shrooted ssh environments for ispconfig users

Discussion in 'Tips/Tricks/Mods' started by hrvbid, Dec 23, 2009.

  1. hrvbid

    hrvbid New Member

    (ispconfig 2.2.35, ubuntu 9.10)
    With openssh 4.9.x/5.x, the logic to build chrooted ssh users in just built in. Because of the new
    logic, the magic separator "/./" within the users homedir assignment in passwd is no longer needed, but is
    now in trouble. See for the basics.
    To consider the history and also the new logic, a solution for ispconfig seems easy to adapt:
    One strategic parameter is in /root/ispconfig/scripts/lib/, where
    $go_info["server"]["ssh_chroot"] = or 1
    is responsible for two actions. In case of value 1, 1st, the magic separator "/./" is used, and 2nd, the
    script /root/ispconfig/scripts/shell/ is scheduled to build the users chrooted
    One solution is, to have a tri-state with $go_info["server"]["ssh_chroot"], where 0 leads to no chroot,
    where 1 leads to chroot with magic "/./" and script execution, and where a new value 2 leads to omit the
    magic "/./" but performs the script. The behaviour of option 0 and 1 are unchanged to support all those
    with the need of the old logic, but option 2 now becomes adjusted to the new logic. The changes are most easy:
    The essential file is /root/ispconfig/scripts/lib/config.lib.php, where lines
    # 772-774 (insert new user)
      if($go_info["server"]["ssh_chroot"] == && $user["user_shell"] && $web["web_shell"]) {
    exec("/root/ispconfig/scripts/shell/ $user_username");
    have to change to
      if($go_info["server"]["ssh_chroot"] > && $user["user_shell"] && $web["web_shell"]) {
    exec("/root/ispconfig/scripts/shell/ $user_username");
    and lines
    # 949-950 (update user)
      if($go_info["server"]["ssh_chroot"] == && $user["user_shell"] && $web["web_shell"]) {
    exec("/root/ispconfig/scripts/shell/ $user_username");
    also have to change to
      if($go_info["server"]["ssh_chroot"] > && $user["user_shell"] && $web["web_shell"]) {
    exec("/root/ispconfig/scripts/shell/ $user_username");
    Note, thats all to do - a really cheap solution. To be complete, a look to
    /root/ispconfig/scripts/lib/, where line #106
    $go_info["server"]["ssh_chroot"] = 2; // 0 = no, 1 = yes with old chroot path /./, 2 = yes without /./ (openssh 5.x logic)
    is the example to use the new logic.
    I would be happy, if the small changes would be confirmed with one of the next ispconfix 2.x releases.
  2. userman

    userman New Member



    I got ispconfig 2.2.35, centos 5.4 and OpenSSH_5.2p1.

    I add to sshd_config:
    Match Group web*
    ChrootDirectory ~/
    AllowTcpForwarding no

    I change 0 to 1:
    $go_info["server"]["ssh_chroot"] = 1;

    When I create a user from ispconfig, I get all library into the ftp account but i cant connect to sftp.
    I think I get the error in sshd_config because if i dont put the new config into sshd_config, its work!

    Whats the my problem?
    Thanks for the help!!

    ** Sorry for my bad english :)
  3. steve7680768

    steve7680768 New Member

    your English is not bad at all. I have consider your problem... I will try to sort it out..
  4. userman

    userman New Member

    i dont remember... do you active shell access from panel ispconfig for the user of the domain?
  5. rockstar9840

    rockstar9840 New Member

    Hi hrvbid, Thanks for the nice post you sharing with us. :)

Share This Page