Hey Fellas, It seems that no matter if I create a new shell user as the admin user or if create the new shell user as the client user, it results in a duplicate user ID in my /etc/passwd file. Shell user created as admin: Code: ssh login: ssh [email protected] [email protected]:~$ #getent passwd | cut -d: -f3 | sort -n | uniq -d 5008 /etc/passwd content web2:x:5007:5008::/var/www/clients/client1/web2:/bin/false web4:x:5008:5008::/var/www/clients/client1/web4/./home/web4:/usr/sbin/jk_chrootsh admin:x:5008:5008::/var/www/clients/client1/web4/./home/admin:/usr/sbin/jk_chrootsh If I manually change the duplicate key to Code: admin:x:5009:5009::/var/www/clients/client1/web4/./home/admin:/usr/sbin/jk_chrootsh I get locked out of ssh: Code: [email protected]: Permission denied (publickey). How do I resolve the duplicate uid issue?
There is no issue at all, all shell users of a website must share the same ID that the web user of that site has. That's to be expected of course as you replaced the correct ID of that user with a wrong ID. To fix your fault, change the ID back or delete the website incl. ssh users and recreate it and next time, do not alter any user ID's.
Understood...FYI, Lynis considers the duplicate IDs a problem, hence my concern: Code: -[ Lynis 3.0.4 Results ]- Warnings (2): ---------------------------- ! Multiple accounts found with same UID [AUTH-9208] https://cisofy.com/lynis/controls/AUTH-9208/
Don't follow blindly any automated scan tools, they are all more or less faulty, as you can see again here. Having duplicate ID's is perfectly fine and within the Linux user specifications, even mentioned in the manual pages if I remember correctly and it's necessary in this case, that's why ISPConfig is doing this. You are concerned about security? On web servers, websites get hacked because users tend to not update them, not the servers themself get hacked, just the websites. And when a server gets hacked, which is really rare, then this typically happens because users did not install available updates or did not upgrade the os when update support ended or users use weak passwords. Use the standard setup, take care to install updates, use ssh key-based auth for your ssh root user, and if you want to run services that shall not be reachable from the internet, then put a firewall in front. Don't use things like mod_security as I mentioned in the past, you learned already that it causes all kinds of issues unless you disable many rules. mod_security is fine in special cases when not being activated for the whole server but for an older site that got already hacked and can't be updated.
My apologies for the lost time on a "false positive", I lost a bit of time chasing the issue as well. However, in all fairness, I learned of Lynis from one of your posts: https://www.howtoforge.com/tutorial/how-to-scan-linux-for-malware-and-rootkits/ And, I do try to avoid wasting everyone's time with low level posts / false positives, but a "known bugs, conflicts, & issues" section doesn't exist in the manual or online wiki. And hoping to avoid, exactly this type of false positive post... I did previously ask if there were any potential conflicts between ispconfig and lynis that I should know about. https://www.howtoforge.com/communit...ween-lynis-needs-ispconfig.86833/#post-421734 In any case, thanks again for the feedback and I will double my efforts to identify false positives before posting.
