    Command: AUTH SSL
    Response: 500 This security scheme is not implemented

    Implicit gives nothing either. I haven't started looking into it yet.
     
  16. xrstokes

    xrstokes New Member

    Got the ftps working. Just needed to open the passive port range in the firewall. Thanks for all the help so far. Moving on to the next hurdle.

    :):)
     