Gentoo Forums
sftp session disconnects right after passwd enter [solved]
DaggyStyle
Watchman
Joined: 22 Mar 2006
Posts: 5909

PostPosted: Wed May 21, 2014 8:28 pm    Post subject: sftp session disconnects right after passwd enter [solved]

Greetings All,

I have an ssh server which allows sftp connections from the Internet, while ssh connections are only allowed from within the local net. Here is the config:
Code:
Port 11111
Port 11113
Protocol 2
LogLevel DEBUG
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem       sftp    /usr/lib64/misc/sftp-server
Match LocalPort 11113 Address *,!192.168.0.0/24
   ChrootDirectory /home/%u
   AllowTCPForwarding no
   X11Forwarding no
   AllowUsers sftp_user
   ForceCommand /usr/lib/openssh/sftp-server
   AuthenticationMethods publickey,password publickey,keyboard-interactive
   RSAAuthentication yes
   PubkeyAuthentication yes
AcceptEnv LANG LC_*


Now when I try to connect from outside the net to test it, I see this in the client:
Code:
dagg@NCC-5001-D ~/.ssh/sftp_keys $ sftp -oPort=11113 -oIdentityFile=id_rsa sftp_user@111.111.111.111
Authenticated with partial success.
Password:
Connection closed

I'm sure the passwd is correct because su - sftp_user with that same passwd works, and if I enter a wrong passwd I'm prompted with another "Password: " line.

The server logs are:
Code:
May 21 22:56:30 NCC-5001-D sshd[30467]: debug1: Forked child 30708.
May 21 22:56:30 NCC-5001-D sshd[30708]: Set /proc/self/oom_score_adj to 0
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: rexec start in 7 out 7 newsock 7 pipe 9 sock 10
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: inetd sockets after dupping: 3, 3
May 21 22:56:30 NCC-5001-D sshd[30708]: Connection from 111.111.111.111 port 41017 on 192.168.0.1 port 11113
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: HPN Disabled: 0, HPN Buffer Size: 87380
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Client protocol version 2.0; client software version OpenSSH_6.6p1-hpn14v4
May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Version;Remote: 111.111.111.111-41017;Protocol: 2.0;Client: OpenSSH_6.6p1-hpn14v4
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: match: OpenSSH_6.6p1-hpn14v4 pat OpenSSH* compat 0x04000000
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Enabling compatibility mode for protocol 2.0
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Local version string SSH-2.0-OpenSSH_6.6p1-hpn14v4
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: permanently_set_uid: 22/22 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_KEXINIT sent [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_KEXINIT received [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: AUTH STATE IS 0 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Kex;Remote: 111.111.111.111-41017;Enc: aes128-ctr;MAC: hmac-md5-etm@openssh.com;Comp: none [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_NEWKEYS received [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: KEX done [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method none [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Authname;Remote: 111.111.111.111-41017;Name: sftp_user [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 0 failures 0 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is port
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is port
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is protocol
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is loglevel
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is passwordauthentication
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is usepam
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is printmotd
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is printlastlog
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is useprivilegeseparation
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is subsystem
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is match
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: connection from 192.168.0.1 matched 'LocalPort 11113' at line 176
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: connection from 111.111.111.111 matched 'Address *,!192.168.0.0/24' at line 176
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is chrootdirectory
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is allowtcpforwarding
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is x11forwarding
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is allowusers
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is forcecommand
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is authenticationmethods
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is rsaauthentication
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is pubkeyauthentication
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is acceptenv
May 21 22:56:30 NCC-5001-D sshd[30708]: error: Disabled method "password" in AuthenticationMethods list "publickey,password"
May 21 22:56:30 NCC-5001-D sshd[30708]: Authentication methods list "publickey,password" contains disabled method, skipping
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: authentication methods list 0: publickey,keyboard-interactive
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: initializing for "sftp_user"
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: setting PAM_RHOST to "red.unlimited.net"
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: setting PAM_TTY to "ssh"
May 21 22:56:30 NCC-5001-D sshd[30708]: error: Disabled method "password" in AuthenticationMethods list "publickey,password" [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: Authentication methods list "publickey,password" contains disabled method, skipping [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: authentication methods list 0: publickey,keyboard-interactive [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method publickey [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 1 failures 0 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: test whether pkalg/pkblob are acceptable [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: temporarily_use_uid: 1004/100 (e=0/0)
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: trying public key file /home/sftp_user/.ssh/authorized_keys
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: fd 4 clearing O_NONBLOCK
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: matching key found: file /home/sftp_user/.ssh/authorized_keys, line 1 RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: restore_uid: 0/0
May 21 22:56:30 NCC-5001-D sshd[30708]: Postponed publickey for sftp_user from 111.111.111.111 port 41017 ssh2 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method publickey [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 2 failures 0 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: temporarily_use_uid: 1004/100 (e=0/0)
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: trying public key file /home/sftp_user/.ssh/authorized_keys
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: fd 4 clearing O_NONBLOCK
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: matching key found: file /home/sftp_user/.ssh/authorized_keys, line 1 RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: restore_uid: 0/0
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: ssh_rsa_verify: signature correct
May 21 22:56:30 NCC-5001-D sshd[30708]: Partial publickey for sftp_user from 111.111.111.111 port 41017 ssh2: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method keyboard-interactive [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 3 failures 1 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: keyboard-interactive devs  [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: auth2_challenge: user=sftp_user devs= [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kbdint_alloc: devices 'pam' [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
May 21 22:56:31 NCC-5001-D sshd[30708]: Postponed keyboard-interactive for sftp_user from 111.111.111.111 port 41017 ssh2: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx [preauth]
May 21 22:56:34 NCC-5001-D sshd[30713]: debug1: do_pam_account: called
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: num PAM env strings 0
May 21 22:56:34 NCC-5001-D sshd[30708]: Postponed keyboard-interactive/pam for sftp_user from 111.111.111.111 port 41017 ssh2 [preauth]
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: do_pam_account: called
May 21 22:56:34 NCC-5001-D sshd[30708]: Accepted keyboard-interactive/pam for sftp_user from 111.111.111.111 port 41017 ssh2
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: monitor_child_preauth: sftp_user has been authenticated by privileged process
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: monitor_read_log: child log fd closed
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: establishing credentials
May 21 22:56:34 NCC-5001-D sshd[30708]: pam_unix(sshd:session): session opened for user sftp_user by (uid=0)
May 21 22:56:34 NCC-5001-D sshd[30708]: User child is on pid 30721
May 21 22:56:34 NCC-5001-D sshd[30721]: debug1: PAM: establishing credentials
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: do_cleanup
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: cleanup
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: closing session
May 21 22:56:34 NCC-5001-D sshd[30708]: pam_unix(sshd:session): session closed for user sftp_user
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: deleting credentials


Why am I not able to get an ftp cli?

Thanks.
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein


Last edited by DaggyStyle on Mon Jun 02, 2014 5:29 am; edited 1 time in total
windex
n00b
Joined: 09 Dec 2012
Posts: 70

PostPosted: Sat May 31, 2014 12:51 am    Post subject:

Can you confirm that you're able to connect from localhost, and then from inside of your network?
DaggyStyle
Watchman
Joined: 22 Mar 2006
Posts: 5909

PostPosted: Sun Jun 01, 2014 7:05 pm    Post subject:

windex wrote:
Can you confirm that you're able to connect from localhost, and then from inside of your network?


Good idea, will check.
DaggyStyle
Watchman
Joined: 22 Mar 2006
Posts: 5909

PostPosted: Sun Jun 01, 2014 7:09 pm    Post subject:

Removing the internet limitation didn't work.
DaggyStyle
Watchman
Joined: 22 Mar 2006
Posts: 5909

PostPosted: Sun Jun 01, 2014 7:48 pm    Post subject:

OK, got some lead: this happens only if I set the ChrootDirectory directive.
windex
n00b
Joined: 09 Dec 2012
Posts: 70

PostPosted: Mon Jun 02, 2014 2:02 am    Post subject: chrooting sshd

Can you please post the ChrootDirectory component of your sshd_config. If it's deemed sensitive, please PM it to me instead. What specifically are you attempting to accomplish by chrooting? Can you please confirm that you can chroot successfully into that folder?
DaggyStyle
Watchman
Joined: 22 Mar 2006
Posts: 5909

PostPosted: Mon Jun 02, 2014 5:29 am    Post subject: solved!

It seems that ChrootDirectory behaves well only when paired with internal-sftp instead of the external binary.
Here is the working config:
Code:
Port 11111
Port 11113
Protocol 2
LogLevel DEBUG
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem       sftp    internal-sftp
Match LocalPort 11113 Address *,!192.168.0.0/24
   ChrootDirectory /home/%u
   AllowTCPForwarding no
   X11Forwarding no
   AllowUsers sftp_user
   ForceCommand internal-sftp
   AuthenticationMethods publickey,password publickey,keyboard-interactive
   RSAAuthentication yes
   PubkeyAuthentication yes
AcceptEnv LANG LC_*


I wonder why, but it works and that is what I need it to do.
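The thread never explains the "why", so here is an added example (my own code, not from the thread or from OpenSSH) that makes both problems visible from the posted sshd_config alone. With ChrootDirectory set, sshd chroot()s into that directory before it runs the ForceCommand or Subsystem handler, so an external binary such as /usr/lib/openssh/sftp-server has to exist, with its libraries, inside the chroot; internal-sftp runs inside the sshd process and needs nothing there, which is why the working config fixed it. The second check reproduces the `Disabled method "password" in AuthenticationMethods list "publickey,password"` error from the first post's log: PasswordAuthentication no disables a method that one of the alternatives still names. A third helper checks the ownership and mode rules sshd enforces on the chroot path (every component root-owned and not group/other writable), which this thread's /home/%u layout can trip over when the home directory belongs to the user. The sample config and the stat tuples are constructed for the example; the uid 1004 is taken from the log.

```python
"""Lint an sshd_config for ChrootDirectory / AuthenticationMethods mistakes.

Added example, not part of the forum thread or of OpenSSH. The parser only
handles the "Keyword value" form and Match blocks, which is enough for the
configs posted in the thread.
"""
import os
import stat

# Constructed sample: the first post's non-working config, trimmed.
SAMPLE_CONFIG = """\
Port 11111
Port 11113
PasswordAuthentication no
UsePAM yes
Subsystem       sftp    /usr/lib64/misc/sftp-server
Match LocalPort 11113 Address *,!192.168.0.0/24
   ChrootDirectory /home/%u
   AllowUsers sftp_user
   ForceCommand /usr/lib/openssh/sftp-server
   AuthenticationMethods publickey,password publickey,keyboard-interactive
"""


def parse_sshd_config(text):
    """Split sshd_config text into (global_opts, [(match_criteria, opts), ...]).
    Keywords are case-insensitive, so they are stored lower-cased; keywords
    that may repeat (Port, Subsystem, ...) keep every value in a list."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        current.setdefault(key, []).append(value)
    return global_opts, blocks


def lint_block(opts, inherited):
    """Return findings for one block. A Match block inherits any keyword it
    does not set from the global section, so fall back to `inherited`."""
    def get(key):
        return opts.get(key) or inherited.get(key, [])

    findings = []
    chroot = get("chrootdirectory")
    if chroot:
        # sshd chroot()s before exec'ing the command: an external handler is
        # resolved inside the chroot, internal-sftp needs no files there.
        for cmd in get("forcecommand"):
            if cmd != "internal-sftp":
                findings.append(f"ForceCommand {cmd} under ChrootDirectory "
                                f"{chroot[-1]}: resolved inside the chroot; use internal-sftp")
        for sub in get("subsystem"):
            name, handler = (sub.split(None, 1) + [""])[:2]
            if name == "sftp" and handler != "internal-sftp":
                findings.append(f"Subsystem sftp {handler} under ChrootDirectory: use internal-sftp")
    # sshd rejects an AuthenticationMethods alternative naming a method that
    # another directive has disabled (seen in the log for "publickey,password").
    pw = get("passwordauthentication")
    if pw and pw[-1].lower() == "no":
        for alternatives in get("authenticationmethods"):
            for alt in alternatives.split():
                if "password" in alt.split(","):
                    findings.append(f'AuthenticationMethods list "{alt}" contains disabled method password')
    return findings


def lint_config(text):
    """Lint the global section and every Match block; prefix Match findings."""
    global_opts, blocks = parse_sshd_config(text)
    findings = lint_block(global_opts, {})
    for criteria, opts in blocks:
        findings += [f"Match {criteria}: {f}" for f in lint_block(opts, global_opts)]
    return findings


def chroot_path_findings(path_stats):
    """path_stats: [(path, uid, mode_bits), ...] for the chroot directory and
    each parent. sshd refuses the chroot unless every component is owned by
    root and writable by nobody but root."""
    findings = []
    for path, uid, mode in path_stats:
        if uid != 0:
            findings.append(f"{path}: owned by uid {uid}, must be root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: group/other writable (mode {mode:04o})")
    return findings


def stat_chroot_path(path):
    """Collect (path, uid, mode) for `path` and all parents from the live filesystem."""
    out, p = [], os.path.abspath(path)
    while True:
        st = os.stat(p)
        out.append((p, st.st_uid, stat.S_IMODE(st.st_mode)))
        parent = os.path.dirname(p)
        if parent == p:
            return out
        p = parent


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
    # Constructed stat data: /home/sftp_user owned by the user (uid 1004 in the log).
    for finding in chroot_path_findings([("/", 0, 0o755), ("/home", 0, 0o755),
                                         ("/home/sftp_user", 1004, 0o755)]):
        print(finding)
```

Running it against the first post's config reports the ForceCommand and Subsystem handlers as unusable under the chroot plus the disabled "publickey,password" alternative; against the solved config only the AuthenticationMethods finding remains, which matches the log still showing that error. The `stat_chroot_path` helper feeds `chroot_path_findings` from a real filesystem when the chroot root itself must belong to the user, as /home/%u usually does: the usual remedy is a root-owned chroot with a user-writable subdirectory beneath it.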