hi. just an heads up on a possible problem with client ssh users on ubuntu 20.04. i've got a test server, originally installed with ubuntu 18.04 and ispconfig 3.1.15p3 i've recently upgraded the OS to ubuntu 20.04. i have run ispconfig_update.sh to reconfigure services, but i can't remember if i chose git-stable or something else. and so far it's all been working ok, not noticed any problems until now, having just tried to create a client jailkit ssh user. ispconfig doesn't appear to throw any errors creating the jailkit user, all the etc home bin et all folders are creating in the /var/www/clients/client#/web#/ folder as expected, except for the run folder, but i'm not sure off hand if that's only created when needed. when trying to login as the client user, it successfully logs in, and then immediately gets disconnected. i've got this from the /var/log/auth.log: Code: Sep 8 12:05:20 hub sshd[163382]: Accepted publickey for c2demo3 from 192.168.40.22 port 55128 ssh2: RSA SHA256:lpnBGz8pSTd7UBD1fHajECimO8db1aPBkL3pN/G+icM Sep 8 12:05:20 hub sshd[163382]: pam_unix(sshd:session): session opened for user c2demo3 by (uid=0) Sep 8 12:05:20 hub systemd-logind[822]: New session 344 of user web17. Sep 8 12:05:20 hub systemd: pam_unix(systemd-user:session): session opened for user web17 by (uid=0) Sep 8 12:05:21 hub jk_chrootsh[163483]: now entering jail /var/www/clients/client2/web17 for user c2demo3 (5020) with arguments Sep 8 12:05:21 hub jk_chrootsh[163483]: ERROR: failed to execute shell /bin/bash for user c2demo3 (5020), check the permissions and libraries of /var/www/clients/client2/web17//bin/bash Sep 8 12:05:21 hub sshd[163482]: Received disconnect from 192.168.40.22 port 55128:11: disconnected by user Sep 8 12:05:21 hub sshd[163482]: Disconnected from user c2demo3 192.168.40.22 port 55128 Sep 8 12:05:21 hub sshd[163382]: pam_unix(sshd:session): session closed for user c2demo3 Sep 8 12:05:21 hub systemd-logind[822]: Session 344 logged out. Waiting for processes to exit. Sep 8 12:05:21 hub systemd-logind[822]: Removed session 344. i've checked all the jailkit settings in ispconfig against a known good production 18.04 server, and they are all match. i've also checked the jk_init.ini file against the production server and that matches as well. jailkit version is 2.21 i've also checked a couple of the jailkit folder contents, etc and bin. the 18.04 production server contains: Code: alternatives group hosts jailkit ld.so.conf nsswitch.conf php protocols ssl vim bash.bashrc host.conf issue ld.so.cache localtime passwd profile resolv.conf terminfo and Code: bash cp dd false gunzip lesspipe mkdir mv rm sh tar uncompress cat cpio echo fgrep gzip ln mktemp nano rmdir sleep touch zcat chmod date egrep grep less ls more pwd sed sync true on the problem 20.04 server they contain: Code: alternatives bash.bashrc ld.so.cache localtime passwd and Code: nano rm tar i don't believe it's any problem with ispconfig, purely just something between 20.04 and jailkit. only thing i've found so far is a suggestion from jesse norell about paths in the basicshell section of jk_init.ini here: https://www.howtoforge.com/community/threads/chroot-shell-jailkit-not-working.78958/ but that's for the debian jessie to stretch upgrade. i've tried it anyway, and it doesn't resolve the issue. i've not found any solution yet, not much else is coming up on google. will keep looking. i do have oh-my-zsh installed as the shell for ubuntu and root. so i need to check if that could be a problem, although i don't think it should be for client users. just thought i'd post it here in case there is a real jailkit issue with ubuntu 20.04 to make sure everyone is aware and can test for it before using it in production. (hoping 3.2 is coming real soon )
Did you use latest stable-3.1 GIT version? The released 3.1.15p3 and older git versions will not work with ubuntu 20.04. I've tested the jails here on Ubuntu 20.04 and they work, but its a few weeks since I did that.
If you were able to run that, you probably upgraded to git-stable. You can verify this by logging in to the panel, and then opening the help module. It will show you the installed version there.
The jailkit fix has just been added recently and it can fix only new jails, not existing ones. He will probably see 3.1dev on his system, but he can't see if his system contains the fix or not.
i can't remember if i used git-stable or something else before, would have been a good 3-4 weeks ago at least. i've just run ispconfig_update.sh again now, using git-stable, and created a new jailkit ssh user, the bin and etc directories contain all the expected files, the run directory is created at the user creation time, and the client user logs in and remains connected. so it's all good now. thanks guys.
Do you still have the bad/failing shell account? If so, compare the /etc/passwd file entries for that vs. the new working shell user, and please post them if they differ (eg. I think failing one would be missing the /home/blah directory on the end). If that's the issue, new shell accounts will work, but older passwd file entries will still need fixed (I think change your shell user from jailkit to non-jailkit and back should do it; possibly resync shell users would too, but not positive).
i was deleting the ssh user and all the extra folders and then recreating the ssh user for the site i was testing. did still have an ssh user created on another site a couple of weeks ago, i've just tested that and it immediately gets logged out after login. c2demo1 (web15) is the non-working ssh user, and c2demo3 (web19) is the new working ssh user. entries in /etc/passwd look identical: Code: web15:x:5018:5006::/var/www/clients/client2/web15/./home/web15:/usr/sbin/jk_chrootsh web19:x:5022:5006::/var/www/clients/client2/web19/./home/web19:/usr/sbin/jk_chrootsh c2demo1:x:5018:5006::/var/www/clients/client2/web15/./home/c2demo1:/usr/sbin/jk_chrootsh c2demo5:x:5022:5006::/var/www/clients/client2/web19/./home/c2demo5:/usr/sbin/jk_chrootsh just running a resync of ssh users now..... and the previously missing jailkit /run folder and the missing executables in /bin and /etc are all in /var/www/clients/client2/web15 folder structure now. and ssh'ing using the previously non-working ssh user now logs in and stays connected. so looks like /etc/passwd is fine, and just a resync of shell users will fix any already existing ssh accounts. possibly a jk_init -j of the broken account would fix it, but for multiple accounts/servers a resync from the control panel's probably quicker/easier to do anyway.
@Jesse Norell is working on a jail update functionality already: https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1120
ah... automated daily jailkit updates... cool. one more thing we don't have to worry about forgetting to do regularly.
Ok, there were actually 2 issues that could have caused jailkit to fail, a bad [openvpn] jail definition in some recent jk_init.ini, as well as a bug in creating the passwd entry for jailkit users in some cases. I believe resync of shell accounts would fix the latter, but you seem to be running a fixed version of jk_init.ini now as well, so it could have probably been either issue. Now worries now, I'm just collecting data for the updater. (You and anyone else who would are certainly invited to test it out soon (not in 3.2beta1), on non-production or well backed up systems.)
