Shell-User cannot access SFTP and SSH Commands

Discussion in 'Installation/Configuration' started by andcha, Oct 9, 2013.

  1. andcha

    andcha New Member

    Hi
    My system is running ISPConfig3 Latest Stable on Ubuntu 12.04 x64.
    Problem is that shell users created in ISPConfig panel are not able to SFTP and execute even basic SSH Commands

    Here is what I have done till now

    I have created two shell users for two websites, one located in web1 folder and other in web2. I have tried both, keeping the user in Jailkit and in None, this is what happens:

    If I keep the user defaultchotu as "Chroot Shell:None":

    a) defaultchotu can access SSH but cannot execute even basic commands like: wget
    -Without sudo prefix I get, file.zip: Permission denied
    -With sudo, it asks for password (of course) but for user web1 and not defaultchotu. Even the putty screen shows [email protected]:~$ as the user logged in, not defaultchotu. So when I enter the password for defaultchotu, it does not accepts and apache2 log shows following error lines
    Code:
    Oct  9 13:08:30 ns01 sudo: pam_unix(sudo:auth): authentication failure; logname=defaultchotu uid=5004 euid=0 tty=/dev/pts/0 ruser=web1 rhost=  user=web1
    Oct  9 13:08:41 ns01 sudo: pam_unix(sudo:auth): conversation failed
    Oct  9 13:08:41 ns01 sudo: pam_unix(sudo:auth): auth could not identify password for [web1]
    Oct  9 13:08:41 ns01 sudo:     web1 : 2 incorrect password attempts ; TTY=pts/0 ; PWD=/var/www/clients/client0/web1 ; USER=root ; COMMAND=/usr/bin/wget https://www.dropbox.com/s/gibberish/file.zip
    b) defaultchotu CAN login to SFTP through Filezilla and see all directories but cannot upload files (only download possible)

    Filezilla log reads
    Code:
    Status:	Starting upload of D:\DL\testscript.sh
    Status:	Retrieving directory listing...
    Command:	ls
    Status:	Listing directory /var/www/clients/client0/web1
    Command:	put "D:\DL\testscript.sh" "testscript.sh"
    Error:	/var/www/clients/client0/web1/testscript.sh: open for write: permission denied
    Error:	File transfer failed
    Status:	Retrieving directory listing...
    Command:	ls
    Status:	Listing directory /var/www/clients/client0/web1
    Status:	Directory listing successful
    Status:	Disconnected from server
    /var/log/auth.log reads
    Code:
    Oct  9 13:16:21 ns01 sshd[21863]: Accepted password for defaultchotu from xxx.xxx.xxx.xxx port xxxxx ssh2
    Oct  9 13:16:21 ns01 sshd[21863]: pam_unix(sshd:session): session opened for user defaultchotu by (uid=0)
    Oct  9 13:16:21 ns01 sshd[22020]: subsystem request for sftp by user defaultchotu
    If I keep the user defaultchotu2 as "Chroot Shell:Jailkit":

    a) defaultchotu2 can access ssh but no shell commands are available to it. For example:
    - I cannot list the web root directory with ls command (with webroot I mean /var/www/clients/client0/web2)
    - If I do wget command, I get
    Code:
    Resolving www.dropbox.com (www.dropbox.com)... failed: Name or service not known. wget: unable to resolve host address `www.dropbox.com'
    - I surely can go to cd /web and ls that directory but still wget or other basic commands doesn't work
    - In both directories, web2 and web, if I use sudo, an error pops:
    Code:
    bash: sudo: command not found
    FYI, Logs of /var/log/auth.log after defaultchotu2 login
    Code:
    	Oct  9 13:44:56 ns01 sshd[2669]: Accepted password for defaultchotu2 from 182.xxx.xxx.xxx port xxxxx ssh2
    Oct  9 13:44:56 ns01 sshd[2669]: pam_unix(sshd:session): session opened for user defaultchotu2 by (uid=0)
    Oct  9 13:44:57 ns01 jk_chrootsh[2827]: now entering jail /var/www/clients/client0/web2 for user defaultchotu2 (5005) with arguments 
    b) defaultchotu2 cannot login through SFTP with the following errors
    Filezilla
    Code:
    Status:	Connecting to server1.in:4xxxx...
    Response:	fzSftp started
    Command:	open "[email protected]" 4xxxx
    Command:	Pass: ******
    Status:	Connected to server1.in
    Error:	Connection closed by server with exitcode 1
    Error:	Could not connect to server
    /var/log/auth.log
    Code:
    Oct  9 14:03:24 ns01 sshd[5408]: Accepted password for defaultchotu2 from 182.xxx.xxx.xxx port 5xxx8 ssh2
    Oct  9 14:03:24 ns01 sshd[5408]: pam_unix(sshd:session): session opened for user defaultchotu2 by (uid=0)
    Oct  9 14:03:24 ns01 sshd[5565]: subsystem request for sftp by user defaultchotu2
    Oct  9 14:03:24 ns01 jk_chrootsh[5566]: now entering jail /var/www/clients/client0/web2 for user defaultchotu2 (5005) with arguments -c /usr/lib/openssh/sftp-server
    Oct  9 14:03:25 ns01 sshd[5408]: pam_unix(sshd:session): session closed for user defaultchotu2
    Oct  9 14:03:32 ns01 sshd[5567]: Accepted password for defaultchotu2 from 182.xxx.xxx.xxx port 5xx29 ssh2
    Oct  9 14:03:32 ns01 sshd[5567]: pam_unix(sshd:session): session opened for user defaultchotu2 by (uid=0)
    Oct  9 14:03:33 ns01 sshd[5724]: subsystem request for sftp by user defaultchotu2
    Oct  9 14:03:33 ns01 jk_chrootsh[5725]: now entering jail /var/www/clients/client0/web2 for user defaultchotu2 (5005) with arguments -c /usr/lib/openssh/sftp-server
    Oct  9 14:03:33 ns01 sshd[5567]: pam_unix(sshd:session): session closed for user defaultchotu2

