
#1 2020-03-01 10:48:17

broken pipe
Member
Registered: 2010-12-10
Posts: 238

[SOLVED] Chrooted SFTP only works under certain circumstances

Hi all,

I followed the instructions and it works very well so far.

https://wiki.archlinux.org/index.php/SFTP_chroot

In the test I can mount the SFTP share from another computer in the network and only see the jailed folder. It also works from another server over the internet, but it doesn't always work if I give all necessary login information to a colleague to mount that folder. I'm pretty clueless about what is causing these errors and thankful for any help.

Working: Debian Buster sshfs mount (OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d  10 Sep 2019), Windows putty/WinSCP, FileZilla

Not working: Ubuntu/Debian/Raspbian (OpenSSH_7.9p1 Raspbian-10+deb10u2, OpenSSL 1.1.1d  10 Sep 2019) sshfs mount


Client command

sshfs test1@example.org:/ /mnt/test -o IdentityFile=/home/test1/key.prv
also added: -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no

Client error

The authenticity of host '[example.org]:22 ([ip]:22)' can't be established.

SSHD server error

Connection closed by authenticating user test1 ip port 37010 [preauth]
Mär 01 11:41:51 NAS sshd[19319]: Connection from ip port 39202 on 192.168.1.6 port 5522 rdomain ""
Mär 01 11:41:51 NAS sshd[19319]: Connection closed by authenticating user test1 ip port 39202 [preauth]
Mär 01 11:41:51 NAS audit[19319]: USER_ERR pid=19319 uid=0 auid=4294967295 ses=4294967295 subj=_ msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/bin/sshd" hostname=ip addr=ip terminal=ssh res=failed'
Mär 01 11:41:51 NAS kernel: audit: type=1109 audit(1583059311.869:4965): pid=19319 uid=0 auid=4294967295 ses=4294967295 subj=_ msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/bin/sshd" hostname=ip addr=ip terminal=ssh res=failed'

SSHD Config

# IPv4 Only
AddressFamily inet

UseDNS no

AuthorizedKeysFile /etc/ssh/authorized_keys/%u .ssh/authorized_keys
PermitRootLogin No
LoginGraceTime 2m


HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

#KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

## Ciphers new
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
HostKeyAlgorithms ssh-ed25519,ssh-rsa
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

AuthenticationMethods publickey

LogLevel VERBOSE

UsePAM yes

X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2

MaxAuthTries 60

Compression no
AllowTcpForwarding No
ClientAliveCountMax 2
MaxSessions 2
TCPKeepAlive no
AllowAgentForwarding no

AllowUsers markus test1
PasswordAuthentication no

#Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
Subsystem sftp /usr/lib/ssh/sftp-server

Match Group sftponly
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no
  PasswordAuthentication no

Last edited by broken pipe (2020-03-01 16:38:36)


#2 2020-03-01 16:38:16

broken pipe
Member
Registered: 2010-12-10
Posts: 238

Re: [SOLVED] Chrooted SFTP only works under certain circumstances

Solved:

sshfs mounting only works on Raspbian/Ubuntu Server with the key added to the ssh-agent.
