jailkit not working on ISPconfig v 3.0.2 Debian Lenny

Discussion in 'General' started by jwlinux, Mar 23, 2010.

  1. jwlinux

    jwlinux New Member

    As mentioned in other posts - I recently installed ISPConfig 3.0.2 on Debian Lenny. I used the Debian Lenny Perfect Setup instructions http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3 to the best of my knowledge I followed the instructions exactly.

    I made a reseller, reseller make a client, client made a website and FTP user and shell user. So far so good except for the shell user:

    In the reseller limits, SSH-Chroot Options I checked both "none" and "jailkit"
    In turn, the reseller checked "none" and "jailkit" for the client (limit is set to -1 in each)
    When the client made the "shell user" we set the "Chroot Shell" option to Jailkit

    However the shell user cannot log in via sftp, I see errors like this in the system logs:

    Mar 23 15:19:13 ccs090 sshd[27807]: pam_unix(sshd:session): session opened for user site1 by (uid=0)
    Mar 23 15:19:13 ccs090 sshd[27809]: subsystem request for sftp
    Mar 23 15:19:13 ccs090 snoopy[27810]: [unknown, uid:5004 sid:27810]: false -c /usr/lib/openssh/sftp-server
    Mar 23 15:19:13 ccs090 sshd[27807]: pam_unix(sshd:session): session closed for user site1

    I discovered that their shell was set to /bin/false.
    So I changed it manually:
    usermod -s /usr/sbin/jk_chrootsh site1

    Then in the logs I saw errors like:

    Mar 23 16:36:43 ccs090 sshd[28937]: Accepted password for site1 from 12.233.247.2 port 63729 ssh2
    Mar 23 16:36:43 ccs090 sshd[28937]: pam_unix(sshd:session): session opened for user site1 by (uid=0)
    Mar 23 16:36:43 ccs090 sshd[28939]: subsystem request for sftp
    Mar 23 16:36:43 ccs090 snoopy[28940]: [unknown, uid:5004 sid:28940]: jk_chrootsh -c /usr/lib/openssh/sftp-server
    Mar 23 16:36:43 ccs090 jk_chrootsh[28940]: path /var/www/clients/client5/web4/./home/web4 is group writable
    Mar 23 16:36:43 ccs090 jk_chrootsh[28940]: abort, path /var/www/clients/client5/web4/./home/web4 is group writable, set option 'relax_home_group_permissions' to relax this check

    So after some google research I set the following options in /etc/jailkit/jk_chrootsh.ini :

    [DEFAULT]
    relax_home_group=1
    relax_home_group_permissions=1
    relax_home_other_permissions=1


    Now, I get errors that chroot cannot find bash:

    Mar 23 16:38:31 ccs090 sshd[28957]: Accepted password for site1 from 12.233.247.2 port 60101 ssh2
    Mar 23 16:38:31 ccs090 sshd[28957]: pam_unix(sshd:session): session opened for user site1 by (uid=0)
    Mar 23 16:38:31 ccs090 sshd[28959]: subsystem request for sftp
    Mar 23 16:38:31 ccs090 snoopy[28960]: [unknown, uid:5004 sid:28960]: jk_chrootsh -c /usr/lib/openssh/sftp-server
    Mar 23 16:38:31 ccs090 jk_chrootsh[28960]: path /var/www/clients/client5/web4/./home/web4 is group writable
    Mar 23 16:38:31 ccs090 jk_chrootsh[28960]: now entering jail /var/www/clients/client5/web4 for user web4 (5004)
    Mar 23 16:38:31 ccs090 snoopy[28960]: [unknown, uid:5004 sid:28960]: /bin/bash -c /usr/lib/openssh/sftp-server
    Mar 23 16:38:31 ccs090 snoopy[28960]: ERROR: failed to execute shell /bin/bash for user web4 (5004), check the permissions and libraries of /var/www/clients/client5/web4//bin/bash
    Mar 23 16:38:31 ccs090 sshd[28957]: pam_unix(sshd:session): session closed for user site1


    I also eventually changed the shell for user "web4":

    usermod -s /usr/sbin/jk_chrootsh web4

    All of the directories exist but bin/bash does not:

    drwxrwxr-x 2 web4 client5 48 2010-03-22 16:21 /var/www/clients/client5/web4/./home/web4
    drwxrwxr-x 4 root root 104 2010-03-23 15:19 /var/www/clients/client5/web4/./home/
    drwxr-xr-x 9 root root 304 2010-03-22 16:21 /var/www/clients/client5/web4/

    ls: cannot access /var/www/clients/client5/web4//bin/bash

    And in fact there is no ./bin/ directory at all:

    #ls /var/www/clients/client5/web4/
    cgi-bin etc home log ssl tmp var web

    I did not change any default setting for jailkit or for the user that I know of. It seems that jailkit/ISPConfig to not "create" the chroot jail correctly.

