SSH Support
sseitz Offline
Junior Member

Posts: 17
Joined: Mar 2009
Reputation: 0
Post: #1
SSH Support
Hi there!

I've written a small howto http://www.isp-control.net/documentation...ssh_chroot to enable ssh support based on the ispcp.ftp_users mysql table.

I'd like to suggest an enhancement of the ispcp daemon scripts: add a chroot() environment at the main domain's home directory (e.g. user vu2002 /var/www/virtual/example.org).

This chroot environment could stay persistent regardless of whether ftp users exist or are added. It would enable ssh access for ftp users with access to the main domain without any further action.
ftp users in alias domains placed in subfolders would be unable to ssh. Though, a chroot() environment below the main domain's DOCUMENT_ROOT would be less than ideal anyway.
(This post was last modified: 09-23-2009 11:44 PM by sseitz.)
09-23-2009 11:44 PM
kilburn Offline
Development Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #2
RE: SSH Support
Really interesting idea. The problems you raise may be solved by using the "admins" (panel users) table instead of "ftp_users" ;)

Despite that, patching SSH is (IMHO) a no-go for our project. We don't have the manpower to support such a strong commitment. Anyways:
Quote: It's not possible to change the ownership and umask because we do need access for www-data.
From what I understand in the code, the required things are:
1. The homedir and all its parent directories must be owned by root.
2. The homedir and all its parent directories must not be writable by group nor everyone.

So I would try assigning the following permissions:
Code:
/var/www/virtual   root:root   rwx rx rx
/var/www/virtual/domain.tld    vuXXXX:root rwx rx rx

Obviously, individual files inside "domain.tld" should then be protected carefully. That is, never allow reading by anyone, so choose:
Code:
vuXXXX:vuXXXX for user and/or php only files.
vuXXXX:www-data for the "htdocs" folder.
root:vuXXXX for user-readable but non-writable files (like the "backups" folder)

Tell us how it goes if you try it please! Thx!
(This post was last modified: 09-24-2009 01:05 AM by kilburn.)
09-24-2009 01:05 AM
sseitz Offline
Junior Member

Posts: 17
Joined: Mar 2009
Reputation: 0
Post: #3
RE: SSH Support
Thanks for your response!

Quote: The problems you raise may be solved by using the "admins" (panel users) table instead of "ftp_users"

Well, it was obvious to utilize ftp_users ;) This way a customer might be able to add ssh users without handing out his panel login. I also find it reasonable to have the same login for ftp and ssh. Both of these protocols are commonly used for work on the very same content, often by people not really involved in administrative tasks. I expect this to be closer to customer needs.
Indeed, technically the admins table would be better, as these accounts are definitely unique. Also, no "special" treatment for users with different directories would be necessary. Anyway, it would be pretty complex to get uid, gid, shell and homedir data without adding additional information to the tables.
Generally, I think it's not really a problem if you distinguish between ftp_users at the customer's root directory and ftp_users in subfolders. Having a chroot environment only available at the root directory includes an ugly solution just out of the box: users in subfolders might try to log in, but ssh would never be able to spawn a shell.
More sophisticated would be adding a where clause to the /etc/pam.d/sshd mysql parameters to check against ispcp.domains and/or ispcp.ftp_groups. That way authentication could be limited to ftp_users at the root directory. I'm currently behind this.

Quote: From what I understand in the code, the required things are:
1. The homedir and all its parent directories must be owned by root.
2. The homedir and all its parent directories must not be writable by group nor everyone.

Yes. That is exactly what is coded into OpenSSH. From OpenSSH's point of view, the "homedir" can be seen as "/home/", not "/home/user/". For the ancient OpenSSH 1.3 there was a chroot patch available which separated by a path directive (e.g. /home/./user/); SSH.com also uses this directive, but I assume a chroot into /var/www/virtual/ with domain.tld owned by the user is out of the question. This would add more abstraction layers without adding real security.
I've tried your suggested directory permissions, but sshd complains that /var/www/virtual/domain.tld must be owned by root, as expected.
I've found a working set:

Code:
/var/www/virtual                   root:root      rwx rx rx
/var/www/virtual/domain.tld        root:vuXXXX    rwx rx rx

That way a user is no longer able to change anything at the root level. I don't know if this is a feature or a bug ;) This behaviour is also known from swsoft's panels.
Anyway, leaving all permissions inside /var/www/virtual/domain.tld untouched, I was able to log in via FTP and via SSH; static html and dynamic php content is also delivered as expected.
Free for discussion. I'd also prefer to get rid of a patched ssh daemon. We should find some greater audience, as I'd prefer to see ssh support included in ispCP's mainline (this is an offer, not a claim).
(This post was last modified: 09-24-2009 08:37 AM by sseitz.)
09-24-2009 08:16 AM
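The two rules kilburn quoted from the OpenSSH code (every directory from the chroot up to "/" owned by root, none writable by group or other) and the working ownership set found above are easy to get wrong on a live host, so here is a small checker that verifies them before a user is pointed at the path. It is an added example, not code from this thread or from ispCP. It assumes GNU `stat` (the `-c '%n %u %a'` format) and that directory names contain no spaces; the record-based checker can also be fed constructed lines, which is how the sample at the bottom exercises it offline.

```sh
#!/bin/sh
# Added example, not from the thread or from ispCP: check a ChrootDirectory
# path against the two sshd rules quoted in the posts above.
# Record format on stdin: "<path> <uid> <octal-mode>", exactly what GNU
# `stat -c '%n %u %a'` prints; paths with spaces are not supported.

# Read one record per directory, print one line per violation and
# return 1 if any violation was found, 0 if the whole chain is clean.
check_chroot_records() {
    rc=0
    while read -r path uid mode; do
        [ -n "$path" ] || continue
        perm=${mode#"${mode%???}"}    # last three octal digits: u g o
        grp=${perm%?}; grp=${grp#?}   # group digit
        oth=${perm#??}                # other digit
        # Rule 1: owned by root (uid 0), whatever the group is.
        if [ "$uid" != "0" ]; then
            echo "$path: not owned by root (uid $uid)"
            rc=1
        fi
        # Rule 2: no write bit for group or other.
        # An octal digit with the write bit set is 2, 3, 6 or 7.
        case "$grp$oth" in
            *[2367]*)
                echo "$path: writable by group or other (mode $mode)"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Collect records from the chroot directory up to "/" and run the check.
# Returns 2 if a directory in the chain cannot be stat'ed.
check_chroot_path() {
    dir=$1
    records=""
    while :; do
        rec=$(stat -c '%n %u %a' "$dir") || return 2
        records="$records$rec
"
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    printf '%s' "$records" | check_chroot_records
}

# Usage on a real host:  sh check_chroot.sh /var/www/virtual/domain.tld
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
    exit $?
fi

# Constructed sample records (not from a real system): the working set
# from the post above passes, the original vuXXXX:www-data 0770 layout
# fails on both rules for the domain directory.
printf '%s\n' \
    '/var/www/virtual 0 755' \
    '/var/www/virtual/domain.tld 0 755' \
    '/ 0 755' | check_chroot_records && echo "working set: OK"
printf '%s\n' \
    '/var/www/virtual 1000 755' \
    '/var/www/virtual/domain.tld 1002 770' \
    '/ 0 755' | check_chroot_records || echo "original set: rejected"
```

The checker deliberately looks only at the owner and the two write bits, which is all the quoted requirement covers; whether www-data can still traverse the path (the "x" bit for other, or group membership) is a separate question that the permission tables in this thread answer.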
sseitz Offline
Junior Member

Posts: 17
Joined: Mar 2009
Reputation: 0
Post: #4
RE: SSH Support
As described in the former post, the following access rights are sufficient:

Code:
/var/www/virtual                   root:root      rwx rx rx
/var/www/virtual/domain.tld        root:vuXXXX    rwx rx rx

The former, original access rights are:

Code:
/var/www/virtual                   vu2000:www-data      rwx rx rx
/var/www/virtual/domain.tld        vuXXXX:www-data    rwx rxw ---


To change ownership and access bits to the new, SSH-working ones I made two small patches:

Code:
--- /var/www/ispcp/engine/setup/ispcp-setup.orig        2009-09-24 13:25:56.000000000 +0200
+++ /var/www/ispcp/engine/setup/ispcp-setup     2009-09-24 13:26:43.000000000 +0200
@@ -521,7 +521,7 @@

        push_el(\@main::el, 'setup_system_dirs()', 'Starting...');

-       $rs = make_dir($main::cfg{'APACHE_WWW_DIR'}, $main::cfg{'APACHE_USER'}, $main::cfg{'APACHE_GROUP'}, 0755);
+       $rs = make_dir($main::cfg{'APACHE_WWW_DIR'}, $main::cfg{'ROOT_USER'}, $main::cfg{'ROOT_GROUP'}, 0755);
        return $rs if ($rs != 0);

        $rs = make_dir($main::cfg{'APACHE_USERS_LOG_DIR'}, $main::cfg{'APACHE_USER'}, $main::cfg{'APACHE_GROUP'}, 0755);
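Review bot: the owner swap to ROOT_USER:ROOT_GROUP is the only change sshd needs here, since the 0755 mode already satisfies the no-group/world-write rule, but the upgrade case is not covered: if make_dir() only creates a missing directory and does not re-chown an existing APACHE_WWW_DIR, installs that already have it as APACHE_USER:APACHE_GROUP must be chowned by hand, and that should be stated next to the patch.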

Code:
--- /var/www/ispcp/engine/ispcp-dmn-mngr.orig   2009-09-24 13:04:36.000000000 +0200
+++ /var/www/ispcp/engine/ispcp-dmn-mngr        2009-09-24 13:32:44.000000000 +0200
@@ -1351,6 +1351,7 @@
        my $dmn_id              = @$dmn_data[0];
        my $dmn_name            = @$dmn_data[1];
        my $root_dir            = $main::cfg{'ROOT_DIR'};
+       my $root_user           = $main::cfg{'ROOT_USER'};
        my $www_dir             = $main::cfg{'APACHE_WWW_DIR'};
        my $pear_dir            = $main::cfg{'PEAR_DIR'};
        my $starter_dir         = $main::cfg{'PHP_STARTER_DIR'};
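Review bot: $root_user is declared here in the same style as the neighbouring assignments, which is fine, but the make_dir() hunk that consumes it also switches the group from $httpd_gid to $sys_group, and $sys_group is not declared in this block the way $root_user is; confirm it is in scope at that point or declare it alongside $root_user.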
@@ -1419,9 +1420,9 @@
        #
        $rs = make_dir(
                "$www_dir/$dmn_name",
-               $sys_user,
-               $httpd_gid,
-               0770
+               $root_user,
+               $sys_group,
+               0755
        );
        return $rs if ($rs != 0);
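Review bot: the mode change widens access as a side effect: the domain directory goes from vuXXXX:www-data 0770 to root:vuXXXX 0755, so every local account can now read and list the domain root, and www-data keeps traversal only through the "other" bits. If listing by unrelated users is not wanted, 0751 (root rwx, group rx, other x) still meets the sshd rule (no group or world write) and still lets Apache traverse into the subdirectories. The comment above the call should also say that root ownership is deliberate for sshd's ChrootDirectory check, because the user can no longer create entries at this level.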


Could some developer sign-off these patches?
09-24-2009 09:43 PM
a.dangel Offline


Posts: 1
Joined: Jan 2011
Reputation: 0
Post: #5
RE: SSH Support
Hi there,

The files changed in version 1.0.7 omega (maybe in earlier versions too).

So here are new patches for version 1.0.7.


Code:
--- /var/www/ispcp/engine/setup/ispcp-setup.orig        2011-01-27 16:32:19.000000000 +0100
+++ /var/www/ispcp/engine/setup/ispcp-setup     2011-01-27 16:32:31.000000000 +0100
@@ -306,7 +306,7 @@
        push_el(\@main::el, 'setup_system_dirs()', 'Starting...');

        for (
-               [$main::cfg{'APACHE_WWW_DIR'}, $main::cfg{'APACHE_USER'},$main::cfg{'APACHE_GROUP'}],
+               [$main::cfg{'APACHE_WWW_DIR'}, $main::cfg{'ROOT_USER'},$main::cfg{'ROOT_GROUP'}],
                [$main::cfg{'APACHE_USERS_LOG_DIR'}, $main::cfg{'APACHE_USER'},$main::cfg{'APACHE_GROUP'}],
                [$main::cfg{'APACHE_BACKUP_LOG_DIR'}, $main::cfg{'ROOT_USER'},$main::cfg{'ROOT_GROUP'}],
                [$main::cfg{'MTA_VIRTUAL_CONF_DIR'}, $main::cfg{'ROOT_USER'},$main::cfg{'ROOT_GROUP'}],
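Review bot: ROOT_USER/ROOT_GROUP is the same pair already used two entries below for APACHE_BACKUP_LOG_DIR, so the config keys are known to exist in this version; what the one-line edit still leaves open is existing installs, where APACHE_WWW_DIR was created as APACHE_USER:APACHE_GROUP and setup must chown it, or sshd will keep rejecting the ChrootDirectory path. A note on that belongs with the patch.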

Code:
--- /var/www/ispcp/engine/ispcp-dmn-mngr.orig   2011-01-27 16:33:37.000000000 +0100
+++ /var/www/ispcp/engine/ispcp-dmn-mngr        2011-01-27 16:44:05.000000000 +0100
@@ -1551,6 +1551,7 @@
        my $dmn_id = @$dmn_data[0];
        my $dmn_name = @$dmn_data[1];
        my $root_dir = $main::cfg{'ROOT_DIR'};
+       my $root_user = $main::cfg{'ROOT_USER'};
        my $www_dir = $main::cfg{'APACHE_WWW_DIR'};
        my $pear_dir = $main::cfg{'PEAR_DIR'};
        my $starter_dir = $main::cfg{'PHP_STARTER_DIR'};
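Review bot: the declaration follows the surrounding style, nothing to change there; the only check is that no other code in this function still assumes the domain directory is owned by $sys_user, since the make_dir() call below stops creating it that way.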
@@ -1592,7 +1593,7 @@

        # Domain WWW directories

-       $rs = make_dir("$www_dir/$dmn_name", $sys_user, $httpd_gid, 0770);
+       $rs = make_dir("$www_dir/$dmn_name", $root_user, $sys_group, 0755);
        return $rs if ($rs != 0);

        $rs = make_dir("$www_dir/$dmn_name/cgi-bin", $sys_user, $sys_group, 0755);
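Review bot: the unchanged line right after the edit still creates cgi-bin as $sys_user:$sys_group inside a parent that is now root-owned 0755; that only works because the engine runs as root, so a comment should state that the parent is intentionally root-owned for sshd's ChrootDirectory check and that the user cannot create entries at this level. The 0770 to 0755 change also makes the domain root listable by everyone rather than only by the www-data group; 0751 would satisfy the same sshd rule without that.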

It would be really nice to get a statement on sseitz's question from one of the developers.

Quote: Could some developer sign-off these patches?

kind regards
Alex
01-28-2011 02:24 AM
anarking Offline
Junior Member

Posts: 29
Joined: Nov 2009
Reputation: 0
Post: #6
RE: SSH Support
This would be an impressive addition if folks had the time :)
07-13-2011 02:00 AM
RatS Offline
Project Leader

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #7
RE: SSH Support
Is the given solution already working? What else needs to be done? Could someone improve it by making it configurable on user level?
07-14-2011 06:20 AM
mike548141 Offline
Junior Member

Posts: 49
Joined: Nov 2009
Reputation: 0
Post: #8
RE: SSH Support
(07-14-2011 06:20 AM) RatS Wrote: Is the given solution already working? What else needs to be done? Could someone improve it by making it configurable on user level?

Hi, I was wondering if anyone got this functional?
I'm another one that would love to see SSH access brought into the panel so users could SSH to the host and use FTP via SSH.

I'm no great developer but I'm happy to help with this in any way I can (documentation, scripting, making cups of coffee etc.).

Cheers,

MC
03-09-2012 09:57 PM