Greetings All,
I have an ssh server which allows sftp connections from the Internet
and ssh connections from within the local net. Here is the config:
Code:
Port 11111
Port 11113
Protocol 2
LogLevel DEBUG
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/lib64/misc/sftp-server
Match LocalPort 11113 Address *,!192.168.0.0/24
ChrootDirectory /home/%u
AllowTCPForwarding no
X11Forwarding no
AllowUsers sftp_user
ForceCommand /usr/lib/openssh/sftp-server
AuthenticationMethods publickey,password publickey,keyboard-interactive
RSAAuthentication yes
PubkeyAuthentication yes
AcceptEnv LANG LC_*
Now when I try to connect from outside the net to test it, I see this
in the client:
Code:
dagg@NCC-5001-D ~/.ssh/sftp_keys $ sftp -oPort=11113 -oIdentityFile=id_rsa sftp_user@111.111.111.111
Authenticated with partial success.
Password:
Connection closed
I'm sure the passwd is correct because su - sftp_user with that same
passwd works, and if I enter a wrong passwd I'm prompted with another
"Password: " line.
The server logs are:
Code:
May 21 22:56:30 NCC-5001-D sshd[30467]: debug1: Forked child 30708.
May 21 22:56:30 NCC-5001-D sshd[30708]: Set /proc/self/oom_score_adj to
0
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: rexec start in 7 out 7
newsock 7 pipe 9 sock 10
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: inetd sockets after
dupping: 3, 3
May 21 22:56:30 NCC-5001-D sshd[30708]: Connection from 111.111.111.111
port 41017 on 192.168.0.1 port 11113
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: HPN Disabled: 0, HPN
Buffer Size: 87380
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Client protocol version
2.0; client software version OpenSSH_6.6p1-hpn14v4
May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype:
Version;Remote: 111.111.111.111-41017;Protocol: 2.0;Client:
OpenSSH_6.6p1-hpn14v4
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: match:
OpenSSH_6.6p1-hpn14v4 pat OpenSSH* compat 0x04000000
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Enabling compatibility
mode for protocol 2.0
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Local version string
SSH-2.0-OpenSSH_6.6p1-hpn14v4
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: permanently_set_uid:
22/22 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: list_hostkey_types:
ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_KEXINIT sent
[preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_KEXINIT
received [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: AUTH STATE IS 0
[preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: REQUESTED ENC.NAME is
'aes128-ctr' [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kex: client->server
aes128-ctr hmac-md5-etm@openssh.com none [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Kex;Remote:
111.111.111.111-41017;Enc: aes128-ctr;MAC:
hmac-md5-etm@openssh.com;Comp: none [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: REQUESTED ENC.NAME is
'aes128-ctr' [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kex: server->client
aes128-ctr hmac-md5-etm@openssh.com none [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: expecting
SSH2_MSG_KEX_ECDH_INIT [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_NEWKEYS sent
[preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: expecting
SSH2_MSG_NEWKEYS [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_NEWKEYS
received [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: KEX done [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for
user sftp_user service ssh-connection method none [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype:
Authname;Remote: 111.111.111.111-41017;Name: sftp_user [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 0 failures 0
[preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is port
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is port
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
protocol
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
loglevel
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
passwordauthentication
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is usepam
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
printmotd
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
printlastlog
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
useprivilegeseparation
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
subsystem
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is match
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: connection from
192.168.0.1 matched 'LocalPort 11113' at line 176
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: connection from
111.111.111.111 matched 'Address *,!192.168.0.0/24' at line 176
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
chrootdirectory
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
allowtcpforwarding
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
x11forwarding
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
allowusers
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
forcecommand
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
authenticationmethods
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
rsaauthentication
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
pubkeyauthentication
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is
acceptenv
May 21 22:56:30 NCC-5001-D sshd[30708]: error: Disabled method
"password" in AuthenticationMethods list
"publickey,password"
May 21 22:56:30 NCC-5001-D sshd[30708]: Authentication methods list
"publickey,password" contains disabled method, skipping
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: authentication methods
list 0: publickey,keyboard-interactive
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: initializing for
"sftp_user"
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: setting PAM_RHOST
to "red.unlimited.net"
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: setting PAM_TTY to
"ssh"
May 21 22:56:30 NCC-5001-D sshd[30708]: error: Disabled method
"password" in AuthenticationMethods list
"publickey,password" [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: Authentication methods list
"publickey,password" contains disabled method, skipping
[preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: authentication methods
list 0: publickey,keyboard-interactive [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for
user sftp_user service ssh-connection method publickey [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 1 failures 0
[preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: test whether
pkalg/pkblob are acceptable [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: temporarily_use_uid:
1004/100 (e=0/0)
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: trying public key file
/home/sftp_user/.ssh/authorized_keys
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: fd 4 clearing
O_NONBLOCK
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: matching key found:
file /home/sftp_user/.ssh/authorized_keys, line 1 RSA
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: restore_uid: 0/0
May 21 22:56:30 NCC-5001-D sshd[30708]: Postponed publickey for
sftp_user from 111.111.111.111 port 41017 ssh2 [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for
user sftp_user service ssh-connection method publickey [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 2 failures 0
[preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: temporarily_use_uid:
1004/100 (e=0/0)
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: trying public key file
/home/sftp_user/.ssh/authorized_keys
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: fd 4 clearing
O_NONBLOCK
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: matching key found:
file /home/sftp_user/.ssh/authorized_keys, line 1 RSA
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: restore_uid: 0/0
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: ssh_rsa_verify:
signature correct
May 21 22:56:30 NCC-5001-D sshd[30708]: Partial publickey for sftp_user
from 111.111.111.111 port 41017 ssh2: RSA
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for
user sftp_user service ssh-connection method keyboard-interactive
[preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 3 failures 1
[preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: keyboard-interactive
devs [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: auth2_challenge:
user=sftp_user devs= [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kbdint_alloc: devices
'pam' [preauth]
May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: auth2_challenge_start:
trying authentication method 'pam' [preauth]
May 21 22:56:31 NCC-5001-D sshd[30708]: Postponed keyboard-interactive
for sftp_user from 111.111.111.111 port 41017 ssh2: RSA
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx [preauth]
May 21 22:56:34 NCC-5001-D sshd[30713]: debug1: do_pam_account: called
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: num PAM env
strings 0
May 21 22:56:34 NCC-5001-D sshd[30708]: Postponed
keyboard-interactive/pam for sftp_user from 111.111.111.111 port 41017
ssh2 [preauth]
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: do_pam_account: called
May 21 22:56:34 NCC-5001-D sshd[30708]: Accepted
keyboard-interactive/pam for sftp_user from 111.111.111.111 port 41017
ssh2
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: monitor_child_preauth:
sftp_user has been authenticated by privileged process
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: monitor_read_log: child
log fd closed
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: establishing
credentials
May 21 22:56:34 NCC-5001-D sshd[30708]: pam_unix(sshd:session): session
opened for user sftp_user by (uid=0)
May 21 22:56:34 NCC-5001-D sshd[30708]: User child is on pid 30721
May 21 22:56:34 NCC-5001-D sshd[30721]: debug1: PAM: establishing
credentials
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: do_cleanup
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: cleanup
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: closing session
May 21 22:56:34 NCC-5001-D sshd[30708]: pam_unix(sshd:session): session
closed for user sftp_user
May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: deleting
credentials
Why am I not able to get an ftp cli?
Thanks.
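
An added example, not part of the original post: a small Python lint for two things in the posted config. The first check, an AuthenticationMethods list naming a method the same config disables, is what the `Disabled method "password"` log lines report; the second, an external ForceCommand binary combined with ChrootDirectory, is a general OpenSSH requirement (the binary must exist inside the chroot) and is only an assumed cause here, since the posted log does not show it. `SAMPLE`, `TOGGLES`, `parse` and `lint` are names chosen for this example.

```python
# Trimmed copy of the config posted above, used as sample input.
SAMPLE = """\
Port 11113
PasswordAuthentication no
UsePAM yes
Subsystem sftp /usr/lib64/misc/sftp-server
Match LocalPort 11113 Address *,!192.168.0.0/24
ChrootDirectory /home/%u
ForceCommand /usr/lib/openssh/sftp-server
AuthenticationMethods publickey,password publickey,keyboard-interactive
PubkeyAuthentication yes
"""

# Auth method -> keyword that switches it off when set to "no".
TOGGLES = {"password": "passwordauthentication",
           "publickey": "pubkeyauthentication"}

def parse(text):
    """Return (global_opts, [(match_criteria, opts), ...]); keywords lowercased."""
    glob, blocks, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            cur = {}                      # every later line belongs to this block
            blocks.append((val, cur))
        else:
            # sshd keeps the first value it obtains for a keyword
            (glob if cur is None else cur).setdefault(key, val)
    return glob, blocks

def lint(text):
    """Return a list of findings for each Match block (or the global section)."""
    findings = []
    glob, blocks = parse(text)
    for crit, opts in blocks or [("", {})]:
        eff = {**glob, **opts}            # Match values override global ones
        for lst in eff.get("authenticationmethods", "").split():
            for m in lst.split(","):
                m = m.split(":")[0]       # drop a submethod such as ":pam"
                if eff.get(TOGGLES.get(m, ""), "yes") == "no":
                    findings.append(f"[{crit}] list '{lst}' is skipped: {m} is disabled")
        cmd = eff.get("forcecommand", "")
        if eff.get("chrootdirectory", "none") != "none" and cmd.startswith("/"):
            findings.append(f"[{crit}] ForceCommand {cmd} must exist inside the "
                            "chroot; internal-sftp needs no files there")
    return findings
```

Calling `lint(SAMPLE)` returns one finding per check; a config that uses only enabled methods and `ForceCommand internal-sftp` returns an empty list.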