Issue: Activating chroot'ed users via $go_info["server"]["ssh_chroot"] = 1 does not actually result in chroot'ing. Background info: I know that there are several threads on chroot'ing users with ISPConfig, but I found them inconsistent. While some people are probably successful in setting this up, some clearly fail (links below). I hope to get some clarification here. I would like to thank Falko, Til and Co. for the great "Perfect Server" and other manuals. However, arguably, it is a security flaw that the manuals explain how to set up FTP. Many users (including myself up to a while ago) underestimate this security issue. If you could make setting up chroot'ed SFTP an integral part of your manuals and make non-local FTP access setup optional it would be awesome going forwards. In any case - thanks for your time. System: Ubuntu 10.04.4 LTS configured as explained here. It's a cloud-box, so I started in the middle of step 7. ISPConfig Version: 2.2.40 Aiming to set up chroot'ed users with ISPConfig I looked at a few sources: http://www.howtoforge.com/chrooted_ssh_howto_debian http://www.howtoforge.com/restricting-users-to-sftp-plus-setting-up-chrooted-ssh-sftp-debian-squeeze http://www.howtoforge.com/forums/showthread.php?t=6370&highlight=chroot+ssh+ispconfig http://www.howtoforge.com/forums/showthread.php?t=4373 Essentially, [1] and [2] say that you need to first enable an SSH host that supports chroot'ing and then go on to explain how to copy files essential for a chroot'ed user. Although [1] says that you need to download and build a modified server, that article is quite old, and from [2] it seems that these days it is sufficient to install OpenSSH (also hinted on here). From [3] and [4] you learn that once you have a chroot-capable SSH host, you just need to set the flag '$go_info["server"]["ssh_chroot"]' in file '/home/admispconfig/ispconfig/lib/config.inc.php'. That will use the script '/root/ispconfig/scripts/shell/create_chroot_env.sh' to set up the necessary files for new users created by ISPConfig. I did all of the above, but things do not work. I see that files that should be copied by create_chroot_env.sh are indeed copied and that new users have a dot in their home directory path. However, when logging in under such a user I can see the entire file system which implies that I am not chroot'ed. I am not sure how to diagnose the issue. Is there a way to check that the active SSH host is the one I need and that it supports chroot'ing? What else could I be missing? Do I perhaps require some 'Match' configuration blocks in the SSHD config file as described in [2]? If so, how should they look like to interop well with ISPConfig? Diagnostics: Here are some snippets from my system config/diagnostics that may be relevant: /home/admispconfig/ispconfig/lib/config.inc.php: Code: ... $go_info["server"]["ssh_chroot"] = 1; ... /etc/ssh/sshd_config: Code: ... #Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp internal-sftp UsePAM yes [I](end of file)[/I] root@MyServer:~# ps flax: Code: F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND . . . 4 0 1985 1 20 0 5600 2132 - Ss ? 0:00 /usr/sbin/sshd -D 4 0 2033 1985 20 0 8408 2820 - Ss ? 0:00 \_ sshd: root@notty 5 0 2315 2033 20 0 8508 1440 - Ss ? 0:00 | \_ sshd: root@internal-sftp 4 0 21230 1985 20 0 8408 2740 - Ss ? 0:00 \_ sshd: MyUser [priv] 5 10001 21296 21230 20 0 8540 1460 - S ? 0:00 | \_ sshd: MyUser@pts/0 0 10001 21297 21296 20 0 4592 1864 - Ss pts/0 0:00 | \_ -bash 0 10001 21304 21297 20 0 6980 2848 - S+ pts/0 0:00 | \_ mc 0 10001 21306 21304 20 0 4608 1872 - Ss+ pts/1 0:00 | \_ bash -rcfile .bashrc 4 0 21426 1985 20 0 8408 2684 - Ss ? 0:00 \_ sshd: MyUser [priv] 5 10001 21488 21426 20 0 8540 1456 - S ? 0:00 | \_ sshd: MyUser@notty 1 10001 21491 21488 20 0 8508 1252 - Ss ? 0:00 | \_ sshd: MyUser@internal-sftp 4 0 21585 1985 20 0 8544 2808 - Ss ? 0:00 \_ sshd: root@pts/2 4 0 21647 21585 20 0 4632 1872 - Ss pts/2 0:00 \_ -bash 0 0 21662 21647 20 0 7528 3508 - S+ pts/2 0:00 \_ mc 0 0 21664 21662 20 0 4636 1896 - Ss pts/3 0:00 \_ bash -rcfile .bashrc 4 0 21795 21664 20 0 2692 900 - R+ pts/3 0:00 \_ ps flax . . . Thanks!
I'd like to chroot sftp users too. Until I can do that, I can't give them sftp access, which I want to do, so I can stop ftp. I've had a look at http://www.howtoforge.com/restricting-users-to-sftp-plus-setting-up-chrooted-ssh-sftp-debian-squeeze but I'm not clear how to apply that to an ispconfig 2 setup that has many, many users already
Still an issue I am a bit surprised that in more than six months no-one has been able to offer any help at all. Are we flogging a dead horse here?