    Can anyone tell me what I need to do to fix this?

    Thank you,

    JW
     
    Last edited: Mar 23, 2010
  2. jwlinux

    jwlinux New Member

    Just for testing I also tried having the client change the "shell user's" Chroot Shell option from "Jailkit" to "none".

    The user is now able to log in, but of course they can see the entire host FS, which is certainly not desirable.

    Thanks,

    JW
     
  3. jwlinux

    jwlinux New Member

    Also in the Reseller's account, viewing the System > Server Config > Jailkit tab, everything is set to the defaults (I did not change them) and the defaults are these:


    Jailkit chroot home
    /home/[username]

    Jailkit chroot app sections
    basicshell editors extendedshell netutils ssh sftp scp groups jk_lsh

    Jailkit chrooted applications
    /usr/bin/groups /usr/bin/id /usr/bin/dircolors /usr/bin/lesspipe /usr/bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/pico

    Jailkit cron chrooted applications
    /usr/bin/php /usr/bin/perl /usr/share/perl /usr/share/php


    Is there anything wrong with that?

    JW
     
  4. till

    till Super Moderator

    Do not modify an ispconfig user manually. The only thing that you can achieve with that is to break your setup. Please delete the users and sites that you modified manually in ispconfig and recreate them afterwards in ispconfig.


    Jailkit is working fine in ispconfig 3.0.2, so we have to find out whats wrong with your installation. Have you installed jailkit before you installed ispconfig or after you installed ispconfig.
     
  5. jwlinux

    jwlinux New Member

    I used the Debian Lenny Perfect Setup instructions http://www.howtoforge.com/perfect-se...nny-ispconfig3, so yes I installed jailkit (on page 4 in Step 15 Install Jailkit) before ISPConfig, which is later, step 18 in those instructions.

    I can delete and create as many users / sites as you would like me to. They all behave the same.

    Here I have created a whole new client account and new shell user. On the client ssh/sftp side I see this:

    ssh bvc1@myserver
    bvc1@myserver's password:
    Linux ccs089 2.6.26-2-amd64 #1 SMP Tue Mar 9 22:29:32 UTC 2010 x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Connection to myserver closed.

    sftp bvc1@myserver
    Connecting to myserver...
    bvc1@myserver's password:
    Connection closed

    On the server I see the following in the logs:


    Mar 24 09:59:05 myserver snoopy[18200]: [unknown, uid:0 sid:18200]: /usr/sbin/sshd -R
    Mar 24 09:59:13 myserver sshd[18200]: Accepted password for bvc1 from 2.123.123.123 port 61215 ssh2
    Mar 24 09:59:13 myserver sshd[18200]: pam_unix(sshd:session): session opened for user bvc1 by (uid=0)
    Mar 24 09:59:13 myserver snoopy[18203]: [bvc1, uid:5005 sid:18203]: -false
    Mar 24 09:59:13 myserver sshd[18200]: pam_unix(sshd:session): session closed for user bvc1
    Mar 24 09:59:39 myserver snoopy[18204]: [unknown, uid:0 sid:18204]: /usr/sbin/sshd -R
    Mar 24 09:59:45 myserver sshd[18204]: Accepted password for bvc1 from 2.123.123.123 port 61218 ssh2
    Mar 24 09:59:45 myserver sshd[18204]: pam_unix(sshd:session): session opened for user bvc1 by (uid=0)
    Mar 24 09:59:45 myserver sshd[18206]: subsystem request for sftp
    Mar 24 09:59:45 myserver snoopy[18207]: [unknown, uid:5005 sid:18207]: false -c /usr/lib/openssh/sftp-server
    Mar 24 09:59:45 myserver sshd[18204]: pam_unix(sshd:session): session closed for user bvc1


    I have not edited or changed this user in anyway.
    By default, these new users are being created with /bin/false for a shell. If this correct behavior?

