Hi, I am running ispconfig debian for 4 years non stop till now. However, I have never figured out how to make the ssh shell access for users yet. For example, i created a new shell user like sites -> Shell-User -> Add new shell user site: example.com username[default]:john password: secre+13 however, when i try to access it like Code: ssh [email protected] i am not able to get access due to incorrect password or something. the question is should a real user named john be present in the server for this to work. note: i will provide the verbose output soon as i have a banned myself while trying to ssh into the server.
No, you don't create any system users, just add a Shell User via the ui and it will set things up. Are you trying to setup a shell user inside a jail, or in the base system? If you enable server debugging and run server.sh manually when adding a shell user, it will show what is going on and may identify what the problem is.
hi Jesse, you mean run server.sh from shell and add a shell user from ispconfig control panel at the same time. yes, i am trying to jail the user. meanwhile, here is the verbose output. Code: $ssh -v [email protected] Error loading configuration! [Errno 2] No such file or directory: '/home/whoami/.config/repassh/config.json' Warning: no keys found for identity whoami in: ['/home/whoami/.ssh/identities/whoami', '/home/whoami/.ssh'] All keys already loaded OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Connecting to example.com [45.76.177.132] port 22. debug1: Connection established. debug1: identity file /home/whoami/.ssh/id_rsa type -1 debug1: identity file /home/whoami/.ssh/id_rsa-cert type -1 debug1: identity file /home/whoami/.ssh/id_dsa type -1 debug1: identity file /home/whoami/.ssh/id_dsa-cert type -1 debug1: identity file /home/whoami/.ssh/id_ecdsa type -1 debug1: identity file /home/whoami/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/whoami/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/whoami/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/whoami/.ssh/id_ed25519 type -1 debug1: identity file /home/whoami/.ssh/id_ed25519-cert type -1 debug1: identity file /home/whoami/.ssh/id_ed25519_sk type -1 debug1: identity file /home/whoami/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/whoami/.ssh/id_xmss type -1 debug1: identity file /home/whoami/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.8 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u7 debug1: compat_banner: match: OpenSSH_7.4p1 Debian-10+deb9u7 pat OpenSSH_7.4* compat 0x04000006 debug1: Authenticating to example.com:22 as 'defaultjohn' debug1: load_hostkeys: fopen /home/whoami/.ssh/known_hosts2: No such file or directory debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: SSH2_MSG_KEX_ECDH_REPLY received debug1: Server host key: ssh-ed25519 SHA256:9C9XIDMWAW1kZf3tlWZgT+KoNkqOukd+XSNSc9M8GrY debug1: load_hostkeys: fopen /home/whoami/.ssh/known_hosts2: No such file or directory debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory debug1: Host 'example.com' is known and matches the ED25519 host key. debug1: Found key in /home/whoami/.ssh/known_hosts:4 debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey in after 134217728 blocks debug1: Will attempt key: /home/whoami/.ssh/id_rsa debug1: Will attempt key: /home/whoami/.ssh/id_dsa debug1: Will attempt key: /home/whoami/.ssh/id_ecdsa debug1: Will attempt key: /home/whoami/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/whoami/.ssh/id_ed25519 debug1: Will attempt key: /home/whoami/.ssh/id_ed25519_sk debug1: Will attempt key: /home/whoami/.ssh/id_xmss debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521> debug1: SSH2_MSG_SERVICE_ACCEPT received [email protected]'s password: debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Trying private key: /home/whoami/.ssh/id_rsa debug1: Trying private key: /home/whoami/.ssh/id_dsa debug1: Trying private key: /home/whoami/.ssh/id_ecdsa debug1: Trying private key: /home/whoami/.ssh/id_ecdsa_sk debug1: Trying private key: /home/whoami/.ssh/id_ed25519 debug1: Trying private key: /home/whoami/.ssh/id_ed25519_sk debug1: Trying private key: /home/whoami/.ssh/id_xmss debug1: Next authentication method: password [email protected]'s password: debug1: Authentications that can continue: publickey,password Permission denied, please try again.
See https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/ for the steps.
thanks jesse, as instructed, i have changed the ispconfig panel to debug mode. then, i ran the server script and i get the below output Code: root@server1:/usr/local/ispconfig/server/temp# /usr/local/ispconfig/server/server.sh 18.12.2021-11:43 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'. 18.12.2021-11:43 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock finished server.php. However, when i check for the lock file in the .../temp directory, there is no such file. what is going wrong.
