Visit Our UNIX and Linux User Community


users can't sftp into my server


 
Thread Tools Search this Thread
Operating Systems Linux users can't sftp into my server
# 1  
Old 06-10-2011
users can't sftp into my server

I am running a fedora core 13 server and I am having trouble with sftp. My users can connect to the server using SSH both using public key and password authentication. For some reason they are not able to connect using sftp.

I'l not sure what's going on. I ran sshd in debug mode and here's the trace:

Code:
debug1: sshd version OpenSSH_5.4p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p1234'
Set /proc/self/oom_adj from 0 to -17
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
debug1: Bind to port 1234 on ::.
Server listening on :: port 1234.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 129.171.56.94 port 46607
debug1: Client protocol version 2.0; client software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user emil service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "emil"
debug1: PAM: setting PAM_RHOST to "129.171.56.94"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user emil service ssh-connection method gssapi-with-mic
debug1: attempt 1 failures 0
debug1: An invalid name was supplied
Hostname cannot be canonicalized

debug1: userauth-request for user emil service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 0
debug1: userauth-request for user emil service ssh-connection method password
debug1: attempt 3 failures 0
debug1: PAM: password authentication accepted for emil
debug1: do_pam_account: called
Accepted password for emil from 129.171.56.94 port 46607 ssh2
debug1: monitor_child_preauth: emil has been authenticated by privileged process
debug1: temporarily_use_uid: 500/500 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 500/500
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
User child is on pid 13726
debug1: server_input_channel_open: ctype session rchan 0 win 131072 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp
debug1: subsystem: exec() /usr/libexec/openssh/sftp-server
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 13727
debug1: session_exit_message: session 0 channel 0 pid 13727
debug1: session_exit_message: release channel 0
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug1: channel 0: free: server-session, nchannels 1
Connection closed by 129.171.56.94
debug1: do_cleanup
Transferred: sent 2056, received 1336 bytes
Closing connection to 129.171.56.94 port 46607
debug1: PAM: cleanup
debug1: PAM: closing session
debug1: PAM: deleting credentials


Last edited by pludi; 06-10-2011 at 12:23 PM..
# 2  
Old 06-10-2011
For some reason the SFTP child process terminates immediately after being started:
Code:
subsystem request for sftp
debug1: subsystem: exec() /usr/libexec/openssh/sftp-server
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 13727

Check if the program /usr/libexec/openssh/sftp-server really exists, and is runable by regular users.
# 3  
Old 06-10-2011
The program is in there and it has the following permissions:

Code:
-rwxr-xr-x  1 root root  63888 May 31  2010 sftp-server
-rwsr-xr-x  1 root root 228540 May 31  2010 ssh-keysign
-rwxr-xr-x  1 root root  94168 May 31  2010 ssh-pkcs11-helper


I logged in as a regular user ant tried to run the program manually. I get the following error:
Couldn't open /dev/null: Permission denied

but if i run sftp-server as root then it seems to run

Last edited by pludi; 06-10-2011 at 06:59 PM..
# 4  
Old 06-10-2011
That is weird. ls -l /dev/null ?
# 5  
Old 06-10-2011
it looks like /dev/null only had rw for the user. I added rw for group and other and it seems to work now.

I'm not sure why the permissions on /dev/null were so restrictive. I've never seen it like that before.

Thanks all
This User Gave Thanks to emildiego For This Post:
# 6  
Old 06-10-2011
Me neither. 0666 is normal
# 7  
Old 06-15-2011
Can use the configuration items: DenyUsers SSHD, AllowUsers, DenyGroups, AllowGroups

For example:
You hope to ban the use of users use SFTP service to join a group like xyz
And then in/etc/SSH/sshd_config Settings
DenyGroups xyz
So, all belong to the xyz users will not logged in SSH permissions, nature also did not use the SFTP permissions.

Note in sshd_config banned SFTP off just-is not enough, because the server as long as users also can pass
SSH login can use other user of essential tools such as SCP uploads and downloads files, the effect is the same with SFTP actually.

