sftp: always get permission denied
#1
Good Morning:

I have been trying to get sftp on buddy-baker.us to work for months. The problem is that, if I make a user like brian (myself), I can sftp into my server no problem. HOWEVER, this is what I want to do:

I want to make it so that the following groups CAN sftp, and ONLY sftp. This way, they can be users of my server WITHOUT getting access to the shell on the box. The group I want to ONLY be able to sftp is sftponly. This group should NOT be able to log in to the shell at all, ONLY to the sftp server.

This is the way I have it set up. I want a chroot'd directory in /home/chroot/username; this is how I have that set up:
Code:
(Directory is /home2)
drwx--x---  7 root        sftponly    4096 Mar 21 06:42 chroot

Under that, I have

drwxr-x--- 4 root sftponly 4096 Mar 20 16:08 bbusftp
drwxr-x--- 3 root sftponly 4096 Mar 20 15:19 buddy
drwxr-x--- 3 root sftponly 4096 Mar 20 15:20 david
drwxr-x--- 3 root sftponly 4096 Mar 20 15:40 gary
drwxr-x--- 3 root sftponly 4096 Mar 21 06:51 kokadjo27
root@cardinal:/home2/chroot/bbusftp# ls -l

Under that I have (using bbusftp as example)
total 8
drwxr-x--- 2 root sftponly 4096 Mar 20 16:58 etc
drwxr-x--- 3 root sftponly 4096 Mar 20 14:56 home
root@cardinal:/home2/chroot/bbusftp# pwd
/home2/chroot/bbusftp
root@cardinal:/home2/chroot/bbusftp#
Under that:

root@cardinal:/home2/chroot/bbusftp/etc# ls -l
total 8
-rw-r--r-- 1 root root 49 Mar 20 17:04 group
-rw-r--r-- 1 root root 70 Mar 20 16:59 passwd
root@cardinal:/home2/chroot/bbusftp/etc# pwd
/home2/chroot/bbusftp/etc
root@cardinal:/home2/chroot/bbusftp/etc#

Under that (home directory of bbusftp):

root@cardinal:/home2/chroot/bbusftp/home# pwd
/home2/chroot/bbusftp/home
root@cardinal:/home2/chroot/bbusftp/home# ls -la
total 12
drwxr-x--- 3 root sftponly 4096 Mar 20 14:56 .
drwxr-x--- 4 root sftponly 4096 Mar 20 16:08 ..
drwxr-x--- 2 root sftponly 4096 Mar 20 14:56 bbusftp
root@cardinal:/home2/chroot/bbusftp/home#

Under bbusftp's home directory:
root@cardinal:/home2/chroot/bbusftp/home/bbusftp# pwd
/home2/chroot/bbusftp/home/bbusftp
root@cardinal:/home2/chroot/bbusftp/home/bbusftp# ls -al
total 8
drwxr-x--- 2 root sftponly 4096 Mar 20 14:56 .
drwxr-x--- 3 root sftponly 4096 Mar 20 14:56 ..
root@cardinal:/home2/chroot/bbusftp/home/bbusftp#
This is the config file /etc/ssh/sshd_config:
Code:
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no

# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server
#Subsystem  sftp internal-sftp

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.

UsePAM yes

#for chroot sftp
Match Group sftponly
   X11Forwarding no
   AllowTcpForwarding no
   ChrootDirectory /chroot/%u
   ForceCommand internal-sftp

#for group only access to shell login (admin) or for group only shell access
AllowGroups admin logins sftponly

However, EVERY TIME I try to log in with a password, it tells me 'permission denied' when attempting a login to sftp. The ONLY way I can log in is to use my own account. I CANNOT understand what the heck is going on: I believe I have the permissions on the directories correct, I have sftponly as the group and root as the owner of all of the directories, and I have the last stanza:
Code:
#for chroot sftp
Match Group sftponly
   X11Forwarding no
   AllowTcpForwarding no
   ChrootDirectory /chroot/%u
   ForceCommand internal-sftp
set up to the best of my knowledge. I tried to use the directory 'ChrootDirectory /home2.chroot/%u', but I am unable to log in unless I have shell access. I used a user I made called 'david' in honor of a late friend; he shows:
Code:
Login: david                                      Name: David Test User
Directory: /home2/chroot/david          Shell: /usr/sbin/nologin
Never logged in.
No mail.
No Plan.
brian@cardinal:~$
no login shell, yet he still cannot log in to sftp.

The last section of sshd_config:
Code:
#for group only access to shell login (admin) or for group only shell access
AllowGroups admin logins sftponly

is supposed to make it so that ONLY users in the admin group or logins group get access to the server. However, it looks as though I have to put the sftponly group in the AllowGroups directive, because it will not allow any login without being a member of one of those three groups, and even after making this change and restarting the sshd daemon (service ssh restart) I still get 'permission denied, try again'.

THE PLAN:
=======
The sftp-only user option was conceived by me so that I do not have to have tons of users that have shell access to my server. Most of my users that could sftp files could use clients like Filezilla and the like to ftp files, or download them from a server (mine). Most of my users in the sftponly group do not even know how to use a shell, but could figure out how to upload and download files to a home directory with ease if they could just connect to /home/chroot/username/home/username/ and put them in. I DO NOT want any sftponly user to have login ability to the shell, ONLY to the sftp server. The results below show me a problem:

LOGIN ATTEMPT (using -v option)
=========================
First, we change David Test User's Password:

Code:
root@cardinal:/etc/ssh# passwd david
Enter new UNIX password:
Retype new UNIX password:
Sorry, passwords do not match
passwd: Authentication token manipulation error
passwd: password unchanged
root@cardinal:/etc/ssh# passwd david
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@cardinal:/etc/ssh#
(it was not working before, and was giving me 'permission denied' and
'Failed password for invalid user david from 75.133.179.10 port 53907 ssh2')
NOW, we attempt to log in using david's changed password:
======================================
Code:
brian@cardinal:/etc/ssh$ sftp -v david@buddy-baker.us
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to buddy-baker.us [75.133.179.10] port 22.
debug1: Connection established.
debug1: identity file /home/brian/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/brian/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/brian/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/brian/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/brian/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/brian/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/brian/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/brian/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 5e:3a:9e:20:f4:d7:e2:77:a1:c7:3f:81:40:22:4a:1d
debug1: Host 'buddy-baker.us' is known and matches the ECDSA host key.
debug1: Found key in /home/brian/.ssh/known_hosts:4
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

                    --------------------------------------------------------------------
                                WELCOME TO BBUS (cardinal.buddy-baker.us)
                    --------------------------------------------------------------------
                           ADMINISTRATOR:  Brian S. "Buddy" Baker <brian@buddy-baker.us>


Debian GNU/Linux 8

Debian GNU/Linux 8
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/brian/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/brian/.ssh/id_dsa
debug1: Trying private key: /home/brian/.ssh/id_ecdsa
debug1: Trying private key: /home/brian/.ssh/id_ed25519
debug1: Next authentication method: password
david@buddy-baker.us's password:
debug1: Authentication succeeded (password).
Authenticated to buddy-baker.us ([75.133.179.10]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending subsystem: sftp
Connected to buddy-baker.us.
sftp>
It works now, but I got the following in the logs when I did not have the sftponly group in AllowGroups. My /var/log/auth.log has the following:
Code:
brian@cardinal:/etc/ssh$ sudo tail /var/log/auth.log
Mar 21 08:42:56 cardinal sshd[21366]: Connection closed by 75.133.179.10 [preauth]
Mar 21 08:43:24 cardinal sshd[21370]: Connection closed by 75.133.179.10 [preauth]
Mar 21 08:43:30 cardinal sshd[21374]: User david from cardinal.buddy-baker.us not allowed because none of user's groups are listed in AllowGroups
Mar 21 08:43:30 cardinal sshd[21374]: input_userauth_request: invalid user david [preauth]
Mar 21 08:43:36 cardinal sshd[21374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cardinal.buddy-baker.us  user=david
Mar 21 08:43:38 cardinal sshd[21374]: Failed password for invalid user david from 75.133.179.10 port 53907 ssh2
Mar 21 08:43:45 cardinal sshd[21374]: Failed password for invalid user david from 75.133.179.10 port 53907 ssh2
Mar 21 08:43:47 cardinal sshd[21374]: Connection closed by 75.133.179.10 [preauth]
Mar 21 08:43:47 cardinal sshd[21374]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cardinal.buddy-baker.us  user=david
Mar 21 08:44:07 cardinal sudo:    brian : TTY=pts/0 ; PWD=/etc/ssh ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
brian@cardinal:/etc/ssh$

Of particular interest is this line from the log:
Code:
Mar 21 08:43:30 cardinal sshd[21374]: User david from cardinal.buddy-baker.us not allowed because none of user's groups are listed in AllowGroups
Is it necessary to have the sftponly group in the sshd_config file when I DON'T want users to log in to the shell?
I also changed david's shell to /usr/sbin/nologin - This I think is the other way that keeps logins off the shell server and group sftponly allowed to sftp?
-------------------------------------------------------------------------------------------------------------------------------------------------------
It appears to be so, as I got THIS from tfn.net using sftp client:
Code:
Debian GNU/Linux 8
david@buddy-baker.us's password:
Could not chdir to home directory /home2/chroot/david: No such file or directory
This service allows sftp connections only.
Connection to buddy-baker.us closed.
bsbaker@tfn01{pts/0}:~$
Code:
------------------------------------------------------------------------------
                                     WELCOME TO BBUS (cardinal.buddy-baker.us)
                    -------------------------------------------------------------------------------
                           ADMINISTRATOR:  Brian S. "Buddy" Baker <brian@buddy-baker.us>


Debian GNU/Linux 8
david@buddy-baker.us's password:
sftp>

It appears from all my login attempts that it is working; however, I want to make sure that a person is placed in their home directory /home2/chroot/username/home/username, so I think for that I would change this line, right?
Code:
ChrootDirectory /chroot/%u
to:
Code:
ChrootDirectory /chroot/%u/home/%u

What I need is a script that will make the user, the proper directories, and the shell change to /usr/sbin/nologin, change permissions, copy the passwd and group files to /home2/chroot/username/group and /home2/chroot/username/passwd, and then tell me that it is done. I used a file located at:

Setting Up Accounts for SFTP only Access within a chroot

This worked, but it is a lot of manual labor to set up, and I want to make it act like adduser and do all of the work for me. How do I make this into a script?

Thanks for reading my rambling.....

Brian
Brian S. Baker
Linux Enthusiast /Computer Consultant At Large/ "The Wizkid"
System Admin: buddy-baker.us
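An added example (not Brian's script and not from the linked guide) of the adduser-style helper the post asks for: it creates an sftp-only account in the post's layout (/home2/chroot/<user>/home/<user>, group sftponly, shell /usr/sbin/nologin) and then checks the chroot path the same way sshd does before anyone logs in. It assumes the Match Group block uses ChrootDirectory /home2/chroot/%u with ForceCommand internal-sftp (so no passwd/group copies are needed inside the chroot) and sets the account's home to /home/<user>, the path as seen inside the chroot, which is where sshd chdirs after chrooting.

```shell
#!/bin/sh
# Added example, not the thread author's script: create an sftp-only account
# in the post's layout (BASE/<user>/home/<user>, group sftponly, nologin shell)
# and check the chroot path the way sshd does before anyone logs in.
# Assumes sshd_config has "ChrootDirectory BASE/%u" + "ForceCommand internal-sftp"
# under "Match Group sftponly"; BASE and GROUP are assumptions, override via env.
BASE=${BASE:-/home2/chroot}
GROUP=${GROUP:-sftponly}

# True (0) when an octal mode has the group-write (020) or other-write (002) bit.
mode_writable() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# sshd rejects a chroot unless every path component is owned by root and not
# group/world writable (auth.log: "bad ownership or modes for chroot directory").
# Prints the first offending component and returns 1; returns 0 when clean.
check_chroot_path() {
    dir=$1
    while [ -n "$dir" ] && [ "$dir" != "/" ]; do
        # GNU/busybox stat: %u = owner uid, %a = octal mode
        info=$(stat -c '%u %a' "$dir" 2>/dev/null) || { echo "$dir: cannot stat"; return 1; }
        set -- $info
        [ "$1" -eq 0 ] || { echo "$dir: owned by uid $1, must be root"; return 1; }
        if mode_writable "$2"; then echo "$dir: mode $2 is group/world writable"; return 1; fi
        dir=$(dirname "$dir")
    done
    return 0
}

# Create the account and directory tree; must run as root.
make_sftp_user() {
    u=$1
    getent group "$GROUP" >/dev/null || groupadd "$GROUP"
    # The passwd home is the path *inside* the chroot: sshd chdirs there after chrooting.
    useradd -M -g "$GROUP" -d "/home/$u" -s /usr/sbin/nologin "$u"
    install -d -o root -g root -m 755 "$BASE/$u" "$BASE/$u/home"   # chroot root: root-owned, not writable
    install -d -o "$u" -g "$GROUP" -m 750 "$BASE/$u/home/$u"       # the only directory the user may write
    check_chroot_path "$BASE/$u" && echo "sftp-only user $u ready under $BASE/$u"
}

if [ $# -eq 1 ]; then make_sftp_user "$1"; fi
```

AllowGroups is evaluated before any Match block, so the auth.log line quoted in the post is expected and sftponly has to stay in AllowGroups; the nologin shell is extra insurance, since with ForceCommand internal-sftp the user's shell is never executed.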

#2
Try it this way:

https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/