You have to run server.sh when there are pending changes, eg. add a shell user to a website, then run it. You might try creating a new test website just for this.
hi, here is the result Code: 18.12.2021-18:08 - DEBUG - Calling function 'insert' from plugin 'shelluser_base_plugin' raised by event 'shell_user_insert'. 18.12.2021-18:08 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client0/web48' - return code: 0 18.12.2021-18:08 - DEBUG - safe_exec cmd: useradd -d '/var/www/clients/client0/web48/home/defaultc' -g 'client0' -o -s '/bin/bash' -u '5043' 'defaultc' - return code: 0 18.12.2021-18:08 - DEBUG - Executed command: useradd -d ? -g ? -o -s ? -u ? ? 18.12.2021-18:08 - DEBUG - Added shelluser: defaultc 18.12.2021-18:08 - DEBUG - ssh-rsa setup shelluser_base 18.12.2021-18:08 - DEBUG - ssh-rsa authorisation keyfile created in /var/www/clients/client0/web48/home/defaultc/.ssh/authorized_keys 18.12.2021-18:08 - DEBUG - ssh-rsa key updated in /var/www/clients/client0/web48/home/defaultc/.ssh/authorized_keys 18.12.2021-18:08 - DEBUG - safe_exec cmd: chown -R 'web48':'client0' '/var/www/clients/client0/web48/home/defaultc/.ssh' - return code: 0 18.12.2021-18:08 - DEBUG - safe_exec cmd: chmod 600 '/var/www/clients/client0/web48/home/defaultc/.ssh/authorized_keys' - return code: 0 18.12.2021-18:08 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client0/web48' - return code: 0 18.12.2021-18:08 - DEBUG - Calling function 'insert' from plugin 'shelluser_jailkit_plugin' raised by event 'shell_user_insert'. 18.12.2021-18:08 - DEBUG - Jailkit Plugin -> insert username:defaultcskipped, Jailkit not selected 18.12.2021-18:08 - DEBUG - Processed datalog_id 1198 18.12.2021-18:08 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock finished server.php.
You didn't select jailkit for that user, but it should still allow login and appears to have been created without error. If that account doesn't work, see what shows in log files when you try to login.
Hi Jesse, 1) How/Where to select Jailkit ? 2) Which log should i check server or client. Sorry for my dumb question.
sorry missed it before. thanks till. now selected it. tried to login with new user Code: $ grep 'sshd' /var/log/auth.log input_userauth_request: invalid user defaultc [preauth] Dec 18 22:29:12 server1 sshd[31326]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xx.xxxx.xx user=defaultc Dec 18 22:29:14 server1 sshd[31326]: Failed password for invalid user defaultc from xxx.xx.xxxx.xx port 59494 ssh2 Dec 18 22:29:21 server1 sshd[31326]: Connection closed by xxx.xx.xxxx.xx port 59494 [preauth] $ sudo journalctl -t sshd -b0 Code: Dec 18 22:29:08 server1 sshd[31326]: User defaultc not allowed because shell /usr/sbin/jk_chrootsh does not exist Dec 18 22:29:08 server1 sshd[31326]: input_userauth_request: invalid user defaultc [preauth] Dec 18 22:29:12 server1 sshd[31326]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=$ Dec 18 22:29:14 server1 sshd[31326]: Failed password for invalid user defaultc from xxx.xxx.xxx.xxx port 59494 ssh2 Dec 18 22:29:21 server1 sshd[31326]: Connection closed by xxx.xxx.xxx.xxx port 59494 [preauth]
Yes, you are right. May be it was not there in the old perfect server i was following. Jaikit is not installed Installed the latest `Jailkit` and followed your instructions. It is working (both with and without jailkit) Thanks a lote I want to know one last thing. If user is given shell access, they are able to traverse throughout all directories till `/root` If a user is granted access through `Jailkit`, they get only bash and no access the web directory associated to that site user. I would love to provide user with a Python access alongwith the Jail. Is there any document out there to achieve this. I got one, but it is too complicated for me. I may try to experiment with xonsh instead of bash but I dont know, how much `ISPConfig` will like it I have two doubts 1) How can user be jailed yet be able to access the web directory of the website. 2) How can user be jailed yet be able to run python script from within the jail
The web directory is inside the jail, so jailed users can access it. A jailed shell user can change to the web directory with: cd /web Applications that you want to use in the jail must be installed in that jail. See System > server config in ISPConfig for jailkit settings.
thanks @till. I see that Jailkit had loaded many commands in the bin directory. However, I cannot find any python binary in there. This is even after configuring Jailkit in the server settings. Can you please provide me with System->Server Configt->Jaikit tab settings required to make Python work in the jail.
I've never installed python in a jail myself, but you would need the binary (or possibly multiple?) as well as any paths for libraries and modules that it would need, and possibly config files. Probably just list the package contents from the OS's python package as a good starting point.
There are very few questions asked about Jailkit generally in this forum. Based on @till 's reply in the past, users are warned against setting their own Jailkit configuration and encouraged only to use the provisions provided in the control panel. That's why i am very skeptical. Ps: python being the most popular language currently and providing shell jail will be great addition to ISPConfig,
I would say jailed accounts are not meant for programmers. Jail is a restricted environment for untrusted users so they can not break things and to prevent access to system files.
I have a 1.compelling reason to ask Jailkit python. To be precise, I have few customers for whom i make custom python trading bots which they usually run from the desktop or from (amazon) windows cloud . I was wondering why i could not offer them python jails. I see ISPConfig Jailkit GUI options to run `/usr/bin/perl` and `/usr/bin/php`. so it is logical for someone to reason why not `/usr/bin/python`. 1. pythonanywhere is a leading provider of python shells. so if they were using chroot for their customers, then it should be possible technically for us. Note: i am not affiliated to pythonanywhere
I don't think it is not possible nor difficult based on google results with some results showing that it can be secured (old but seems useful), how to do it for python 3, etc but of course you should test implementing them in ISPConfig yourself since you are in need of it, not others.
