I enabled users to use jailed shell command line interface for websites. So far, this works fine, the user can ssh to his jailed website, use the shell, editors and so on:

Code:
    user@hisdesktop:~$ ssh [email protected]
    [email protected]'s password:
    [email protected]:~$
    [email protected]:~$ ls /web/
    error favicon.ico index.html robots.txt stats

However, if he tries to ssh from his jailed environment outside to some other server, it doesn't work. The same happens if he tries to use scp:

Code:
    [email protected]:~$ ssh [email protected]
    You don't exist, go away!
    [email protected]:~$ scp [email protected]:some/file.txt .
    unknown user 5004

Why? How to make it work?

Tested on fully updated fresh install of:
Ubuntu server 12.04.3 LTS (64bit)
Jailkit-2.17 used as chroot shell
ISPConfig 3.0.5.3
Installed following The Perfect Server - Ubuntu 12.04 LTS (Apache2, BIND, Dovecot, ISPConfig 3) tutorial.
I've found out that the ISPConfig installer does not configure jailkit correctly on 64bit Ubuntu. The sections [uidbasics] and [netbasics] in /etc/jailkit/jk_init.ini should read as follows, with the highlighted paths to the libraries added:

Code:
    [uidbasics]
    comment = common files for all jails that need user/group information
    libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, [b]/lib/x86_64-linux-gnu/libnsl.so.1[/b], /lib/libnss*.so.2, /lib64/libnss*.so.2, [b]/lib/x86_64-linux-gnu/libnss*.so.2[/b]
    regularfiles = /etc/nsswitch.conf, /etc/ld.so.conf

    [netbasics]
    comment = common files for all jails that need any internet connectivity
    libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, [b]/lib/x86_64-linux-gnu/libnss_dns.so.2[/b]
    regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols

Otherwise, no program that needs user/group information or any internet connectivity works in the jailed environment. E.g. ssh, wget, etc.

The ISPConfig installer needs to have ispconfig3_install/install/tpl/jk_init.ini.master fixed accordingly...

I've submitted this bug to the bugtracker, so hopefully it will get fixed, thanks.
http://bugtracker.ispconfig.org/index.php?do=details&task_id=3335
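Added example, not part of the original post and not ISPConfig or jailkit code: a check for the condition described above, where a jk_init.ini section lists a library only at locations that do not exist on the host, so nothing gets copied into the jail. The function names and the temporary directory standing in for a 64-bit Ubuntu host (NSS libraries only under /lib/x86_64-linux-gnu) are assumptions made for the demonstration.

```python
import configparser
import glob
import os
import tempfile

# [uidbasics] without the multiarch paths, i.e. the post's section minus its highlighted entries
BEFORE = """[uidbasics]
libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2
regularfiles = /etc/nsswitch.conf, /etc/ld.so.conf
"""
# [uidbasics] as given in the post (BBCode markers dropped)
AFTER = """[uidbasics]
libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/x86_64-linux-gnu/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/x86_64-linux-gnu/libnss*.so.2
regularfiles = /etc/nsswitch.conf, /etc/ld.so.conf
"""

def unresolved_libraries(ini_text, root="/"):
    """Map section -> library names for which none of the listed locations exists under root."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    result = {}
    for section in parser.sections():
        found = {}
        for pattern in parser.get(section, "libraries", fallback="").split(","):
            pattern = pattern.strip()
            if pattern:
                hit = bool(glob.glob(os.path.join(root, pattern.lstrip("/"))))
                name = os.path.basename(pattern)
                found[name] = found.get(name, False) or hit
        missing = sorted(name for name, ok in found.items() if not ok)
        if missing:
            result[section] = missing
    return result

def make_multiarch_root():
    """Constructed stand-in for the host: NSS libraries only in the multiarch directory."""
    root = tempfile.mkdtemp()
    libdir = os.path.join(root, "lib", "x86_64-linux-gnu")
    os.makedirs(libdir)
    for lib in ("libnsl.so.1", "libnss_files.so.2", "libnss_dns.so.2"):
        open(os.path.join(libdir, lib), "w").close()
    return root

if __name__ == "__main__":
    root = make_multiarch_root()
    print("before:", unresolved_libraries(BEFORE, root))
    print("after: ", unresolved_libraries(AFTER, root))
    print("this host:", unresolved_libraries(AFTER))  # same check against the real /
```

A non-empty result for a section means a jail built from it has no copy of that library, which is the situation in which user lookups inside the jail fail.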
Hi Till

(Notice that you "Say Thank You to martin.macko.47 For This Useful Post")

I have a problem with jailkit: if activated on a shell user, the user can not log in, or gets kicked immediately. Also after a few tries with jailed shell-users, ssh-server seems to lock up. Resets after 10-20 min, at least it seems so, I can do new login tries. If jailkit is not activated, the user can log in, but can also browse the whole filesystem, NOT good.

Some of the posts I read:
http://www.howtoforge.com/forums/showthread.php?t=60401&highlight=jailkit
http://www.howtoforge.com/forums/showthread.php?t=62263
http://www.howtoforge.com/forums/showthread.php?t=63465&highlight=jailkit
http://www.howtoforge.de/forum/34884-post7.html (not read but recognized the code)

After reading a lot of posts in the forum I wonder if this thread has the "perfect solution"? I am on a 64bit ubuntu server. In short, is martin.macko.47's previous post the official solution?

I really like ISPconfig3

//millpark10
Please someone help me. Jailkit is not working, did the changes suggested by martin.macko.47 but still not working.

/var/log/auth.log gives:

    Mar 17 00:01:49 lenny1 sshd[29763]: User arnisshell not allowed because shell /usr/sbin/jk_chrootsh does not exist
    Mar 17 00:01:49 lenny1 sshd[29763]: input_userauth_request: invalid user arnisshell [preauth]
    Mar 17 00:01:52 lenny1 sshd[29763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1-1-1-24a.djh.sth.stream.ax user=arnisshell
    Mar 17 00:01:54 lenny1 sshd[29763]: Failed password for invalid user arnisshell from xx.xxx.xxx.xx port 34041 ssh2

/usr/sbin/jk_chrootsh does not exist. Why is it missing? How to properly fix this?

Settings:
Client - Limits, SSH-Chroot Options: None Jailkit
Sites - Shell User, Chroot Shell: jailkit Chroot Shell

I don't want to mess up my system. This is really a showstopper: if jailkit is not working, no shell users can be allowed on my server.

//millpark10
No, as there is no official solution required, jailkit works out of the box on servers installed as described in the perfect server guides. I just said thank you as he posted information that might be useful for some users to activate additional functions in jailkit (accessing other servers from within a jail by ssh). So in this thread is nothing that applies to your problem.

Then you haven't installed jailkit properly as described in the perfect server guides. Please install jailkit again and then rerun the ispconfig update.php script and let it reconfigure services.
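Added example, not part of the thread: a way to confirm the condition sshd reports above by pulling the login-shell rejections out of auth.log and checking which passwd entries name a shell that is missing or not executable. The log lines are the ones quoted in the thread; the passwd entries, the `/srv/jail` home path and the function names are constructed for the demonstration.

```python
import os
import re
import tempfile

# sshd lines quoted in the thread (host name and user as posted)
AUTH_LOG = """Mar 17 00:01:49 lenny1 sshd[29763]: User arnisshell not allowed because shell /usr/sbin/jk_chrootsh does not exist
Mar 17 00:01:49 lenny1 sshd[29763]: input_userauth_request: invalid user arnisshell [preauth]
"""
# Constructed host passwd entries; the jail path /srv/jail is a placeholder
PASSWD = """root:x:0:0:root:/root:/bin/bash
arnisshell:x:10005:10005::/srv/jail/./home/arnisshell:/usr/sbin/jk_chrootsh
"""
REJECT = re.compile(r"sshd\[\d+\]: User (\S+) not allowed because shell (\S+) "
                    r"(does not exist|is not executable)")

def shell_rejections(log_text):
    """Return {user: (shell, reason)} for logins sshd refused because of the login shell."""
    return {m.group(1): (m.group(2), m.group(3)) for m in REJECT.finditer(log_text)}

def broken_shells(passwd_text, root="/"):
    """Return {user: shell} for passwd entries whose shell is missing or not executable under root."""
    bad = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        shell = fields[6] or "/bin/sh"  # an empty shell field means /bin/sh
        path = os.path.join(root, shell.lstrip("/"))
        if not (os.path.isfile(path) and os.access(path, os.X_OK)):
            bad[fields[0]] = shell
    return bad

def make_root(*shells):
    """Constructed filesystem root containing the given executables (empty files, mode 0755)."""
    root = tempfile.mkdtemp()
    for shell in shells:
        path = os.path.join(root, shell.lstrip("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, 0o755)
    return root

if __name__ == "__main__":
    print(shell_rejections(AUTH_LOG))
    print(broken_shells(PASSWD, make_root("/bin/bash")))                           # jk_chrootsh absent
    print(broken_shells(PASSWD, make_root("/bin/bash", "/usr/sbin/jk_chrootsh")))  # jk_chrootsh present
```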
Can not understand what went wrong during install.

Code:
    apt-get -y install build-essential autoconf automake1.9 libtool flex bison
    cd /tmp
    wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
    tar xvfz jailkit-2.14.tar.gz
    cd jailkit-2.14
    ./configure
    make
    make install
    cd ..
    rm -rf jailkit-2.14*

It is pretty straight forward. Obviously something did go wrong.

I will absolutely do that, (same code as above?) BUT, How much changes will the ispconfig update.php script change in my mirror/cluster-setup? Do I have to reconfigure other things as well? Really good to know before I run the script.

Thank you.

//millpark10
Well, no confirmation about /usr/local/ispconfig/server/scripts/ispconfig_update.php so I did the update to jailkit by doing

Code:
    apt-get -y install build-essential autoconf automake1.9 libtool flex bison
    cd /tmp
    wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
    tar xvfz jailkit-2.14.tar.gz
    cd jailkit-2.14
    ./configure
    make

Got error:

    gcc -lpthread -o jk_socketd jk_socketd.o jk_lib.o utils.o iniparser.o
    jk_socketd.o: In function `main':
    /tmp/jailkit-2.14/src/jk_socketd.c:474: undefined reference to `pthread_create'
    collect2: ld returnerade avslutningsstatus 1
    make[1]: *** [jk_socketd] Fel 1

Read jailkit bugs: http://savannah.nongnu.org/bugs/?35249
Changed line 41 and 42 accordingly, ran make again, no errors. And:

Code:
    make install
    cd ..
    rm -rf jailkit-2.14*

No errors. Did this on both mirrored servers. Then tried to run

Code:
    root@lenny1:/home/backup# /usr/local/ispconfig/server/scripts/ispconfig_update.php
    /usr/local/ispconfig/server/scripts/ispconfig_update.php: rad 1: ?php: Filen eller katalogen finns inte
    /usr/local/ispconfig/server/scripts/ispconfig_update.php: rad 3: /aquota.group: Åtkomst nekas
    /usr/local/ispconfig/server/scripts/ispconfig_update.php: rad 4: syntaxfel nära den oväntade symbolen "c"
    /usr/local/ispconfig/server/scripts/ispconfig_update.php: rad 4: `Copyright (c) 2009, Till Brehm, projektfarm Gmbh'

Sorry for the Swedish error messages, but I think you get the message. Is this script supposed to be run from within ispconfig? I tried as admin user from CLI.

Tried to login with ssh user and got thrown out immediately. /var/log/auth.log

Will this be fixed if ispconfig_update.php is run correctly?

//millpark10
So I ran ispconfig_update.sh instead of ispconfig_update.php Read: http://www.faqforge.com/linux/controlpanels/ispconfig3/how-to-update-ispconfig-3/ and the script finished in a second returning "There are no updates available for ISPConfig 3.0.5.3" Did the script make any changes? to what? Recreated the shell user, can now login and seems to be jailed in auth.log. Will do more tests. Especially cronjobs that did not work before. Do I need to do anything more? //millpark10
To run an update on a system that has the same version installed, see manual update instructions in release notes. There you see that the script is named update.php, like I posted above.
http://www.howtoforge.com/forums/showthread.php?t=62802
Hi Till

Thank you for answering all my newbie questions.

You wrote

I am deeply sorry I did not understand it involved

Code:
    cd /tmp
    wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
    tar xvfz ISPConfig-3-stable.tar.gz
    cd ispconfig3_install/install
    php -q update.php

Please, Still, I wonder if this will change things in my current setup, then how? Do I have to rerun other commands as well?

//millpark10
If jailkit works already, then you don't have to rerun the update script. The update will reconfigure all services, so if you altered config files by hand that are managed by ispconfig, then manual changes might get lost.
So, I ran the update.php as described on my 1st server in the mirrored setup. Now I have to redo all changes done during install according to the guides I followed? Is that correct? /millpark10
No. Only changes that you did in config files managed by ispconfig that are not part of the ispconfig tutorials.
Ok, sounds a bit more positive than I felt some moments ago. :| I followed guides as of below the line here. Added roundcube and my own checkphpreplication-script. Don't know if I did other changes outside the install-instructions. Guess I will go over my bootstrap document and check.

Still can't get cron via GUI to work with jailed site/user.

/millpark10
What does your cronjob look like and what does it execute? All software that you want to use must be installed inside the jail and all paths must be relative to the jail root. And the jail is set up when the first jailed cronjob or ssh user of a website gets created; if jailkit was not installed at that time, then the jail is broken or at least incomplete.
Ok Till,

Checking everything, with jailkit/cron and config-files. Hopefully everything will run as supposed to.

I also ran the command:

Code:
    scp -p /usr/local/ispconfig/interface/lib/config.inc.php [email protected]:/usr/local/ispconfig/interface/lib/config.inc.php

according to "Installing A Web, Email & MySQL Database Cluster On Debian 6.0 With ISPConfig 3" on page 35. "This command has to be excuted after each ISPConfig update again after you updated ISPConfig on the master and on the slave with the normal ISPConfig update command"

//millpark10
Had problem with cron not running a script, site is jailed and shelluser seems to login correctly in jailed environment.

When trying to run test.sh from commandline I get error:

    Fatal error: date(): Timezone database is corrupt - this should *never* happen! in /private/webstuff/h_test/test.php on line 3

Cron job to run:

    */10 * * * * /private/webstuff/h_test/test.sh

test.sh:

Code:
    #!/bin/sh
    tid=$(date +%H%M%S)
    cd /private/webstuff/h_test
    echo $tid > $tid.txt
    php test.php

test.php:

Code:
    <?php
    $file = fopen('test.txt', 'a+');
    fwrite($file, date('YmdHis')."\n");
    fclose($file);

Added to jk_init.ini:

Code:
    [uidbasics]
    comment = common files for all jails that need user/group information
    libraries = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/x86_64-linux-gnu/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /lib/x86_64-linux-gnu/libnss*.so.2
    regularfiles = /etc/nsswitch.conf, /etc/ld.so.conf

    [netbasics]
    comment = common files for all jails that need any internet connectivity
    libraries = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /lib/x86_64-linux-gnu/libnss_dns.so.2
    regularfiles = /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols

    [php]
    comment = the php interpreter and libraries
    executables = /usr/bin/php5
    directories = /usr/lib/php5, /usr/share/php, /usr/share/php5, /etc/php5, /usr/share/php-geshi, /usr/share/zoneinfo
    includesections = env

    [env]
    comment = environment variables
    executables = /usr/bin/env

passwd:

Code:
    root:x:0:0:root:/root:/bin/bash
    web5:x:10005:10005::/home/web5:/bin/bash
    varnisshell:x:10005:10005::/home/web5:/bin/bash

Is this correct in order to run .sh and php in jail? If this is the wrong way to do this, Please correct me.

//millpark10
You can add global sections to jk init and then activate them for new jails in ispconfig in the server config settings.
Thanks Till

I like ISPconfig more and more, soon my environment will actually be a "perfect setup"!

So the changes I manually did in /etc/jailkit/jk_init.ini is shown under 'System-ServerConfig-Jailkit'? Or is it the reverse, if I add something in ISPconfig-GUI under 'System-ServerConfig-Jailkit' it will be entered in /etc/jailkit/jk_init.ini ?

This is what I have when I look in 'System-ServerConfig-Jailkit':

Code:
    Jailkit chroot home                 /home/[username]
    Jailkit chroot app sections         basicshell editors extendedshell netutils ssh sftp scp groups jk_lsh
    Jailkit chrooted applications       /usr/bin/groups /usr/bin/id /usr/bin/dircolors /usr/bin/lesspipe /usr/bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/pico
    Jailkit cron chrooted applications  /usr/bin/php /usr/bin/perl /usr/share/perl /usr/share/php

Is this right?

If the errormessage with timezone only shows when I run my script from cli and not when cron is running the script it might be because "Jailkit cron chrooted applications" as of above have /usr/bin/php but not "Jailkit chrooted applications"?

//millpark10
Sorry, can't get the test.sh as above to run as cron job. Seems that maybe some php instructions are missing in jail? Is there a howto to activate php in jail? Can I test that php is correct in jail?

Tried /usr/bin/php /web/index.php and got error message from wordpress that PHP seems to miss MySQL-addon??

Pls point me in a direction to look for mistakes (or where to find a solution)

//millpark10
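Added example, not part of the thread and not ISPConfig or jailkit code: one way to test whether an existing jail actually contains what a jk_init.ini section lists, since editing the section does not by itself change a jail that was created earlier. It resolves `includesections` and reports every listed path that is absent under the jail root; the [php] and [env] sections are the ones posted above, while the function names and the temporary directory standing in for a jail are constructed for the demonstration.

```python
import configparser
import glob
import os
import tempfile

# [php] and [env] as posted in the thread
JK_INIT = """[php]
comment = the php interpreter and libraries
executables = /usr/bin/php5
directories = /usr/lib/php5, /usr/share/php, /usr/share/php5, /etc/php5, /usr/share/php-geshi, /usr/share/zoneinfo
includesections = env

[env]
comment = environment variables
executables = /usr/bin/env
"""
KEYS = ("executables", "directories", "regularfiles", "libraries")

def section_paths(parser, section, seen=None):
    """Collect a section's path patterns, following includesections (cycles are skipped)."""
    seen = set() if seen is None else seen
    if section in seen or not parser.has_section(section):
        return []
    seen.add(section)
    paths = []
    for key in KEYS:
        value = parser.get(section, key, fallback="")
        paths += [p.strip() for p in value.split(",") if p.strip()]
    for inc in parser.get(section, "includesections", fallback="").split(","):
        paths += section_paths(parser, inc.strip(), seen)
    return paths

def missing_in_jail(ini_text, section, jail_root):
    """Return the section's patterns that match nothing under jail_root."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return sorted(p for p in section_paths(parser, section)
                  if not glob.glob(os.path.join(jail_root, p.lstrip("/"))))

def make_jail(*paths):
    """Constructed jail root in a temp directory; every given path is created as a directory."""
    root = tempfile.mkdtemp()
    for path in paths:
        os.makedirs(os.path.join(root, path.lstrip("/")))
    return root

if __name__ == "__main__":
    jail = make_jail("/usr/bin/php5", "/usr/bin/env", "/usr/lib/php5", "/etc/php5")
    print(missing_in_jail(JK_INIT, "php", jail))  # paths the section names but the jail lacks
```

The check covers only the paths a section lists; shared libraries that the executables link against are not examined.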