(I posted in another forum section previously, but did not get any replies. Chroot'ing ISPConfig users must be a common issue. Reposting here, perhaps this is a more suitable forum section. Any help is greatly appreciated!)

Issue: Activating chroot'ed users via $go_info["server"]["ssh_chroot"] = 1 does not actually result in chroot'ing. I followed the instructions from the links below to set up a chroot-capable SSHD and activated the ISPConfig option. It looks like the home dir created by ISPConfig for new users has a "." in it as required, and that the files necessary for the jail to work are copied into the site directory, but the chroot'ing is not active: the users that are meant to be chroot'ed can browse the entire file system.

System configuration: Ubuntu 10.04.4 LTS configured as explained in the Perfect Server Manual (thanks Falko, Till & Co for the awesome work). It's a cloud-box, so I started in the middle of step 7.
ISPConfig Version: 2.2.40

Aiming to set up chroot'ed users with ISPConfig I looked at a few sources:
[1] http://www.howtoforge.com/chrooted_ssh_howto_debian
[2] http://www.howtoforge.com/restricting-users-to-sftp-plus-setting-up-chrooted-ssh-sftp-debian-squeeze
[3] http://www.howtoforge.com/forums/showthread.php?t=6370&highlight=chroot+ssh+ispconfig
[4] http://www.howtoforge.com/forums/showthread.php?t=4373

Essentially, [1] and [2] say that you need to first enable an SSH host that supports chroot'ing and then go on to explain how to copy the files essential for a chroot'ed user. Although [1] says that you need to download and build a modified server, that article is quite old, and from [2] it seems that these days it is sufficient to install OpenSSH (also hinted at here). From [3] and [4] you learn that once you have a chroot-capable SSH host, you just need to set the flag '$go_info["server"]["ssh_chroot"]' in file '/home/admispconfig/ispconfig/lib/config.inc.php'. That will use the script '/root/ispconfig/scripts/shell/create_chroot_env.sh' to set up the necessary files for new users created by ISPConfig.

I did all of the above, but things do not work. I see that the files that should be copied by create_chroot_env.sh are indeed copied and that new users have a dot in their home directory path. However, when logging in under such a user I can see the entire file system, which implies that I am not chroot'ed.

I am not sure how to diagnose the issue. Is there a way to check that the active SSH host is the one I need and that it supports chroot'ing? What else could I be missing? Do I perhaps require some 'Match' configuration blocks in the SSHD config file as described in [2]? If so, how should they look to interop well with ISPConfig?

Diagnostics: Here are some snippets from my system config/diagnostics that may be relevant:

/home/admispconfig/ispconfig/lib/config.inc.php:
Code:
...
$go_info["server"]["ssh_chroot"] = 1;
...

/etc/ssh/sshd_config:
Code:
...
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
UsePAM yes
(end of file)

root@MyServer:~# ps flax:
Code:
F   UID   PID  PPID PRI  NI  VSZ  RSS WCHAN STAT TTY    TIME COMMAND
. . .
4     0  1985     1  20   0 5600 2132 -     Ss   ?      0:00 /usr/sbin/sshd -D
4     0  2033  1985  20   0 8408 2820 -     Ss   ?      0:00  \_ sshd: root@notty
5     0  2315  2033  20   0 8508 1440 -     Ss   ?      0:00  |   \_ sshd: root@internal-sftp
4     0 21230  1985  20   0 8408 2740 -     Ss   ?      0:00  \_ sshd: MyUser [priv]
5 10001 21296 21230  20   0 8540 1460 -     S    ?      0:00  |   \_ sshd: MyUser@pts/0
0 10001 21297 21296  20   0 4592 1864 -     Ss   pts/0  0:00  |       \_ -bash
0 10001 21304 21297  20   0 6980 2848 -     S+   pts/0  0:00  |           \_ mc
0 10001 21306 21304  20   0 4608 1872 -     Ss+  pts/1  0:00  |               \_ bash -rcfile .bashrc
4     0 21426  1985  20   0 8408 2684 -     Ss   ?      0:00  \_ sshd: MyUser [priv]
5 10001 21488 21426  20   0 8540 1456 -     S    ?      0:00  |   \_ sshd: MyUser@notty
1 10001 21491 21488  20   0 8508 1252 -     Ss   ?      0:00  |       \_ sshd: MyUser@internal-sftp
4     0 21585  1985  20   0 8544 2808 -     Ss   ?      0:00  \_ sshd: root@pts/2
4     0 21647 21585  20   0 4632 1872 -     Ss   pts/2  0:00      \_ -bash
0     0 21662 21647  20   0 7528 3508 -     S+   pts/2  0:00          \_ mc
0     0 21664 21662  20   0 4636 1896 -     Ss   pts/3  0:00              \_ bash -rcfile .bashrc
4     0 21795 21664  20   0 2692  900 -     R+   pts/3  0:00                  \_ ps flax
. . .

Thanks!
I have the same result. If you change the owner of the path to the root user, the connection should work:
Code:
chown root.webX -R /var/www/WebX
If I remember correctly, chrooting in ISPConfig 2 requires a recompiled and patched SSH daemon. These patches are not available anymore for recent sshd versions, as the maintainer stopped the development a few years ago; for that reason SSH chroot in ISPConfig 2 is not working anymore on recent Linux distributions. ISPConfig 2 itself is not under development anymore either, since the new ISPConfig version (ISPConfig 3) is available and stable, so ISPConfig 2 won't get updates anymore. You should really consider using an ISPConfig 3 setup on your server: it's much more powerful, easier to install, has full chroot support for SSH users and much more, is actively supported and gets bugfixes and new features.
But there is no way to upgrade from ISPConfig 2 to ISPConfig 3, is there? With a setup that has scores of websites and hundreds of users, doing it by hand would be a nightmare.
Ah well. Is there a way to enable SFTP and lock ISPConfig 2 users to their own directories, as is possible with FTP? I'd like to switch FTP off if possible.
The chroot support in ISPConfig 2 was for a special patched version of sshd; these patches have not been available for a few years, as far as I know. So there is currently no built-in method for chrooting users in ISPConfig 2. The chroot support in ISPConfig 3 is implemented differently and uses jailkit, so chrooted SFTP works there. ISPConfig 2 has not been under development for several years now, so it's unlikely that a new chroot method gets implemented in ISPConfig 2.
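Independently of ISPConfig 2's own (patched-sshd based) chroot handling, which the replies above say is gone, stock OpenSSH carries a ChrootDirectory directive that answers the two open questions in this thread: the shape of the 'Match' block the opening post asks about, and the root-ownership rule behind the chown in the first reply. The script below is an added example and is not code from the thread, from ISPConfig or from OpenSSH. It assumes GNU stat(1), the "Subsystem sftp internal-sftp" line already present in the opening post's sshd_config, and placeholder names (web1, /var/www/web1); it reimplements sshd's ownership check in shell so a jail that is silently not engaging can be diagnosed, and prints the Match fragment that restricts a user to SFTP inside that directory.

```shell
#!/bin/sh
# Added example, not code from the thread, ISPConfig or OpenSSH.
# sshd only honours ChrootDirectory if the directory and every parent up
# to / is owned by root and not writable by group or others; otherwise the
# login is refused and auth.log reports
# "bad ownership or modes for chroot directory component".
# Assumptions: GNU stat(1); user/group/path names are placeholders.

# check_components BASE DIR UID
#   Walk from DIR up to BASE (inclusive) and verify each directory is
#   owned by UID and has no group/other write bit.  Prints each offending
#   component; returns 0 when all pass, 1 otherwise.
check_components() {
    base=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such dir: $1" >&2; return 1; }
    target=$(cd "$2" 2>/dev/null && pwd -P) || { echo "no such dir: $2" >&2; return 1; }
    want_uid=$3
    case "$target" in
        "$base"|"${base%/}"/*) ;;
        *) echo "$target is not under $base" >&2; return 1 ;;
    esac
    rc=0
    cur=$target
    while :; do
        # numeric owner uid and symbolic mode, e.g. "0 drwxr-xr-x"
        set -- $(stat -c '%u %A' "$cur")
        uid=$1
        perm=$2
        [ "$uid" = "$want_uid" ] || { echo "bad owner $uid on $cur (want uid $want_uid)"; rc=1; }
        # character 6 is the group write bit, character 9 the other write bit
        case "$perm" in
            ?????w*|????????w*) echo "group/other writable: $cur ($perm)"; rc=1 ;;
        esac
        [ "$cur" = "$base" ] && break
        cur=$(dirname "$cur")
    done
    return $rc
}

# check_chroot_path DIR
#   The rule exactly as sshd applies it: from / down to DIR, owner root.
check_chroot_path() {
    check_components / "$1" 0
}

# sftp_match_block USER DIR
#   Print the sshd_config fragment that jails USER to DIR and permits
#   SFTP only (no shell, no forwarding).  Needs "Subsystem sftp internal-sftp"
#   in the main section; DIR must pass check_chroot_path, and the user's
#   writable area is a subdirectory of the root-owned DIR.
sftp_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Demonstration on a constructed tree.  No root needed: the expected owner
# is the current uid and the walk starts at the temp dir instead of /.
demo() {
    t=$(mktemp -d)
    me=$(id -u)
    mkdir -p "$t/good/web1/htdocs" "$t/bad/web2"
    chmod 755 "$t" "$t/good" "$t/good/web1" "$t/bad"
    chmod 775 "$t/bad/web2"           # group-writable jail: sshd would refuse it
    chmod 775 "$t/good/web1/htdocs"   # fine: only the jail and its parents matter
    check_components "$t" "$t/good/web1" "$me" && echo "good/web1: usable as ChrootDirectory"
    check_components "$t" "$t/bad/web2"  "$me" || echo "bad/web2: rejected"
    sftp_match_block web1 /var/www/web1
    rm -rf "$t"
}
demo
```

On the real tree run check_chroot_path /var/www/web1 as root; every line it prints is a component sshd will reject. Two outcomes are worth telling apart when testing: a jail that sshd refuses shows up as a failed login with the auth.log message above, whereas a user who can still browse the whole file system, as in the opening post, has not matched any ChrootDirectory rule at all. With ForceCommand internal-sftp in place, the interactive "sshd: MyUser@pts/0" / "-bash" pair in the ps listing cannot occur for that user any more, which is what the later question about switching FTP off asks for.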