I am a new ISPConfig user. I just created my first site. I then created a shell user. However, I cannot log in through SSH. I have been trying to resolve this issue and searching for hours. The shell user shows up in /etc/passwd, but not in sshusers. How can I resolve this?
Please post the exact error message from the auth log file. Also make sure that you used the correct username to log in (incl. the username prefix) as it is displayed in the ssh user list.
From /var/log/auth.log:

Code:
May 23 23:52:21 li74-222 sshd[27633]: User [USERNAME] from [HOST] not allowed because none of user's groups are listed in AllowGroups
May 23 23:52:21 li74-222 sshd[27633]: Failed none for invalid user [USERNAME] from [IP] port 49679 ssh2
May 23 23:52:29 li74-222 sshd[27633]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[HOST] user=[USERNAME]
May 23 23:52:31 li74-222 sshd[27633]: Failed password for invalid user [USERNAME] from [IP] port 49679 ssh2

(I manually inserted [USERNAME] [HOST] [IP])

So then I checked /etc/ssh/sshd_config to see which groups are in AllowGroups. As expected, it is sshusers. So the error makes sense because the user created by ISPConfig is not in sshusers. My original question remains. How come it isn't?
ISPConfig does not use a group named sshusers. Please reconfigure your ssh and remove that group limit.
3 follow-up questions:

1) I didn't create that group. Shouldn't ISPConfig be taking care of all that stuff? Or at least mention it during installation or somewhere in the 300-page manual?

2) There is already a user web1 in sshusers. I think ISPConfig created that user. If so, doesn't that mean that ISPConfig is aware of sshusers group and should be adding other users to it?

3) If I remove that group limit, wouldn't that make the system less secure? If I have to modify system settings outside of ISPConfig, wouldn't it make more sense to just add that user to sshusers?

It just doesn't make sense to me why I would have to modify system settings in order to make ISPConfig perform basic functions.
As I mentioned above, ISPConfig has no support for group limits in SSH and ISPConfig has not configured such a limit in your sshd_config file. Also, such a limit is not the default in any of the supported Linux distributions, so either you configured that limit or the person who installed the server or the hosting provider where you rented that server has altered the configuration in that way. The manual mentions only features of ISPConfig and not something that is not supported, of course. All ISPConfig system users that are not allowed to log in by ssh have logins globally disabled, so only users that you add in ISPConfig as ssh users can log in with ssh.
I understand what you are saying, but if ISPConfig has no support for group limits, why is user web1 part of sshusers? How do I know web1 was created by ISPConfig, you may ask. Looking at /etc/passwd, it was created after user ispconfig and before the shell user I created in ISPConfig. Also, the home directory is /var/www/clients/client1/web1/./home/web1 which was created by ISPConfig.
Either you added no ssh user for the other website yet (as a web1 user is not an ssh user, it's just the owner of the website), ssh users are alias users with the same id as the website owner, or you use jailkit only for some websites.
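The AllowGroups refusal shown in the auth.log excerpt can be reproduced offline with the check below. It is an added example, not part of the thread or of ISPConfig; the function names, the account name exampleshell and the group client1 are constructed, and it covers only AllowGroups in a single sshd_config file (no Match blocks, Include lines or negated patterns).

```shell
#!/bin/sh
# Added example, not from the thread: would sshd's AllowGroups test pass?
# Assumptions: one sshd_config file, no Match blocks, Include lines or
# negated (!) patterns. Real use:
#   group_login_allowed /etc/ssh/sshd_config "$(id -Gn USERNAME)"

# Print each group pattern from AllowGroups lines (keyword is case-insensitive).
allowed_group_patterns() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# group_login_allowed CONFIG "group1 group2 ..."
# Returns 0 if one of the groups matches an AllowGroups pattern, or if the
# file sets no AllowGroups at all; returns 1 if sshd would refuse the login.
group_login_allowed() {
    config=$1
    user_groups=$2
    patterns=$(allowed_group_patterns "$config")
    [ -z "$patterns" ] && return 0
    set -f    # stop * and ? in patterns from expanding to file names
    for pat in $patterns; do
        for grp in $user_groups; do
            case $grp in
                $pat) set +f; return 0 ;;
            esac
        done
    done
    set +f
    return 1
}

# Constructed sample: the limit from the thread and two constructed accounts.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'AllowGroups sshusers' > "$sample"
for entry in 'web1:web1 sshusers' 'exampleshell:client1'; do
    if group_login_allowed "$sample" "${entry#*:}"; then
        echo "${entry%%:*} (groups: ${entry#*:}): allowed"
    else
        echo "${entry%%:*} (groups: ${entry#*:}): refused by AllowGroups"
    fi
done
rm -f "$sample"
```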