    What other information can I provide to debug this problem?

    These are 2 new Debian Lenny installs. The only difference I can think of is that I did install some additional packages and perl modules on the system before installing ISPConfig (not after). Does ISPConfig use any perl modules?

    Here's a list of all my extra debian packages (aside from perl):

    emacs22-nox less bzip2 vim wget ncftp w3m lynx wajig sudo ntp apt-show-versions cvs firehol ulogd screen psmisc openssl rsync iproute logwatch snoopy sysstat mysql-client
    gcc make automake autoconf bison flex libc6-dev

    Thanks,

    JW
     
  6. till

    till Super Moderator

    ISPConfig itself does not use perl. But it is possible that external packages like jailkit use it. The shell /bin/false is the correct shell for the main user of a website. Then you create a shell user with jailkit enabled and jailkit the changes the shell for this new user ti the jailkit shell.

    Which jailkit version did you install?
     
  7. jwlinux

    jwlinux New Member

    jailkit is not actually doing this, then.

    jailkit 2.5-1
     
  8. jwlinux

    jwlinux New Member

    Also for clarification, I did delete the old site & user as you asked. After recreating it - it's still the same.
     
  9. BorderAmigos

    BorderAmigos New Member

    I'm using Debian Lenny on 2 servers with ISPConfig 3.0.2 and jailkit is working fine. I do notice 'snoopy' and 'unknown UID:' in your logs. The unknown user ID seems wrong. Also what is 'snoopy' doing? I don't know the answer. Just things to look into.
     
  10. jwlinux

    jwlinux New Member

    " I do notice 'snoopy' and 'unknown UID:' in your logs. The unknown user ID seems wrong. "

    It actually doens't say "unknown UID", is says "unknown, uid:5004." unknown refers to some other field of information, I'm not sure what.

    uid:5004 was the users's UID in /etc/password, that part is correct (or was at the time).

    I also noticed that the user's directory tree files under web/ are owned by, for example:

    drwxr-xr-x 2 1061 users 216 2010-03-24 04:55 error

    and no such user 1061 exists in /etc/password. I don't know where it got 1061 from. I wonder if it's trying to use that in other places (such as while creating a shell user) and that's what's breaking it.

    "Also what is 'snoopy' doing? I don't know the answer. Just things to look into."

    Snoppy is a logging function. I have been using it for years on all kinds of servers, it works good, and is transparent to all programs. I'm sure there is some 0.01% possibility that snoopy is causing a problem but it is very, very unlikely.

    Till: please tell me where I can look or what tests I ran run to try to find _why_ the jailkit user is not being created correctly.

    On one of my two ISPConfig servers I also tried doing the automatic upgrade to 3.0.2.1, because I saw elsewhere on the forum that this was recommended in a few cases to fix jailkit problems.

    I tried creating new sites and shell users after the upgrade, and it is still the same.

    Thank you every one for your help,

    JW
     
  11. jwlinux

    jwlinux New Member

    One other thing - I did not enable quotas on my system, since I don't need or want them.

    Is if possible that for some reason jailkit is failing because of the lack of quota support? Everything else seems to be working fine . . .

    JW
     
  12. jwlinux

    jwlinux New Member

    I'm starting a completely fresh reinstall to see if it is better.

    Should I install a newer version of jailkit, or stick with 2.5? I noticed some talk of 2.8 elsewhere on the forums.

    JW
     
  13. till

    till Super Moderator

    Please install the latest jailkit version, which is 2.11 at the moment.
     
  14. jwlinux

    jwlinux New Member

    Well, like most folks on these forums I reinstalled fresh and it fixed the problem.

    For the record, this time I used the latest jailkit tarball (2.11) from the jailkit site.

    One other thing I noticed that I missed last time in the setup - having the full host+domain set as the hostname in /etc/hostname. I wonder if maybe that was what broke the previos setup -- last time I only had the hostname set.

    Till, just out of curiosity - what is it that requires having the whole hostname in /etc/hosts?

    JW
     
  15. lolo6tm

    lolo6tm New Member

    Jailkit SSH User do not work as expected... (ISPConfig 3.0.3.3)

    If you create zan SSH/Jailkit user using ISPConfig admin account it won't work, at least for me. You got to create it using the reseller/client account which owns the concerned website.

    Hope it will help ...
     

Share This Page