Solved

Open SSH server permitting sftp connection for one user but not the other

Posted on 2013-11-13
17
820 Views
Last Modified: 2013-11-17
I have a Open SSH server permitting sftp connection for one user but not the other. I don't know why this is happening. Both are regular users and both work fine logging on via ssh. Here is the config:

Port 22
Protocol 2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 768

SyslogFacility AUTH
LogLevel INFO


LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

X11Forwarding no
X11DisplayOffset 10
PrintMotd no

PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes

Open in new window

0
Comment
Question by:itnifl
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
  • 4
  • +2
17 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 250 total points
ID: 39644789
Can those not able to connect execute sftp-server from the system?
0
 
LVL 23

Assisted Solution

by:savone
savone earned 63 total points
ID: 39645045
Are they using keys or passwords?
0
 
LVL 2

Author Comment

by:itnifl
ID: 39645311
gheist: Both the user that can connect and the user that cannot connect seem able to execute /usr/lib/openssh/sftp-server. When logged in with both users, the command prompt halts when executing these and resumes only when I press Ctrl-C.

savone: I log in with password, but if there are keys, how would I check this? The user that cannot connect via sftp is a new user by the way, just added to the system.
0
Do you have a plan for Continuity?

It's inevitable. People leave organizations creating a gap in your service. That's where Percona comes in.

See how Pepper.com relies on Percona to:
-Manage their database
-Guarantee data safety and protection
-Provide database expertise that is available for any situation

 
LVL 62

Assisted Solution

by:gheist
gheist earned 250 total points
ID: 39645329
What client they use for sftp? Maybe one uses FTP-S which is ftp over SSL? Any client logs?
0
 
LVL 21

Assisted Solution

by:Mazdajai
Mazdajai earned 125 total points
ID: 39646127
Are the users in the same group?
id user1
id user2

Open in new window

0
 
LVL 2

Author Comment

by:itnifl
ID: 39647154
Here is the difference in group memberships:
user1@Ubu-DR1:~$ more /etc/group | grep user1
adm:x:4:user1
cdrom:x:24:user1
sudo:x:27:user1
dip:x:30:user1
plugdev:x:46:user1
sambashare:x:112:user1
user1:x:1000:
lpadmin:x:114:user1
sftpusers:x:1003:user2,user1
LocalSSHGroup:x:1004:user1

user1@Ubu-DR1:~$ more /etc/group | grep user2
users:x:100:user2
sftpusers:x:1003:user2,user1
user2:x:1002:

Open in new window


Or this way if you like:
user1@Ubu-DR1:~$ id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),112(sambashare),114(lpadmin),1003(sftpusers),1004(LocalSSHGroup)

user1@Ubu-DR1:~$ id user2
uid=1001(user2) gid=1002(user2) groups=1002(user2),100(users),1003(sftpusers)

Open in new window


I am testing for both users using WinSCP. File protocol chosen in both cases is the same, SFTP.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 250 total points
ID: 39647173
Winscp uses plink.exe - is it version 0.63? Older may be blocked by antivirus or firewall etc.
0
 
LVL 2

Author Comment

by:itnifl
ID: 39647181
WinSCP is version 5.1.3.2881. There is no Plink.exe under the WinSCP installation folder or subfolders. I found the file randomly on my system under some homework files from when I was in school, but doupt that the path to this location is in my environment variable paths. The version of that file is 0.60. If the version was the problem it should fail no matter what user I connect with, but that is not the case.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 250 total points
ID: 39647237
but since both users have same setup it presents no problem...
You can run tools/pageant from login screen. it seems putty is compiled in now...
0
 
LVL 2

Author Comment

by:itnifl
ID: 39647477
Pageant.exe and puttygen.exe under WinSCP\PuTTY is version 0.62
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 62 total points
ID: 39647636
Just for kicks have you tried adding user2 to the LocalSSHGroup group?

I would try adding and then removing user2 to each group that user1 is a member of.
0
 
LVL 21

Assisted Solution

by:Mazdajai
Mazdajai earned 125 total points
ID: 39647916
Can you post the output with verbose output?

plink -v c:\fileA.txt host:/tmp/xxx

Open in new window

0
 
LVL 2

Author Comment

by:itnifl
ID: 39655596
C:\Windows\system32>plink -v c:\fileA.txt host:/tmp/xxx
'plink' is not recognized as an internal or external command,
operable program or batch file.

Like I told you, plink.exe is not in my paths variable on my windows client and is not under the WinSCP installation.
0
 
LVL 2

Author Closing Comment

by:itnifl
ID: 39655598
I have a terrible confession to make. The real source of the problem is that user1's real username is terribly long, and in this long username was a typo :) the typo was only in the WinSCP profile, that is why everything was working fine with SSH where the username as typed correctly.

Sorry about that guys. You are all receiving points for participating.
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39655599
Is there any reason you cannot download it to confirm it is not a client issue? It is tough to know what is going on without logging.
0
 
LVL 2

Author Comment

by:itnifl
ID: 39655602
Typo again, user2's user name is terribly long - not user1.
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39655603
No problem, didn't see your previous post.
0

Featured Post

WordPress Tutorial 4: Recommended Plugins

Now that you have WordPress installed, understand the interface, and know how to install new parts, let’s take a look at our recommended plugins.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question