#1 Platoxia, 11th May 2012, 04:10
sftp not working for userUser created by ISPConfig

As stated in the title...

However, it does work for system users. Here are the logs:

auth.log
Code:
May 10 20:41:50 server sshd[20877]: Set /proc/self/oom_score_adj to 0
May 10 20:41:50 server sshd[20877]: Connection from xx.xxx.xxx.xx port xxxxx
May 10 20:41:50 server sshd[20877]: Invalid user userUser from xx.xxx.xxx.xx
May 10 20:41:50 server sshd[20877]: input_userauth_request: invalid user userUser [preauth]
May 10 20:41:50 server sshd[20877]: Received disconnect from xx.xxx.xxx.xx: 14: No supported authentication methods available [preauth]
May 10 20:43:24 server sshd[20891]: Set /proc/self/oom_score_adj to 0
May 10 20:43:24 server sshd[20891]: Connection from xx.xxx.xxx.xx port xxxxx
May 10 20:43:25 server sshd[20891]: Found matching RSA key: *key*
May 10 20:43:25 server sshd[20891]: Postponed publickey for systemUser from xx.xxx.xxx.xx port xxxxx ssh2 [preauth]
May 10 20:43:25 server sshd[20891]: Found matching RSA key: *key*
May 10 20:43:25 server sshd[20891]: Accepted publickey for systemUser from xx.xxx.xxx.xx port xxxx ssh2
May 10 20:43:25 server sshd[20891]: pam_unix(sshd:session): session opened for user systemUser by (uid=0)
May 10 20:43:27 server sshd[20891]: User child is on pid 21074
May 10 20:43:27 server sshd[21074]: subsystem request for sftp by user systemUser

So I guess the question is whether this is a key pair issue or some other issue with the configuration files for ssh, pureftp, or something altogether different? I actually did make some config file changes following the security section of the ISPConfig 3 book...but those were just additions to the fail2ban config and if I remember correctly, pureFTPd was already in there.

Last edited by Platoxia; 11th May 2012 at 04:16.

#2 falko, 11th May 2012, 10:14

Are you referring to SFTP (which is based on SSH so you must create a shell user) or FTPS (which is based on FTP so you need an FTP user)?
The Following User Says Thank You to falko For This Useful Post:
Platoxia (11th May 2012)

#3 Platoxia, 11th May 2012, 14:26

Sorry if I wasn't clear. I am talking about sftp that logs in through ssh (trying to do key-based only setup). I tried to create a shell user with the same name through ISPConfig, i.e. "userUser" but it doesn't work out because it creates a separate system user named "userUser" that is chroot/jailed in a directory with the same name. "web1" is the directory for the website where the ftp user is chroot/jailed when I log in through regular ftp and is also the owner of all website files for that website.

I'm baffled by this issue.

To clarify some things in the auth.log. "userUser" is the ftp user created through ISPConfig which I tried to duplicate by creating a shell user in ISPConfig with the same name and password (ugly workaround that didn't work) and "systemUser" is a regular user account on my server (which works just fine).

Last edited by Platoxia; 11th May 2012 at 14:41.

#4 till, 11th May 2012, 14:31

Better use ftps (which is FTP secured by TLS) as this works with an FTP user. sftp is no ftp, it is an extension of the ssh protocol and handled by the ssh daemon and not the ftp daemon. That's often mixed up due to the similar names.

If you want to use sftp, then you have to disable the jail for the ssh user as sftp won't work with a jailed user. Disabling the jail is insecure and not recommended, so better use ftps as I suggested for secure file uploads.
Last edited by till; 11th May 2012 at 14:33.
The Following User Says Thank You to till For This Useful Post:
Platoxia (11th May 2012)

#5 Platoxia, 11th May 2012, 14:47

Thanks guys, I actually did read up on sftp vs. ftps but didn't find anything about the sftp issue with a jailed environment.

I'll have to change my plans and see how ftps works out.

#6 Platoxia, 11th May 2012, 15:14

Sorry, one more question about this. Is it the case that jailing the sftp user won't work with openSSH as in this example due to not being able to "mount more than one folder/device/partition/netshare in a particular location" as explained at the end of this post?

I'm learning little by little, but I can see the problem if ISPConfig creates a site with two system users, one for the website and a separate one for the ftp account; i.e. "web1" who is the owner of all website files and the ftp user "[CLIENTNAME]Username" who is also chrooted into that same directory.

Is this what is going on, or am I missing something?

#7 till, 11th May 2012, 15:21

No, that's not related. ISPConfig creates just one user for a website as a linux user is identified by its numeric uid and there is just one uid used. What you most likely refer to are the shell user aliases for the login credentials, they are all the same Linux user. Also there are no shell users created for ftp accounts, ftp accounts are virtual users that exist just in mysql which instruct the ftp daemon to map files to the user of the website.

The sftp server is just not part of the jail, so you can't use sftp with a jailed user. If you want to use sftp with jailed accounts, then you have to reconfigure jailkit to add the sftp daemon part to the jail as well. That's described in the jailkit docs as far as I know.
The Following User Says Thank You to till For This Useful Post:
Platoxia (11th May 2012)
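
The auth.log from the first post can be triaged per sshd connection, shown here as an added example that is not code from any poster in this thread. "Invalid user" is what sshd logs when it finds no system account for the login name, which is the case for an FTP-only virtual user, while the working login appears as an accepted key followed by an sftp subsystem request in the child process. The function name and the state labels are assumptions chosen for this example.

```python
import re

# Sample input: auth.log lines taken from the first post, abridged.
SAMPLE = """\
May 10 20:41:50 server sshd[20877]: Connection from xx.xxx.xxx.xx port xxxxx
May 10 20:41:50 server sshd[20877]: Invalid user userUser from xx.xxx.xxx.xx
May 10 20:41:50 server sshd[20877]: Received disconnect from xx.xxx.xxx.xx: 14: No supported authentication methods available [preauth]
May 10 20:43:24 server sshd[20891]: Connection from xx.xxx.xxx.xx port xxxxx
May 10 20:43:25 server sshd[20891]: Accepted publickey for systemUser from xx.xxx.xxx.xx port xxxx ssh2
May 10 20:43:27 server sshd[20891]: User child is on pid 21074
May 10 20:43:27 server sshd[21074]: subsystem request for sftp by user systemUser
"""

LINE = re.compile(r"sshd\[(\d+)\]: (.*)$")
RULES = [  # (pattern on the message part, state label chosen for this example)
    (re.compile(r"^Invalid user (\S+) from "), "no-system-account"),
    (re.compile(r"^Accepted (?:publickey|password) for (\S+) from "), "authenticated"),
    (re.compile(r"^subsystem request for sftp by user (\S+)"), "sftp-started"),
]
CHILD = re.compile(r"^User child is on pid (\d+)")


def triage(text):
    """Return {session_pid: (user, state)} for each sshd connection in text."""
    sessions, parent_of = {}, {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        child = CHILD.match(msg)
        if child:  # post-auth child process: fold its lines into the parent
            parent_of[child.group(1)] = pid
            continue
        pid = parent_of.get(pid, pid)
        for pattern, state in RULES:
            hit = pattern.match(msg)
            if hit:  # later lines overwrite earlier ones, so the last state wins
                sessions[pid] = (hit.group(1), state)
    return sessions


if __name__ == "__main__":
    for pid, (user, state) in triage(SAMPLE).items():
        print(f"sshd[{pid}] {user}: {state}")
```

A session that ends in "no-system-account" never reaches key or password checks, so the account has to exist as a shell user before any key-pair debugging is worthwhile.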

#8 Platoxia, 11th May 2012, 15:31

Thanks for the info, I'll study it some more.

All times are GMT +2.