Previous Thread | Next Thread
Test Your Knowledge in Computers #426
Difficulty: Medium
JavaScript uses prototypes where many other object-oriented languages use classes for inheritance.
True or False?

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

SSh works but sftp doesn't for all users except root

I am sorry if i post in wrong Form. i have AIX server in which ssh works for all users but sftp only works for root user . it is too much important for me to solve this . Your help will be greatly appreciated. (1 Reply)
Discussion started by: khalid khanAIB
1 Replies

2. IP Networking

SFTP connection using two different users

Hi All This is regarding an SFTP Password less connection. I am logged into my local Server1 using username1. The remote server i have to connect is "Remoteserver1" with the "useriD" provided. I have already exchanged the public key and they are added to the authorized keys in the remote... (2 Replies)
Discussion started by: sparks
2 Replies

3. Shell Programming and Scripting

Needed SFTP script from windows to UNIX server and from UNIX to windows server(reverse SFTP)

hi guys, i need a script to sftp the file from windows to unix server ....(before that i have to check whether the file exists in the windows server or not and again i have to reverse sftp the files from unix to windows server..... regards, Vasa Saikumar. (13 Replies)
Discussion started by: hemanthsaikumar
13 Replies

4. Red Hat

Chroot sftp users, remote sftp login shows wrong timestamp on files

Hello, I have a weird issue, I have RHEL 5.7 running with openssh5.2 where sftpgroup OS group is chroot. I see the difference difference in timestamp on files, when I login via ssh and SFTP, I see four hour difference, is something missing in my configuration. #pwd... (8 Replies)
Discussion started by: bobby320
8 Replies

5. Red Hat

Restricting multiple users to run only sftp server

Hello, can someone please provide steps, can I restrict a multiple users to only access only sftp on a server, to perform upload and download of files on their home directories. 1. I have updated their login shell as /sbin/nologin. anything else do I need to update. Thanks, (3 Replies)
Discussion started by: bobby320
3 Replies

6. Red Hat

sftp configuration | to lock users to their home folder.

In generally I use vsftp but I want to improve our security so I decide to use sftp instead of vsftp. We know that ssh,scp and sftp are in openssh server. How can I lock only sftp user to their home folder? And to prevent some users for sftp like root as such in vsftp daemon? (3 Replies)
Discussion started by: getrue
3 Replies

7. Red Hat

Loggin SFTP activity for chrooted (rssh) users

Hi, I need to log the activity of my SFTP (RHEL 5.4). I have this in /etc/sshd/sshd_config: Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL5 -l VERBOSE And this in /etc/syslog.conf: LOCAL5.* /var/log/sftp.log When I log in... (1 Reply)
Discussion started by: Tr0cken
1 Replies

8. UNIX for Dummies Questions & Answers

umask for internal-sftp users ?

Hello, Running Debian 5. SSH version 5.1p1-5. How do I set umask for sftp only users ? Users are jailed - that means they use internal-sftp: # cat /etc/ssh/sshd_config .......... Match group group1 ChrootDirectory /home/%u X11Forwarding no AllowTcpForwarding... (2 Replies)
Discussion started by: vilius
2 Replies

9. HP-UX

Limiting SFTP Users While Not Limiting Regular Users?

Hi, I have searched the web and have come back with nothing that is satisfactory for what I require. SFTP is my corporations new file transfer standard. What I require is a method to lock down SFTP users to their directory (they may go to sub directories) while not restricting regular users. ... (2 Replies)
Discussion started by: Emancipator
2 Replies

10. UNIX for Dummies Questions & Answers

SFTP plugin for Windows Users?

I've had the hardest time getting my Windows users (technically proficient users who grew up with VAX.VMS systems) to abandon FTP and TELNET for SSH and SFTP/SCP. It's getting to the point where I'm getting seriously angry at them for being "stupid". With that little bit of complaint aside after... (1 Reply)
Discussion started by: deckard
1 Replies

Featured Tech Videos