    Weird thing is that I cannot even transfer files from my main user account (with root privileges 'sudo su') to /var/www/clients/client0/web2 or /var/www/clients/client0/web1 directories

    Additional Info:

    1. /etc/passwd contains following
    Code:
    web1:x:5004:5005::/var/www/clients/client0/web1:/bin/false
    web2:x:5005:5005::/var/www/clients/client0/web2/./home/defaultchotu2:/usr/sbin/jk_chrootsh
    defaultchotu:x:5004:5005::/var/www/clients/client0/web1:/bin/bash
    defaultchotu2:x:5005:5005::/var/www/clients/client0/web2/./home/defaultchotu2:/usr/sbin/jk_chrootsh

    2. Before even installing ISPConfig3, I had:
    Disabled root login in /etc/ssh/sshd_config
    Changed SSH port from 22 to xxxxx in /etc/ssh/sshd_config
    Changed protocol from 1,2 to 2 in /etc/ssh/sshd_config
    Added UsePAM yes in /etc/ssh/sshd_config
    UseDNS no in /etc/ssh/sshd_config
    AllowGroups sshdusers in /etc/ssh/sshd_config

    3. etc/sudoers contains following lines
    Code:
    Defaults        env_reset
    Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # User privilege specification
    root    ALL=(ALL:ALL) ALL
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    # Allow members of group sudo to execute any command
    %sudo   ALL=(ALL:ALL) ALL
    # See sudoers(5) for more information on "#include" directives:
    #includedir /etc/sudoers.d
    www-data ALL=(root) NOPASSWD: /usr/sbin/repquota
    4. Now to cope up with this security measure, I ran following commands right after adding users in ISPConfig > Shell-Users; to add these users to allowed groups
    Code:
    addgroup defaultchotu admin
    addgroup defaultchotu sshdusers
    addgroup web1 admin
    addgroup web1 sshdusers
    service ssh restart
    service sudo restart
    
    addgroup defaultchotu2 admin
    addgroup defaultchotu2 sshdusers
    addgroup web2 admin
    addgroup web2 sshdusers
    service ssh restart
    service sudo restart
    reboot
    
    Update 1
    a) Can this be a quota problem? Because I skipped quota settings as mentioned in step 16 of The Perfect Server - Ubuntu 12.04 LTS. Why I feel this is because ISPC created few lines in /etc/fstab
    Code:
    /var/log/ispconfig/httpd/example.in /var/www/clients/client0/web1/log    none    bind,nobootwait    0 0
    /var/log/ispconfig/httpd/example2.in /var/www/clients/client0/web2/log    none    bind,nobootwait    0 0
    
    b) Although I tried this before also, but I tried once again, to create a ftp user in ISPC Panel from Sites > FTP Account > New User, but still no success. I can connect to the ftp in the base directory (web2) but cannot upload files (download works). Here is the error I get in filezilla:
    Code:
    Command:	TYPE A
    Response:	200 TYPE is now ASCII
    Command:	PASV
    Response:	227 Entering Passive Mode (198,xxx,xx,xx,xxx,xxx)
    Command:	STOR testscript.sh
    Response:	553 Can't open that file: Permission denied
    Error:	Critical file transfer error
     
    Last edited: Oct 9, 2013
  2. andcha

    andcha New Member

    Okay, It took some time but I figured it out.
     
  3. Quaxth

    Quaxth New Member

    Maybe it would be appropriate to post the solution you found that other users could benefit from it if they having the same problem.

    Thanks.
     
  4. GrafPorno

    GrafPorno New Member HowtoForge Supporter

Share This Page