Add new user does not offer option for SSH -- unable to force SFTP for new users

This is either a bug in Virtualmin or some peculiar configuration issue with CentOS 6.2. In any event, on any virtual server, I am unable to create a user who has

Email, FTP, and SSH

only

Email and FTP

And to spice things up: when I added the user to the server and set the directory for him to "automatic"

VirtualMin moved the entire content of public_html folder into

/home/devdomain/homes/newuser/[all public_html content here! Yikes, site off line!]

VirtualMin in effect did this (my guess)

mkdir /home/devdomain/homes/newuser
mv /home/devdomain/public_html/* home/devdomain/homes/newuser/*
rm public_html

wow!

I suddenly got calls from my team: "our staging server/site just disappeared!" hehe.. fortunately it is a staging/dev server and I retraced all my actions. History in root showed no mv or rm activity, so I looked into /devdomain/, found the content, moved it back out and renamed "newuser" to "public_html", and the site was up again, whew! Virtualmin New Unix User playing tricks on us.

So, there is some serious bug there..

And back to the main point: there is no option to grant a "new user" any FTP-over-SSH privileges. It matters not whether I choose "FTP user" (link toward the right) or "New Unix User" (link toward the left in the GUI).

Please see this thread on the forums where someone in Vancouver was trying to help me:

http://www.virtualmin.com/node/24954

Screen shots attached...

Status: 
Active

Comments

Can you also post a screenshot of your System Customization -> Custom Shells screen? That screen affects what you see in the screenshots you posted.

Here you go... What does "Mailbox" column indicate in Custom shells, does this refer to some kind of user?

Any updates since I posted the custom Shells Screen shot?

For enabling SFTP on VSFTP:

There are settings on the miscellaneous settings page to enable SSL. You first need to create the certificate or, if you already have a signed cert, provide the path to it. After SSL is enabled you need to force data and logins to be secure.

This is in my vsftpd.conf file:

ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem

Okay, I think I see the issue. And if this doesn't help, I'll get Jamie to help us out :-)

In the custom shells screen, next to the /bin/sh option labeled "Email, FTP, and SSH", check the box named "Mailbox". That should offer non-admin users the option to do SSH, in addition to Email and FTP.

Well that worked. But FYI: you do need to uncheck the first two lines dev/null and bin/false, because VirtualMin will not allow two options to have Mailbox checked.

Now, I want to pursue this just a bit further. I was able to set up a user for the domain who can SFTP in ... but I wanted to jail him into the public_html folder. I tried to uncheck the Main Website Directory option and entered in:

Web sub-directory public_html

But Virtualmin will not accept this option; it replies:

"Failed to save mailbox : Home directory must be an existing directory for website FTP users"

For these users who we want to allow onto the staging server to tweak CSS and help with html design, I really don't want them looking "up" further, as there are sensitive data in the /cgi-bin and /etc directories. ACL lists and other such things for admin eyes only.

I really would rather not have anyone see anything outside of public_html for the domain.

Can we do that? If so how? I see the other option there: /usr/bin/scponly which is checked, and possibly gives us more options? I tried also entering /home/domain/public_html for the Web sub-directory and Virtual Min told me that the user directory is relative to the domain root or something and cannot begin with a slash...

There unfortunately isn't a simple way to jail SSH/SCP/SFTP users.

While it's possible -- it's not simple, and Virtualmin doesn't provide a way to set it up.

There are some details about restricting directories here in the security docs:

http://www.virtualmin.com/documentation/security/faq

Two other things you may want to look into are the scponlyc shell, and lshell.

You would need to set them up manually, as they aren't directly supported by Virtualmin.

For scponlyc, you can run "man scponlyc" to get documentation on it.

Alternatively, the shell named "lshell" can also set up restricted access, and information on it is here:

http://lshell.ghantoos.org/

Note though that as the security docs above describe, jailing a user for a specific service, such as FTP or SSH, doesn't actually prevent the users from accessing files they have rights to see (such as uploading a PHP-based file manager).

Well it's not so much the service that we want to restrict but to allow only read and write on a single public_html folder for a single domain.

i.e. restrict access to /home/someDomain/public_html

Looking at the man page for scponly on our server, it describes the feature we want: "chroot: scponly can chroot to the user's home directory (or any other directory the user has permission for) disallowing access to the rest of the file system."

but there are no details on how to do it.

More research.....
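The caveat in the support reply above is the part worth checking before spending time on scponlyc or lshell: a chroot only limits what the SFTP session itself can see, while anything the user can already read through another path (a PHP file manager uploaded into public_html, for instance) stays readable. The control that actually protects the /cgi-bin and /etc directories is the file permissions on them. The script below is an added example, not code from this thread or from Virtualmin: it lists files under a domain home that are world-readable and sit outside public_html, and can strip the "other" bits from them. The sample tree it builds is constructed for the demo; the domain paths are placeholders.

```shell
#!/bin/sh
# Find (and optionally fix) world-readable files outside a domain's
# public_html. Added example, not from the thread; paths are placeholders.
set -u

# List regular files under $home, skipping the document root subtree,
# whose "other" read bit is set (-perm -004 is POSIX find syntax).
audit_world_readable_outside_docroot() {
    home="$1"; docroot="${2:-$home/public_html}"
    find "$home" -path "$docroot" -prune -o -type f -perm -004 -print
}

# Number of such files, as a plain integer.
count_exposed() {
    audit_world_readable_outside_docroot "$1" "${2:-$1/public_html}" | wc -l | tr -d ' '
}

# Mitigation: remove other-read/write/execute from those files so that a
# different local account (or a web-served script) can no longer open them.
strip_world_read_outside_docroot() {
    home="$1"; docroot="${2:-$home/public_html}"
    find "$home" -path "$docroot" -prune -o -type f -perm -004 -exec chmod o-rwx {} +
}

# Constructed sample layout mirroring the thread: public content plus an
# ACL file and a CGI script outside public_html, one of them world-readable.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/public_html" "$root/cgi-bin" "$root/etc"
    printf '<html>hello</html>\n' > "$root/public_html/index.html"
    printf 'constructed secret\n' > "$root/etc/acl.conf"
    printf '#!/bin/sh\necho admin\n' > "$root/cgi-bin/admin.cgi"
    chmod 644 "$root/public_html/index.html"   # public, and inside docroot
    chmod 600 "$root/etc/acl.conf"             # already private
    chmod 644 "$root/cgi-bin/admin.cgi"        # exposed: readable by anyone
}

# Stand-alone demo: ./docroot_exposure.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo="$(mktemp -d)"
    make_sample_tree "$demo/devdomain"
    echo "world-readable outside public_html:"
    audit_world_readable_outside_docroot "$demo/devdomain"
    strip_world_read_outside_docroot "$demo/devdomain"
    echo "after fix: $(count_exposed "$demo/devdomain") exposed"
    rm -rf "$demo"
fi
```

Run the audit as root against the real domain home (for example `audit_world_readable_outside_docroot /home/devdomain`) before and after tightening permissions; files that still show up are readable by the SFTP user whether or not a chroot is in place. Group-readable files need the same review if the developer accounts share a group with the domain owner.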