Security risk with Jailkit

Discussion in 'Installation/Configuration' started by bethebeast, Jun 10, 2013.

  1. bethebeast

    bethebeast New Member


    I just realized that there is a security risk with Jailkit.

    When I create a shell user, the user can connect to FTP with an FTP client. And when I turn off the jailkit user, he can still connect via FTP!

    How do I prevent the FTP connection for a shell user, even when the shell user is disabled?

    Thx and best regards ^^

    PS: sorry for my English :)
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, of course, and that's not a security risk. FTP and shell users are separate. If you want to remove an ftp user, then delete the ftp user and not the shell user.
  3. bethebeast

    bethebeast New Member

    thx till for your answer ^^

    Are you sure?

    For example:

    I create FTP account "ftp_account1" for site1, and the shell user "ssh_user_1" for the same site1.

    1- Both accounts are activated: both accounts can connect via FTP, ok.

    2- I disabled "ftp_account1": ssh_user_1 can connect via FTP :eek:

    3- I delete the ftp_account1: ssh_user_1 can connect via FTP :eek:

    Either I misunderstood or something is wrong ... :confused:

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The account ftp_account1 is a so-called virtual user; it exists only in the ispconfig database. These virtual users are the normal ftp users in ispconfig.

    The shell users (jailkit users) are normal linux users. Most likely ftp is enabled for shell and system users in the pure-ftpd configuration file; in this case you can use an ftp user to connect with ftp, while shell users are allowed to connect by ftp and ssh. When you delete a shell user, its login details in /etc/passwd and /etc/shadow are deleted and you cannot log in with that user by either ftp or ssh afterwards.
  5. bethebeast

    bethebeast New Member

    Thank you for these explanations, it's clear to me now :)

    But I have a question: how can I disable FTP login for shell users?

    For account ssh_user_1, I want only SSH access and not FTP.

    If I want FTP access, then I create a (virtual) FTP user in ISPC.

  6. dclardy

    dclardy Member

    What OS are you using?

    On my Debian Wheezy VPS, there are options called PAMAuthentication and UnixAuthentication. If you set both of those to no, you should not be able to log in as a shell user.
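
An added example, not part of the thread: a read-only check for the condition described in the answer above, that both PAMAuthentication and UnixAuthentication are set to no. It assumes the Debian-style layout where each pure-ftpd option is a file named after the option (e.g. /etc/pure-ftpd/conf); the function names and the demo values are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): check that pure-ftpd is not set up
# to authenticate against system accounts (the shell/jailkit users).
# Assumption: one file per option, file name = option name, content = value.

# Print the value of one option, lower-cased; "unset" if the file is missing.
option_value() {
    if [ -r "$1/$2" ]; then
        tr -d ' \t\r' < "$1/$2" | sed -n '/./{p;q;}' | tr 'A-Z' 'a-z'
    else
        echo unset
    fi
}

# Exit status 0 only when both options are explicitly "no", the condition
# given in the thread; any other state is reported for manual review.
system_auth_disabled() {
    rc=0
    for opt in PAMAuthentication UnixAuthentication; do
        val=$(option_value "$1" "$opt")
        [ -n "$val" ] || val=empty
        if [ "$val" = no ]; then
            echo "ok:     $opt=no"
        else
            echo "review: $opt=$val (not explicitly 'no')"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed directory, so nothing on the real system is touched.
demo() {
    d=$(mktemp -d) || return 1
    echo yes > "$d/PAMAuthentication"
    echo no  > "$d/UnixAuthentication"
    system_auth_disabled "$d" || echo "=> system-account FTP login not ruled out"
    echo no > "$d/PAMAuthentication"
    system_auth_disabled "$d" && echo "=> both system-account options are off"
    rm -rf "$d"
}

# Usage: script [CONF_DIR]; with no argument the constructed demo runs.
if [ $# -gt 0 ]; then system_auth_disabled "$1"; else demo; fi
```
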
  7. bethebeast

    bethebeast New Member
