i0 n00b
Joined: 11 Oct 2006 Posts: 46
Posted: Tue Feb 03, 2009 12:35 pm Post subject: [solved] Unable to sftp when sshd is in chroot
Hey
Problem: cannot connect with sftp but can connect with filezilla.
Config:
sshd_config
Code:
Port 22
Port 3333
Protocol 2
AllowUsers me you another
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/misc/sftp-server
Match Group users
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Connecting with filezilla is ok. I can see directories and upload files etc.
But with command line sftp client:
Code:
sftp -oPort=3333 -s sftp_server me@myhost:folder/
Connecting to myhost...
Password:
subsystem request failed on channel 0
Couldn't read packet: Connection reset by peer
Now, trying to connect in debugger mode:
Code:
sftp -oPort=3333 -v me@myhost
Connecting to myhost...
OpenSSH_5.1p1, OpenSSL 0.9.8j 07 Jan 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to myhost [xxx.xxx.xxx.xxx] port 3333.
debug1: Connection established.
debug1: identity file /home/me/.ssh/id_rsa type 1
debug1: identity file /home/me/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[myhost]:3333' is known and matches the RSA host key.
debug1: Found key in /home/me/.ssh/known_hosts:50
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/me/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/me/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending subsystem: sftp
subsystem request failed on channel 0
Couldn't read packet: Connection reset by peer
Sshd in debug mode while connecting with sftp:
Code:
debug1: sshd version OpenSSH_5.1p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 3333 on ::.
Server listening on :: port 3333.
debug1: Bind to port 3333 on 0.0.0.0.
Server listening on 0.0.0.0 port 3333.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 7 out 7 newsock 7 pipe -1 sock 10
debug1: inetd sockets after dupping: 3, 3
Connection from xxx.xxx.xxx.xxx port 41695
debug1: Client protocol version 2.0; client software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user me service ssh-connection method none
debug1: attempt 0 failures 0
debug1: user me matched group list users at line 118
debug1: PAM: initializing for "me"
debug1: PAM: setting PAM_RHOST to "connectinghostname"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user me service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1001/100 (e=0/0)
debug1: trying public key file //.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1001/100 (e=0/0)
debug1: trying public key file //.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for me from xxx.xxx.xxx.xxx port 41695 ssh2
debug1: userauth-request for user me service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=me devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for me from xxx.xxx.xxx.xxx port 41695 ssh2
debug1: do_pam_account: called
debug1: PAM: num PAM env strings 0
Postponed keyboard-interactive/pam for me from xxx.xxx.xxx.xxx port 41695 ssh2
debug1: do_pam_account: called
Accepted keyboard-interactive/pam for me from xxx.xxx.xxx.xxx port 41695 ssh2
debug1: monitor_child_preauth: me has been authenticated by privileged process
debug1: PAM: establishing credentials
User child is on pid 2804
debug1: PAM: establishing credentials
Changed root directory to "/home/me"
debug1: permanently_set_uid: 1001/100
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp
subsystem: cannot stat /usr/lib/misc/sftp-server: No such file or directory
subsystem request for sftp failed, subsystem not found
Connection closed by xxx.xxx.xxx.xxx
debug1: channel 0: free: server-session, nchannels 1
debug1: session_close: session 0 pid 0
debug1: do_cleanup
Transferred: sent 1928, received 1760 bytes
Closing connection to xxx.xxx.xxx.xxx port 41695
debug1: PAM: cleanup
debug1: PAM: deleting credentials
debug1: PAM: closing session
As I see it, the problem is:
Code:
subsystem request for sftp
subsystem: cannot stat /usr/lib/misc/sftp-server: No such file or directory
subsystem request for sftp failed, subsystem not found
File /usr/lib/misc/sftp-server is actually there:
Code:
ls -la /usr/lib/misc/sftp-server
-rwxr-xr-x 1 root root 42568 2009-01-31 08:37 /usr/lib/misc/sftp-server
Is sshd trying to use sftp-server after jail?
EDIT:
Sshd in debugger mode while connecting with filezilla:
Code:
debug1: sshd version OpenSSH_5.1p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 3333 on ::.
Server listening on :: port 3333.
debug1: Bind to port 3333 on 0.0.0.0.
Server listening on 0.0.0.0 port 3333.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 7 out 7 newsock 7 pipe -1 sock 10
debug1: inetd sockets after dupping: 3, 3
Connection from xxx.xxx.xxx.xxx port 47529
debug1: Client protocol version 2.0; client software version PuTTY_Local:_Feb__3_2009_11:16:49
debug1: no match: PuTTY_Local:_Feb__3_2009_11:16:49
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes256-ctr hmac-sha1 none
debug1: kex: server->client aes256-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user me service ssh-connection method none
debug1: attempt 0 failures 0
debug1: user me matched group list users at line 118
debug1: PAM: initializing for "me"
debug1: PAM: setting PAM_RHOST to "connectinghostname"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user me service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1001/100 (e=0/0)
debug1: trying public key file //.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1001/100 (e=0/0)
debug1: trying public key file //.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for me from xxx.xxx.xxx.xxx port 47529 ssh2
debug1: userauth-request for user me service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=me devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for me from xxx.xxx.xxx.xxx port 47529 ssh2
debug1: do_pam_account: called
debug1: PAM: num PAM env strings 0
Postponed keyboard-interactive/pam for me from xxx.xxx.xxx.xxx port 47529 ssh2
debug1: do_pam_account: called
Accepted keyboard-interactive/pam for me from xxx.xxx.xxx.xxx port 47529 ssh2
debug1: monitor_child_preauth: me has been authenticated by privileged process
debug1: PAM: establishing credentials
User child is on pid 13782
debug1: PAM: establishing credentials
Changed root directory to "/home/me"
debug1: permanently_set_uid: 1001/100
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 256 win 2147483647 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request simple@putty.projects.tartarus.org reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req simple@putty.projects.tartarus.org
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp
subsystem: cannot stat /usr/lib/misc/sftp-server: No such file or directory
subsystem request for sftp failed, subsystem not found
debug1: server_input_channel_req: channel 0 request exec reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req exec
debug1: Forced command (config) 'internal-sftp'
Connection closed by xxx.xxx.xxx.xxx
debug1: channel 0: free: server-session, nchannels 1
debug1: session_close: session 0 pid 13783
debug1: do_cleanup
Transferred: sent 3656, received 3200 bytes
Closing connection to xxx.xxx.xxx.xxx port 47529
debug1: PAM: cleanup
debug1: PAM: deleting credentials
debug1: PAM: closing session
EDIT2:
After experimenting with sftp options it turned out that sftp needs a subsystem argument.
Argument should start with slash and it does not matter what it is.
Eg:
Code:
sftp -oPort=3333 -s /whatever me@myhost
Connecting to myhost...
Password:
sftp> pwd
Remote working directory: /
sftp> bye
In debugger mode, sshd still complains about the non-existent sftp-server, but everything is working.
Weird.
causality Apprentice
Joined: 03 Jun 2006 Posts: 236
Posted: Thu Dec 10, 2009 7:18 pm Post subject:
Try changing
Code:
Subsystem sftp /usr/lib/misc/sftp-server
to
Code:
Subsystem sftp internal-sftp
In a chrooted environment, /usr/ is unlikely to exist. That's alright though because you don't actually need to execute /usr/lib/misc/sftp-server to handle an SFTP connection. The SSH daemon has this functionality built-in.
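The mismatch in this thread (a ChrootDirectory block, a Subsystem line pointing at an external sftp-server, and a ForceCommand that only rescues clients which fall back to an exec request) can be audited without running sshd. The following is an added example, not code from either poster or from OpenSSH: it parses a minimal sshd_config with Match blocks, resolves the options that apply to one user, and classifies what an SFTP login will do. It assumes a constructed SAMPLE_CONFIG mirroring the original post and only evaluates User and Group Match criteria.

```python
# Added audit helper (not the poster's or OpenSSH's code): parse sshd_config with its
# Match blocks, resolve one user's effective options, flag the chroot/sftp mismatch.
# Constructed sample mirroring the thread's config:
SAMPLE_CONFIG = """\
Subsystem sftp /usr/lib/misc/sftp-server
Match Group users
ChrootDirectory /home/%u
ForceCommand internal-sftp
"""

def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, block_opts), ...]); keys lower-cased."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":  # every later line belongs to this block
            current = {}
            matches.append((value.split(), current))
        else:
            (global_opts if current is None else current)[key.lower()] = value.strip()
    return global_opts, matches

def block_applies(criteria, user, groups):
    """Evaluate User/Group criteria; any other criterion is treated as no match."""
    for kind, patterns in zip(criteria[::2], criteria[1::2]):
        kind, wanted = kind.lower(), set(patterns.split(","))
        have = {user} if kind == "user" else set(groups) if kind == "group" else set()
        if not have & wanted:
            return False
    return True

def effective_options(text, user, groups):
    """Global options overridden by each applicable Match block, with %u expanded."""
    global_opts, matches = parse_sshd_config(text)
    opts = dict(global_opts)
    for criteria, block in matches:
        if block_applies(criteria, user, groups):
            opts.update(block)
    return {k: v.replace("%u", user) for k, v in opts.items()}

def sftp_verdict(text, user, groups):
    """'ok'; 'broken' (sftp-server unreachable in chroot); 'exec-only' (see below)."""
    opts = effective_options(text, user, groups)
    sub = opts.get("subsystem", "")
    external = sub.startswith("sftp ") and not sub.endswith("internal-sftp")
    if "chrootdirectory" in opts and external:
        # subsystem requests fail; only clients that fall back to exec get internal-sftp
        return "exec-only" if opts.get("forcecommand") == "internal-sftp" else "broken"
    return "ok"
```

The "exec-only" verdict is exactly the thread's symptom: the OpenSSH sftp client sends a subsystem request and is cut off, while a client that sends an exec request (FileZilla, or sftp with `-s /whatever`) is handed internal-sftp by ForceCommand; switching the Subsystem line to internal-sftp yields "ok" for everyone.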