Today I ran into a still-open bug in ISPConfig (ISPConfig 3.1.3 under Debian Jessie).
The problem occurred when I tried to clone a Bitbucket repository with a non-root SSH user inside its own website root (where permissions generally should be no problem).
Since I wanted to use key-based authentication for Bitbucket, I generated a new key with ssh-keygen. Here I struggled the first time, because ssh-keygen wanted to create the key in the user's Base Dir, where it did not have write permission. (ssh and ssh-keygen take the home directory from the passwd entry, not from $HOME, so their ~ is the Base Dir here while the shell's ~ is the user's Home Dir.)
```text
$> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/clients/client2/web8/.ssh/id_rsa): /var/www/clients/client2/web8/.ssh/id_rsa_sheldon
Could not create directory '/var/www/clients/client2/web8/.ssh': Permission denied
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
key_save_private: No such file or directory
Saving the key failed: /var/www/clients/client2/web8/.ssh/id_rsa_sheldon.
```
I could work around this by giving the full path inside the user's Home Dir:
```text
$> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/clients/client2/web8/.ssh/id_rsa): /var/www/clients/client2/web8/home/ssh_user_folder/.ssh/id_rsa_sheldon
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/www/clients/client2/web8/home/ssh_user_folder/.ssh/id_rsa_sheldon.
Your public key has been saved in /var/www/clients/client2/web8/home/ssh_user_folder/.ssh/id_rsa_sheldon.pub.
...
```
Afterwards I copied the public key to Bitbucket. But when I tried to clone the repository, I still got an error:
```text
web8@valhallaa:/var/www/clients/client2/web8/web$ git clone firstname.lastname@example.org:Sheldon/nicerepo.git
Cloning into 'nicerepo'...
Could not create directory '/var/www/clients/client2/web8/.ssh'.
The authenticity of host 'bitbucket.org (220.127.116.11)' can't be established.
RSA key fingerprint is 55:8c:1b:f5:6f:14:6b:5c:b3:ec:aa:64:46:74:8c:20.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/clients/client2/web8/.ssh/known_hosts).
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```
With the help of Google I found this still-open bug report for ISPConfig.
What brought me the solution was:
- Add an entry to ~/.ssh/config ($> nano ~/.ssh/config):
```text
Host bitbucket.org
    HostName bitbucket.org
    User Sheldon
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/id_rsa_sheldon
```
But that alone didn't solve the problem: ssh reads its config from the .ssh directory below the passwd home, i.e. the Base Dir, so the file in the Home Dir was never consulted. Additionally I had to …
- Symlink the .ssh folder in the Base Dir of the site to the .ssh folder in the user's Home Dir, with the help of a root account:
```text
$> su root
...
$> chattr -i .   # remove the immutable flag so the ssh user can create a symlink in the Base Dir
$> exit
...
$> ln -fs ~/.ssh .ssh
$> su root
...
$> chattr +i .   # set the immutable flag again (write-protected Base Dir)
$> exit
...
$> ls -al
...
lrwxrwxrwx 1 web8 client2 59 Jun 12 12:12 .ssh -> /var/www/clients/client2/web8/home/ssh_user_folder/.ssh
...
```
All these commands were executed from within /var/www/clients/client2/web8, which is the Base Dir of the website.
That finally solved my problem and I was able to clone my repo.
Disadvantage of the ISPConfig hack
The disadvantage of that workaround is that only the respective SSH user is able to use this .ssh folder (the Base Dir can hold only one .ssh symlink). So other users created via ISPConfig won't be able to connect to other services via SSH. I hope there will be a better solution very soon! Fingers crossed.
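A per-user alternative that avoids the symlink and the root step, as an added example that is not part of the original post: point git at an ssh_config of your own with ssh -F, so that ssh never needs the .ssh directory below the passwd home and every SSH user of the site can keep their own config and key. It assumes a directory the user can write (here the Home Dir's .ssh), that the key was generated there with ssh-keygen -f, and that the remote is Bitbucket, whose SSH user is git (the user part of a clone URL takes precedence over a User line in the config, so the User Sheldon line above was harmless). GIT_SSH_COMMAND needs git 2.3 or newer; for older git such as the 2.1 that Jessie ships, the GIT_SSH wrapper script written by the last function does the same job.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Point git at a private ssh_config so ssh never needs <passwd home>/.ssh.
# Assumptions: the directory given to write_ssh_config is writable by the SSH
# user, the key was created with: ssh-keygen -t ed25519 -f "$dir/id_ed25519_bitbucket"
# and the remote is Bitbucket, whose SSH user is "git".
set -eu

# Write an ssh_config for bitbucket.org into "$dir/config". Key, config and
# known_hosts all live in $dir, so nothing below the unwritable Base Dir is touched.
write_ssh_config() {
    dir=$1
    key=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    cat > "$dir/config" <<EOF
Host bitbucket.org
    HostName bitbucket.org
    User git
    PreferredAuthentications publickey
    IdentitiesOnly yes
    IdentityFile $key
    UserKnownHostsFile $dir/known_hosts
EOF
    chmod 600 "$dir/config"
}

# Return 0 if the private key is readable only by its owner, else 1.
# ssh refuses a key that is group- or world-readable, and a key kept under a
# shared web root is exactly where that mistake happens.
check_key_perms() {
    key=$1
    [ -f "$key" ] || return 1
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case $mode in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Value for GIT_SSH_COMMAND (git >= 2.3): ssh with our config file.
git_ssh_command() {
    printf 'ssh -F %s\n' "$1/config"
}

# For older git, GIT_SSH must name an executable: write a one-line wrapper
# around "ssh -F" and return its path.
write_git_ssh_wrapper() {
    dir=$1
    printf '#!/bin/sh\nexec ssh -F "%s/config" "$@"\n' "$dir" > "$dir/git-ssh"
    chmod 700 "$dir/git-ssh"
    printf '%s\n' "$dir/git-ssh"
}

# Demo on a constructed throw-away directory (no network, empty placeholder key):
demo_dir=$(mktemp -d)
write_ssh_config "$demo_dir/.ssh" "$demo_dir/.ssh/id_ed25519_bitbucket"
touch "$demo_dir/.ssh/id_ed25519_bitbucket"
chmod 600 "$demo_dir/.ssh/id_ed25519_bitbucket"
check_key_perms "$demo_dir/.ssh/id_ed25519_bitbucket" && echo "key permissions ok"
echo "GIT_SSH_COMMAND=$(git_ssh_command "$demo_dir/.ssh")"
echo "GIT_SSH=$(write_git_ssh_wrapper "$demo_dir/.ssh")"
rm -rf "$demo_dir"

# Real use (not run here), with the key generated first:
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_bitbucket
#   write_ssh_config ~/.ssh ~/.ssh/id_ed25519_bitbucket
#   GIT_SSH_COMMAND="$(git_ssh_command ~/.ssh)" git clone git@bitbucket.org:Sheldon/nicerepo.git
```

Keep the key outside the document root (web/) so the web server can never serve it, and run check_key_perms after copying a key in, since a group-readable key is silently ignored by ssh and shows up only as "Permission denied (publickey)". Because the config names its own UserKnownHostsFile, the "Failed to add the host to the list of known hosts" error from the clone attempt above disappears as well.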