LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 10-10-2018, 12:05 PM   #1
bsurfin
Member
 
Registered: May 2004
Location: Kalispell Montana
Distribution: Ubuntu 18.04LTS
Posts: 127

Rep: Reputation: 16
Stuck trying to get new SFTP user account to work with username & password


on my Ubuntu 18.04 I've had my SSH server setup and secured for a while now, I use encrypted keys and passphrase, no root login or username and password, I’ve also limited users who can even use ssh.

I’m trying to setup SFTP in a way someone ( New User ) could login with filezilla and I could restrict that user to only access their web document root. So far I have added another username, put their permissions on their web document root ( user & group ) , went to etc/ssh/sshd_config file and I am trying to configure a chroot environment for my new user, here is what I’m now running into, in my sshd_config file I have the following:

Code:
# my setup I use for ssh & some security for my administrator accounts, I stripped the real names.

Subsystem sftp /usr/lib/openssh/sftp-server
IgnoreRhosts yes
IgnoreUserKnownHosts no
StrictModes yes
PubkeyAuthentication yes
RSAAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
AllowGroups administrators
AllowUsers user1 user2 user3

# my attempt at overriding settings on a per-user basis, I would like this
# user to be able to login only to their web document root and manage their
# website through sftp and that is it. So I added the
# following to the bottom of the sshd_config

Code:
# SFTP setup for domain below
# Subsystem sftp internal-sftp
Match User newuser
ChrootDirectory /var/www/
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
PasswordAuthentication yes
everything after “# sftp setup for domain-name” does nothing as far as I can tell ( I just can’t login via sftp with new user account ), however when I dare uncomment “# Subsystem sftp internal-sftp” the ssh server will not restart until I recomment just that line. What I don’t understand is that with my admin accounts and my terminal I can SSH even sftp user@server and get right in and access everything. I’m new to ssh and SFTP so I’m hoping someone may know what I could try next or what book would give me the answers ? One more thing that I’m noticing, my new domainuser so far is setup normally, by that I mean Home Directory = /home/domainuser & shell = /bin/bash so far there is no option to set shell to: sftp-server. Depending on the tutorial online some say change the users settings, some say change the sshd_config file, I’d just like to know what would actually work on my Ubuntu 18.04 machine ?

Last edited by bsurfin; 10-10-2018 at 02:49 PM.
 
Old 10-10-2018, 12:13 PM   #2
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,524
Blog Entries: 3

Rep: Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568
The permissions need to be kind of special for the chroot target: it must be owned by root and not writable by anyone else. So one way around that is to make use of the subdirectories which may be owned or writable by anyone. Using the -d option will set the user into a subdirectory while actually being chrooted to the directory above. Say you have /var/www/html/ writable by the group linuxstack but /var/www/ itself is owned by root and only writable by root:

Code:
Match User linuxstack
        ChrootDirectory /var/www/
        ForceCommand internal-sftp -d /html/
        X11Forwarding no
        AllowTcpForwarding no
        PermitTunnel no
        AllowAgentForwarding no
        PasswordAuthentication yes
See "man sftp-server" about the -d option. See "man sshd_config" about the ChrootDirectory details.

Also, it helps to use [code] [/code] tags around snippets from configuration files.
 
Old 10-10-2018, 01:42 PM   #3
bsurfin
Member
 
Registered: May 2004
Location: Kalispell Montana
Distribution: Ubuntu 18.04LTS
Posts: 127

Original Poster
Rep: Reputation: 16
I do have /var/www/ owned and writeable by only root:root and /var/www/domain-folder/ is newuser:newuser , I added the -d /domain-folder/ restarted, still getting Permission denied, please try again. newuser@domain's password: I enter the password over and over, both SSH & SFTP works on my admin accounts with keys, just not this newuser account I'm trying to jail.
 
Old 10-10-2018, 01:51 PM   #4
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,524
Blog Entries: 3

Rep: Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568
I'd look at the server logs then.

Code:
sudo cat /var/log/auth.log | awk '$5 ~ /^sshd/'
There might be some clue there. If those are to cluttered, you can run an additional instance of sshd on a separate port and watch what happens there for a single session.

Code:
sudo /usr/sbin/sshd -p 2468 -dd
Then on the client you'll be able to connect once.

Code:
sftp -P 2468 newuser@domain.example.com
Then check what happened with sshd.
 
