Why am I root? (accessing sftp server with pubkeys)

hicnar · September 1, 2014, 4:10pm

Hi,

It is my first post here - I am Krzysztof

I have configured my linux based server (it is Synology DS1813+) to be accessible only via SSH and only with public certificates (my /etc/ssh/sshd_conf below).

Both login into shell and sftp work well, but if I access the server via sftp (for example via standard gnome file manager - Connect to Server ) I have root permissions even though I login as a regular user (the user has admin rights but it definitely is not root).

Does anybody know why am I root and not the user I login as?

Thanx in advance for any suggestions
K.

    #   $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    Port 22
    AddressFamily inet
    ListenAddress 0.0.0.0
    #ListenAddress ::

    # The default requires explicit activation of protocol 1
    Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes yes
    MaxAuthTries 3
    #MaxSessions 10

    RSAAuthentication no
    PasswordAuthentication no
    UsePAM no
     
    PubkeyAuthentication yes
    AuthorizedKeysFile   .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no

    # Kerberos options
    KerberosAuthentication no
    GSSAPIAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no

    AllowGroups sshusers

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    #UsePAM no

    #AllowAgentForwarding yes
    AllowTcpForwarding no
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    UseDNS no
    #PidFile /var/run/sshd.pid
    MaxStartups 2
    #PermitTunnel no
    ChrootDirectory none
    #ChrootDirectory /var/services/homes/%u
    #DenyUsers admin

    # no default banner path
    #Banner none

    # override default of no subsystems
    #Subsystem   sftp   /usr/libexec/sftp-server
    #Subsystem       sftp    internal-sftp -f DAEMON -l VERBOSE -u 000
    Subsystem       sftp    internal-sftp -f DAEMON -u 000
    #Subsystem       sftp    /usr/syno/sbin/sftp-server -l DEBUG3

    # the following are HPN related configuration options
    # tcp receive buffer polling. disable in non autotuning kernels
    #TcpRcvBufPoll yes
     
    # allow the use of the none cipher
    #NoneEnabled no

    # disable hpn performance boosts.
    #HPNDisabled no

    # buffer size for hpn to non-hpn connections
    #HPNBufferSize 2048


    # Example of overriding settings on a per-user basis
    Match User root
    #   X11Forwarding no
       AllowTcpForwarding yes
    #   ForceCommand cvs server

RavinderSingh13 · September 2, 2014, 1:07am

Hello hicnar,

Welcome to the forum. As per your input provided I can see property PermitRootLogin no which is good enough to stop root to do ssh .
but also there are 2 points which I think you can try.

If you have made changes to your file /etc/ssh/sshd_config recently then please make sure that you need to recycle the service by /etc/init.d/sshd restart command after making changes to file.
If you have done the 1st suggestion(recycling of service after change) I can see there is a property AllowGroups sshusers in the file so I assume root will be also the part of this group too. So we can try to troubleshoot here if this is the cause.

Please do let us know if you have any queries.

NOTE: These are only suggestions please don't perform this in you live environment, you can try the same in your system and check.

Thanks,
R. Singh