Following the instructions on https://wiki.archlinux.org/index.php/SFTP-chroot, setting the login shell with
# usermod -s /bin/false sftpuser1
does not allow me to sftp into the user account.
sshd debug output is:
debug1: userauth-request for user sftpuser1 service ssh-connection method password [preauth]
debug1: attempt 4 failures 3 [preauth]
debug1: PAM: password authentication failed for sftpuser1: Authentication failure
Failed password for sftpuser1 from <IP> port 42482 ssh2
When replaced with the following two steps, I am able to sftp into the user account
# usermod -s /sbin/nologin sftpuser1
and add the following line to /etc/shells
Should the wiki page be updated or am I missing something?
Last edited by willemw (2013-02-21 12:44:56)
I followed those same instructions and mine worked fine from the start (and still does). I suspect that whether you realized it or not, there was probably a PEBKAC, and the second time, with /sbin/nologin, you didn't commit this error. But that is just pure speculation.
If it really really concerns you, you should bring this up on the wiki talk page rather than on these forums.
The only difference I can think of is that instead of "usermod -g sftpusers" mentioned on the wiki page, I created a new user account which is only in the sftpusers user group.
I had a similar problem: I had /sbin/nologin for the users, but I didn't put it into /etc/shells. That worked fine until one of the last updates to openssh; the sftp users couldn't log in after that.
I did some investigating and found the cause: the file /etc/pam.d/sshd was changed in one of the last updates, changing the way logins are checked against PAM for ssh. In the old file there was no check against /etc/shells, which basically meant you could have anything set as the shell for the sftp users. But with the change in the PAM file (it's now referencing the base PAM files), /etc/shells is now also checked on ssh login, which renders the logins created as described on the wiki page unusable.
So it seems the way the OP used (/sbin/nologin and entry in /etc/shells) is the right one. I have edited the wiki to reflect this change.
Set to solved.
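To make the cause described above concrete, here is an added example (not code from any post in this thread or from the wiki page). It emulates the check done by the pam_shells PAM module, which only accepts a login if the user's shell in the passwd database appears verbatim in /etc/shells. The passwd and shells files are constructed inline so the script runs offline and never touches the real system files; the user names and shell paths are made up for illustration, and the assumption is that the /etc/shells check the thread attributes to the new /etc/pam.d/sshd behaves like pam_shells.

```shell
#!/bin/sh
# Added example: emulate the pam_shells check (shell must be listed in /etc/shells).
# All inputs are constructed below; nothing here reads /etc/passwd or /etc/shells.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed passwd database (hypothetical users, not a real system).
cat > "$WORK/passwd" <<'EOF'
root:x:0:0::/root:/bin/bash
sftpuser1:x:1001:1001::/home/sftpuser1:/bin/false
sftpuser2:x:1002:1001::/home/sftpuser2:/sbin/nologin
sftpuser3:x:1003:1001::/home/sftpuser3:/usr/bin/sftp-shell
EOF

# Constructed /etc/shells: /sbin/nologin has been added as the OP did; /bin/false has not.
cat > "$WORK/shells" <<'EOF'
# /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
EOF

# Print a user's login shell (7th passwd field); prints nothing for an unknown user.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Mirror pam_shells: succeed (0) only if the user exists with a non-empty shell
# that is listed verbatim in the shells file (comment lines ignored).
shell_allowed() {
    user=$1; passwd=$2; shells=$3
    sh_path=$(login_shell "$user" "$passwd")
    [ -n "$sh_path" ] || return 1
    grep -v '^#' "$shells" | grep -qx "$sh_path"
}

# Report per user, in the spirit of the sshd debug lines quoted in the thread.
report() {
    if shell_allowed "$1" "$WORK/passwd" "$WORK/shells"; then
        echo "$1: shell $(login_shell "$1" "$WORK/passwd") is in /etc/shells -> PAM would allow login"
    else
        echo "$1: shell '$(login_shell "$1" "$WORK/passwd")' not in /etc/shells -> PAM would reject login"
    fi
}

for u in sftpuser1 sftpuser2 sftpuser3 nosuchuser; do report "$u"; done
```

Run as-is: sftpuser1 (/bin/false, not listed) and sftpuser3 (a shell path that is not listed) are rejected, sftpuser2 (/sbin/nologin, listed) is accepted. That is the same contrast the OP saw, and it is why the wiki fix is both `usermod -s /sbin/nologin` and an entry for /sbin/nologin in /etc/shells; the user still gets no interactive shell, because the sftp subsystem and chroot are enforced by sshd, while PAM is satisfied by the /etc/shells entry.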
@seiichiro0185: Thanks. I also looked at /etc/pam.d/sshd, however, how did you compare it to a previous version? With A.R.M. or etckeeper?