jailkit el8 ispconfig 3.2.7

Discussion in 'Installation/Configuration' started by w3bservice, Dec 16, 2021.

Thread Status:
Not open for further replies.
  1. w3bservice

    w3bservice Member

    Hello,
    I'm struggling with jailkit.
    System is CentOS8/RHEL8/RockyLinux8 version 8.5.
    PHP and additional PHP versions from remi's repo.
    Web server is Apache 2.4.51, Postfix 3.6.3.
    Code:
    Dec 16 16:46:02 server2 useradd[519416]: new user: name=franke123592, UID=5008, GID=5006, home=/var/www/clients/client2/web5/home/franke123592, shell=/bin/false
    Dec 16 16:46:03 server2 usermod[519434]: lock user 'franke123592' password
    Dec 16 16:46:03 server2 usermod[519446]: change user 'franke123592' home from '/var/www/clients/client2/web5/home/franke123592' to '/var/www/clients/client2/web5/./home/franke123592'
    Dec 16 16:46:03 server2 usermod[519454]: change user 'franke123592' shell from '/bin/false' to '/usr/sbin/jk_chrootsh'
    Dec 16 16:46:04 server2 usermod[519471]: unlock user 'franke123592' password
    Dec 16 16:47:09 server2 sshd[519764]: Accepted publickey for franke123592 from 192.168.168.244 port 46518 ssh2: RSA SHA256:751ms1GLqAzMRg95mq6D1B8wIEoQQCsbm/3JG64bXpA
    Dec 16 16:47:09 server2 sshd[519764]: pam_systemd(sshd:session): Failed to create session: Failed to add required mount "/var/www/clients/client2/web5/./home/franke123592": Success
    Dec 16 16:47:09 server2 sshd[519764]: pam_unix(sshd:session): session opened for user franke123592 by (uid=0)
    Dec 16 16:47:09 server2 systemd[519769]: pam_unix(systemd-user:session): session opened for user franke123592 by (uid=0)
    Dec 16 16:47:09 server2 sshd[519767]: Received disconnect from 192.168.168.244 port 46518:11: disconnected by user
    Dec 16 16:47:09 server2 sshd[519767]: Disconnected from user franke123592 192.168.168.244 port 46518
    Dec 16 16:47:09 server2 sshd[519764]: pam_unix(sshd:session): session closed for user franke123592
    
    The user can log in, but is logged out immediately.
    I hope you can help me.

    THX
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I don't think I've run into that before, but I don't use Centos systems, so maybe that's normal. What version of jailkit do you have installed?
     
  3. w3bservice

    w3bservice Member

    jailkit-2.23
    I had two servers with CentOS 7 and jailkit-2.21; they run.
     
    Last edited: Dec 16, 2021
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    w3bservice said: "i had two servers with centos7 and jailkit-2.21 they run"
    Do the centos7 systems have that same 'Failed to add required mount' message? The systemd setup from centos7 to 8 could be quite different, I'm sure, but maybe that does indicate a problem. What type of server environment is this, eg. a container or vm or ? (Eg. mounts will fail in unprivileged lxc containers at least.)
     
    Last edited: Dec 16, 2021
  5. w3bservice

    w3bservice Member

    Not a VM or container.
    A bare-metal root server.

    I have updated systemd to 249.2.
    Code:
    Dec 16 21:17:56 server2 sshd[22873]: Accepted publickey for w3bservice2 from 192.168.168.244 port 39578 ssh2: RSA SHA256:751ms1GLqAzMRg95mq6D1B8wIEoQQCsbm/3JG64bXpA
    Dec 16 21:17:56 server2 systemd[22877]: pam_unix(systemd-user:session): session opened for user web27 by (uid=0)
    Dec 16 21:17:56 server2 sshd[22873]: pam_unix(sshd:session): session opened for user w3bservice2 by (uid=0)
    Dec 16 21:17:57 server2 sshd[22889]: Received disconnect from 192.168.168.244 port 39578:11: disconnected by user
    Dec 16 21:17:57 server2 sshd[22889]: Disconnected from user w3bservice2 192.168.168.244 port 39578
    Dec 16 21:17:57 server2 sshd[22873]: pam_unix(sshd:session): session closed for user w3bservice2

    The strange thing is "Received disconnect from 192.168.168.244 port 39578:11: disconnected by user".
     
    Last edited: Dec 16, 2021
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I really have not much idea at this point, and no systems to test/compare. Do you have systemd-homed.service active? I wouldn't guess that's it, because:
    Code:
          Note that systemd-homed.service and homectl will not manage
          "classic" UNIX user accounts as created with useradd(8) or
          similar tools.
    
    But I don't know what else related to pam_systemd would try to mount a homedir offhand.
     
  7. w3bservice

    w3bservice Member

    systemctl status systemd-homed.service
    Unit systemd-homed.service could not be found.
    After updating systemd, it no longer tries to mount. I see the login and then the connection is interrupted. /var/log/secure says:
    Code:
    Dec 16 21:17:57 server2 sshd[22889]: Received disconnect from 192.168.168.244 port 39578:11: disconnected by user
    Dec 16 21:17:57 server2 sshd[22889]: Disconnected from user w3bservice2 192.168.168.244 port 39578
     
  8. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Enable verbosity/debugging in your ssh client and see what's going on from that side.
     
  9. w3bservice

    w3bservice Member

    Code:
    ssh -i ~/.ssh/franke12359_rsa [email protected] -p32768 -vvv                                                                                                                         53 
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
    debug1: Reading configuration data /root/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug2: resolving "192.168.168.168" port 32768
    debug2: ssh_connect_direct: needpriv 0
    debug1: Connecting to 192.168.168.168 [192.168.168.168] port 32768.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/franke12359_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/franke12359_rsa-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.4
    debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
    debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to 192.168.168.168:32768 as 'w3bservice1'
    debug3: put_host_port: [192.168.168.168]:32768
    debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
    debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
    debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
    debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,[email protected],zlib
    debug2: compression stoc: none,[email protected],zlib
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
    debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: ciphers ctos: [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc
    debug2: ciphers stoc: [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc
    debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
    debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512
    debug2: compression ctos: none,[email protected]
    debug2: compression stoc: none,[email protected]
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
    debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
    debug1: kex: curve25519-sha256 need=64 dh_need=64
    debug1: kex: curve25519-sha256 need=64 dh_need=64
    debug3: send packet: type 30
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug3: receive packet: type 31
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:5Jsj8M6eHLMzyfR+8iN24XiZ+Iui3/4gMPq0Cbz+fck
    debug3: put_host_port: [192.168.168.168]:32768
    debug3: put_host_port: [192.168.168.168]:32768
    debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
    debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
    debug1: checking without port identifier
    debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:47
    debug3: load_hostkeys: loaded 1 keys from 192.168.168.168
    debug1: Host '192.168.168.168' is known and matches the ECDSA host key.
    debug1: Found key in /root/.ssh/known_hosts:47
    debug1: found matching key w/out port
    debug3: send packet: type 21
    debug2: set_newkeys: mode 1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: receive packet: type 21
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey after 134217728 blocks
    debug2: key: /root/.ssh/franke12359_rsa (0x558a946c0fa0), explicit, agent
    debug2: key: /home/joerg/.ssh/id_rsa (0x558a946c6360), agent
    debug2: key: /home/joerg/.ssh/tea_berlin_rsa (0x558a946bf530), agent
    debug2: key: [email protected] (0x558a946c8ad0), agent
    debug2: key: [email protected] (0x558a946c6870), agent
    debug2: key: [email protected] (0x558a946c4ba0), agent
    debug2: key: [email protected] (0x558a946c7810), agent
    debug3: send packet: type 5
    debug3: receive packet: type 7
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug3: receive packet: type 6
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug3: send packet: type 50
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /root/.ssh/franke12359_rsa
    debug3: send_pubkey_test
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 60
    debug1: Server accepts key: pkalg rsa-sha2-512 blen 535
    debug2: input_userauth_pk_ok: fp SHA256:751ms1GLqAzMRg95mq6D1B8wIEoQQCsbm/3JG64bXpA
    debug3: sign_and_send_pubkey: RSA SHA256:751ms1GLqAzMRg95mq6D1B8wIEoQQCsbm/3JG64bXpA
    debug3: send packet: type 50
    debug3: receive packet: type 52
    debug1: Authentication succeeded (publickey).
    Authenticated to 192.168.168.168 ([192.168.168.168]:32768).
    debug1: channel 0: new [client-session]
    debug3: ssh_session2_open: channel_new: 0
    debug2: channel 0: send open
    debug3: send packet: type 90
    debug1: Requesting [email protected]
    debug3: send packet: type 80
    debug1: Entering interactive session.
    debug1: pledge: network
    debug3: receive packet: type 80
    debug1: client_input_global_request: rtype [email protected] want_reply 0
    debug3: receive packet: type 4
    debug1: Remote: /var/www/clients/client1/web2/./home/w3bservice1/.ssh/authorized_keys:22: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
    debug3: receive packet: type 4
    debug1: Remote: /var/www/clients/client1/web2/./home/w3bservice1/.ssh/authorized_keys:22: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
    debug3: receive packet: type 91
    debug2: callback start
    debug2: fd 3 setting TCP_NODELAY
    debug3: ssh_packet_set_tos: set IP_TOS 0x10
    debug2: client_session2_setup: id 0
    debug2: channel 0: request pty-req confirm 1
    debug3: send packet: type 98
    debug2: channel 0: request shell confirm 1
    debug3: send packet: type 98
    debug2: callback done
    debug2: channel 0: open confirm rwindow 0 rmax 32768
    debug3: receive packet: type 99
    debug2: channel_input_status_confirm: type 99 id 0
    debug2: PTY allocation request accepted on channel 0
    debug2: channel 0: rcvd adjust 2097152
    debug3: receive packet: type 99
    debug2: channel_input_status_confirm: type 99 id 0
    debug2: shell request accepted on channel 0
    debug3: receive packet: type 98
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug3: receive packet: type 98
    debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
    debug2: channel 0: rcvd eow
    debug2: channel 0: close_read
    debug2: channel 0: input open -> closed
    debug3: receive packet: type 96
    debug2: channel 0: rcvd eof
    debug2: channel 0: output open -> drain
    debug3: receive packet: type 97
    debug2: channel 0: rcvd close
    debug3: channel 0: will not send data after close
    Activate the web console with: systemctl enable --now cockpit.socket
    
    Last login: Thu Dec 16 22:11:10 2021 from 192.168.168.244
    debug3: channel 0: will not send data after close
    debug2: channel 0: obuf empty
    debug2: channel 0: close_write
    debug2: channel 0: output drain -> closed
    debug2: channel 0: almost dead
    debug2: channel 0: gc: notify user
    debug2: channel 0: gc: user detached
    debug2: channel 0: send close
    debug3: send packet: type 97
    debug2: channel 0: is dead
    debug2: channel 0: garbage collecting
    debug1: channel 0: free: client-session, nchannels 1
    debug3: channel 0: status: The following connections are open:
      #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)
    
    debug3: send packet: type 1
    Connection to 192.168.168.168 closed.
    Transferred: sent 3888, received 3476 bytes, in 0.2 seconds
    Bytes per second: sent 20287.1, received 18137.3
    debug1: Exit status 53
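
An added example (not part of any post in this thread): a small Python triage of `ssh -vvv` client output like the transcript above, reporting which session milestones were reached and the remote exit status. The function name `triage` and the shortened sample are constructed for illustration.

```python
import re

# Constructed sample: a shortened excerpt of the client debug output above.
SAMPLE = """\
debug1: Authentication succeeded (publickey).
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: PTY allocation request accepted on channel 0
debug2: shell request accepted on channel 0
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd eof
debug2: channel 0: rcvd close
debug1: Exit status 53
"""

# Ordered milestones of an interactive OpenSSH client session.
STAGES = [
    ("authenticated", re.compile(r"Authentication succeeded \(\S+\)")),
    ("pty_accepted", re.compile(r"PTY allocation request accepted")),
    ("shell_accepted", re.compile(r"shell request accepted")),
    ("exit_status_received", re.compile(r"rtype exit-status")),
]
EXIT_RE = re.compile(r"debug1: Exit status (-?\d+)")


def triage(debug_text):
    """Return the milestones reached, the remote exit status and a verdict."""
    reached = [name for name, rx in STAGES if rx.search(debug_text)]
    match = EXIT_RE.search(debug_text)
    exit_status = int(match.group(1)) if match else None

    if "authenticated" not in reached:
        verdict = "failed before or during authentication"
    elif "shell_accepted" not in reached:
        verdict = "authenticated, but the server did not start a shell"
    elif exit_status is None:
        verdict = "shell started; no exit status seen (connection dropped?)"
    elif exit_status != 0:
        # The server started the user's login shell and it terminated
        # by itself, so the cause is server-side, after authentication.
        verdict = "login shell started on the server and exited with status %d" % exit_status
    else:
        verdict = "shell started and exited normally"
    return {"reached": reached, "exit_status": exit_status, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["reached"])
    print(result["verdict"])
```

Run on the transcript above, this reports that authentication, the PTY request and the shell request all succeeded and that the remote side then returned exit status 53, which places the failure in whatever the server runs as the user's login shell rather than in SSH authentication.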
    
     
  10. pannet1

    pannet1 Member

    You may want to replace the actual user@host with something like [email protected] please.
     
  11. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I don't see anything problematic in that output right off. Have you tried creating a new jail since fixing your initial systemd issue? (not just add another user to the same jail, but eg. create a new website with ssh user to ensure the entire jail is new) Anything else reporting anything in log files when you connect?
     
  12. w3bservice

    w3bservice Member

    Any new sites, any new users, the same problem.
     
  13. w3bservice

    w3bservice Member

    These users, IPs and hosts do not exist; they are fictitious.
    But thanks for the tip, but it doesn't help me either.
     
  14. w3bservice

    w3bservice Member

    What I found out is that it is the server that is doing something or not that is causing the client to close the connection. I will create a VM and test with it. I have now installed pure-ftpd as a stopgap. Let's see, I will report back to you.
    Thanks
     
  15. w3bservice

    w3bservice Member

    Please close this thread.
     