I'm using RedHat Linux 6.1 and wanted to create a user account with access to only a single directory. I have followed all the steps from the link below and the user is still not able to log in:
How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH) (link removed)
Meanwhile the other users, who are not part of the sftpusers group, are able to log in successfully from remote machines.
The error I see is as below:
Code:
debug1: Next authentication method: publickey
debug1: Offering public key: /home/touchpnt/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /home/touchpnt/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
abdul@cemapp's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
I have made sure that the parent directory belongs to root (both user and group) and the sub-directory belongs to the user under test (with its group set to sftpusers).
I have referred to many threads on this issue, but none of them was really useful in fixing this. Also, my setting in /etc/ssh/sshd_config is "UsePAM no".
With SSH-flavored issues, I always start by getting localhost to work -- no cross-flavor issues, no firewalls. Do you want password authentication, or just public key? Have you bounced the system or daemon since the config was changed?
This is a customer's server and hence disabling firewalls etc. is not possible, as they adhere to their security policy. I just need password authentication. I didn't bounce the system after applying the chroot logic with the Match Group implementation; I only restarted the sshd service and tested from another server in the same LAN.
Are you using rssh as suggested in the comments? Why not post the directory permissions from real root down, and any mounts or soft links, and the suggested config file entry changes, just for review.
cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM no
#UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
ClientAliveInterval 60
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner /some/path
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpusers
ChrootDirectory /assure0/test/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
And the permissions on that directory are as below:
Code:
drwxr-xr-x 6 root root 4096 Oct 4 01:12 assure0
drwxr-xr-x 26 root root 4096 Oct 3 21:28 test
drwxr-xr-x 2 abdul sftpusers 4096 Oct 1 00:00 abdul
Also, there are no mounts or soft links in any of these directories.
I'm able to log in successfully to the SFTP accounts which don't belong to the sftpusers group.
So this issue is specific to users in the sftpusers group, whose access I want to restrict to one particular directory.