[BlueOnyx:24575] Re: Issues with jailed sftp on 5210R - fixed

David Hahn blueonyx at sb9.com
Wed Dec 9 13:17:49 -05 2020 

Hi all,

Tried the update but still have the same error on 2 machines.

David

On 12/9/2020 11:22 AM, Michael Stauber wrote:
> Hi Dirk,
>
>> since the last CentOS8 release update I have a problem with jailed SFTP
>> connections "Chrooted SFTP, SCP and RSYNC" on a server with CentOS8/BO
>> 5210R.
>>
>> No connection is established. The SFTP client asks if there is a SFTP
>> server on the other side.
>>
>> SFTP connections of users with unlimited shell access are no problem.
>>
>> Yes, the server was restarted. Yes, the jailkit.service is running.
> I just tested it and I can replicate it.
>
> It doesn't even matter if you use either one of these two options:
>
> Chrooted SFTP, SCP and RSYNC
> Chrooted Shell, SFTP, SCP and RSYNC
>
> The net result is the same:
>
> ftp <username>@<domain>    <--- Works
>
> sftp <username>@<domain>   <-- doesn't work, but should
>
> ssh <username>@<domain>    <--- Works (if "Chrooted Shell,
>                                  SFTP, SCP and RSYNC" enabled)
>
> scp file.txt <username>@<domain>:<path> <-- fails with error:
>
> /usr/bin/scp: error while loading shared libraries: libcrypto.so.1.1:
> cannot open shared object file: No such file or directory
> lost connection
>
> That gives us an indication about the nature of the problem.
>
> Let's see what we have:
>
> [root at 5210r lib64]# ls -k1 /home/sites/<vsite>/lib64/libcry*
> libcrypt.so.1
> libcrypt.so.1.1.0
>
> If I set up a new Vsite with Jails enabled (or disable and re-enable
> Jails), I get this instead:
>
> [root at 5210r lib64]# ls -k1 /home/sites/<vsite>/lib64/libcry*
> libcrypto.so.1.1
> libcrypto.so.1.1.1g
> libcrypt.so.1
> libcrypt.so.1.1.0
>
> So that's the issue: Jails that were created BEFORE the CentOS 8.3 YUM
> updates don't have all the dependencies in them anymore that they need
> for "sftp" and "scp".
>
>
> Work around:
> =============
>
> Go to the Vsite in question and under "Shell & FTP" set "Shell Access"
> to "None" and save. Then set it back to what it should be and save again.
>
> PLEASE NOTE: This will remove all pre-existing Shell & FTP provisions
> from all users of that Vsite. So this is not ideal and these rights need
> to be granted to the users again.
>
>
> Proper fix via YUM update:
> ===========================
>
> We do have a daily cronjob /etc/cron.daily/jail_warden.pl which is
> supposed to check all Vsites with enabled jails and runs "jk_update"
> over the two jails of each Vsite to keep their jails current with any OS
> related changes such as this.
>
> However: It appears as if "jk_update" is not picking up the OS changes
> introduced by the CentOS 8.3 update.
>
> So I just modified /etc/cron.daily/jail_warden.pl to run a full
> "jk_init" against existing jails instead. That fixes the problem.
>
> Updated base-vsite-* RPMs have just been published.
>
>
> TL;DR:
> ======
>
> yum clean all
> yum update
> /etc/cron.daily/jail_warden.pl
>
> Many thanks for the report!
>
-- 
Thank you
David Hahn
----
Hey Super Users! - su
Get E Mail Alerts when sites or services are up or down.
Remotely Monitor Website and/or Service Absolutely Free in seconds.
http://mon.pagekeeperservice.com

More information about the Blueonyx mailing list