#1 2013-02-19 14:07:55

willemw
Member
Registered: 2013-02-19
Posts: 21

[SOLVED] SFTP-chroot Wiki incorrect? Use /sbin/nologin not /bin/false?

Following the instructions on https://wiki.archlinux.org/index.php/SFTP-chroot, setting the login shell with

# usermod -s /bin/false sftpuser1

does not allow me to sftp into the user account.

Sshd debug output is

debug1: userauth-request for user sftpuser1 service ssh-connection method password [preauth]
debug1: attempt 4 failures 3 [preauth]
debug1: PAM: password authentication failed for sftpuser1: Authentication failure
Failed password for sftpuser1 from <IP> port 42482 ssh2

When replaced with the following two steps, I am able to sftp into the user account

# usermod -s /sbin/nologin sftpuser1

and add the following line to /etc/shells

/sbin/nologin

Should the wiki page be updated or am I missing something?

Last edited by willemw (2013-02-21 12:44:56)

#2 2013-02-19 23:01:25

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,412

I followed those same instructions and mine worked fine from the start (and still does).  I suspect that whether you realized it or not, there was probably a PEBKAC, and the second time, with /sbin/nologin, you didn't commit this error.  But that is just pure speculation. 

If it really really concerns you, you should bring this up on the wiki talk page rather than on these forums.

#3 2013-02-20 13:57:25

fsckd
Forum Moderator
Registered: 2009-06-15
Posts: 3,514

Moving from Networking, Server, and Protection to Forum & Wiki discussion.

#4 2013-02-21 06:42:36

willemw
Member
Registered: 2013-02-19
Posts: 21

The only difference I can think of is that instead of "usermod -g sftpusers" mentioned on the wiki page, I created a new user account which is only in the sftpusers user group.

#5 2013-02-21 11:28:26

seiichiro0185
Member
From: Leipzig/Germany
Registered: 2009-04-09
Posts: 182

I had a similar problem: I had /sbin/nologin for the users, but I didn't put it into /etc/shells. That worked fine until one of the last updates to openssh; the sftp-users couldn't log in after that.

I did some investigating and found the cause: the file /etc/pam.d/sshd was changed in one of the last updates, changing the way logins are checked against PAM for ssh. In the old file there was no check against /etc/shells, which basically meant you could have anything set as shell for the sftp-users. But with the change in the PAM file (it's now referencing the base PAM files), /etc/shells is now also checked on ssh login, which renders the logins created as described on the wiki page unusable.

So it seems the way the OP used (/sbin/nologin and entry in /etc/shells) is the right one. I have edited the wiki to reflect this change.

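The failure described in the post above (a login shell that is not listed in /etc/shells being rejected once the sshd PAM stack checks that file) can be audited before an update is rolled out. This is an added example, not part of the original thread or the wiki; the function names and the sample passwd/shells data are constructed, and it assumes the check is a whole-line match against /etc/shells, as done by Linux-PAM's pam_shells module.

```shell
#!/bin/sh
# Added example: list accounts whose login shell is missing from a shells file.
# Inputs are passwd(5)- and shells(5)-format files; defaults are the real ones.

# shell_listed SHELL SHELLS_FILE -> exit 0 if SHELL is an exact line in the file
shell_listed() {
    # -x whole-line match, -F fixed string, -q quiet; comment lines never match a path
    grep -qxF -- "$1" "$2"
}

# audit_shells [PASSWD_FILE] [SHELLS_FILE] -> prints "user shell" per mismatch
audit_shells() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        case $user in ''|'#'*) continue ;; esac
        # An empty shell field means /bin/sh per passwd(5)
        [ -n "$shell" ] || shell=/bin/sh
        shell_listed "$shell" "$shells_file" || printf '%s %s\n' "$user" "$shell"
    done < "$passwd_file"
}

# Demo on constructed data mirroring the thread (sftpuser2 is hypothetical)
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sftpuser1:x:1001:1001::/home/sftpuser1:/bin/false
sftpuser2:x:1002:1001::/home/sftpuser2:/sbin/nologin
EOF
    printf '%s\n' '# constructed shells file' /bin/sh /bin/bash > "$tmp/shells"
    echo "Not listed before the fix:"
    audit_shells "$tmp/passwd" "$tmp/shells"
    # The fix from the thread: add /sbin/nologin to the shells file
    echo /sbin/nologin >> "$tmp/shells"
    echo "Not listed after adding /sbin/nologin:"
    audit_shells "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

demo
```

Called without arguments, `audit_shells` reads the real /etc/passwd and /etc/shells; only accounts that actually authenticate through a PAM stack with this check are affected by a mismatch.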

#6 2013-02-21 12:47:50

willemw
Member
Registered: 2013-02-19
Posts: 21

Set to solved.

@seiichiro0185: Thanks. I also looked at /etc/pam.d/sshd, however, how did you compare it to a previous version? With A.R.M. or etckeeper?

#7 2013-02-21 13:24:43

seiichiro0185
Member
From: Leipzig/Germany
Registered: 2009-04-09
Posts: 182

I compared with a backup of the server from before the update ;)
