Homefolder permissions bug ISPConfig

ISPConfig Logo

Today I ran into a still open bug of ISPConfig (ISPConfig 3.1.3 under Debian Jessie).

The problem occurred, when I tried to clone a BitBucket repository with a non root SSH-user in his own website root (where permission rights generally should be no problem).
Hence I wanted to use key-based authentication for BitBucket, I generated a new key with ssh-keygen. Here I struggled the first time, because the key-gen command wanted to create the key in the Base Dir folder of the user and hadn’t the right permissions:

$> ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/clients/client2/web8/.ssh/id_rsa): /var/www/clients/client2/web8/.ssh/id_rsa_sheldon
Could not create directory '/var/www/clients/client2/web8/.ssh': Permission denied
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
key_save_private: No such file or directory
Saving the key failed: /var/www/clients/client2/web8/.ssh/id_rsa_sheldon.

I could work around this by adding the correct path to the users Home Dir:

$> ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/clients/client2/web8/.ssh/id_rsa): /var/www/clients/client2/web8/home/ssh_user_folder/.ssh/id_rsa_sheldon
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /var/www/clients/client2/web8/home/ssh_user_folder/.ssh/id_rsa_sheldon.
Your public key has been saved in /var/www/clients/client2/web8/home/ssh_user_folder/.ssh/id_rsa_sheldon.pub.

...

Afterwards I copied the public key to BitBucket. But when I tried to clone the repository, I still got an error:

web8@valhallaa:/var/www/clients/client2/web8/web$ git clone git@bitbucket.org:Sheldon/nicerepo.git
Cloning into 'nicerepo'...
Could not create directory '/var/www/clients/client2/web8/.ssh'.
The authenticity of host 'bitbucket.org (104.192.143.3)' can't be established.
RSA key fingerprint is 55:8c:1b:f5:6f:14:6b:5c:b3:ec:aa:64:46:74:8c:20.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/clients/client2/web8/.ssh/known_hosts).
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

With the help of google I found this still open bug report for ISPConfig.

What brought me the solution was:

  1. Add an entry to ~/.ssh/config ($> nano ~/.ssh/config )
    Host bitbucket.org
        HostName bitbucket.org
        User Sheldon
        PreferredAuthentications publickey
        IdentityFile ~/.ssh/id_rsa_sheldon
    

    But that didn’t solve the problem at all. Additionally I had to …

  2. Symlink the ssh folder in the Base Dir of the site to the ssh folder in the Home Dir of the user with the help of a root account:
    $> su root
    ...
    $> chattr -i . # remove the immutable flag so ssh user can create symlink in Base Dir
    $> exit
    ...
    $> ln -fs ~/.ssh .ssh
    $> su root
    ...
    $> chattr +i . # set the immutable flag again (write protected Base Dir)
    $> exit 
    ...
    $> ls -al
    ...
    lrwxrwxrwx  1 web8 client2   59 Jun 12 12:12 .ssh -> /var/www/clients/client2/web8/home/ssh_user_folder/.ssh
    ...
    

    All these commands where executed from within /var/www/clients/client2/web8 which ist the Base Dir of the website.

That finally solved my problem and I was able to clone my repo.

Disadvantage of ISPConfig hack

The disadvantage of that workaround is, that  only the respective ssh user is able to use this .ssh folder. So other users created via ISPConfig won’t be able to connect to other services via SSH. I hope there will be a better solution very soon! fingerscrossed

 

Leave a Reply

Your email address will not be published.

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.