secure sftp login not working in RedHat Linux

I'm using RedHat Linux 6.1 and wanted to create a user account with access to only a single directory. I have followed all the steps from the link below and the user is still not able to log in:

How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH) (link removed)

Meanwhile, the other users, which are not part of the sftpusers group, are able to log in successfully from remote machines.

The error I see is as below:

debug1: Next authentication method: publickey
debug1: Offering public key: /home/touchpnt/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /home/touchpnt/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
abdul@cemapp's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer

I have made sure that the parent directory belongs to root (both user and group) and the subdirectory belongs to the user under test (and its group is set as sftpusers).

Have referred to many threads on this issue, but none of them is really useful in fixing this. Also my setting in /etc/ssh/sshd_config is "UsePAM no"

With SSH flavored issues, I always start by getting localhost to work -- no cross-flavor issues, no firewalls. Do you want password authentication, or just public key? Have you bounced the system or daemon since the config was changed?

This is a customer's server and hence disabling firewalls etc. is not possible, as they adhere to their security policy. I just need password authentication. I didn't bounce the system after applying the Chroot logic with the Match Group implementation. I only restarted the sshd service and tested from another server in the same LAN.

Are you using rssh as suggested in the comments? Why not post the directory permissions from real root down, and any mounts or soft links, and the suggested config file entry changes, just for review.

Ok. I'm adding more details for your review here:

Firstly, entries in sshd_config are:

cat /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM no
#UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
ClientAliveInterval 60
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path
# override default of no subsystems

#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group sftpusers
        ChrootDirectory /assure0/test/%u
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

And, permissions on that directory are as below:

drwxr-xr-x   6 root root   4096 Oct  4 01:12 assure0

drwxr-xr-x 26 root     root      4096 Oct  3 21:28 test

drwxr-xr-x 2 abdul        sftpusers 4096 Oct  1 00:00 abdul


Also, there are no mounts or soft links in any of these directories.

I'm able to successfully log in to the sftp accounts which don't belong to the sftpusers group.

So, this issue is specific to users in the sftpusers group, whose access I want to restrict to one particular directory.

Check out this link. It's a bit more informative than the one you followed. Also, I set this up a couple of months back and had no issues.

SFTP Chroot Jail on RHEL6 and CentOS6 - This is not supported dot com

Thanks. Have tried this link also and still face the same problem

Is the /assure0/test/ directory the user's home directory? If so, have you tried using %h (what I used in my configurations) instead of %u? Also, have you tried omitting that directive altogether and just setting the chroot path to /assure0/test/?

Yeah, tried them and no change in error in both these cases.

Have you looked at the logs (/var/log/secure) on the server you're attempting to connect to?

Thanks much. This log helped me understand the issue:

fatal: bad ownership or modes for chroot directory

Have modified the permissions accordingly and it fixed the issue

Lessons learnt:

a. ChrootDirectory mentioned in /etc/ssh/sshd_config file should be owned by root and not the sftp only user in question

b. From ChrootDirectory, we need to create a directory for sftp user with permissions set as chown test:test <dir name>. In my case, it was test:sftpusers; so, it was failing earlier

c. The permissions on sftpuser directory should be 755
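
The check behind the "bad ownership or modes for chroot directory" message can be reproduced offline. The following is an added example, not part of the thread and not OpenSSH's own code: it applies the rule documented in sshd_config(5) for ChrootDirectory (every component of the path must be a root-owned directory that is not writable by group or others) to the layout posted above. The uid 500 for abdul and the "/" entry are constructed values; `check_chroot` and `thread_stat` are hypothetical helper names.

```python
import os
import stat
from types import SimpleNamespace

def component_problem(uid, mode):
    """Return why a chroot path component is unacceptable, or None if it is fine."""
    if not stat.S_ISDIR(mode):
        return "not a directory"
    if uid != 0:
        return "not owned by root (uid %d)" % uid
    if mode & 0o022:
        return "writable by group or others (mode %o)" % stat.S_IMODE(mode)
    return None

def check_chroot(template, user, stat_fn=os.stat):
    """Expand %u, then test every component from / down to the target.
    Returns (path, problem) for the first bad component, or None."""
    target = os.path.abspath(template.replace("%u", user))
    current = os.sep
    for comp in [""] + [p for p in target.split(os.sep) if p]:
        current = os.path.join(current, comp)
        st = stat_fn(current)
        problem = component_problem(st.st_uid, st.st_mode)
        if problem:
            return current, problem
    return None

# Constructed stand-in for the directory listing posted in the thread,
# so the example runs without touching the real filesystem.
D = stat.S_IFDIR
THREAD_LAYOUT = {
    "/": (0, D | 0o755),                      # assumed: root-owned, 755
    "/assure0": (0, D | 0o755),               # root root drwxr-xr-x
    "/assure0/test": (0, D | 0o755),          # root root drwxr-xr-x
    "/assure0/test/abdul": (500, D | 0o755),  # abdul sftpusers; uid 500 is made up
}

def thread_stat(path):
    uid, mode = THREAD_LAYOUT[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)

if __name__ == "__main__":
    # ChrootDirectory as configured in the Match block: fails on the last component.
    print(check_chroot("/assure0/test/%u", "abdul", thread_stat))
    # Chrooting one level up, where every component is root-owned: passes.
    print(check_chroot("/assure0/test", "abdul", thread_stat))
```

Called without the `stat_fn` argument, `check_chroot` uses `os.stat` and inspects the real directories on the server.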