Old 10-10-2018, 02:47 PM   #5
bsurfin
Member
 
Registered: May 2004
Location: Kalispell Montana
Distribution: Ubuntu 18.04LTS
Posts: 127

Original Poster
Rep: Reputation: 16
using:
Code:
sudo cat /var/log/auth.log | awk '$5 ~ /^sshd/'
for security I have changed usernames and domain names on this.
Code:
Oct 10 11:52:24 My-Server sshd[5594]: Invalid user newuser@domain-name.com from 192.168.1.1 port 49624
Oct 10 11:52:24 My-Server sshd[5594]: error: Received disconnect from 192.168.1.1 port 49624:14: No supported authentication methods available [preauth]
Oct 10 11:52:24 My-Server sshd[5594]: Disconnected from invalid user newuser@domain-name.com
 192.168.1.1 port 49624 [preauth]
I'm rather uneducated at the moment about SFTP so I'm not sure what this means, is it trying to use a different port other than the default 22 ?

I'm also not sure if I need to change the user's credentials:
Home Directory = /home/domainuser
shell = /bin/bash

or I do I rely on the sshd_config file for that, I've read so many tutorials, I'm not sure if it is an either this way or that way type of thing.

I did this on server:
Code:
sudo /usr/sbin/sshd -p 2468 -dd
then did this on client:
Code:
sftp -P 2468 newuser@domain.example.com
I got this output:
Code:
ssh: connect to host newuser@domainname.com port 2468: connection 
refused Couldn't read packet: Connection reset by peer
 
Old 10-10-2018, 02:55 PM   #6
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,524
Blog Entries: 3

Rep: Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568Reputation: 1568
Quote:
Originally Posted by bsurfin View Post
... is it trying to use a different port other than the default 22 ?
Yes, it uses the normal configuration file for sshd but overrides the port. That way you can test out the full configuration without disturbing the existing service.

However, the error message from the SSH daemon seems to be unambiguous: "Invalid user newuser@domain-name.com from ..." It looks like the user account does not exist on the server. You should test that it is there using id or something:

Code:
id newuser
If the account does not exist, then all else is moot.
 
Old 10-10-2018, 04:04 PM   #7
bsurfin
Member
 
Registered: May 2004
Location: Kalispell Montana
Distribution: Ubuntu 18.04LTS
Posts: 127

Original Poster
Rep: Reputation: 16
I did
Code:
mysuername@My-Server:~$ id newuser

output
Code:
uid=1003(newuser) gid=1004(newuser) groups=1004(newuser)
 
Old 10-10-2018, 05:01 PM   #8
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 2,032

Rep: Reputation: 629Reputation: 629Reputation: 629Reputation: 629Reputation: 629Reputation: 629
Quote:
Originally Posted by bsurfin View Post
using:
Code:
sudo cat /var/log/auth.log | awk '$5 ~ /^sshd/'
for security I have changed usernames and domain names on this.
Code:
Oct 10 11:52:24 My-Server sshd[5594]: Invalid user newuser@domain-name.com from 192.168.1.1 port 49624
Oct 10 11:52:24 My-Server sshd[5594]: error: Received disconnect from 192.168.1.1 port 49624:14: No supported authentication methods available [preauth]
Oct 10 11:52:24 My-Server sshd[5594]: Disconnected from invalid user newuser@domain-name.com
 192.168.1.1 port 49624 [preauth]
I'm rather uneducated at the moment about SFTP so I'm not sure what this means, is it trying to use a different port other than the default 22 ?
No.
The port 49624 is the port being used on the client computer...it's not the one that sshd on the server is using.

For example, I have two terminals open on this desktop connecting to my server. They are using the local ports of 49682 and 49684
Code:
tcp        0      0 192.168.0.55:49682      123.45.67.89:22      ESTABLISHED 3326/ssh            
tcp        0      0 192.168.0.55:49684      123.45.67.89:22      ESTABLISHED 3487/ssh
As Turbocapitalist said, the remote user is not valid. How did you create the user? What is the login shell set to?

Last edited by scasey; 10-10-2018 at 05:09 PM.
 
Old 10-10-2018, 05:34 PM   #9
bsurfin
Member
 
Registered: May 2004
Location: Kalispell Montana
Distribution: Ubuntu 18.04LTS
Posts: 127

Original Poster
Rep: Reputation: 16
I used the "Desktop" GUI as I always do to add the user on my server.
I mentioned above, here is another thing I'm not sure is right, the following are the settings for the newuser:

Home Directory = /home/newuser(aka domainuser)
shell = /bin/bash

And I'm using another computer with filezilla to try and access the domain with username and password.
even on my ubuntu laptop which I can access the admin accounts with ssh or sftp works great. I just thought I could have an account that I could make the username and Password work through sftp and jail it for security.
 
