[BlueOnyx:24574] Re: Issues with jailed sftp on 5210R - fixed

Michael Stauber mstauber at blueonyx.it
Wed Dec 9 12:22:12 -05 2020


Hi Dirk,

> since the last CentOS8 release update I have a problem with jailed SFTP
> connections "Chrooted SFTP, SCP and RSYNC" on a server with CentOS8/BO
> 5210R.
> 
> No connection is established. The SFTP client asks if there is a SFTP
> server on the other side.
> 
> SFTP connections of users with unlimited shell access are no problem.
> 
> Yes, the server was restarted. Yes, the jailkit.service is running.

I just tested it and I can replicate it.

It doesn't even matter if you use either one of these two options:

Chrooted SFTP, SCP and RSYNC
Chrooted Shell, SFTP, SCP and RSYNC

The net result is the same:

ftp <username>@<domain>    <--- Works

sftp <username>@<domain>   <-- doesn't work, but should

ssh <username>@<domain>    <--- Works (if "Chrooted Shell,
                                SFTP, SCP and RSYNC" enabled)

scp file.txt <username>@<domain>:<path> <-- fails with error:

/usr/bin/scp: error while loading shared libraries: libcrypto.so.1.1:
cannot open shared object file: No such file or directory
lost connection

That gives us an indication about the nature of the problem.

Let's see what we have:

[root@5210r lib64]# ls -k1 /home/sites/<vsite>/lib64/libcry*
libcrypt.so.1
libcrypt.so.1.1.0

If I set up a new Vsite with Jails enabled (or disable and re-enable
Jails), I get this instead:

[root@5210r lib64]# ls -k1 /home/sites/<vsite>/lib64/libcry*
libcrypto.so.1.1
libcrypto.so.1.1.1g
libcrypt.so.1
libcrypt.so.1.1.0

So that's the issue: Jails that were created BEFORE the CentOS 8.3 YUM
updates don't have all the dependencies in them anymore that they need
for "sftp" and "scp".


Workaround:
===========

Go to the Vsite in question and under "Shell & FTP" set "Shell Access"
to "None" and save. Then set it back to what it should be and save again.

PLEASE NOTE: This will remove all pre-existing Shell & FTP provisions
from all users of that Vsite. So this is not ideal and these rights need
to be granted to the users again.


Proper fix via YUM update:
===========================

We do have a daily cronjob /etc/cron.daily/jail_warden.pl which is
supposed to check all Vsites with enabled jails and run "jk_update"
over the two jails of each Vsite to keep their jails current with any OS
related changes such as this.

However: It appears as if "jk_update" is not picking up the OS changes
introduced by the CentOS 8.3 update.

So I just modified /etc/cron.daily/jail_warden.pl to run a full
"jk_init" against existing jails instead. That fixes the problem.

Updated base-vsite-* RPMs have just been published.


TL;DR:
======

yum clean all
yum update
/etc/cron.daily/jail_warden.pl

Many thanks for the report!

-- 
With best regards

Michael Stauber
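
Added example (not part of the original post and not BlueOnyx code): a shell function that reads `ldd` output and lists the libraries that are absent from a jail, which is the condition diagnosed in the message above. The function names, the constructed `ldd` lines and the assumption that a host path such as /lib64/x must exist as <jail>/lib64/x are mine.

```shell
#!/bin/sh
# Added example, not BlueOnyx code. Lists the shared libraries a binary needs
# that are absent from a chroot jail. stdin: `ldd` output; $1: jail root.
# Assumption: host path /lib64/x must exist as <jail>/lib64/x.
# Real use (jail root taken from the listing in the post):
#   ldd /usr/bin/scp | jail_missing_libs /home/sites/<vsite>
jail_missing_libs() {
    jail=$1
    while read -r name arrow path rest; do
        case $name in
            # kernel-provided objects and "not a dynamic executable" /
            # "statically linked" lines have no file to look for
            linux-vdso*|linux-gate*|not|statically) continue ;;
        esac
        if [ "$arrow" = "=>" ]; then
            lib=$path     # "libfoo.so.1 => /lib64/libfoo.so.1 (0x...)"
        else
            lib=$name     # "/lib64/ld-linux-x86-64.so.2 (0x...)"
        fi
        case $lib in
            # -e follows symlinks, so a dangling versioned link counts as missing
            /*) [ -e "$jail$lib" ] || printf '%s\n' "$lib" ;;
            *)  printf '%s (unresolved on host)\n' "$name" ;;
        esac
    done
}

# Constructed demo: a temporary jail that holds libcrypt but not libcrypto,
# like the pre-update listing in the post, checked against constructed
# ldd output for scp.
demo_constructed() {
    jail=$(mktemp -d) || return 1
    mkdir -p "$jail/lib64"
    touch "$jail/lib64/libcrypt.so.1" "$jail/lib64/libc.so.6" \
          "$jail/lib64/ld-linux-x86-64.so.2"
    jail_missing_libs "$jail" <<'EOF'
    linux-vdso.so.1 (0x00007ffd5a9f2000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f1c2a400000)
    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f1c2a1d0000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1c29e00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1c2a900000)
EOF
    rm -rf "$jail"
}
```

Empty output means every library named by `ldd` is present in the jail; running the check after an OS update shows stale jails before users hit the failure.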


