possible ubuntu 20.04 jailkit issue.

Discussion in 'Installation/Configuration' started by nhybgtvfr, Sep 8, 2020.

  1. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    hi.
    just an heads up on a possible problem with client ssh users on ubuntu 20.04.
    i've got a test server, originally installed with ubuntu 18.04 and ispconfig 3.1.15p3
    i've recently upgraded the OS to ubuntu 20.04. i have run ispconfig_update.sh to reconfigure services, but i can't remember if i chose git-stable or something else. and so far it's all been working ok, not noticed any problems until now, having just tried to create a client jailkit ssh user.

    ispconfig doesn't appear to throw any errors creating the jailkit user, all the etc home bin et all folders are creating in the /var/www/clients/client#/web#/ folder as expected, except for the run folder, but i'm not sure off hand if that's only created when needed.

    when trying to login as the client user, it successfully logs in, and then immediately gets disconnected.
    i've got this from the /var/log/auth.log:

    Code:
    Sep  8 12:05:20 hub sshd[163382]: Accepted publickey for c2demo3 from 192.168.40.22 port 55128 ssh2: RSA SHA256:lpnBGz8pSTd7UBD1fHajECimO8db1aPBkL3pN/G+icM
    Sep  8 12:05:20 hub sshd[163382]: pam_unix(sshd:session): session opened for user c2demo3 by (uid=0)
    Sep  8 12:05:20 hub systemd-logind[822]: New session 344 of user web17.
    Sep  8 12:05:20 hub systemd: pam_unix(systemd-user:session): session opened for user web17 by (uid=0)
    Sep  8 12:05:21 hub jk_chrootsh[163483]: now entering jail /var/www/clients/client2/web17 for user c2demo3 (5020) with arguments
    Sep  8 12:05:21 hub jk_chrootsh[163483]: ERROR: failed to execute shell /bin/bash for user c2demo3 (5020), check the permissions and libraries of /var/www/clients/client2/web17//bin/bash
    Sep  8 12:05:21 hub sshd[163482]: Received disconnect from 192.168.40.22 port 55128:11: disconnected by user
    Sep  8 12:05:21 hub sshd[163482]: Disconnected from user c2demo3 192.168.40.22 port 55128
    Sep  8 12:05:21 hub sshd[163382]: pam_unix(sshd:session): session closed for user c2demo3
    Sep  8 12:05:21 hub systemd-logind[822]: Session 344 logged out. Waiting for processes to exit.
    Sep  8 12:05:21 hub systemd-logind[822]: Removed session 344.
    
    i've checked all the jailkit settings in ispconfig against a known good production 18.04 server, and they are all match. i've also checked the jk_init.ini file against the production server and that matches as well. jailkit version is 2.21

    i've also checked a couple of the jailkit folder contents, etc and bin.
    the 18.04 production server contains:
    Code:
    alternatives  group      hosts  jailkit      ld.so.conf  nsswitch.conf  php      protocols    ssl       vim
    bash.bashrc   host.conf  issue  ld.so.cache  localtime   passwd         profile  resolv.conf  terminfo
    
    and
    Code:
    bash   cp    dd     false  gunzip  lesspipe  mkdir   mv    rm     sh     tar    uncompress
    cat    cpio  echo   fgrep  gzip    ln        mktemp  nano  rmdir  sleep  touch  zcat
    chmod  date  egrep  grep   less    ls        more    pwd   sed    sync   true
    
    on the problem 20.04 server they contain:
    Code:
    alternatives  bash.bashrc  ld.so.cache  localtime  passwd
    
    and
    Code:
    nano  rm  tar
    
    i don't believe it's any problem with ispconfig, purely just something between 20.04 and jailkit.
    only thing i've found so far is a suggestion from jesse norell about paths in the basicshell section of jk_init.ini here: https://www.howtoforge.com/community/threads/chroot-shell-jailkit-not-working.78958/
    but that's for the debian jessie to stretch upgrade. i've tried it anyway, and it doesn't resolve the issue.

