Only root can login using SFTP


 
# 1  
Old 08-18-2009

Hello,

It seems that on a machine I am responsible for supervising, only root can use the ssh/sftp services. I have looked at sshd_config and do not see anything that can fix this. PermitRootLogin is enabled, but that option does not preclude other users from using ssh/sftp services. When I try to log in as another user besides root, it just closes the connection after I enter the password. One other thing I can mention: only root seems to have a /home/.ssh directory...

This is what I have in the machine's /etc/sshd_config file:
Code:
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation no
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server

Last edited by mojoman; 08-18-2009 at 04:16 PM..
# 2  
Old 08-18-2009
Did you look at /etc/profile to see if ssh logins are blocked there? -- On some systems for example,
Code:
ptree $$

will show sshd as parent in the tree.

Last edited by jim mcnamara; 08-18-2009 at 04:30 PM..
# 3  
Old 08-18-2009
Quote:
Originally Posted by jim mcnamara
Did you look at /etc/profile to see if ssh logins are blocked there?
Not that I can see:

Code:
# /etc/profile for SuSE Linux
#
# PLEASE DO NOT CHANGE /etc/profile. There are chances that your changes
# will be lost during system upgrades. Instead use /etc/profile.local for
# your local settings, favourite global aliases, VISUAL and EDITOR
# variables, etc ...

#
# Check which shell is reading this file
#
if test -f /proc/mounts ; then
  case "`/bin/ls -l /proc/$$/exe`" in
    */bash)     is=bash ;;
    */rbash)    is=bash ;;
    */ash)      is=ash  ;;
    */ksh)      is=ksh  ;;
    */zsh)      is=zsh  ;;
    */*)        is=sh   ;;
  esac
else
  is=sh
fi

#
# Initialize terminal
#
tty=`tty 2> /dev/null`
test $? -ne 0 && tty=""
if test -O "$tty" -a -n "$PS1"; then
    test -z "${TERM}"           && { TERM=linux; export TERM; }
    test "${TERM}" = "unknown"  && { TERM=linux; export TERM; }
    # Do not change settings on local line if connected to remote
    if test -z "$SSH_TTY" ; then
        test -x /bin/stty     && /bin/stty sane cr0 pass8 dec
        test -x /usr/bin/tset && /usr/bin/tset -I -Q
    fi
    # on iSeries virtual console, detect screen size and terminal
    if test -d /proc/iSeries -a "$tty" = "/dev/tty1" ; then
        LINES=24; COLUMNS=80; export LINES COLUMNS TERM
        test -x /bin/initviocons && { eval `/bin/initviocons -e`; }
    fi
fi
unset TERMCAP

#
# Time until a complete key sequence must have arrived
#
#ESCDELAY=2000
#export ESCDELAY
#
# The user file-creation mask
#
umask 022

#
# ksh/ash sometimes do not know
#
test -z "$UID"  &&  UID=`id -ur 2> /dev/null`
test -z "$EUID" && EUID=`id -u  2> /dev/null`
test -z "$USER" && USER=`id -un 2> /dev/null`
test -z "$MAIL" && MAIL=/var/spool/mail/$USER
test -z "$HOST" && HOST=`hostname -s 2> /dev/null`
test -z "$CPU"  &&  CPU=`uname -m 2> /dev/null`
test -z "$HOSTNAME" && HOSTNAME=`hostname 2> /dev/null`
test -z "$LOGNAME"  && LOGNAME=$USER
case "$CPU" in
    i?86) HOSTTYPE=i386   ;;
    *)    HOSTTYPE=${CPU} ;;
esac
  OSTYPE=linux
MACHTYPE=${CPU}-suse-${OSTYPE}
# Do NOT export UID, EUID, USER, MAIL, and LOGNAME
export HOST CPU HOSTNAME HOSTTYPE OSTYPE MACHTYPE

#
# Adjust some size limits (see bash(1) -> ulimit)
# Note: You may use /etc/initscript instead to set up ulimits and your PATH.
#
if test "$is" != "ash" ; then
    #ulimit -c 20000            # only core-files less than 20 MB are written
    #ulimit -d 15000            # max data size of a program is 15 MB
    #ulimit -s 15000            # max stack size of a program is 15 MB
    #ulimit -m 30000            # max resident set size is 30 MB

    ulimit -Sc 0                # don't create core files
    ulimit -Sd unlimited
    # ksh does not support this command.
    test "$is" != "ksh" && ulimit -Ss unlimited
    ulimit -Sm unlimited
fi

# Make path more comfortable
#
if test -z "$PROFILEREAD" ; then
    PATH=/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin
    for dir in $HOME/bin/$CPU $HOME/bin ; do
        test -d $dir && PATH=$dir:$PATH
    done
    test "$UID" = 0 && PATH=/sbin:/usr/sbin:/usr/local/sbin:$PATH
    for dir in  /var/lib/dosemu \
                /usr/games \
                /opt/bin \
                /opt/gnome/bin \
                /opt/kde3/bin \
                /opt/kde2/bin \
                /opt/kde/bin \
                /usr/openwin/bin \
                /opt/cross/bin
    do
        test -d $dir && PATH=$PATH:$dir
    done
    unset dir
    export PATH
fi

#
# Many programs using readline library for line editing
# should know about this (e.g. bash)
#
if test -z "$INPUTRC" ; then
    INPUTRC=/etc/inputrc
    test -s $HOME/.inputrc && INPUTRC=$HOME/.inputrc
    export INPUTRC
fi

#
# Most Bourne shell clones know about this
#
HISTSIZE=1000
export HISTSIZE

#
# Set some environment variables for TeX/LaTeX
#
if test -n "$TEXINPUTS" ; then
    TEXINPUTS=":$TEXINPUTS:$HOME/.TeX:/usr/share/doc/.TeX:/usr/doc/.TeX"
else
    TEXINPUTS=":$HOME/.TeX:/usr/share/doc/.TeX:/usr/doc/.TeX"
fi
export TEXINPUTS

#
# Configure the default pager on SuSE Linux
#
if test -z "$LESS" ; then
    LESS="-M -I"
    LESSKEY=/etc/lesskey.bin
    LESSOPEN="lessopen.sh %s"
    LESSCLOSE="lessclose.sh %s %s"
    LESS_ADVANCED_PREPROCESSOR="no"
    PAGER=less
    export LESSOPEN LESSCLOSE LESS LESSKEY PAGER LESS_ADVANCED_PREPROCESSOR
fi

#
# Minicom
#
MINICOM="-c on"
export MINICOM

#
# Current manpath
#
unset MANPATH
MANPATH=`test -x /usr/bin/manpath && /usr/bin/manpath -q`
export MANPATH

#
# Some applications do not handle the XAPPLRESDIR environment properly,
# when it contains more than one directory. More than one directory only
# makes sense if you have a client with /usr mounted via nfs and you want
# to configure applications machine dependent. Uncomment the lines below
# if you want this.
#
#XAPPLRESDIR="$XAPPLRESDIR:/var/X11R6/app-defaults:/usr/X11R6/lib/X11/app-defaults"
#export XAPPLRESDIR

#
# Set INFOPATH to tell xemacs where it can find the info files
#
INFODIR=/usr/local/info:/usr/share/info:/usr/info
INFOPATH=$INFODIR
export INFODIR INFOPATH

#
# These settings are recommended for old motif applications
#
XKEYSYMDB=/usr/X11R6/lib/X11/XKeysymDB
export XKEYSYMDB
XNLSPATH=/usr/X11R6/lib/X11/nls
export XNLSPATH
if test -s /etc/nntpserver ; then
    read NNTPSERVER < /etc/nntpserver
    export NNTPSERVER
fi

if test -s /etc/organization ; then
    read ORGANIZATION < /etc/organization
    export ORGANIZATION
fi

#
# Midnight Commander needs this to run in color mode
#
COLORTERM=1
export COLORTERM

#
# For RCS
#
#export VERSION_CONTROL=numbered

#
# Source profile extensions for certain packages
#
if test -d /etc/profile.d -a -z "$PROFILEREAD" ; then
    for s in /etc/profile.d/*.sh ; do
        test -r $s && . $s
    done
    unset s
fi

#
# Source the files generated by SuSEconfig
#
if test -z "$PROFILEREAD" ; then
    test -e /etc/SuSEconfig/profile && . /etc/SuSEconfig/profile
fi

if test "$is" != "ash" ; then
    #
    # Source some aliases which provide help for DOS users
    #
    #test -e /etc/profile.dos && . /etc/profile.dos

    #
    # And now let's see if there is a local profile
    # (for options defined by your sysadmin, not SuSE Linux)
    #
    test -s /etc/profile.local && . /etc/profile.local
fi
#
# Avoid overwriting user settings if called twice
#
if test -z "$PROFILEREAD" ; then
    readonly PROFILEREAD=true
    export PROFILEREAD
fi

#
# System BASH specials, maybe also good for other shells
#
test -r /etc/bash.bashrc   && . /etc/bash.bashrc
if test "$is" = "bash" -a -z "$_HOMEBASHRC" ; then
    # loop detection
    readonly _HOMEBASHRC=true
    test -r $HOME/.bashrc  && . $HOME/.bashrc
fi

#
# KSH specials
#
if test "$is" = "ksh" ; then
    test -r /etc/ksh.kshrc && . /etc/ksh.kshrc
fi
if test "$is" = "ksh"  -a -z "$_HOMEKSHRC"  ; then
    # loop detection
    readonly _HOMEKSHRC=true
    test -r $HOME/.kshrc   && . $HOME/.kshrc
fi

#
# End of /etc/profile

# 4  
Old 08-18-2009
Okay - what is in profile.local?

And - after you logon as root what happens when you sudo (or su) to one of the other users? Are things okay?
# 5  
Old 08-18-2009
Quote:
Originally Posted by jim mcnamara
Okay - what is in profile.local?

And - after you logon as root what happens when you sudo (or su) to one of the other users? Are things okay?
Jim, I think I found the problem. In /etc/passwd all the shells are set to /bin/false. It seems that when you run adduser on the server it sets all shells to false. Question: how do you configure what the default shell for a new user will be when you run the adduser command?
# 6  
Old 08-18-2009
Code:
 adduser --shell /bin/bash

Use the --shell option.
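A defender-side check for the cause found in post #5, added here as an example and not taken from the thread: it lists every account whose shell in /etc/passwd will end the session as soon as authentication succeeds, which is exactly the "connection closes after the password" symptom. The passwd data is constructed, and the remediation commands in the trailing comments assume shadow-utils usermod/useradd.

```shell
#!/bin/sh
# Added example, not from the thread: find accounts whose login shell makes
# sshd drop the session right after a successful password.
# OpenSSH sshd itself does not consult /etc/shells (PAM modules may); it runs
# the shell from /etc/passwd (or /bin/sh when that field is empty), so
# /bin/false authenticates fine and then exits, which closes ssh and sftp
# alike, because sftp-server is started through that shell.

# Constructed sample /etc/passwd content for the demo.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/false
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/sbin/nologin
svc:x:1003:100:Service:/var/lib/svc:'

# Print "user:shell" for each account whose shell exits immediately.
# Usage: audit_login_shells [passwd_file]   (default: /etc/passwd)
audit_login_shells() {
    passwd_file="${1:-/etc/passwd}"
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blanks/comments
        case "$shell" in
            # empty field means /bin/sh, which is a real login shell
            '') ;;
            */false|*/nologin|*/true) printf '%s:%s\n' "$user" "$shell" ;;
        esac
    done < "$passwd_file"
}

# Run the audit over the constructed sample instead of the live system.
demo_audit() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    audit_login_shells "$tmp"
    rm -f "$tmp"
}

demo_audit
# Remediation (shadow-utils, run as root; left commented so the demo stays
# read-only):
#   usermod -s /bin/bash alice     # fix one existing account
#   useradd -D -s /bin/bash        # default shell for future useradd runs
# Where adduser is a separate tool, pass --shell as post #6 shows.
```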
 