Hi,

My system is running ISPConfig3 Latest Stable on Ubuntu 12.04 x64. The problem is that shell users created in the ISPConfig panel are not able to SFTP or execute even basic SSH commands.

Here is what I have done till now:

I have created two shell users for two websites, one located in the web1 folder and the other in web2. I have tried both, keeping the user in Jailkit and in None; this is what happens:

If I keep the user defaultchotu as "Chroot Shell: None":

a) defaultchotu can access SSH but cannot execute even basic commands like wget:
- Without the sudo prefix I get: file.zip: Permission denied
- With sudo, it asks for a password (of course), but for user web1 and not defaultchotu. Even the PuTTY screen shows web1@ns01:~$ as the logged-in user, not defaultchotu. So when I enter the password for defaultchotu, it does not accept it, and the apache2 log shows the following error lines:

Code:
Oct 9 13:08:30 ns01 sudo: pam_unix(sudo:auth): authentication failure; logname=defaultchotu uid=5004 euid=0 tty=/dev/pts/0 ruser=web1 rhost= user=web1
Oct 9 13:08:41 ns01 sudo: pam_unix(sudo:auth): conversation failed
Oct 9 13:08:41 ns01 sudo: pam_unix(sudo:auth): auth could not identify password for [web1]
Oct 9 13:08:41 ns01 sudo: web1 : 2 incorrect password attempts ; TTY=pts/0 ; PWD=/var/www/clients/client0/web1 ; USER=root ; COMMAND=/usr/bin/wget https://www.dropbox.com/s/gibberish/file.zip

b) defaultchotu CAN log in to SFTP through FileZilla and see all directories but cannot upload files (only download is possible). The FileZilla log reads:

Code:
Status: Starting upload of D:\DL\testscript.sh
Status: Retrieving directory listing...
Command: ls
Status: Listing directory /var/www/clients/client0/web1
Command: put "D:\DL\testscript.sh" "testscript.sh"
Error: /var/www/clients/client0/web1/testscript.sh: open for write: permission denied
Error: File transfer failed
Status: Retrieving directory listing...
Command: ls
Status: Listing directory /var/www/clients/client0/web1
Status: Directory listing successful
Status: Disconnected from server

/var/log/auth.log reads:

Code:
Oct 9 13:16:21 ns01 sshd[21863]: Accepted password for defaultchotu from xxx.xxx.xxx.xxx port xxxxx ssh2
Oct 9 13:16:21 ns01 sshd[21863]: pam_unix(sshd:session): session opened for user defaultchotu by (uid=0)
Oct 9 13:16:21 ns01 sshd[22020]: subsystem request for sftp by user defaultchotu

If I keep the user defaultchotu2 as "Chroot Shell: Jailkit":

a) defaultchotu2 can access SSH but no shell commands are available to it. For example:
- I cannot list the web root directory with the ls command (by web root I mean /var/www/clients/client0/web2)
- If I run the wget command, I get:

Code:
Resolving www.dropbox.com (www.dropbox.com)... failed: Name or service not known.
wget: unable to resolve host address `www.dropbox.com'

- I surely can cd to /web and ls that directory, but wget and other basic commands still don't work
- In both directories, web2 and web, if I use sudo, an error pops up:

Code:
bash: sudo: command not found

FYI, the /var/log/auth.log entries after the defaultchotu2 login:

Code:
Oct 9 13:44:56 ns01 sshd[2669]: Accepted password for defaultchotu2 from 182.xxx.xxx.xxx port xxxxx ssh2
Oct 9 13:44:56 ns01 sshd[2669]: pam_unix(sshd:session): session opened for user defaultchotu2 by (uid=0)
Oct 9 13:44:57 ns01 jk_chrootsh[2827]: now entering jail /var/www/clients/client0/web2 for user defaultchotu2 (5005) with arguments

b) defaultchotu2 cannot log in through SFTP, with the following errors.

FileZilla:

Code:
Status: Connecting to server1.in:4xxxx...
Response: fzSftp started
Command: open "[email protected]" 4xxxx
Command: Pass: ******
Status: Connected to server1.in
Error: Connection closed by server with exitcode 1
Error: Could not connect to server

/var/log/auth.log:

Code:
Oct 9 14:03:24 ns01 sshd[5408]: Accepted password for defaultchotu2 from 182.xxx.xxx.xxx port 5xxx8 ssh2
Oct 9 14:03:24 ns01 sshd[5408]: pam_unix(sshd:session): session opened for user defaultchotu2 by (uid=0)
Oct 9 14:03:24 ns01 sshd[5565]: subsystem request for sftp by user defaultchotu2
Oct 9 14:03:24 ns01 jk_chrootsh[5566]: now entering jail /var/www/clients/client0/web2 for user defaultchotu2 (5005) with arguments -c /usr/lib/openssh/sftp-server
Oct 9 14:03:25 ns01 sshd[5408]: pam_unix(sshd:session): session closed for user defaultchotu2
Oct 9 14:03:32 ns01 sshd[5567]: Accepted password for defaultchotu2 from 182.xxx.xxx.xxx port 5xx29 ssh2
Oct 9 14:03:32 ns01 sshd[5567]: pam_unix(sshd:session): session opened for user defaultchotu2 by (uid=0)
Oct 9 14:03:33 ns01 sshd[5724]: subsystem request for sftp by user defaultchotu2
Oct 9 14:03:33 ns01 jk_chrootsh[5725]: now entering jail /var/www/clients/client0/web2 for user defaultchotu2 (5005) with arguments -c /usr/lib/openssh/sftp-server
Oct 9 14:03:33 ns01 sshd[5567]: pam_unix(sshd:session): session closed for user defaultchotu2

The weird thing is that I cannot even transfer files from my main user account (with root privileges via 'sudo su') to the /var/www/clients/client0/web2 or /var/www/clients/client0/web1 directories.

Additional Info:

1. /etc/passwd contains the following:

Code:
web1:x:5004:5005::/var/www/clients/client0/web1:/bin/false
web2:x:5005:5005::/var/www/clients/client0/web2/./home/defaultchotu2:/usr/sbin/jk_chrootsh
defaultchotu:x:5004:5005::/var/www/clients/client0/web1:/bin/bash
defaultchotu2:x:5005:5005::/var/www/clients/client0/web2/./home/defaultchotu2:/usr/sbin/jk_chrootsh

2. Before even installing ISPConfig3, I had:
- Disabled root login in /etc/ssh/sshd_config
- Changed the SSH port from 22 to xxxxx in /etc/ssh/sshd_config
- Changed the protocol from 1,2 to 2 in /etc/ssh/sshd_config
- Added UsePAM yes in /etc/ssh/sshd_config
- UseDNS no in /etc/ssh/sshd_config
- AllowGroups sshdusers in /etc/ssh/sshd_config

3. /etc/sudoers contains the following lines:

Code:
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
www-data ALL=(root) NOPASSWD: /usr/sbin/repquota

4. Now, to cope with this security measure, I ran the following commands right after adding the users in ISPConfig > Shell-Users, to add these users to the allowed groups:

Code:
addgroup defaultchotu admin
addgroup defaultchotu sshdusers
addgroup web1 admin
addgroup web1 sshdusers
service ssh restart
service sudo restart
addgroup defaultchotu2 admin
addgroup defaultchotu2 sshdusers
addgroup web2 admin
addgroup web2 sshdusers
service ssh restart
service sudo restart
reboot

Update 1

a) Can this be a quota problem? I ask because I skipped the quota settings mentioned in step 16 of The Perfect Server - Ubuntu 12.04 LTS. The reason I feel this is that ISPC created a few lines in /etc/fstab:

Code:
/var/log/ispconfig/httpd/example.in /var/www/clients/client0/web1/log none bind,nobootwait 0 0
/var/log/ispconfig/httpd/example2.in /var/www/clients/client0/web2/log none bind,nobootwait 0 0

b) Although I had tried this before, I tried once again to create an FTP user in the ISPC panel from Sites > FTP Account > New User, but still no success. I can connect to the FTP in the base directory (web2) but cannot upload files (download works). Here is the error I get in FileZilla:

Code:
Command: TYPE A
Response: 200 TYPE is now ASCII
Command: PASV
Response: 227 Entering Passive Mode (198,xxx,xx,xx,xxx,xxx)
Command: STOR testscript.sh
Response: 553 Can't open that file: Permission denied
Error: Critical file transfer error
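A small diagnostic for the "permission denied" writes described in the post above, added here as an example; it is not part of the original post and not ISPConfig's own code. Given a directory and a user name it reports the three things that decide whether a new file can be created there: the filesystem immutable attribute (which denies writes to everyone, root included, and is the one check worth running when even 'sudo su' cannot write, as the post reports), whether the user is owner, group member or "other" for that directory, and the corresponding write bit. It only reports what stat(1), id(1) and lsattr(1) show; it does not guess the cause. It assumes GNU coreutils (stat -c) and e2fsprogs (lsattr), as shipped with Ubuntu 12.04; the function name why_no_write and the usage paths are illustrative.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post or from ISPConfig).
# Reports why a user cannot create files in a directory.
# Assumes GNU coreutils (stat -c %U/%G/%a) and e2fsprogs (lsattr), as on
# Ubuntu 12.04. The function name is illustrative.

# why_no_write DIR USER
#   returns 0: a write should succeed
#   returns 1: a write should be denied (reason printed)
#   returns 2: bad arguments (no such directory or user)
why_no_write() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    groups=$(id -Gn "$user" 2>/dev/null) || { echo "$user: no such user"; return 2; }
    owner=$(stat -c %U "$dir")
    group=$(stat -c %G "$dir")
    perm=$(stat -c %a "$dir")
    perm=$(printf '%s' "$perm" | tail -c 3)   # drop a leading setuid/setgid/sticky digit

    # 1. Immutable attribute (chattr +i): denies writes to everyone, root included.
    #    lsattr fails on filesystems without ext attributes; treat that as "not set".
    if command -v lsattr >/dev/null 2>&1; then
        attrs=$(lsattr -d "$dir" 2>/dev/null | cut -d' ' -f1)
        case $attrs in
            *i*) echo "$dir: immutable attribute set ($attrs); even root is denied"
                 return 1 ;;
        esac
    fi

    # 2. root bypasses the mode bits on an ordinary directory.
    if [ "$(id -u "$user")" -eq 0 ]; then
        echo "$user is root: mode bits do not apply, write permitted"
        return 0
    fi

    # 3. Pick the permission class the user falls into and test its write bit (value 2).
    #    $groups is deliberately unquoted so each group name becomes one line.
    if [ "$owner" = "$user" ]; then
        class=owner; bit=$(echo "$perm" | cut -c1)
    elif printf '%s\n' $groups | grep -qx -- "$group"; then
        class="group $group"; bit=$(echo "$perm" | cut -c2)
    else
        class=other; bit=$(echo "$perm" | cut -c3)
    fi
    if [ $((bit & 2)) -ne 0 ]; then
        echo "$user is $class of $dir (mode $perm): write permitted"
        return 0
    fi
    echo "$user is $class of $dir (owner $owner, group $group, mode $perm): no write bit for $class"
    return 1
}

# Usage (illustrative paths from the post):
#   sh why_no_write.sh /var/www/clients/client0/web1 defaultchotu
if [ $# -ge 2 ]; then
    why_no_write "$1" "$2"
fi
```

Run it as root so that lsattr can read the attribute and id can resolve the shell user; a clean "write permitted" from this script together with a real "permission denied" points at something outside the directory itself (a chroot that maps the path elsewhere, ACLs, or quota), which narrows the search.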
Maybe it would be appropriate to post the solution you found, so that other users could benefit from it if they have the same problem. Thanks.