One shell user for ssh access to few websites

Discussion in 'Installation/Configuration' started by Poliman, Jul 19, 2017.

Page 1 of 2
  1. Poliman

    Poliman Member

    Is it possible to get console access to files websites which are belong to one client using one shell user account?
     
    Poliman, Jul 19, 2017
    #1
  2. sjau

    sjau Local Meanie Moderator

    when setting up ISPConfig, did you install Jailkit as well?
     
    sjau, Jul 19, 2017
    #2
  3. Poliman

    Poliman Member

    Yes, I have Jailkit and it works nice. During creation shell user I choose Jailkit all time.
     
    Poliman, Jul 19, 2017
    #3
  4. sjau

    sjau Local Meanie Moderator

    ah, I misunderstood the question. it seems you can grant only access to a website and not to all websites belonging to a user.
     
    sjau, Jul 19, 2017
    #4
  5. Poliman

    Poliman Member

    I was afraid of that. Maybe is some kind of custom, not official, resolve in this case. It would be great. Now, one user who has i.e. five websites, need to create additional five ftp and shell users. Of course if he need ssh/ftp.
     
    Poliman, Jul 19, 2017
    #5
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You could probably do that using bind mounts to remap the user ids. Eg. create your 5 websites, say they are:

    /var/www/clients/client1/web1
    /var/www/clients/client1/web2
    /var/www/clients/client1/web3
    /var/www/clients/client1/web4
    /var/www/clients/client1/web5

    Then create one ssh account, maybe even inside another "fake" website (ie. bogus domain name) for security sake, so the ssh account root (using jailkit) is:

    /var/www/clients/client1/web6

    Then make a directory in web6 and bind mount all the first 5 websites (note: code untested):
    Code:
    for i in 1 2 3 4 5
do
  WEB=/var/www/clients/client1/web${i}/web
  MNT=/var/www/clients/client1/web6/sites/web${i}
  mkdir -p ${MNT}
  U=`stat --printf=%U ${WEB}`
  G=`stat --printf=%G ${WEB}`
  bindfs -r -u ${U} -g ${G} -p ug=rD ${WEB} ${MNT}
done
    You should then be able to login as your ssh user and have website root directories under /sites/web#. The mounts will be lost upon reboot, so add to fstab or write a script to mount them at boot or via cron if you need them to remain persistent.

    The reason for the fake website to hold the ssh account is because web6 won't actually have a website, and hence can't be compromised in that way - if you used say web5 to hold the ssh account, then the web5 website were hacked, the hackers would have access to all the other websites (mounted at /sites).
     
    Jesse Norell, Jul 19, 2017
    #6
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    On further thought, you'd be better off creating directories named after the website (eg. /var/www/clients/client1/web6/sites/domain.tld/) rather than the generic web# name, or at least symlink the website name to the web# directory like ispconfig does now.
     
    Jesse Norell, Jul 20, 2017
    #7
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Why can't aliasdomain with vhost do that? I mean, create one main website, then create websites under it using aliasdomain by giving each of them their own folders like /web/aliasdomain. I do think you should be able to use the "one" ssh and ftp account created for the main website to access other aliasdomain website(s) this way.
     
    ahrasis, Jul 20, 2017
    #8
  9. Poliman

    Poliman Member

    It could help, but in my case unfortunatelly I need independent domains (i.e. for mails).
     
    Poliman, Jul 20, 2017
    #9
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Mail domain? I think they should be independent from the websites. Do check just to make sure.
     
    ahrasis, Jul 20, 2017
    #10
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    yes, they are independent. Using vhost aliasdomains as @ahrasis pointed out should probably work fine if you really want to have just one SSH user for a client.
     
    till, Jul 20, 2017
    #11
  12. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Would an implementation based on bind mounts be worth a feature request in the issue tracker? (ie. anyone interested in adding support native to ispconfig for that?)
     
    Jesse Norell, Jul 20, 2017
    #12
  13. Poliman

    Poliman Member

    Creating aliasdomain under ISP make directories in proper /web/ ? After this could I just create in ISP mail domain and email account for it without any problems?
     
    Poliman, Jul 21, 2017
    #13
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yes. You will need to specify its directory upon creating vhost aliasdomain as mentioned earlier.

    They (mail domain and account) when created should be independent as already confirmed by till above.
     
    ahrasis, Jul 21, 2017
    #14
  15. Poliman

    Poliman Member

    Does it mean I should put some path i.e. /web/somealiasdomain in RedirectPath field in tab "Aliasdomain for website"?
     
    Poliman, Jul 21, 2017
    #15
  16. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    No. Not the aliasdomain for website. Use aliasdomain (vhost) and insert it in the web folder.
     
    ahrasis, Jul 21, 2017
    #16
  17. Poliman

    Poliman Member

    Hmm, so I probably didn't understand how "Use aliasdomain (vhost) and insert it in the web folder.". :)
     
    Poliman, Jul 21, 2017
    #17
  18. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Funny because that should be easy instead of confusing. :p

    Anyway, under ISPC > Sites > Websites there is (at its end) menu to create aliasdomain for website and aliasdomain (vhost) where you should select the later.

    I can't be of much help if you can't even find the menu so please do see the attached picture. ;)

    Under its page, when you click add new aliasdomain button, it will show you a setting page to create the vhost aliasdomain including one setting for Web folder. In there, you should fill in your preferred directory as advised earlier.

    Do you need to be spoonfed with pictures for the above instructions too?
     

    Attached Files:

    ahrasis, Jul 22, 2017
    #18
  19. Poliman

    Poliman Member

    Thanks for message. Please take a look on my screenshot https://ibb.co/iB5T0Q. I don't have there those options which You mention.
     
    Poliman, Jul 24, 2017
    #19
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think to get this shown in the menu you have to first enable vhost in your Main Config.
     
    Last edited: Jul 26, 2017
    ahrasis, Jul 26, 2017
    #20
Page 1 of 2

Share This Page