ssh within jailed user shell not working

Discussion in 'Installation/Configuration' started by martin.macko.47, Feb 11, 2014.

  1. martin.macko.47

    martin.macko.47 New Member

    I enabled users to use jailed shell command line interface for websites. So far, this works fine, the user can ssh to his jailed website, use the shell, editors and so:
    Code:
    [email protected]:~$ ssh [email protected]
    [email protected]'s password:
    [email protected]:~$
    [email protected]:~$ ls /web/
    error    favicon.ico    index.html    robots.txt    stats
    However, if he tries to ssh from his jailed environment outside to some other server, it doesn't work. The same happens if he tries to use scp:
    Code:
    [email protected]:~$ ssh [email protected]
    You don't exist, go away!
    [email protected]:~$ scp [email protected]:some/file.txt .
    unknown user 5004
    Why? How to make it work?

    Tested on fully updated fresh install of:
    • Ubuntu server 12.04.3 LTS (64bit)
    • Jailkit-2.17 used as chroot shell
    • ISPConfig 3.0.5.3
    Installed following The Perfect Server - Ubuntu 12.04 LTS (Apache2, BIND, Dovecot, ISPConfig 3) tutorial.
     
  2. martin.macko.47

    martin.macko.47 New Member

    I've found out that the ISPConfig installer does not configure jailkit correctly on 64bit Ubuntu. The sections [uidbasics] and [netbasics] in /etc/jailkit/jk_init.ini should read as follows, with the /lib/x86_64-linux-gnu paths to the libraries added:
    Code:
    [uidbasics]
    comment = common files for all jails that need user/group information
    libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/x86_64-linux-gnu/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/x86_64-linux-gnu/libnss*.so.2
    regularfiles = /etc/nsswitch.conf, /etc/ld.so.conf
    
    [netbasics]
    comment = common files for all jails that need any internet connectivity
    libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/x86_64-linux-gnu/libnss_dns.so.2
    regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols
    
    Otherwise, no program that needs user/group information or any internet connectivity works in the jailed environment. E.g. ssh, wget, etc.

    The ISPConfig installer needs to have ispconfig3_install/install/tpl/jk_init.ini.master fixed accordingly...

    I've submitted this bug to the bugtracker, so hopefully it will get fixed, thanks. http://bugtracker.ispconfig.org/index.php?do=details&task_id=3335
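    An added check, not code from this thread, from Jailkit or from ISPConfig, for verifying a jk_init.ini section like the one above: it reports which path patterns of the section match nothing on the host (on 64-bit Ubuntu that is exactly how the absent /lib/x86_64-linux-gnu entries show up, since the /lib and /lib64 patterns match nothing and so nothing gets copied) and which host files matched by the section are absent from a given jail (the cause of "unknown user" and "You don't exist, go away!" inside the jail). The function names, the constructed host/jail tree and the fixture jk_init.ini are assumptions made for this example; on a real server the host root would be / and the jail root the website's jail directory.

```shell
#!/bin/sh
# Added example: not code from this thread, Jailkit or ISPConfig.
# For one jk_init.ini section it reports (a) path patterns that match nothing
# on the host and (b) files the host has but the jail does not.
# Host root and jail root are parameters so the check can run on a constructed
# tree; on a real server they would be / and the jail directory (e.g. /home/web5).

# Print the value of key $2 in section $1 of ini file $3 (nothing if absent).
ini_value() {
    awk -v sec="[$1]" -v key="$2" '
        $0 == sec { inside = 1; next }
        /^\[/     { inside = 0 }
        inside && $0 ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$3"
}

# One path pattern per line from the keys Jailkit copies for section $1 of $2.
section_patterns() {
    for key in libraries regularfiles executables directories; do
        ini_value "$1" "$key" "$2"
    done | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Patterns of section $1 (ini $2) that match no file below host root $3.
unmatched_on_host() {
    host=$3
    section_patterns "$1" "$2" | while IFS= read -r pat; do
        set -- $host$pat                 # unquoted on purpose: expand the glob
        [ -e "$1" ] || printf '%s\n' "$pat"
    done
}

# Files matched below host root $3 by section $1 (ini $2) but absent below jail root $4.
missing_in_jail() {
    host=$3; jail=$4
    section_patterns "$1" "$2" | while IFS= read -r pat; do
        for f in $host$pat; do           # unquoted on purpose: expand the glob
            [ -e "$f" ] || continue      # pattern matched nothing on the host
            rel=${f#"$host"}
            [ -e "$jail$rel" ] || printf '%s\n' "$rel"
        done
    done
}

# Constructed fixture mirroring the thread's 64-bit Ubuntu case: the host only
# has the multiarch libraries, the jail is missing one library and one file.
# Prints the fixture directory; its jk_init.ini holds the corrected sections.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/host/lib/x86_64-linux-gnu" "$d/host/etc" \
             "$d/jail/lib/x86_64-linux-gnu" "$d/jail/etc"
    : > "$d/host/lib/x86_64-linux-gnu/libnsl.so.1"
    : > "$d/host/lib/x86_64-linux-gnu/libnss_files.so.2"
    : > "$d/host/etc/nsswitch.conf"
    : > "$d/host/etc/ld.so.conf"
    : > "$d/jail/lib/x86_64-linux-gnu/libnsl.so.1"   # libnss_files.so.2 not copied
    : > "$d/jail/etc/nsswitch.conf"                   # ld.so.conf not copied
    cat > "$d/jk_init.ini" <<'EOF'
[uidbasics]
comment = common files for all jails that need user/group information
libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/x86_64-linux-gnu/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/x86_64-linux-gnu/libnss*.so.2
regularfiles = /etc/nsswitch.conf, /etc/ld.so.conf

[netbasics]
comment = common files for all jails that need any internet connectivity
libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/x86_64-linux-gnu/libnss_dns.so.2
regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols
EOF
    printf '%s\n' "$d"
}

# Stand-alone run against the fixture ("sh check.sh demo"); on a real box:
#   unmatched_on_host uidbasics /etc/jailkit/jk_init.ini /
#   missing_in_jail   uidbasics /etc/jailkit/jk_init.ini / /home/web5
if [ "${1:-}" = demo ]; then
    d=$(make_fixture)
    echo "patterns matching nothing on the host:"
    unmatched_on_host uidbasics "$d/jk_init.ini" "$d/host"
    echo "host files missing from the jail:"
    missing_in_jail uidbasics "$d/jk_init.ini" "$d/host" "$d/jail"
    rm -rf "$d"
fi
```

    On the fixture the first report lists the four /lib and /lib64 patterns (the host only carries the multiarch copies), and the second lists /lib/x86_64-linux-gnu/libnss_files.so.2 and /etc/ld.so.conf, which is what a jail created before the fix would be missing. Running the two functions against / and an existing jail after editing jk_init.ini shows whether the jail needs to be recreated rather than just the config file changed.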
     
  3. millpark10

    millpark10 Member

    Hi Till
    (Notice that you "Say Thank You to martin.macko.47 For This Useful Post")

    I have a problem with jailkit: if activated on a shell user, the user cannot login, or gets kicked immediately.
    Also after a few tries with jailed shell-users, ssh-server seems to lock up.
    Resets after 10-20 min, at least it seems so, I can do new login tries.
    If jailkit is not activated, the user can login, but can also browse the whole filesystem, NOT good.

    Some of the posts I read:
    http://www.howtoforge.com/forums/showthread.php?t=60401&highlight=jailkit
    http://www.howtoforge.com/forums/showthread.php?t=62263
    http://www.howtoforge.com/forums/showthread.php?t=63465&highlight=jailkit
    http://www.howtoforge.de/forum/34884-post7.html (not read but recognized the code)
    After reading a lot of posts in the forum I wonder if this thread has the "perfect solution"?
    I am on a 64bit ubuntu server.
    In short, is martin.macko.47's previous post the official solution?

    I really like ISPconfig3
    //millpark10
     
  4. millpark10

    millpark10 Member

    Please someone help me.
    Jailkit is not working, did changes suggested by martin.macko.47 but still not working.
    /var/log/auth.log gives:
    Mar 17 00:01:49 lenny1 sshd[29763]: User arnisshell not allowed because shell /usr/sbin/jk_chrootsh does not exist
    Mar 17 00:01:49 lenny1 sshd[29763]: input_userauth_request: invalid user arnisshell [preauth]
    Mar 17 00:01:52 lenny1 sshd[29763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1-1-1-24a.djh.sth.stream.ax user=arnisshell
    Mar 17 00:01:54 lenny1 sshd[29763]: Failed password for invalid user arnisshell from xx.xxx.xxx.xx port 34041 ssh2

    /usr/sbin/jk_chrootsh does not exist, Why is it missing? How to properly fix this?

    Settings,
    Client - Limits
    SSH-Chroot Options
    None
    Jailkit
    Sites - Shell User
    Chroot Shell: jailkit
    Chroot Shell

    I don't want to mess up my system.
    This is really a showstopper, If jailkit is not working, no shell users can be allowed on my server.
    //millpark10
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    No, as there is no official solution required, jailkit works out of the box on servers installed as described in the perfect server guides. I just said thank you as he posted information that might be useful for some users to activate additional functions in jailkit (accessing other servers from within a jail by ssh). So there is nothing in this thread that applies to your problem.

    Then you haven't installed jailkit properly as described in the perfect server guides. Please install jailkit again and then rerun the ispconfig update.php script and let it reconfigure services.
     
  6. millpark10

    millpark10 Member

    Cannot understand what went wrong during install.
    Code:
    apt-get -y install build-essential autoconf automake1.9 libtool flex bison
    cd /tmp
    wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
    tar xvfz jailkit-2.14.tar.gz
    cd jailkit-2.14
    ./configure
    make
    make install
    cd ..
    rm -rf jailkit-2.14*
    It is pretty straight forward.
    Obviously something did go wrong.
    I will absolutely do that, (same code as above?)
    BUT, How much changes will the ispconfig update.php script change in my mirror/cluster-setup? Do I have to reconfigure other things as well?
    Really good to know before I run the script. Thank you.
    //millpark10
     
  7. millpark10

    millpark10 Member

    Well no confirmation about /usr/local/ispconfig/server/scripts/ispconfig_update.php so I did the update to jailkit by doing
    Code:
    apt-get -y install build-essential autoconf automake1.9 libtool flex bison
    cd /tmp
    wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
    tar xvfz jailkit-2.14.tar.gz
    cd jailkit-2.14
    ./configure
    make
    Got error:
    gcc -lpthread -o jk_socketd jk_socketd.o jk_lib.o utils.o iniparser.o
    jk_socketd.o: In function `main':
    /tmp/jailkit-2.14/src/jk_socketd.c:474: undefined reference to `pthread_create'
    collect2: ld returnerade avslutningsstatus 1
    make[1]: *** [jk_socketd] Fel 1

    Read jailkit bugs: http://savannah.nongnu.org/bugs/?35249
    Changed line 41 and 42 accordingly,
    ran make again, no errors. And:
    Code:
    make install
    cd ..
    rm -rf jailkit-2.14*
    No errors.
    Did this on both mirrored servers.
    Then tried to run
    Code:
    [email protected]:/home/backup# /usr/local/ispconfig/server/scripts/ispconfig_update.php
    /usr/local/ispconfig/server/scripts/ispconfig_update.php: rad 1: ?php: Filen eller katalogen finns inte
    /usr/local/ispconfig/server/scripts/ispconfig_update.php: rad 3: /aquota.group: Åtkomst nekas
    /usr/local/ispconfig/server/scripts/ispconfig_update.php: rad 4: syntaxfel nära den oväntade symbolen "c"
    /usr/local/ispconfig/server/scripts/ispconfig_update.php: rad 4: `Copyright (c) 2009, Till Brehm, projektfarm Gmbh'
    Sorry for the Swedish error messages, but I think you get the message.
    Is this script supposed to be run from within ispconfig? I tried as admin user from CLI.

    Tried to login with ssh user and got thrown out immediately.
    /var/log/auth.log
    Will this be fixed if ispconfig_update.php is run correctly?
    //millpark10
     
    Last edited: Mar 18, 2014
  8. millpark10

    millpark10 Member

    So I ran ispconfig_update.sh instead of ispconfig_update.php
    Read:
    http://www.faqforge.com/linux/controlpanels/ispconfig3/how-to-update-ispconfig-3/
    and the script finished in a second returning "There are no updates available for ISPConfig 3.0.5.3"
    Did the script make any changes? to what?
    Recreated the shell user, can now login and seems to be jailed in auth.log.
    Will do more tests. Especially cronjobs that did not work before.
    Do I need to do anything more?
    //millpark10
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

  10. millpark10

    millpark10 Member

    Hi Till
    Thank you for answering all my newbie questions.
    You wrote
    I am deeply sorry I did not understand it involved
    Code:
    cd /tmp
    wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
    tar xvfz ISPConfig-3-stable.tar.gz
    cd ispconfig3_install/install
    php -q update.php
    Please,
    Still, I wonder if this will change things in my current setup, then how?
    Do I have to rerun other commands as well?
    //millpark10
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    If jailkit works already, then you don't have to rerun the update script. The update will reconfigure all services, so if you altered config files by hand that are managed by ispconfig, then manual changes might get lost.
     
  12. millpark10

    millpark10 Member

    So, I ran the update.php as described on my 1st server in the mirrored setup.
    Now I have to redo all changes done during install according to the guides I followed?
    Is that correct?
    /millpark10
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    No. Only changes that you did in config files managed by ispconfig that are not part of the ispconfig tutorials.
     
  14. millpark10

    millpark10 Member

    Ok, sounds a bit more positive than I felt some moments ago.
    :|
    I followed guides as of below the line here. Added roundcube and my own checkphpreplication-script. Don't know if I did other changes outside the install-instructions.
    Guess I will go over my bootstrap document and check.
    Still can't get cron via GUI to work with jailed site/user.
    /millpark10
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    What does your cronjob look like and what does it execute? All software that you want to use must be installed inside the jail and all paths must be relative to the jail root. And the jail is set up when the first jailed cronjob or ssh user of a website gets created; if jailkit was not installed at that time, then the jail is broken or at least incomplete.
     
  16. millpark10

    millpark10 Member

    Ok Till,
    Checking everything, with jailkit/cron and config-files. Hopefully everything will run as supposed to.
    I also ran the command:
    Code:
    scp -p /usr/local/ispconfig/interface/lib/config.inc.php [email protected]:/usr/local/ispconfig/interface/lib/config.inc.php
    according to "Installing A Web, Email & MySQL Database Cluster On Debian 6.0 With ISPConfig 3" on page 35.
    "This command has to be executed after each ISPConfig update again after you updated ISPConfig on the master and on the slave with the normal ISPConfig
    update command"
    //millpark10
     
  17. millpark10

    millpark10 Member

    Had a problem with cron not running a script, site is jailed and shell user seems to login correctly in jailed environment.
    When trying to run test.sh from the command line I get error:
    Fatal error: date(): Timezone database is corrupt - this should *never* happen! in /private/webstuff/h_test/test.php on line 3
    Cron job to run:
    */10 * * * * /private/webstuff/h_test/test.sh
    test.sh:
    Code:
    #!/bin/sh
    tid=$(date +%H%M%S)
    cd /private/webstuff/h_test
    echo $tid > $tid.txt
    php test.php
    test.php:
    Code:
    <?php
    $file = fopen('test.txt', 'a+');
    fwrite($file, date('YmdHis')."\n");
    fclose($file);
    Added to jk_init.ini:
    Code:
    [uidbasics]
    comment = common files for all jails that need user/group information
    libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/x86_64-linux-gnu/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/x86_64-linux-gnu/libnss*.so.2
    regularfiles = /etc/nsswitch.conf, /etc/ld.so.conf
    
    [netbasics]
    comment = common files for all jails that need any internet connectivity
    libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/x86_64-linux-gnu/libnss_dns.so.2
    regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols
    
    [php]
    comment = the php interpreter and libraries
    executables = /usr/bin/php5
    directories = /usr/lib/php5, /usr/share/php, /usr/share/php5, /etc/php5, /usr/share/php-geshi, /usr/share/zoneinfo
    includesections = env
    
    [env]
    comment = environment variables
    executables = /usr/bin/env
    passwd:
    Code:
    root:x:0:0:root:/root:/bin/bash
    web5:x:10005:10005::/home/web5:/bin/bash
    varnisshell:x:10005:10005::/home/web5:/bin/bash
    Is this correct in order to run .sh and php in jail?
    If this is the wrong way to do this, Please correct me.
    //millpark10
     
    Last edited: Mar 19, 2014
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    You can add global sections to jk init and then activate them for new jails in ispconfig in the server config settings.
     
  19. millpark10

    millpark10 Member

    Thanks Till
    I like ISPconfig more and more, soon my environment will actually be a "perfect setup"!
    So the changes I manually did in /etc/jailkit/jk_init.ini are shown under 'System-ServerConfig-Jailkit'?
    Or is it the reverse, if I add something in ISPconfig-GUI under 'System-ServerConfig-Jailkit' it will be entered in /etc/jailkit/jk_init.ini ?
    This is what I have when I look in 'System-ServerConfig-Jailkit':
    Code:
      Jailkit chroot home
    /home/[username]
    
     Jailkit chroot app sections
    basicshell editors extendedshell netutils ssh sftp scp groups jk_lsh
    
     Jailkit chrooted applications
    /usr/bin/groups /usr/bin/id /usr/bin/dircolors /usr/bin/lesspipe /usr/bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/pico
    
     Jailkit cron chrooted applications
    /usr/bin/php /usr/bin/perl /usr/share/perl /usr/share/php
    Is this right?
    If the error message with timezone only shows when I run my script from cli and not when cron is running the script, it might be because "Jailkit cron chrooted applications" as of above have /usr/bin/php but not "Jailkit chrooted applications"?
    //millpark10
     
  20. millpark10

    millpark10 Member

    Sorry,
    can't get the test.sh as above to run as cron job.
    Seems that maybe some php instructions are missing in jail?
    Is there a howto to activate php in jail?
    Can I test that php is correct in jail?
    Tried /usr/bin/php /web/index.php and got error message from wordpress that PHP seems to miss MySQL-addon??
    Pls point me in a direction to look for mistakes (or where to find a solution)
    //millpark10
     
