sftp not working for userUser created by ISPConfig

[Platoxia]

As stated in the title...

However, it does work for system users. Here are the logs:

auth.log

Code:

May 10 20:41:50 server sshd[20877]: Set /proc/self/oom_score_adj to 0
May 10 20:41:50 server sshd[20877]: Connection from xx.xxx.xxx.xx port xxxxx
May 10 20:41:50 server sshd[20877]: Invalid user userUser from xx.xxx.xxx.xx
May 10 20:41:50 server sshd[20877]: input_userauth_request: invalid user userUser [preauth]
May 10 20:41:50 server sshd[20877]: Received disconnect from xx.xxx.xxx.xx: 14: No supported authentication methods available [preauth]
May 10 20:43:24 server sshd[20891]: Set /proc/self/oom_score_adj to 0
May 10 20:43:24 server sshd[20891]: Connection from xx.xxx.xxx.xx port xxxxx
May 10 20:43:25 server sshd[20891]: Found matching RSA key: *key*
May 10 20:43:25 server sshd[20891]: Postponed publickey for systemUser from xx.xxx.xxx.xx port xxxxx ssh2 [preauth]
May 10 20:43:25 server sshd[20891]: Found matching RSA key: *key*
May 10 20:43:25 server sshd[20891]: Accepted publickey for systemUser from xx.xxx.xxx.xx port xxxx ssh2
May 10 20:43:25 server sshd[20891]: pam_unix(sshd:session): session opened for user systemUser by (uid=0)
May 10 20:43:27 server sshd[20891]: User child is on pid 21074
May 10 20:43:27 server sshd[21074]: subsystem request for sftp by user systemUser

So I guess the question is whether this as a key pair issue or some other issue with the configuration files for ssh, pureftp, or something altogether different? I actually did make some config file changes following the security section of the ISPConfig 3 book...but those were just additions to the fail2ban config and if I remember correctly, pureFTPd was already in there.

[falko]

Are you referring to SFTP (which is based on SSH so you must create a shell user) or FTPS (which is based on FTP so you need an FTP user)?

[Platoxia]

Sorry if I wasn't clear. I am talking about sftp that logs in through ssh (trying to do key-based only setup). I tried to create a shell user with the same name through ISPConfig, i.e. "userUser" but it doesn't work out becuase it creates a seperate system user named "userUser" that is chroot/jailed in a directory with the same name. "web1" is the directory for the website where the ftp user is chroot/jailed when I log in through regular ftp and is also the owner of all website files for that website.

I'm baffled by this issue.

Too clarify some things in the auth.log. "userUser" is the ftp user created through ISPConfig which I tried to duplicate by creating a shell user in ISPConfig with the same name and password (ugly work around that didn't work) and "systemUser" is a regular user account on my server (which works just fine).

[till]

Better use ftps (which is FTP secured by TLS) as this works with a FTP user. sftp is no ftp, it is a extension of the ssh protocol and handled by the ssh daemon and not the ftp daemon. Thats often mixed up due to the similar names.

If you want to use sftp, then you have to disable the jail for the ssh user as sftp wont work with a jailed user. Disabling the jail is insecure and not recommended, so better use ftps as I suggested for secure file uploads.

[Platoxia]

Thanks guys, I actually did read up on sftp vs. ftps but didn't find anything about the sftp issue with a jailed environment.

I'll have to change my plans and see how ftps works out.

[Platoxia]

Sorry, one more question about this. Is it the case that jailing the sftp user won't work with openSSH as in this example due to not being able to "mount more than one folder/device/partition/netshare in a particular location" as explained at the end of this post?

I'm learning little by little, but I can see the problem if ISPConfig creates a site with two system users, one for the website and a seperate one for the ftp account; i.e. "web1" who is the owner of all website files and the ftp user "[CLIENTNAME]Username" who is also chrooted into that same directory.

Is this what is going on, or am I missing something?

[till]

No, thats not related. ISPConfig creates just one user for a website as a linux user is identified by its numeric uid and there is just one uid used. What you most likely refer to are the shell user aliases for the login credentials, they are all the same Linux user. Also there are no shell users creatd for ftp accounts, ftp accounts are virtual users that exist just in mysql which instruct the ftp daemon to map files to the user of the website.

The sftp server is just not part of the jail, so you cant sue sftp with a jailed user. If you wnat to use sftp with jailed accounts, then you have to reconfigure jailkit to add the sftp daemon part to the jail as well. Thats described in the jailkit docs as far as I know.

[Platoxia]

Thanks for the info, I'll study it some more.