secure sftp login not working in RedHat Linux
# 1  
Old 10-01-2012

I'm using RedHat Linux 6.1 and wanted to create a user account with access to only a single directory. I have followed all the steps from the link below, and the user is still not able to log in:

How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH) (link removed)

Other users, who are not part of the sftpusers group, are able to log in successfully from remote machines.

The error I see is as below:

Code:
debug1: Next authentication method: publickey
debug1: Offering public key: /home/touchpnt/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /home/touchpnt/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
abdul@cemapp's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

I have made sure that the parent directory belongs to root (both user and group) and the sub-directory belongs to the user under test (with the group set to sftpusers).

I have referred to many threads on this issue, but none of them really helps in fixing this. Also, my setting in /etc/ssh/sshd_config is "UsePAM no".
# 2  
Old 10-04-2012
With SSH flavored issues, I always start by getting localhost to work -- no cross-flavor issues, no firewalls. Do you want password authentication, or just public key? Have you bounced the system or daemon since the config was changed?
# 3  
Old 10-05-2012
This is a customer's server, and hence disabling firewalls etc. is not possible as they adhere to their security policy. I just need password authentication. I didn't bounce the system after applying the chroot logic with the Match Group implementation; I only restarted the sshd service and tested from another server in the same LAN.
# 4  
Old 10-05-2012
Are you using rssh as suggested in the comments? Why not post the directory permissions from real root down, and any mounts or soft links, and the suggested config file entry changes, just for review.
# 5  
Old 10-05-2012
Ok. I'm adding more details for your review here:

Firstly, entries in sshd_config are:

Code:
cat /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM no
#UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
ClientAliveInterval 60
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path
# override default of no subsystems

#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group sftpusers
        ChrootDirectory /assure0/test/%u
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

And, permissions on that directory are as below:

Code:
drwxr-xr-x   6 root root   4096 Oct  4 01:12 assure0
drwxr-xr-x 26 root     root      4096 Oct  3 21:28 test
drwxr-xr-x 2 abdul        sftpusers 4096 Oct  1 00:00 abdul

---------- Post updated at 10:11 PM ---------- Previous update was at 10:06 PM ----------

Also, there are no mounts or soft links in any of these directories.

I'm able to log in successfully to the sftp accounts which don't belong to the sftpusers group.

So, this issue is specific to users in the sftpusers group, whose access I want to restrict to one particular directory.
# 6  
Old 10-05-2012
Check out this link. It's a bit more informative than the one you followed. Also, I set this up a couple of months back and had no issues.

SFTP Chroot Jail on RHEL6 and CentOS6 - This is not supported dot com
# 7  
Old 10-05-2012
Thanks. I have tried this link as well and still face the same problem.