Nitsan Reznik
Non root SFTP users cannot log in - Software caused connection abort
Hi Guys,
We currently use our Linux (CentOS 7.2) SSH server and we restrict SFTP users to their home directories using a chroot jail. Currently all the home folders for the SFTP users are under the /home mount point; the users are able to log in properly to their own home folder (SFTPWRITE) and cannot see any other folders.
Below is our current config from /etc/ssh/sshd_config:
# override default of no subsystems
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
We are using the following commands to create the users and group:
useradd temp01 -g sftponly -s /bin/false
passwd temp01
After creating the user and linking him to the group, we use the commands below to make the jailed home dir:
mkdir /home/temp01/SFTPWRITE
chown root /home/temp01
chmod 755 /home/temp01
chown temp01 /home/temp01/SFTPWRITE
chmod 755 /home/temp01/SFTPWRITE
after that we run the following command: setsebool -P ssh_chroot_rw_homedirs on
like I mentioned above, everything works perfectly fine.
The problem began when we had to create a new mount point /sftphome instead of /home due to disk space issues. We followed exactly the same procedure as above, just created a new username (temp02) and changed the /home folder to /sftphome:
useradd temp02 -g sftponly -s /bin/false
passwd temp02
mkdir /sftphome/temp02/SFTPWRITE
chown root /sftphome/temp02
chmod 755 /sftphome/temp02
chown temp02 /sftphome/temp02/SFTPWRITE
chmod 755 /sftphome/temp02/SFTPWRITE
Run the command: setsebool -P ssh_chroot_rw_homedirs on
However, when user temp02 attempts to access the SFTP server either via FileZilla or WinSCP, he keeps getting the following error:
Software caused connection abort, Authentication Failed (Please find attached screenshot). I'm able to log in successfully using root.
I have tried changing ChrootDirectory %h to ChrootDirectory /sftphome without any luck.
It would be great if someone has any clue why non-root users cannot access it, when the only difference is that we created a new mount point for their home folders. Maybe I am missing something here.
Any help will be much appreciated Guys!
2016-10-27_15-57-05.jpg
ASKER
Hi,
Thank you for your comment.
so in my example, do I need to change something?
I will see the logs as well.
See the log please.
ASKER
Tried searching for any logs in /var/log/secure but no logs appear there.
In the special case when only sftp is used, not ssh nor scp, it is possible to use ChrootDirectory %h or ChrootDirectory /some/path/%u. The file system containing this directory must be mounted with options nodev and either nosuid or noexec. The owner of the directory should be the user. The ownership of the other components of the path must fulfill the usual conditions. No additional files are required to be present in the directory.
remount new home with nosuid and it will start to work.
ASKER
Thank you for your help here!
Apologies if I'm being silly here but, in my case, what should be the commands to remount with nosuid and nodev?
man mount
man fstab
in fstab there is a field that says
defaults
make it:
defaults,nosuid,nodev
(that is for the home2; don't try this at /, /usr or anything that system executables are in)
ASKER
Thanks I remounted using nosuid and nodev but still cannot access with a SFTP user.
Below is my /etc/fstab
//10.101.77.8/SFTPData /sftphome cifs domain=10.101.77.8,username=FTPAdmin,password=*********,nodev,nosuid 0 0
is that correct?
ASKER
Any other idea? Maybe because I'm mounting the new home to a NAS box?
I think cifs mount does not support multiple users or chmod....
Can you make it NFS?
My /var/log/secure is well filled with messages.
You really need to get logs to track login issues. Guessing will not help.
Maybe this?
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Log_More_Information
ASKER
I have been progressing with this and after typing the following command: usermod temp02 -d /sftphome/temp02, I can finally access and can only see my SFTPWRITE folder; however, I am getting the following error: open for write: permission denied (see attached screenshot)
when trying to upload any file to the SFTPWRITE folder.
I have checked and I cannot make the NAS as NFS as it only supports SMB and SMB2.
2016-10-28_08-53-15.jpg
CIFS is a single-user filesystem in UNIX's understanding.
All files on mount are root:root 0755
You need something with proper multi-user permissions.
ASKER
Hi,
I did it but, still cannot write as the user logged-on.
ASKER
I ended up installing a new SFTP on a new server with physical drives. Thank you for your time to answer my questions.
ASKER CERTIFIED SOLUTION
if the user's home is /home/x
You need to make a symlink in /home called home, so that inside the /home chroot the login can find the home directory
/var/log/secure has record of ssh denials.