Hey guys,
I got an issue with additional users, ssh and sftp following these instructions [1].
Problem:
I have two relevant users (user1, user2) on my system, like here:
# cat /etc/passwd
...
user1:x:1000:1000::/home/user1:/bin/bash
user2:x:1001:1001::/home/user2:/usr/bin/false
Everything is working well for user1. Getting a connection by using ssh or sftp works well for user1. If I want to connect with user2 by using sftp, it doesn't. I tried this:
[millz@workstation ~]$ ssh user1@localhost
millz@localhost's password:
Last login: Tue Dec 16 23:07:25 2014 from workstation.fritz.box
[millz@localhost ~]$ exit
logout
Connection to localhost closed.
[millz@workstation ~]$ ssh user2@localhost
user2@localhost's password:
Permission denied, please try again.
...
[millz@workstation ~]$ sftp user2@localhost
user2@localhost's password:
Permission denied, please try again.
...
This is the result if you check the sshd status for the given tries:
# systemctl status sshd.service
● sshd.service - OpenSSH Daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running) since Tue 2014-12-16 23:20:03 CET; 1min 2s ago
Main PID: 2229 (sshd)
CGroup: /system.slice/sshd.service
├─2229 /usr/bin/sshd -D
├─2250 sshd: user2 [priv]
└─2251 sshd: user2 [net]
Dec 16 23:20:03 localhost systemd[1]: Started OpenSSH Daemon.
Dec 16 23:20:03 localhost sshd[2229]: Server listening on 0.0.0.0 port 22.
Dec 16 23:20:03 localhost sshd[2229]: Server listening on :: port 22.
Dec 16 23:20:23 localhost sshd[2235]: Accepted password for user1 from 192.168.178.50 port 60054 ssh2
Dec 16 23:20:23 localhost sshd[2235]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Dec 16 23:20:51 localhost sshd[2243]: Failed password for user2 from 192.168.178.50 port 60056 ssh2
Dec 16 23:20:57 localhost sshd[2243]: Connection closed by 192.168.178.50 [preauth]
Dec 16 23:21:06 localhost sshd[2250]: Failed password for user2 from 192.168.178.50 port 60059 ssh2
I have the following sshd_config:
# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
#Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
Subsystem sftp internal-sftp
Match Group sftpusers
	ChrootDirectory /mnt/container/sftp_root
	ForceCommand internal-sftp
	AllowTcpForwarding no
	PermitTunnel no
	X11Forwarding no
These are the files in /etc/ssh/authorized_keys:
# ls -al /etc/ssh/authorized_keys/
total 16
drwxr-xr-x 2 root sftpusers 4096 Dec 16 22:52 .
drwxr-xr-x 3 root root 4096 Dec 16 23:19 ..
-rw-r--r-- 1 root sftpusers 397 Dec 16 22:33 user1.pub
-rw-r--r-- 1 root sftpusers 397 Dec 16 22:52 user2.pub
And these are the permissions for the /home directories:
# ls -al /home/
total 20
drwxr-xr-x 5 root root 4096 Dec 16 22:27 .
drwxr-xr-x 17 root root 4096 Oct 31 13:48 ..
drwxr-xr-x 8 user1 user1 4096 Dec 16 22:24 user1
drwxr-xr-x 3 root root 4096 Dec 16 22:55 user2
Hope you have some advice, guys. I would like to see user2 using sftp but declining a connection via ssh.
Thanks in advance.
millz
[1] https://wiki.archlinux.org/index.php/SFTP_chroot
Last edited by millz (2014-12-17 23:50:09)
First, the keys are not being used. user1 and user2 both drop to password authentication.
Are you logged in as either user1 or user2 when doing this?
Can user2 log in to the console?
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
First, the keys are not being used. user1 and user2 both drop to password authentication.
Are you logged in as either user1 or user2 when doing this?
Can user2 log in to the console?
No, I'm not logged in while doing this. To be precise:
$ ssh user1@192.168.1.1
user1@192.168.1.1's password:
Last login: Wed Dec 17 01:16:52 2014 from workstation.fritz.box
[user1@192.168.1.1 ~]$ exit
logout
Connection to 192.168.1.1 closed.
$ ssh user2@192.168.1.1
user2@192.168.1.1's password:
Permission denied, please try again.
This might be interesting as well:
$ ssh user1@192.168.1.1
user1@192.168.1.1's password:
Last login: Wed Dec 17 01:19:18 2014 from workstation.fritz.box
[user1@192.168.1.1 ~]$ su user2
Password:
[user1@192.168.1.1 ~]$
Try giving user2 a shell. I suspect /usr/bin/false is not going to do much.
Try giving user2 a shell. I suspect /usr/bin/false is not going to do much.
Damn, I cannot believe I missed that. Nice catch.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Try giving user2 a shell. I suspect /usr/bin/false is not going to do much.
As given in the linked article [1], I set the shell to /usr/bin/false to prevent an ssh login but allow an sftp login.
Nevertheless, for testing reasons and as advised by foppe, I set the shell of user2 to /bin/bash. It doesn't work either.
Here are the results from the shell:
$ ssh user1@192.168.1.1
user1@192.168.1.1's password:
Last login: Wed Dec 17 01:23:09 2014 from workstation.fritz.box
[user1@192.168.1.1 ~]$ su
Password:
[root@192.168.1.1 user1]# usermod -s /bin/bash user2
[root@192.168.1.1 user1]# exit
exit
[user1@192.168.1.1 ~]$ ssh user2@localhost
user2@localhost's password:
Write failed: Broken pipe
[user1@192.168.1.1 ~]$ exit
logout
Connection to 192.168.1.1 closed.
$ ssh user1@192.168.1.1
user1@192.168.1.1's password:
Last login: Wed Dec 17 09:48:50 2014 from workstation.fritz.box
[user1@192.168.1.1 ~]$ exit
logout
Connection to 192.168.1.1 closed.
$ ssh user2@192.168.1.1
user2@192.168.1.1's password:
Write failed: Broken pipe
Change ownership of ~ (/home/user2) to user2:user2
drwxr-xr-x 3 root root 4096 Dec 16 22:55 user2
Change ownership of ~ (/home/user2) to user2:user2
drwxr-xr-x 3 root root 4096 Dec 16 22:55 user2
Changed it, but getting a connection is still not possible. Again, here are the results given:
# chown user2 /home/user2
# exit
exit
$ ssh user2@localhost
user2@localhost's password:
Write failed: Broken pipe
$ sftp user2@localhost
user2@localhost's password:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
$ ls -al ../
total 20
drwxr-xr-x 5 root root 4096 Dec 16 22:27 .
drwxr-xr-x 17 root root 4096 Oct 31 13:48 ..
drwxr-xr-x 3 user2 root 4096 Dec 16 22:55 user2
$ exit
logout
Connection to 192.168.1.1 closed.
$ ssh user2@192.168.1.1
user2@192.168.1.1's password:
Write failed: Broken pipe
$ sftp user2@192.168.1.1
user2@192.168.1.1's password:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
$
What's the difference between
$ id user1
and
$ id user2
I'd go from a working ssh + sftp like user1 to a secure set-up the way you propose. Working backwards and not forwards the way you try to tackle this. When verifying each step you might find out what's going on.
What's the difference between
$ id user1
and
$ id user2
I'd go from a working ssh + sftp like user1 to a secure set-up the way you propose. Working backwards and not forwards the way you try to tackle this. When verifying each step you might find out what's going on.
Indeed, you're damn right! Did it this way.
It works if ChrootDirectory in sshd_config is commented out!
$ ssh user2@192.168.1.1
user2@192.168.1.1's password:
This service allows sftp connections only.
Connection to 192.168.1.1 closed.
$ sftp user2@192.168.1.1
user2@192.168.1.1's password:
Connected to 192.168.1.1.
sftp> ls
Thanks!
Hi all,
I need some help with this one too. I got everything set up and running, but my problem now is SSH. I try to enter my home network to access my sat-receiver (it has no password protection), but I can't access it with Arch (and yet I can with Windows 7). I read the Arch wiki and changed some settings as written there, but it's still not working. I am a new user to Arch (and Linux); I have been using Arch since 2 days ago and tried it for a few days in VMware before. Since October I used Debian/Ubuntu-based distros but mostly had random freezes. With Arch-based I don't have any issue at all. I hope someone can help me with this.
My configs:
cat /etc/passwd
...
michel:x:1000:100::/home/michel:/bin/bash
I try to access my sat-receiver (Linux box) and the IP is correct, BUT this box does not have a username or password. In Windows 7 I can just access it by clicking on the icon.
$ ssh michel@192.168.1.73
michel@192.168.1.73's password: *when I enter my Linux password I get this, even though the box has no code*
Permission denied, please try again.
systemctl status on sshd
systemctl status sshd.service
● sshd.service - OpenSSH Daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; vendor preset: disabled)
Active: active (running) since zo 2015-01-04 12:38:32 CET; 8min ago
Main PID: 2613 (sshd)
CGroup: /system.slice/sshd.service
└─2613 /usr/bin/sshd -D
jan 04 12:38:32 Clevo-P170HM sshd[2613]: Server listening on 0.0.0.0 port 22.
jan 04 12:38:32 Clevo-P170HM sshd[2613]: Server listening on :: port 22.
I took over the sshd_config file from millz to see if I missed something
cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
#Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
Subsystem sftp internal-sftp
Match Group sftpusers
	ChrootDirectory /mnt/container/sftp_root
	ForceCommand internal-sftp
	AllowTcpForwarding no
	PermitTunnel no
	X11Forwarding no
Now when I follow millz's first post I don't understand this part; it's not created on my side. Translation: Cannot access file @ /etc/ssh/authorized_keys/: File or folder does not exist
ls -al /etc/ssh/authorized_keys/
ls: kan geen toegang krijgen tot /etc/ssh/authorized_keys/: Bestand of map bestaat niet
And here are the home permissions:
$ ls -al /home/
totaal 12
drwxr-xr-x 3 root root 4096 2 jan 20:20 .
drwxr-xr-x 17 root root 4096 2 jan 20:16 ..
drwx------ 24 michel users 4096 4 jan 12:34 michel
Last edited by MichelN1986 (2015-01-04 11:56:59)
The problem millz had was about configuring the server side of the ssh/sftp connection to allow logins to his machine.
As far as I have understood you are trying to login to your sat-receiver.
What do you do in windows to connect to your sat-receiver?
I put a button on it. Yes. I wish to press it, but I'm not sure what will happen if I do. (Gune | Titan A.E.)
The problem millz had was about configuring the server side of the ssh/sftp connection to allow logins to his machine.
As far as I have understood you are trying to login to your sat-receiver.
What do you do in windows to connect to your sat-receiver?
Just hit the network icon and I can get into my box; it's a Linux box so I can see all the files (will post a few pictures).
Edit:
Linux: If I don't install OpenSSL I get an error on my box that no openssl program is installed (picture 1), so after I installed OpenSSL I get a login prompt (see pictures 2 and 3)
Picture 1: http://i.imgur.com/Or0Pa9e.png
Picture 2: http://i.imgur.com/wEdVRFo.png
Picture 3: http://i.imgur.com/SCU58cI.png
Windows: In Windows 7 I see more network options; I don't know why, because I have set up everything correctly according to the wiki.
Picture 1: http://i.imgur.com/nfA7uX7.jpg
Picture 2: http://i.imgur.com/tqqUmOJ.jpg
Picture 3: http://i.imgur.com/xCVtyi9.jpg
The only thing I have deleted after the Arch install is dhcpcd.service, and I installed NetworkManager for Cinnamon.
Last edited by MichelN1986 (2015-01-04 12:25:13)
MichelN1986, stop spamming your issue all over our forums. You have a thread on this already, and I just closed the other one you opened on it. Don't hijack other threads, particularly solved ones.
Thread Closed.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman