DaggyStyle Watchman
Joined: 22 Mar 2006 Posts: 5909
Posted: Wed May 21, 2014 8:28 pm Post subject: sftp session disconnects right after passwd enter [solved]
Greetings All,
I have an ssh server which allows sftp connections from the Internet, while ssh connections are allowed from within the local net; here is the config:
Code:
Port 11111
Port 11113
Protocol 2
LogLevel DEBUG
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/lib64/misc/sftp-server
Match LocalPort 11113 Address *,!192.168.0.0/24
ChrootDirectory /home/%u
AllowTCPForwarding no
X11Forwarding no
AllowUsers sftp_user
ForceCommand /usr/lib/openssh/sftp-server
AuthenticationMethods publickey,password publickey,keyboard-interactive
RSAAuthentication yes
PubkeyAuthentication yes
AcceptEnv LANG LC_*
Now when I try to connect from outside the net to test it, I see this in the client:
Code:
dagg@NCC-5001-D ~/.ssh/sftp_keys $ sftp -oPort=11113 -oIdentityFile=id_rsa sftp_user@111.111.111.111
Authenticated with partial success.
Password:
Connection closed
I'm sure the passwd is correct because su - sftp_user with that same passwd works, and if I enter a wrong passwd I'm prompted with another "Password: " line.
the server logs are:
Code:
May 21 22:56:30 NCC-5001-D sshd[30467]: debug1: Forked child 30708.
May 21 22:56:30 NCC-5001-D sshd[30708]: Set /proc/self/oom_score_adj to 0
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: rexec start in 7 out 7 newsock 7 pipe 9 sock 10
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: inetd sockets after dupping: 3, 3
May 21 22:56:30 NCC-5001-D sshd[30708]: Connection from 111.111.111.111 port 41017 on 192.168.0.1 port 11113
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: HPN Disabled: 0, HPN Buffer Size: 87380
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Client protocol version 2.0; client software version OpenSSH_6.6p1-hpn14v4
May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Version;Remote: 111.111.111.111-41017;Protocol: 2.0;Client: OpenSSH_6.6p1-hpn14v4
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: match: OpenSSH_6.6p1-hpn14v4 pat OpenSSH* compat 0x04000000
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Enabling compatibility mode for protocol 2.0
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Local version string SSH-2.0-OpenSSH_6.6p1-hpn14v4
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: permanently_set_uid: 22/22 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_KEXINIT sent [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_KEXINIT received [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: AUTH STATE IS 0 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Kex;Remote: 111.111.111.111-41017;Enc: aes128-ctr;MAC: hmac-md5-etm@openssh.com;Comp: none [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_NEWKEYS received [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: KEX done [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method none [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Authname;Remote: 111.111.111.111-41017;Name: sftp_user [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 0 failures 0 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is port
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is port
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is protocol
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is loglevel
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is passwordauthentication
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is usepam
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is printmotd
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is printlastlog
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is useprivilegeseparation
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is subsystem
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is match
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: connection from 192.168.0.1 matched 'LocalPort 11113' at line 176
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: connection from 111.111.111.111 matched 'Address *,!192.168.0.0/24' at line 176
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is chrootdirectory
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is allowtcpforwarding
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is x11forwarding
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is allowusers
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is forcecommand
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is authenticationmethods
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is rsaauthentication
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is pubkeyauthentication
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is acceptenv
May 21 22:56:30 NCC-5001-D sshd[30708]: error: Disabled method "password" in AuthenticationMethods list "publickey,password"
May 21 22:56:30 NCC-5001-D sshd[30708]: Authentication methods list "publickey,password" contains disabled method, skipping
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: authentication methods list 0: publickey,keyboard-interactive
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: initializing for "sftp_user"
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: setting PAM_RHOST to "red.unlimited.net"
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: setting PAM_TTY to "ssh"
May 21 22:56:30 NCC-5001-D sshd[30708]: error: Disabled method "password" in AuthenticationMethods list "publickey,password" [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: Authentication methods list "publickey,password" contains disabled method, skipping [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: authentication methods list 0: publickey,keyboard-interactive [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method publickey [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 1 failures 0 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: test whether pkalg/pkblob are acceptable [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: temporarily_use_uid: 1004/100 (e=0/0)
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: trying public key file /home/sftp_user/.ssh/authorized_keys
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: fd 4 clearing O_NONBLOCK
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: matching key found: file /home/sftp_user/.ssh/authorized_keys, line 1 RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: restore_uid: 0/0
May 21 22:56:30 NCC-5001-D sshd[30708]: Postponed publickey for sftp_user from 111.111.111.111 port 41017 ssh2 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method publickey [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 2 failures 0 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: temporarily_use_uid: 1004/100 (e=0/0)
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: trying public key file /home/sftp_user/.ssh/authorized_keys
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: fd 4 clearing O_NONBLOCK
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: matching key found: file /home/sftp_user/.ssh/authorized_keys, line 1 RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: restore_uid: 0/0
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: ssh_rsa_verify: signature correct
May 21 22:56:30 NCC-5001-D sshd[30708]: Partial publickey for sftp_user from 111.111.111.111 port 41017 ssh2: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method keyboard-interactive [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 3 failures 1 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: keyboard-interactive devs [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: auth2_challenge: user=sftp_user devs= [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kbdint_alloc: devices 'pam' [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
May 21 22:56:31 NCC-5001-D sshd[30708]: Postponed keyboard-interactive for sftp_user from 111.111.111.111 port 41017 ssh2: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx [preauth]
May 21 22:56:34 NCC-5001-D sshd[30713]: debug1: do_pam_account: called
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: num PAM env strings 0
May 21 22:56:34 NCC-5001-D sshd[30708]: Postponed keyboard-interactive/pam for sftp_user from 111.111.111.111 port 41017 ssh2 [preauth]
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: do_pam_account: called
May 21 22:56:34 NCC-5001-D sshd[30708]: Accepted keyboard-interactive/pam for sftp_user from 111.111.111.111 port 41017 ssh2
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: monitor_child_preauth: sftp_user has been authenticated by privileged process
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: monitor_read_log: child log fd closed
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: establishing credentials
May 21 22:56:34 NCC-5001-D sshd[30708]: pam_unix(sshd:session): session opened for user sftp_user by (uid=0)
May 21 22:56:34 NCC-5001-D sshd[30708]: User child is on pid 30721
May 21 22:56:34 NCC-5001-D sshd[30721]: debug1: PAM: establishing credentials
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: do_cleanup
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: cleanup
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: closing session
May 21 22:56:34 NCC-5001-D sshd[30708]: pam_unix(sshd:session): session closed for user sftp_user
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: deleting credentials
Why am I not able to get an ftp cli?
Thanks.
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
windex n00b
Joined: 09 Dec 2012 Posts: 70
Posted: Sat May 31, 2014 12:51 am Post subject:
Can you confirm that you're able to connect from localhost, and then from inside of your network?
DaggyStyle Watchman
Posted: Sun Jun 01, 2014 7:05 pm Post subject:
windex wrote:
Can you confirm that you're able to connect from localhost, and then from inside of your network?

Good idea, will check.
DaggyStyle Watchman
Posted: Sun Jun 01, 2014 7:09 pm Post subject:
Removing the internet limitation didn't work.
DaggyStyle Watchman
Posted: Sun Jun 01, 2014 7:48 pm Post subject:
OK, got some lead: this happens only if I set the ChrootDirectory directive.
windex n00b
Posted: Mon Jun 02, 2014 2:02 am Post subject: chrooting sshd
Can you please post the ChrootDirectory component of your sshd_config. If it's deemed sensitive, please PM it to me instead. What specifically are you attempting to accomplish by chrooting? Can you please confirm that you can chroot successfully into that folder?
DaggyStyle Watchman
Posted: Mon Jun 02, 2014 5:29 am Post subject: solved!
It seems that ChrootDirectory behaves well only when paired with internal-sftp instead of an external binary.
here is the working config:
Code:
Port 11111
Port 11113
Protocol 2
LogLevel DEBUG
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem sftp internal-sftp
Match LocalPort 11113 Address *,!192.168.0.0/24
ChrootDirectory /home/%u
AllowTCPForwarding no
X11Forwarding no
AllowUsers sftp_user
ForceCommand internal-sftp
AuthenticationMethods publickey,password publickey,keyboard-interactive
RSAAuthentication yes
PubkeyAuthentication yes
AcceptEnv LANG LC_*
I wonder why, but it works and that is what I need it to do.
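Editor's note on why the switch fixes it, with an added pre-flight check (this script is written for this thread and is not code from the posts above or from OpenSSH). With ChrootDirectory set, sshd chroots into /home/sftp_user before it runs the ForceCommand, so an external /usr/lib/openssh/sftp-server is then looked up inside the jail, where neither it, the user's login shell that sshd uses to launch it, nor their shared libraries exist; the forced command cannot start and the session closes right after the PAM session opens, which is the pattern in the debug log. internal-sftp is implemented inside the sshd process and, as sshd_config(5) states, requires no support files in the chroot. Two further rules bite people with this setup: sshd refuses to chroot unless the directory and every path component above it are owned by root and not writable by group or others, which also means the user cannot write to the chroot root itself (give them a user-owned subdirectory such as /home/sftp_user/upload), and internal-sftp logging inside a chroot may need a /dev/log socket in the jail on some systems. The script below checks the first two conditions against a candidate directory and ForceCommand; it assumes GNU coreutils stat(1) and uses ldd(1) only when present.

```sh
#!/bin/sh
# Added example (not from the thread or OpenSSH): pre-flight checks for an
# sshd ChrootDirectory + sftp setup, mirroring the two rules that matter here.
#   1. sshd only chroots if the target directory AND every path component
#      above it are owned by root and not writable by group or others.
#   2. An external Subsystem/ForceCommand binary such as
#      /usr/lib/openssh/sftp-server must exist inside the jail, together
#      with its shared libraries (and the user's login shell, not checked
#      here); internal-sftp runs inside sshd and needs no files in the jail.
# Assumes GNU coreutils stat(1); ldd(1) is used only when available.

# chroot_path_ok DIR: return 0 if DIR and all its ancestors satisfy rule 1,
# otherwise print the first offending component and return 1.
chroot_path_ok() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "ChrootDirectory must be an absolute path: $dir"; return 1 ;;
    esac
    while :; do
        owner=$(stat -c %u "$dir") || return 1
        mode=$(stat -c %a "$dir") || return 1
        go=${mode#"${mode%??}"}          # last two octal digits: group, other
        case $go in
            *[2367]*) echo "writable by group/other: $dir (mode $mode)"; return 1 ;;
        esac
        [ "$owner" = 0 ] || { echo "not owned by root: $dir (uid $owner)"; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# forcecommand_ok CMD JAIL: return 0 if CMD can run once sshd has chrooted
# into JAIL. internal-sftp always passes; anything else must be present and
# executable under JAIL, and so must every shared library ldd reports for it.
# Only run this against binaries you placed there yourself: ldd may execute
# the file it inspects.
forcecommand_ok() {
    cmd=$1 jail=$2
    [ "$cmd" = internal-sftp ] && return 0
    if [ ! -x "$jail$cmd" ]; then
        echo "missing inside chroot: $jail$cmd"; return 1
    fi
    libs=
    if command -v ldd >/dev/null 2>&1; then
        # ldd lines look like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
        libs=$(ldd "$jail$cmd" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }')
    fi
    for lib in $libs; do
        [ -e "$jail$lib" ] || { echo "missing library inside chroot: $jail$lib"; return 1; }
    done
    return 0
}

# Usage: sh chroot-preflight.sh /home/sftp_user internal-sftp
#        sh chroot-preflight.sh /home/sftp_user /usr/lib/openssh/sftp-server
if [ $# -eq 2 ]; then
    chroot_path_ok "$1" && forcecommand_ok "$2" "$1" && echo "OK: sshd can chroot into $1 and run $2"
fi
```

Run it with the ChrootDirectory and ForceCommand values from the Match block; the first message it prints is the component sshd would reject in its own "bad ownership or modes for chroot directory component" error. To confirm which Match block a given client actually gets, ask sshd for the effective configuration of a connection rather than reading the file: `sshd -T -C user=sftp_user,addr=<client ip>,laddr=<server ip>,lport=11113 | grep -iE 'chrootdirectory|forcecommand|authenticationmethods'` (the laddr/lport keywords need a reasonably recent OpenSSH).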