Gentoo Forums
[solved] Unable to sftp when sshd is in chroot
i0
n00b
Joined: 11 Oct 2006
Posts: 46

PostPosted: Tue Feb 03, 2009 12:35 pm    Post subject: [solved] Unable to sftp when sshd is in chroot

Hey

Problem: cannot connect with sftp but can connect with filezilla.

Config:

sshd_config
Code:


Port 22
Port 3333

Protocol 2

AllowUsers me you another

PermitRootLogin no

PasswordAuthentication no

UsePAM yes

Subsystem   sftp   /usr/lib/misc/sftp-server

Match Group users
   ChrootDirectory /home/%u
   X11Forwarding no
   AllowTcpForwarding no
   ForceCommand internal-sftp


Connecting with filezilla is ok. I can see directories and upload files etc.
But with command line sftp client:
Code:

sftp -oPort=3333 -s sftp_server me@myhost:folder/
Connecting to myhost...
Password:
subsystem request failed on channel 0
Couldn't read packet: Connection reset by peer


Now, trying to connect in debugger mode:
Code:

 sftp -oPort=3333 -v me@myhost
Connecting to myhost...
OpenSSH_5.1p1, OpenSSL 0.9.8j 07 Jan 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to myhost [xxx.xxx.xxx.xxx] port 3333.
debug1: Connection established.
debug1: identity file /home/me/.ssh/id_rsa type 1
debug1: identity file /home/me/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[myhost]:3333' is known and matches the RSA host key.
debug1: Found key in /home/me/.ssh/known_hosts:50
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/me/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/me/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending subsystem: sftp
subsystem request failed on channel 0
Couldn't read packet: Connection reset by peer


Sshd in debug mode while connecting with sftp:
Code:

debug1: sshd version OpenSSH_5.1p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 3333 on ::.
Server listening on :: port 3333.
debug1: Bind to port 3333 on 0.0.0.0.
Server listening on 0.0.0.0 port 3333.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 7 out 7 newsock 7 pipe -1 sock 10
debug1: inetd sockets after dupping: 3, 3
Connection from xxx.xxx.xxx.xxx port 41695
debug1: Client protocol version 2.0; client software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user me service ssh-connection method none
debug1: attempt 0 failures 0
debug1: user me matched group list users at line 118
debug1: PAM: initializing for "me"
debug1: PAM: setting PAM_RHOST to "connectinghostname"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user me service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1001/100 (e=0/0)
debug1: trying public key file //.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1001/100 (e=0/0)
debug1: trying public key file //.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for me from xxx.xxx.xxx.xxx port 41695 ssh2
debug1: userauth-request for user me service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=me devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for me from xxx.xxx.xxx.xxx port 41695 ssh2
debug1: do_pam_account: called
debug1: PAM: num PAM env strings 0
Postponed keyboard-interactive/pam for me from xxx.xxx.xxx.xxx port 41695 ssh2
debug1: do_pam_account: called
Accepted keyboard-interactive/pam for me from xxx.xxx.xxx.xxx port 41695 ssh2
debug1: monitor_child_preauth: me has been authenticated by privileged process
debug1: PAM: establishing credentials
User child is on pid 2804
debug1: PAM: establishing credentials
Changed root directory to "/home/me"
debug1: permanently_set_uid: 1001/100
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp
subsystem: cannot stat /usr/lib/misc/sftp-server: No such file or directory
subsystem request for sftp failed, subsystem not found
Connection closed by xxx.xxx.xxx.xxx
debug1: channel 0: free: server-session, nchannels 1
debug1: session_close: session 0 pid 0
debug1: do_cleanup
Transferred: sent 1928, received 1760 bytes
Closing connection to xxx.xxx.xxx.xxx port 41695
debug1: PAM: cleanup
debug1: PAM: deleting credentials
debug1: PAM: closing session


As I see it, the problem is:
Code:
subsystem request for sftp
subsystem: cannot stat /usr/lib/misc/sftp-server: No such file or directory
subsystem request for sftp failed, subsystem not found


File /usr/lib/misc/sftp-server is actually there:
Code:
 ls -la /usr/lib/misc/sftp-server
-rwxr-xr-x 1 root root 42568 2009-01-31 08:37 /usr/lib/misc/sftp-server


Is sshd trying to use sftp-server after entering the jail?

EDIT:
Sshd in debugger mode while connecting with filezilla:
Code:
debug1: sshd version OpenSSH_5.1p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 3333 on ::.
Server listening on :: port 3333.
debug1: Bind to port 3333 on 0.0.0.0.
Server listening on 0.0.0.0 port 3333.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 7 out 7 newsock 7 pipe -1 sock 10
debug1: inetd sockets after dupping: 3, 3
Connection from xxx.xxx.xxx.xxx port 47529
debug1: Client protocol version 2.0; client software version PuTTY_Local:_Feb__3_2009_11:16:49
debug1: no match: PuTTY_Local:_Feb__3_2009_11:16:49
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes256-ctr hmac-sha1 none
debug1: kex: server->client aes256-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user me service ssh-connection method none
debug1: attempt 0 failures 0
debug1: user me matched group list users at line 118
debug1: PAM: initializing for "me"
debug1: PAM: setting PAM_RHOST to "connectinghostname"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user me service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1001/100 (e=0/0)
debug1: trying public key file //.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1001/100 (e=0/0)
debug1: trying public key file //.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for me from xxx.xxx.xxx.xxx port 47529 ssh2
debug1: userauth-request for user me service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=me devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for me from xxx.xxx.xxx.xxx port 47529 ssh2
debug1: do_pam_account: called
debug1: PAM: num PAM env strings 0
Postponed keyboard-interactive/pam for me from xxx.xxx.xxx.xxx port 47529 ssh2
debug1: do_pam_account: called
Accepted keyboard-interactive/pam for me from xxx.xxx.xxx.xxx port 47529 ssh2
debug1: monitor_child_preauth: me has been authenticated by privileged process
debug1: PAM: establishing credentials
User child is on pid 13782
debug1: PAM: establishing credentials
Changed root directory to "/home/me"
debug1: permanently_set_uid: 1001/100
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 256 win 2147483647 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request simple@putty.projects.tartarus.org reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req simple@putty.projects.tartarus.org
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp
subsystem: cannot stat /usr/lib/misc/sftp-server: No such file or directory
subsystem request for sftp failed, subsystem not found
debug1: server_input_channel_req: channel 0 request exec reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req exec
debug1: Forced command (config) 'internal-sftp'
Connection closed by xxx.xxx.xxx.xxx
debug1: channel 0: free: server-session, nchannels 1
debug1: session_close: session 0 pid 13783
debug1: do_cleanup
Transferred: sent 3656, received 3200 bytes
Closing connection to xxx.xxx.xxx.xxx port 47529
debug1: PAM: cleanup
debug1: PAM: deleting credentials
debug1: PAM: closing session


EDIT2:

After experimenting with sftp options it turned out that sftp needs a subsystem argument.
The argument should start with a slash, and it does not matter what it is.

Eg:
Code:

sftp -oPort=3333 -s /whatever me@myhost
Connecting to myhost...
Password:
sftp> pwd
Remote working directory: /
sftp> bye

In debugger mode, sshd still complains about the non-existent sftp-server, but everything is working.
Weird.

causality
Apprentice
Joined: 03 Jun 2006
Posts: 236

PostPosted: Thu Dec 10, 2009 7:18 pm    Post subject:

Try changing

Code:
Subsystem   sftp   /usr/lib/misc/sftp-server


to

Code:
Subsystem sftp internal-sftp


In a chrooted environment, /usr/ is unlikely to exist. That's alright though because you don't actually need to execute /usr/lib/misc/sftp-server to handle an SFTP connection. The SSH daemon has this functionality built-in.
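Editor's note on both posts above. The debug logs explain the whole thing: "Changed root directory to /home/me" happens first, and only then does sshd try to stat the Subsystem path, so /usr/lib/misc/sftp-server is looked up inside the jail, where it does not exist. The first poster's `-s /whatever` workaround and the FileZilla success both rely on a second mechanism: when the sftp client's `-s` argument contains a slash, the client requests an exec of that path instead of the sftp subsystem, and `ForceCommand internal-sftp` replaces whatever command was requested (the FileZilla log shows exactly that fallback, a failed subsystem request followed by an exec request that gets the forced command). Two caveats a practitioner wants alongside the fix: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not group- or world-writable, so a user-owned /home/%u will be rejected with "bad ownership or modes for chroot directory", and users therefore need a writable subdirectory below the jail root for uploads; and on OpenSSH 5.1 and later, `sshd -T -C user=me,host=...,addr=...` prints the effective options for a given Match, which is the quickest way to confirm what the chrooted session will actually see.

The script below is an added example, not code from the thread or from OpenSSH. It evaluates the poster's config for a user, reproduces the stat failure against an empty fake chroot (a temporary directory), shows that the suggested `Subsystem sftp internal-sftp` line clears it, and applies sshd's ChrootDirectory ownership rule to constructed directory trees. Assumptions: the Match evaluation understands only the Group and User criteria (a simplification of sshd's logic), the fake trees are constructed, and uid 1001 is taken from the debug log's `permanently_set_uid: 1001/100` line.

```python
"""Evaluate the sshd_config from this thread for one user and flag the two
chroot/sftp pitfalls: an external sftp-server binary that is unreachable
after chroot(), and a ChrootDirectory whose components sshd will refuse.
Added example; not code from the thread or from OpenSSH."""
import os
import stat
import tempfile
from types import SimpleNamespace

# The poster's global Subsystem line plus the Match block, verbatim.
BROKEN_CONFIG = """\
Subsystem   sftp   /usr/lib/misc/sftp-server
Match Group users
   ChrootDirectory /home/%u
   X11Forwarding no
   AllowTcpForwarding no
   ForceCommand internal-sftp
"""
# The same config with the fix suggested in the reply.
FIXED_CONFIG = BROKEN_CONFIG.replace("/usr/lib/misc/sftp-server", "internal-sftp")


def effective_options(config, user, groups):
    """Options applying to `user` (member of `groups`), keys lower-cased.
    Assumption: only 'Match Group' and 'Match User' are understood, a
    simplification of sshd's Match handling that suffices for this thread."""
    opts, active = {}, True            # everything before the first Match applies
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()
        value = fields[1].strip() if len(fields) > 1 else ""
        if key == "match":
            crit, _, arg = value.partition(" ")
            names = arg.split(",")
            if crit.lower() == "group":
                active = any(g in names for g in groups)
            elif crit.lower() == "user":
                active = user in names
            else:
                active = False         # unsupported criterion: treat as no match
        elif active and key == "subsystem":
            name, _, cmd = value.partition(" ")
            opts.setdefault("subsystems", {})[name] = cmd.strip()
        elif active:
            opts[key] = value.replace("%u", user)
    return opts


def sftp_problems(opts, chroot_root_on_disk):
    """Why a 'subsystem sftp' request would fail.  `chroot_root_on_disk` is the
    real directory ChrootDirectory maps to, so the lookup mirrors sshd: after
    chroot(), the Subsystem path is resolved relative to the new root."""
    cmd = opts.get("subsystems", {}).get("sftp")
    if cmd is None:
        return ["no 'Subsystem sftp' configured: subsystem request refused"]
    if cmd == "internal-sftp":
        return []                      # served in-process, no binary to stat
    if "chrootdirectory" in opts:
        inside = os.path.join(chroot_root_on_disk, cmd.lstrip("/"))
        if not os.path.exists(inside):
            return [f"cannot stat {cmd}: not present inside chroot "
                    f"{opts['chrootdirectory']} (use 'Subsystem sftp internal-sftp')"]
    return []


def chroot_path_problems(path, stat_fn=os.stat):
    """Check each component of `path` as sshd does before chroot(): a directory
    owned by root, not group- or world-writable.  `stat_fn` is injectable."""
    problems, parts = [], [p for p in path.split("/") if p]
    for i in range(len(parts) + 1):
        comp = "/" + "/".join(parts[:i])
        st = stat_fn(comp)
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        elif st.st_uid != 0:
            problems.append(f"{comp}: not owned by root (uid {st.st_uid})")
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: group- or world-writable")
    return problems


def fake_tree(table):
    """stat function over a constructed {path: (uid, mode)} table of directories."""
    return lambda p: SimpleNamespace(st_uid=table[p][0], st_mode=stat.S_IFDIR | table[p][1])


# Constructed trees; uid 1001 is the poster's user according to the debug log.
USER_OWNED_HOME = fake_tree({"/": (0, 0o755), "/home": (0, 0o755), "/home/me": (1001, 0o755)})
ROOT_OWNED_HOME = fake_tree({"/": (0, 0o755), "/home": (0, 0o755), "/home/me": (0, 0o755)})


def demo():
    """Both configs for user 'me' (group users) against an empty fake chroot."""
    with tempfile.TemporaryDirectory() as fake_root:   # no /usr/lib/misc inside
        before = sftp_problems(effective_options(BROKEN_CONFIG, "me", ["users"]), fake_root)
        after = sftp_problems(effective_options(FIXED_CONFIG, "me", ["users"]), fake_root)
    return before, after
```

`demo()` returns one problem for the poster's config ("cannot stat /usr/lib/misc/sftp-server: not present inside chroot /home/me ...") and none once the Subsystem line says internal-sftp; `chroot_path_problems("/home/me", USER_OWNED_HOME)` reports the user-owned component that sshd would refuse, while the root-owned tree passes. Point `chroot_path_problems` at a real path with the default `os.stat` to check a live host before restarting sshd.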