LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Old 10-10-2018, 11:05 AM   #1
bsurfin
Member
Registered: May 2004
Location: Kalispell Montana
Distribution: Ubuntu 18.04LTS
Posts: 143
Stuck trying to get new SFTP user account to work with username & password


On my Ubuntu 18.04 I've had my SSH server set up and secured for a while now: I use encrypted keys with a passphrase, no root login and no username-and-password logins, and I've also limited which users can even use ssh.

I'm trying to set up SFTP in a way that someone (a new user) could log in with FileZilla and I could restrict that user to only their web document root. So far I have added another username, put their permissions on their web document root (user & group), went to the /etc/ssh/sshd_config file, and am trying to configure a chroot environment for my new user. Here is what I'm now running into; in my sshd_config file I have the following:

Code:
# my setup I use for ssh & some security for my administrator accounts, I stripped the real names.

Subsystem sftp /usr/lib/openssh/sftp-server
IgnoreRhosts yes
IgnoreUserKnownHosts no
StrictModes yes
PubkeyAuthentication yes
RSAAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
AllowGroups administrators
AllowUsers user1 user2 user3

# my attempt at overriding settings on a per-user basis, I would like this
# user to be able to login only to their web document root and manage their
# website through sftp and that is it. So I added the
# following to the bottom of the sshd_config

Code:
# SFTP setup for domain below
# Subsystem sftp internal-sftp
Match User newuser
ChrootDirectory /var/www/
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
PasswordAuthentication yes
Everything after "# SFTP setup for domain below" does nothing as far as I can tell (I just can't log in via sftp with the new user account). However, when I dare to uncomment "# Subsystem sftp internal-sftp", the ssh server will not restart until I re-comment just that line. What I don't understand is that with my admin accounts and my terminal I can SSH, and even sftp user@server, and get right in and access everything.

I'm new to ssh and SFTP, so I'm hoping someone may know what I could try next, or what book would give me the answers.

One more thing I'm noticing: my new domainuser is so far set up normally, by which I mean Home Directory = /home/domainuser & shell = /bin/bash; so far there is no option to set the shell to sftp-server. Depending on the tutorial online, some say change the user's settings, some say change the sshd_config file. I'd just like to know what would actually work on my Ubuntu 18.04 machine.

Last edited by bsurfin; 10-10-2018 at 01:49 PM.
 
Old 10-10-2018, 11:13 AM   #2
Turbocapitalist
LQ Guru
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3
The permissions need to be kind of special for the chroot target: it must be owned by root and not writable by anyone else. So one way around that is to make use of the subdirectories which may be owned or writable by anyone. Using the -d option will set the user into a subdirectory while actually being chrooted to the directory above. Say you have /var/www/html/ writable by the group linuxstack but /var/www/ itself is owned by root and only writable by root:

Code:
Match User linuxstack
        ChrootDirectory /var/www/
        ForceCommand internal-sftp -d /html/
        X11Forwarding no
        AllowTcpForwarding no
        PermitTunnel no
        AllowAgentForwarding no
        PasswordAuthentication yes
See "man sftp-server" about the -d option. See "man sshd_config" about the ChrootDirectory details.

Also, it helps to use [code] [/code] tags around snippets from configuration files.
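A way to verify the ownership rule above before restarting sshd, as an added example that is not part of this thread or of OpenSSH: sshd applies the same test to the ChrootDirectory and to every directory above it (owned by root, not group- or world-writable), and when any component fails it refuses the session and logs "bad ownership or modes for chroot directory component" in auth.log. The function and argument names are mine; the STOP and OWNER_UID arguments are assumptions added so the check can be exercised on a scratch tree without root, and against a real server you run it with just the directory. Assumes GNU or BusyBox stat (Linux).

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.
# sshd (session.c safely_chroot) walks the ChrootDirectory path from / and
# rejects any component that is not owned by root or is group-/world-writable.
# These functions apply the same rule. Assumes GNU/BusyBox stat (Linux).

# component_ok DIR OWNER_UID -> 0 if DIR is owned by OWNER_UID and has no
# group or other write bit; prints the reason on stderr otherwise.
component_ok() {
    dir=$1; owner=$2
    info=$(stat -L -c '%u %A' "$dir") || return 1
    set -- $info                      # $1 = uid, $2 = e.g. drwxr-xr-x
    if [ "$1" != "$owner" ]; then
        echo "$dir: owned by uid $1, need uid $owner" >&2; return 1
    fi
    case $2 in
        ?????w*|????????w*)           # group write (6th char) or other write (9th)
            echo "$dir: group- or world-writable ($2)" >&2; return 1 ;;
    esac
    return 0
}

# chroot_path_ok DIR [STOP] [OWNER_UID]
# Checks DIR and each parent up to and including STOP (default: /) against
# OWNER_UID (default: 0, root). STOP and OWNER_UID exist only so the logic can
# be exercised on a scratch tree without root; sshd itself always walks to /.
chroot_path_ok() {
    d=${1%/}; [ -n "$d" ] || d=/
    stop=${2:-/}; stop=${stop%/}; [ -n "$stop" ] || stop=/
    own=${3:-0}
    while :; do
        component_ok "$d" "$own" || return 1
        [ "$d" = "$stop" ] && return 0
        [ "$d" = / ] && return 1      # reached / without meeting STOP
        d=$(dirname "$d")
    done
}

# own_as UID PATH -> chown only when the owner actually differs
own_as() { [ "$(stat -L -c %u "$2")" = "$1" ] || chown "$1" "$2"; }

# prepare_chroot ROOT SUBDIR SUB_UID [ROOT_UID]
# Lays out the tree the thread converges on: ROOT locked down for the chroot
# (owner ROOT_UID, mode 0755) and ROOT/SUBDIR owned by the sftp user, which is
# where "ForceCommand internal-sftp -d /SUBDIR" drops the session. The
# subdirectory is not a chroot component, so it may be writable by the user.
prepare_chroot() {
    root=$1; sub=$2; sub_uid=$3; root_uid=${4:-0}
    mkdir -p "$root/$sub" || return 1
    own_as "$root_uid" "$root" && chmod 0755 "$root" || return 1
    own_as "$sub_uid" "$root/$sub" && chmod 0755 "$root/$sub" || return 1
}

# Stand-alone use: sh chroot_check.sh /var/www   (exit status is the verdict)
if [ -n "$1" ]; then
    chroot_path_ok "$1" && echo "$1: usable as ChrootDirectory"
fi
```

The path given to -d is interpreted inside the chroot, so with ChrootDirectory /var/www and a user-owned /var/www/html the directive is "internal-sftp -d /html/", as in the block above. When the check fails on a real server the same reason shows up in /var/log/auth.log immediately after the "Accepted ..." line for the user.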
 
Old 10-10-2018, 12:42 PM   #3
bsurfin
Original Poster
I do have /var/www/ owned and writable by only root:root, and /var/www/domain-folder/ is newuser:newuser. I added the -d /domain-folder/ and restarted; still getting "Permission denied, please try again. newuser@domain's password:". I enter the password over and over. Both SSH & SFTP work on my admin accounts with keys, just not this newuser account I'm trying to jail.
 
Old 10-10-2018, 12:51 PM   #4
Turbocapitalist
I'd look at the server logs then.

Code:
sudo cat /var/log/auth.log | awk '$5 ~ /^sshd/'
There might be some clue there. If those are too cluttered, you can run an additional instance of sshd on a separate port and watch what happens there for a single session.

Code:
sudo /usr/sbin/sshd -p 2468 -dd
Then on the client you'll be able to connect once.

Code:
sftp -P 2468 newuser@domain.example.com
Then check what happened with sshd.
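The awk filter above is the right first step. The following is an added helper, not part of Turbocapitalist's post or of OpenSSH, that runs the same filter over a log file and labels the sshd messages that correspond to the failure modes an sftp chroot setup can hit: user rejected by AllowUsers, AllowGroups or the Deny directives, unusable login shell, bad ChrootDirectory permissions, unknown or rejected user. The matched texts are the messages sshd logs from its allowed_user() and safely_chroot() checks; the function names are mine and the log lines in the test at the bottom are constructed to resemble the ones posted in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. Labels the sshd
# lines in an auth.log that matter when an sftp chroot login fails. The
# matched texts are sshd's own messages (auth.c allowed_user(),
# session.c safely_chroot()).

# sshd_lines LOGFILE -> only the sshd entries, the same filter as in the thread
sshd_lines() { awk '$5 ~ /^sshd/' "$1"; }

# triage_line LINE -> a short verdict for one log line
triage_line() {
    case $1 in
        *"not allowed because not listed in AllowUsers"*) echo allowusers ;;
        *"not allowed because none of user's groups are listed in AllowGroups"*) echo allowgroups ;;
        *"not allowed because listed in DenyUsers"*|*"not allowed because a group is listed in DenyGroups"*) echo deny ;;
        *"not allowed because shell "*) echo shell ;;          # shell missing or not executable
        *"bad ownership or modes for chroot directory"*) echo chroot-perms ;;
        # sshd also logs "Invalid user" right after an AllowUsers/AllowGroups
        # rejection, so this verdict alone does not prove the account is missing:
        # check "id USER" and the Allow/Deny directives both.
        *"Invalid user "*) echo invalid-user ;;
        *"Accepted password for "*|*"Accepted publickey for "*) echo accepted ;;
        *) echo other ;;
    esac
}

# triage LOGFILE -> "verdict<TAB>line" for every sshd entry, in log order
triage() {
    sshd_lines "$1" | while IFS= read -r line; do
        printf '%s\t%s\n' "$(triage_line "$line")" "$line"
    done
}

# verdicts LOGFILE -> the distinct verdicts seen, sorted, as a one-line summary
verdicts() { triage "$1" | cut -f1 | sort -u | tr '\n' ' '; }

# Stand-alone use: sudo sh sshd_triage.sh /var/log/auth.log
if [ -n "$1" ]; then
    triage "$1"
fi
```

Reading auth.log needs root on Ubuntu, hence the sudo in the usage line. A "chroot-perms" verdict appears after an "accepted" line for the same connection, because sshd only attempts the chroot once authentication has succeeded; an "allowusers" or "allowgroups" verdict appears before any authentication method is tried, which is why the client then reports "No supported authentication methods available".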
 
Old 10-10-2018, 01:47 PM   #5
bsurfin
Original Poster
using:
Code:
sudo cat /var/log/auth.log | awk '$5 ~ /^sshd/'
for security I have changed usernames and domain names on this.
Code:
Oct 10 11:52:24 My-Server sshd[5594]: Invalid user newuser@domain-name.com from 192.168.1.1 port 49624
Oct 10 11:52:24 My-Server sshd[5594]: error: Received disconnect from 192.168.1.1 port 49624:14: No supported authentication methods available [preauth]
Oct 10 11:52:24 My-Server sshd[5594]: Disconnected from invalid user newuser@domain-name.com 192.168.1.1 port 49624 [preauth]
I'm rather uneducated at the moment about SFTP so I'm not sure what this means, is it trying to use a different port other than the default 22 ?

I'm also not sure if I need to change the user's credentials:
Home Directory = /home/domainuser
shell = /bin/bash

or do I rely on the sshd_config file for that? I've read so many tutorials, and I'm not sure if it is an either-this-way-or-that-way type of thing.

I did this on server:
Code:
sudo /usr/sbin/sshd -p 2468 -dd
then did this on client:
Code:
sftp -P 2468 newuser@domain.example.com
I got this output:
Code:
ssh: connect to host newuser@domainname.com port 2468: connection refused
Couldn't read packet: Connection reset by peer
 
Old 10-10-2018, 01:55 PM   #6
Turbocapitalist
Quote:
Originally Posted by bsurfin View Post
... is it trying to use a different port other than the default 22 ?
Yes, it uses the normal configuration file for sshd but overrides the port. That way you can test out the full configuration without disturbing the existing service.

However, the error message from the SSH daemon seems to be unambiguous: "Invalid user newuser@domain-name.com from ..." It looks like the user account does not exist on the server. You should test that it is there using id or something:

Code:
id newuser
If the account does not exist, then all else is moot.
 
Old 10-10-2018, 03:04 PM   #7
bsurfin
Original Poster
I did
Code:
myusername@My-Server:~$ id newuser

output
Code:
uid=1003(newuser) gid=1004(newuser) groups=1004(newuser)
 
Old 10-10-2018, 04:01 PM   #8
scasey
LQ Veteran
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727
Quote:
Originally Posted by bsurfin View Post
using:
Code:
sudo cat /var/log/auth.log | awk '$5 ~ /^sshd/'
for security I have changed usernames and domain names on this.
Code:
Oct 10 11:52:24 My-Server sshd[5594]: Invalid user newuser@domain-name.com from 192.168.1.1 port 49624
Oct 10 11:52:24 My-Server sshd[5594]: error: Received disconnect from 192.168.1.1 port 49624:14: No supported authentication methods available [preauth]
Oct 10 11:52:24 My-Server sshd[5594]: Disconnected from invalid user newuser@domain-name.com 192.168.1.1 port 49624 [preauth]
I'm rather uneducated at the moment about SFTP so I'm not sure what this means, is it trying to use a different port other than the default 22 ?
No.
The port 49624 is the port being used on the client computer...it's not the one that sshd on the server is using.

For example, I have two terminals open on this desktop connecting to my server. They are using the local ports of 49682 and 49684
Code:
tcp        0      0 192.168.0.55:49682      123.45.67.89:22      ESTABLISHED 3326/ssh            
tcp        0      0 192.168.0.55:49684      123.45.67.89:22      ESTABLISHED 3487/ssh
As Turbocapitalist said, the remote user is not valid. How did you create the user? What is the login shell set to?

Last edited by scasey; 10-10-2018 at 04:09 PM.
 
Old 10-10-2018, 04:34 PM   #9
bsurfin
Original Poster
I used the "Desktop" GUI as I always do to add the user on my server.
As I mentioned above, here is another thing I'm not sure is right; the following are the settings for the newuser:

Home Directory = /home/newuser (aka domainuser)
shell = /bin/bash

And I'm using another computer with FileZilla to try to access the domain with username and password.
Even on my Ubuntu laptop, accessing the admin accounts with ssh or sftp works great. I just thought I could have an account for which I could make the username and password work through sftp, and jail it for security.
 
Old 10-11-2018, 06:10 AM   #10
dc.901
Senior Member
Registered: Aug 2018
Location: Atlanta, GA - USA
Distribution: CentOS/RHEL, openSuSE/SLES, Ubuntu
Posts: 1,005
You have two different things, SFTP and domain authentication...
Let's create a (local) account and try SFTP... Then look at domain authentication.

Here is a command you can use to create the account:
Code:
sudo useradd -m -c "New Local User" newuser1
Here a new user "newuser1" will be created. "-m" will create the home directory; -c is the comment field, where I normally put the user's first and last name (or surname).

This will create the user "newuser1", but now you need to set a password. You can run this command:
Code:
sudo passwd newuser1
Now, try to SFTP with this newly created user.
 
Old 10-11-2018, 01:02 PM   #11
scasey
Quote:
Originally Posted by bsurfin View Post
I used the "Desktop" GUI as I always do to add the user on my server.
As I mentioned above, here is another thing I'm not sure is right; the following are the settings for the newuser:

Home Directory = /home/newuser (aka domainuser)
shell = /bin/bash

And I'm using another computer with FileZilla to try to access the domain with username and password.
Even on my Ubuntu laptop, accessing the admin accounts with ssh or sftp works great. I just thought I could have an account for which I could make the username and password work through sftp, and jail it for security.
Show us:
Code:
grep newuser /etc/passwd
please (with the actual username, of course)
 
Old 10-13-2018, 04:36 PM   #12
bsurfin
Original Poster
I got it figured out. I ran
Code:
sudo sh -c "echo /usr/lib/openssh/sftp-server >> /etc/shells"
to add sftp-server to the list of shells, and set the user's shell to /usr/lib/openssh/sftp-server so it is sftp-only for that user. My biggest mistake was thinking that Match User would grant a user not mentioned in AllowGroups or AllowUsers the ability to log in. WRONG. Once I added the user to the AllowUsers list, everything works.
I also figured out that the only way ChrootDirectory works is if every folder above the directory your user owns is owned by root ("root:root").

Thanks everyone for the help, especially "Turbocapitalist" for the input on ForceCommand internal-sftp -d /webdocumentrootfolder/. I played with that once everything was working; it is really nice how it automatically opens the folder for you and you are ready for upload.
 
Old 10-13-2018, 05:03 PM   #13
scasey
I'm pleased that you solved this.

'Twas why I asked for the user's line in /etc/passwd...to see what shell had been assigned to them.
In order for a user to be able to use sftp, they need to be able to login.

The idea of an sftp-only shell is new to me, tho...so that was an interesting aside to the thread.
 
Old 10-15-2018, 11:46 AM   #14
bsurfin
Original Poster
Hey, scasey

FYI, I ended up playing with this over the weekend to see just exactly how everything works. Like I mentioned, my biggest mistakes were: 1. not adding the new user to AllowUsers and/or AllowGroups; 2. not originally having the sftp shell in my list of shells. I put the user's shell back to /bin/bash and, in the sshd_config folder, used "ForceCommand internal-sftp" to do the exact same thing; after doing this I can only log in via sftp, and when I comment out that line I can also log in via ssh. So I'm able to jail the user and make it so that the only way in is sftp once I have it set up. I find ssh and sftp extremely easy to work with (after the learning curve). I have a hard time learning new concepts sometimes, and the instructions are all over the place, so it took me about 2 weeks to figure out how to add a user, jail the account, limit the new user to sftp only and a single folder, and then limit what the user can do, all of which I could now do inside of about 10 minutes.
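The two conclusions in posts #12 and #14 can be checked on a config file before touching the running daemon. A Match User block only narrows the settings for a user who is already admitted by the top-level AllowUsers/AllowGroups/DenyUsers/DenyGroups; it does not admit anyone. And once "ForceCommand internal-sftp" applies, sshd runs the SFTP server in-process and never executes the account's login shell, which is why /bin/bash with the ForceCommand works the same as the sftp-server shell did (the shell still has to exist and be executable, or sshd rejects the user before authentication). The quickest check on the server itself is "sudo sshd -T -C user=newuser,host=myhost,addr=192.0.2.10", which prints the settings sshd would apply to that connection. The following is an added example, not from the thread or from OpenSSH: a small parser that reads the top-level Allow/Deny directives of an sshd_config (stopping at the first Match line) and applies the order sshd_config(5) documents, DenyUsers, AllowUsers, DenyGroups, AllowGroups. Host-qualified patterns (user@host) and Allow/Deny lines inside Match blocks are not handled. The function names are mine; the two sample configs are constructed from the first post, and the "sftponly" group in the corrected one is an assumption, added because a config that carries both AllowGroups and AllowUsers, as the posted one does, requires the user to satisfy both.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. Evaluates whether
# the top-level AllowUsers/AllowGroups/DenyUsers/DenyGroups of an sshd_config
# admit a user, in the order sshd_config(5) documents:
# DenyUsers, AllowUsers, DenyGroups, AllowGroups.

# global_directive CONFIG NAME -> values of every NAME line that precedes the
# first Match block. Directives after Match are conditional and never widen
# the top-level allow list, so a stray "Match User" cannot admit anyone.
global_directive() {
    awk -v name="$2" '
        tolower($1) == "match"        { exit }
        /^[[:space:]]*#/ || NF == 0   { next }
        tolower($1) == tolower(name)  { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# glob_match PATTERN STRING -> 0 if STRING matches the shell-style PATTERN
# (sshd accepts * and ? in these directives)
glob_match() { case $2 in $1) return 0 ;; esac; return 1; }

# sshd_user_allowed CONFIG USER [GROUP ...] -> 0 if admitted; the reason for
# a rejection goes to stderr. GROUPs are the user's primary and supplementary
# groups (id -Gn USER on the server).
sshd_user_allowed() {
    cfg=$1; user=$2; shift 2
    for p in $(global_directive "$cfg" DenyUsers); do
        glob_match "$p" "$user" && { echo "$user: listed in DenyUsers ($p)" >&2; return 1; }
    done
    list=$(global_directive "$cfg" AllowUsers)
    if [ -n "$list" ]; then
        hit=0
        for p in $list; do glob_match "$p" "$user" && hit=1; done
        [ "$hit" = 1 ] || { echo "$user: not listed in AllowUsers" >&2; return 1; }
    fi
    for p in $(global_directive "$cfg" DenyGroups); do
        for g in "$@"; do
            glob_match "$p" "$g" && { echo "$user: group $g listed in DenyGroups ($p)" >&2; return 1; }
        done
    done
    list=$(global_directive "$cfg" AllowGroups)
    if [ -n "$list" ]; then
        hit=0
        for p in $list; do for g in "$@"; do glob_match "$p" "$g" && hit=1; done; done
        [ "$hit" = 1 ] || { echo "$user: none of the groups ($*) listed in AllowGroups" >&2; return 1; }
    fi
    return 0
}

# write_demo_configs DIR: the two configurations from the thread as constructed
# sample input. before: newuser appears only in the Match block. after: newuser
# is also in AllowUsers, and an assumed sftponly group is added to AllowGroups
# so the user can satisfy both directives. The Match settings are identical.
write_demo_configs() {
    cat > "$1/before" <<'EOF'
Subsystem sftp /usr/lib/openssh/sftp-server
PermitRootLogin no
PasswordAuthentication no
AllowGroups administrators
AllowUsers user1 user2 user3
Match User newuser
    ChrootDirectory /var/www/
    ForceCommand internal-sftp -d /html/
    PasswordAuthentication yes
EOF
    cat > "$1/after" <<'EOF'
Subsystem sftp /usr/lib/openssh/sftp-server
PermitRootLogin no
PasswordAuthentication no
AllowGroups administrators sftponly
AllowUsers user1 user2 user3 newuser
Match User newuser
    ChrootDirectory /var/www/
    ForceCommand internal-sftp -d /html/
    PasswordAuthentication yes
EOF
}

# Stand-alone use: sh allow_check.sh /etc/ssh/sshd_config newuser $(id -Gn newuser)
if [ $# -ge 2 ]; then
    sshd_user_allowed "$@" && echo "$2: admitted by the top-level Allow/Deny directives"
fi
```

With the "before" file the parser rejects newuser at the AllowUsers step, which is exactly the "not listed in AllowUsers" line sshd writes to auth.log just before the "Invalid user" line posted earlier in this thread. With the "after" file newuser passes only when one of its groups is in AllowGroups; adding the user to AllowUsers alone is not enough while an AllowGroups line is present.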
 
  


All times are GMT -5.