Server is Ubuntu v20. ISPConfig is v3.2.2, soon 3.2.8. I created a Shell-User via ISPConfig. I added my SSH-RSA Public Key (for key-based logins). My private key is used for SSH to user ubuntu. It always works. I tried to SSH/SFTP with Filezilla and it reports the dreaded "Server refused our key". The debug trace in Filezilla shows a good connection, it found my .ppk and successfully loaded a key pair. It then offers the public key which is refused. I set sshd for DEBUG3 logging. It can't access site00/subdomain/home/user/.ssh/authorized_keys. As configured in the Options tab, the log shows the SSHD is temporarily using the web00 user to access the file and is getting a basic "permission denied". It turns out the "home" folder there is created with ownership root:root. When changed to web00:client00, and the tree is given owner read access, then the connection is successful. Bug or feature? Thanks!
that's an odd path, did you set a custom path/location for your web files? i would expect the path to be /var/www/<domainname>/home/<username>/.ssh/authorized_keys, there would also be a /var/www/<domainname>/home/web## folder, although this one doesn't contain a .ssh folder. (or replace <domainname> with <clients/client##/web##> how long did you wait for the new ssh account to be created before logging in? it's possible you just tried to connect too quickly. i've found it can take several minutes (or even longer, depending on how much you have in the jailkit) copying/creating the chroot file structure in the website area. it may still be copying files to /bin or /etc, as far as i can remember, the users home folder is created early, owned by root:root, and this ownership only gets changed to web##:client## once the entire jailkit file system has been created.
It's simply clouds/cloud00/site00 rather than clients/client##/web##. It's configured in ISPConfig as such and has not been an issue. Yes, ISPconfig creates /var/www/domain links to those paths as well. That doesn't seem to be an issue. That IS the correct path. I had changed my base dir to a subdomain which was not procedurally correct. I just did another test and need to re-explain this... The default base_dir for a SSH user in a default ISPConfig installation is client##/web##. Create a shell user and we get client##/web##/home/username = base_dir/home/username. Set a RSA key and the user can login without an issue. Change the base_dir. Use client##/web##/shell. As expected the user gets created under client##/web##/shell/home/username. Both .shell and .shell/home get created as root:root. But to accesss the authorized_keys, .shell permissions must be web##:client##. That is: root:root web## root:root web##/shell << Needs to be web##:client## root:root web##/shell/home web##:client## /shell/home/username/.ssh/authorized_keys I don't know if this is a bug but it's certainly something that an admin would need to know.
Similarly, switch a user to JailKit with the base folder: client##/web##/jailroot. With the default prefix, the user folders become: client##/web##/jailroot/home/username... That jailroot folder is created as root:root, but web##:client## is required for login to access down to the authorized_keys. (EDIT) OR: permissions 755, which I don't think is safe. I tried 754 and it didn't permit access. I've read that there must be a higher level root-owned folder for JailKit. I have not created a safe Jail and need to learn how to do this properly. I'm stuck on the paradox that this specific root folder needs to be accessible by the username to login. I'm doing more research on this but I'm hoping to get info here on how this is expected to work here. Thanks! Related doc update by @Jesse Norell https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2824
i've never changed the basedir, or created a specific folder for the jailkit chroot. it's always just been /var/www/clients/client##/web## it'll create the folder home, owned by root:root, permissions 755. and in home, it'll create a folder web## and <username> both of these will, by the end of jailkit creation, be owned by web##:client## with permissions 750, the username folder will contain a .ssh folder, owner web##:client## permissions 700, same ownership for the authorized_keys file, permissions 600.