    i've not found any solution yet, not much else is coming up on google. will keep looking. i do have oh-my-zsh installed as the shell for ubuntu and root. so i need to check if that could be a problem, although i don't think it should be for client users.

    just thought i'd post it here in case there is a real jailkit issue with ubuntu 20.04 to make sure everyone is aware and can test for it before using it in production. (hoping 3.2 is coming real soon :) )
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you use latest stable-3.1 GIT version? The released 3.1.15p3 and older git versions will not work with ubuntu 20.04. I've tested the jails here on Ubuntu 20.04 and they work, but its a few weeks since I did that.
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    If you were able to run that, you probably upgraded to git-stable. You can verify this by logging in to the panel, and then opening the help module. It will show you the installed version there.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The jailkit fix has just been added recently and it can fix only new jails, not existing ones. He will probably see 3.1dev on his system, but he can't see if his system contains the fix or not.
     
  5. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    i can't remember if i used git-stable or something else before, would have been a good 3-4 weeks ago at least.
    i've just run ispconfig_update.sh again now, using git-stable, and created a new jailkit ssh user, the bin and etc directories contain all the expected files, the run directory is created at the user creation time, and the client user logs in and remains connected.

    so it's all good now.:)
    thanks guys.
     
    Th0m and till like this.
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Do you still have the bad/failing shell account? If so, compare the /etc/passwd file entries for that vs. the new working shell user, and please post them if they differ (eg. I think failing one would be missing the /home/blah directory on the end). If that's the issue, new shell accounts will work, but older passwd file entries will still need fixed (I think change your shell user from jailkit to non-jailkit and back should do it; possibly resync shell users would too, but not positive).
     
  7. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    i was deleting the ssh user and all the extra folders and then recreating the ssh user for the site i was testing.
    did still have an ssh user created on another site a couple of weeks ago, i've just tested that and it immediately gets logged out after login.
    c2demo1 (web15) is the non-working ssh user, and c2demo3 (web19) is the new working ssh user. entries in /etc/passwd look identical:

    Code:
    web15:x:5018:5006::/var/www/clients/client2/web15/./home/web15:/usr/sbin/jk_chrootsh
    web19:x:5022:5006::/var/www/clients/client2/web19/./home/web19:/usr/sbin/jk_chrootsh
    c2demo1:x:5018:5006::/var/www/clients/client2/web15/./home/c2demo1:/usr/sbin/jk_chrootsh
    c2demo5:x:5022:5006::/var/www/clients/client2/web19/./home/c2demo5:/usr/sbin/jk_chrootsh
    
    just running a resync of ssh users now.....

    and the previously missing jailkit /run folder and the missing executables in /bin and /etc are all in /var/www/clients/client2/web15 folder structure now. and ssh'ing using the previously non-working ssh user now logs in and stays connected.

    so looks like /etc/passwd is fine, and just a resync of shell users will fix any already existing ssh accounts.

    possibly a jk_init -j of the broken account would fix it, but for multiple accounts/servers a resync from the control panel's probably quicker/easier to do anyway.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    nhybgtvfr likes this.
  9. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ah... automated daily jailkit updates... cool. one more thing we don't have to worry about forgetting to do regularly. :oops:
     
  10. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Ok, there were actually 2 issues that could have caused jailkit to fail, a bad [openvpn] jail definition in some recent jk_init.ini, as well as a bug in creating the passwd entry for jailkit users in some cases. I believe resync of shell accounts would fix the latter, but you seem to be running a fixed version of jk_init.ini now as well, so it could have probably been either issue. Now worries now, I'm just collecting data for the updater. (You and anyone else who would are certainly invited to test it out soon (not in 3.2beta1), on non-production or well backed up systems.)
     
  11. Related? https://www.howtoforge.com/community/threads/debian-buster-jailkit-concern.85121/
     

Share This Page