View All Products
Compute
Storage
Databases
Networking
Developer Tools
Delivery
Security
Services
Industries
Pricing
Community
Engage With Us
Community Questions Limiting Access with SFTP .... trouble
Log in to Ask a Question

Limiting Access with SFTP .... trouble

general

I need to give a specific user sftp access to a specific folder. I've followed the direction in this article: http://library.linode.com/security/sftp-jails

When I try to connect with the SFTP remote client the user is authenticated and the SSH session is established but immediately the server closes the connection. The connection for the "root" user works just fine.

The folder has CHMOD 777. The user is in group filetransfer and his home folder is marked as the appropriate folder in /etc/passwd ->

jason:x:1000:1000:Jason Hanna,,,:/srv/www/domainname:/bin/bash

I do not want that user to own the folder but I think the user should have access to the folder and files via "other" permission which is set.

Any idea why the server is closing the connection?

From SFTP client:

[12:22:58] Server supported authentications: publickey,password

[12:22:58] Authentication request. Method: password

[12:22:58] User authentication successful.

[12:22:58] SSH session established.

[12:22:58] Connected to 173.255.–-.---.

[12:22:58] Detected Server Software: OpenSSH

[12:22:58] Opening channel 0.

[12:22:58] Server closed connection

11 Replies

The folder needs to have the permissions 0755 and owned by root:root you can then create a sub folder in that folder that they can write to. They can't write to the top level of the jail.

Thanks obs, I did figure that out finally after reading the log file. If the parent folder is not 755 the the SFTP daemon refuses to engage. It has an opinion about the security of your configuration I guess.

After it started working though, the directory structure that was being passed to the sftp client made no sense at all. A mess. SFTP works fine for the root admin so I'm sure I have something messed up but after spending two hours looking I couldn't find what.

So I gave up on SFTP and loaded vsftpd and decided to be content with giving out a simple ftp credential to the restricted directory. That worked perfectly the first time. Twas easy and my forehead is healing already.

Because its smilar i dont want to post another thread. I am using sftp too with filezilla. I am connecting with my putty generated private key. I have chosen my private key in filezillas sftp "public key authentication" section. It is working but today i realized if i dont use this option, i still can connect with my username and password. Is there a possibility to restrict the access of sftp only with using the private key? I think i have skipped something.

edit /etc/ssh/sshd_config and where it says PasswordAuthentication set it to no then restart ssh

it is already set to no. I have no problem with ssh with public key authentication. the problem is with sftp. i am using filezilla. filezilla supports public key authentication. i have set my .ppk file with filezilla. i can connect to my server with sftp using filezilla without a problem but if i also dont set the public key authentication in filezillas sftp section. i still can connect. i want to understand is that normal? is there a possibility to restrict the connection of sftp with only public key authentication.

sftp=ssh they use the same protocol, and the way you disable password authentication on ssh/sftp is to set "PasswordAuthentication no" in your /etc/ssh/sshd_config file and restart ssh. Double check your configuration.

i can not connect to ssh without using public key but i can connect to sftp without using public key. so?

post the contents of your /etc/ssh/sshd_config

Here it is;

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port xxx
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no
UseDNS no
AllowUsers xxx

That config won't allow password based authentication so I'd assume your sftp client is caching the certificate in putty this program is called pagent. The only other thing I can think of is that you didn't restart the ssh service or it failed to restart and is still using the old config, if in doubt reboot the server.

i restarted the ssh but no luck. i removed the key from filezilla and still can connect without it. very weird i think :?

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct