security issue when creating ssh users

short description

When creating ssh users with jailkit, it takes a while to create the jail. The user is first created, the shell is disabled and the password locked. However these actions are done sequentially using separate commands. This leaves a very short time for attackers to access the server's OS with a valid user and password. It is very hard to exploit but during a security audit our system has been accessed this way, so it is possible.

correct behaviour

The newly created ssh user should be created with disabled login until the jail is created and login should be enabled after the shell is set to jk_chrootsh.

environment

Server OS: debian Server OS version: buster ISPConfig version: 3.1dev

proposed fix

add --disable-login to the adduser command and enable

log entries

Apr  1 17:27:02 ispcwebtest02 useradd[14214]: new user: name=c6crash, UID=10033, GID=10033, home=/var/www/clients/client15/web33, shell=/bin/bash
Apr  1 17:27:02 ispcwebtest02 usermod[14229]: change user 'c6crash' shell from '/bin/bash' to '/bin/false'
Apr  1 17:27:02 ispcwebtest02 usermod[14229]: lock user 'c6crash' password
Apr  1 17:27:56 ispcwebtest02 usermod[21527]: change user 'c6crash' home from '/var/www/clients/client15/web33' to '/var/www/clients/client15/web33/./home/c6crash'
Apr  1 17:27:56 ispcwebtest02 usermod[21534]: change user 'c6crash' shell from '/bin/false' to '/usr/sbin/jk_chrootsh'
Apr  1 17:27:56 ispcwebtest02 usermod[21539]: change user 'web33' home from '/var/www/clients/client15/web33' to '/var/www/clients/client15/web33/./home/web33'
Apr  1 17:27:56 ispcwebtest02 usermod[21557]: unlock user 'c6crash' password