Homefolder permissions bug ISPConfig

ISPConfig Logo

Today I ran into a still open bug of ISPConfig (ISPConfig 3.1.3 under Debian Jessie).

The problem occurred, when I tried to clone a BitBucket repository with a non root SSH-user in his own website root (where permission rights generally should be no problem).
Hence I wanted to use key-based authentication for BitBucket, I generated a new key with ssh-keygen. Here I struggled the first time, because the key-gen command wanted to create the key in the Base Dir folder of the user and hadn’t the right permissions:

$> ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/clients/client2/web8/.ssh/id_rsa): /var/www/clients/client2/web8/.ssh/id_rsa_sheldon
Could not create directory '/var/www/clients/client2/web8/.ssh': Permission denied
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
key_save_private: No such file or directory
Saving the key failed: /var/www/clients/client2/web8/.ssh/id_rsa_sheldon.

I could work around this by adding the correct path to the users Home Dir:

$> ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/clients/client2/web8/.ssh/id_rsa): /var/www/clients/client2/web8/home/ssh_user_folder/.ssh/id_rsa_sheldon
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /var/www/clients/client2/web8/home/ssh_user_folder/.ssh/id_rsa_sheldon.
Your public key has been saved in /var/www/clients/client2/web8/home/ssh_user_folder/.ssh/id_rsa_sheldon.pub.

...

Afterwards I copied the public key to BitBucket. But when I tried to clone the repository, I still got an error:

web8@valhallaa:/var/www/clients/client2/web8/web$ git clone git@bitbucket.org:Sheldon/nicerepo.git
Cloning into 'nicerepo'...
Could not create directory '/var/www/clients/client2/web8/.ssh'.
The authenticity of host 'bitbucket.org (104.192.143.3)' can't be established.
RSA key fingerprint is 55:8c:1b:f5:6f:14:6b:5c:b3:ec:aa:64:46:74:8c:20.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/clients/client2/web8/.ssh/known_hosts).
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

With the help of google I found this still open bug report for ISPConfig.

What brought me the solution was:

  1. Add an entry to ~/.ssh/config ($> nano ~/.ssh/config )
    Host bitbucket.org
        HostName bitbucket.org
        User Sheldon
        PreferredAuthentications publickey
        IdentityFile ~/.ssh/id_rsa_sheldon
    

    But that didn’t solve the problem at all. Additionally I had to …

  2. Symlink the ssh folder in the Base Dir of the site to the ssh folder in the Home Dir of the user with the help of a root account:
    $> su root
    ...
    $> chattr -i . # remove the immutable flag so ssh user can create symlink in Base Dir
    $> exit
    ...
    $> ln -fs ~/.ssh .ssh
    $> su root
    ...
    $> chattr +i . # set the immutable flag again (write protected Base Dir)
    $> exit 
    ...
    $> ls -al
    ...
    lrwxrwxrwx  1 web8 client2   59 Jun 12 12:12 .ssh -> /var/www/clients/client2/web8/home/ssh_user_folder/.ssh
    ...
    

    All these commands where executed from within /var/www/clients/client2/web8 which ist the Base Dir of the website.

That finally solved my problem and I was able to clone my repo.

Disadvantage of ISPConfig hack

The disadvantage of that workaround is, that ¬†only the respective ssh user is able to use this .ssh folder. So other users created via ISPConfig won’t be able to connect to other services via SSH. I hope there will be a better solution very soon! fingerscrossed

 

Leave a Reply

Your email address will not be published. Required fields are marked *

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.