Old 10-11-2018, 07:10 AM   #10
dc.901
Member
 
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS 6-7; SuSE 8-12
Posts: 80

Rep: Reputation: 7
You have two different things, SFTP and domain authentication...
Let's create an account (local) and try SFTP... Then look at domain authentication.

Here is command you can use to create account:
Code:
sudo useradd -m -c "New Local User" newuser1
Here new user with "newuser1" will be created. "-m" will create home directory, -c is comments where I normally put users first and last name (or surname).

This will create the user "newuser1", but now need to set password. You can run this command:
Code:
sudo passwd newuser1
Now, try to SFTP with this newly created user.
 
Old 10-11-2018, 02:02 PM   #11
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 2,032

Rep: Reputation: 629Reputation: 629Reputation: 629Reputation: 629Reputation: 629Reputation: 629
Quote:
Originally Posted by bsurfin View Post
I used the "Desktop" GUI as I always do to add the user on my server.
I mentioned above, here is another thing I'm not sure is right, the following are the settings for the newuser:

Home Directory = /home/newuser(aka domainuser)
shell = /bin/bash

And I'm using another computer with filezilla to try and access the domain with username and password.
even on my ubuntu laptop which I can access the admin accounts with ssh or sftp works great. I just thought I could have an account that I could make the username and Password work through sftp and jail it for security.
Show us:
Code:
grep newuser /etc/passwd
please (with the actual username, of course)
 
Old 10-13-2018, 05:36 PM   #12
bsurfin
Member
 
Registered: May 2004
Location: Kalispell Montana
Distribution: Ubuntu 18.04LTS
Posts: 127

Original Poster
Rep: Reputation: 16
I got it figured out. I sudo ( sh -c "echo /usr/lib/openssh/sftp-server >> /etc/shells" ) to add sftp to the list of shells, set the user's shell to /usr/lib/openssh/sftp-server so it is sftp only for that user, my biggest mistake was thinking that Match User would grant a user not mentioned in AllowGroups or AllowUsers to be able to login, "WRONG" Once I added the user to the AllowUsers list Everything works.
I Also Figured out that the only way ChrootDirectory works is as long as every folder above the directory your user owns is owned by root "root:root"

Thanks everyone for the help, especially "Turbocapitalist" for the input on the ForceCommand internal-sftp -d /webdocumentrootfolder/ I played with that once everything was working, it is really nice how it automatically opens the folder for you, and you are ready for upload.
 
Old 10-13-2018, 06:03 PM   #13
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 2,032

Rep: Reputation: 629Reputation: 629Reputation: 629Reputation: 629Reputation: 629Reputation: 629
I'm pleased that you solved this.

'Twas why I asked for the user's line in /etc/passwd...to see what shell had been assigned to them.
In order for a user to be able to use sftp, they need to be able to login.

The idea of an sftp-only shell is new to me, tho...so that was an interesting aside to the thread.
 
Old 10-15-2018, 12:46 PM   #14
bsurfin
Member
 
Registered: May 2004
Location: Kalispell Montana
Distribution: Ubuntu 18.04LTS
Posts: 127

Original Poster
Rep: Reputation: 16
Hey, Scasey

FYI I ended up playing with this over the weekend to see just exactly how everything works, Like I mentioned my biggest mistakes were: 1. Not adding the new user to AllowUsers and or Allow Groups. 2. I didn't originally have the sftp shell in my list of shells. I put user shell back to /bin/bash and in the sshd_config folder using "ForceCommand internal-sftp" to do the exact same thing, after doing this I can only log in via sftp, when I comment out that line I can also login via ssh. So I'm able to jail the user and make it so that the only way in is sftp once I have it setup. ssh and sftp I find extremely easy to work with ( after the learning curve ), I have a hard time learning new concepts sometimes and the instructions are all over the place, so it took me about 2 weeks to figure out how to add a user, jail the account and limit the new user to sftp only and a single folder, then limit what the user can do, which now I could do it all inside of about 10 minutes.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
unable to change SFTP user account password after password aging while login LittleMaster Linux - Newbie 3 06-19-2018 12:21 AM
[SOLVED] stuck on guest account forgot password realflow100 Linux - General 6 06-27-2012 11:25 PM
default user account & password for SuSE? zeeshan876 Linux - Software 1 02-24-2011 04:55 PM
User account with SFTP access only nsfx Linux - General 3 01-06-2008 07:52 PM
get mail based on user certificate, not username & password phongnh Linux - Networking 2 02-04-2007 12:50 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 05:44 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration