Solved SFTP by PasswordAuthentication (failing) SSH by PubkeyAuthentication (still fine)

I'm trying to add a LAN-based IoT feature where a device can push data to a server, but the device doesn't support public key, though it does support SFTP user/pass authentication. I cannot seem to get the pass authentication working and while I can't modify the verbosity of the negotiation on the device, I can test from the command line and see that the SFTP negotiation keeps trying key authentication and for the life of me, I can't figure out why.

I relied on Thread logging-in-chroot-directory-for-sftp.52408 and a few other similar discussions to no avail. I'm sure it's something really dumb I'm just overlooking, probably something so basic that even step-by-step guides skip right over it. I'm hoping someone will say "you did remember to...?" and no, I will not have.

Like most configs (I think) I have a nologin user chrooted to an upload directory like so:
device:passhash:1004:9419::0:0:Camera SFTP Account:/sftp/chroot/home/device:/usr/sbin/nologin

The chroot directory path is long, but the path from / is permissioned as follows.

Code:
drwxr-xr-x   3 root wheel    3B Sep 19 18:44 sftp/
|_
  drwxr-xr-x   3 root wheel    3B Sep 19 18:44 chroot/
  |_
     drwxr-xr-x  3 root wheel    3B Sep 19 18:44 home/
     |_
        drwxr-xr-x  3 root wheel   10B Sep 19 18:57 device/
        |_
           drwxr-xr-x  2 device ftp            2B Sep 19 18:55 up/
(now that I write out the empty sub-directories, I feel silly for the structure, but that's for a later cleanup)

I am using openssh from ports, OpenSSH_9.8-hpn14v15 FreeBSD-openssh-portable-9.8.p1_1,1 pat OpenSSH*
I've tried a few variations in /usr/local/etc/ssh/sshd_config some of which are commented out for reading pleasure, none yielded a successful connect.

Code:
# override default of no subsystems
#Subsystem     sftp    /usr/libexec/sftp-server
#Subsystem     sftp     internal-sftp -l WARN -f AUTH
Subsystem     sftp     internal-sftp

# Match User device
Match Group ftp
    PubkeyAuthentication no
    PasswordAuthentication yes
    ChrootDirectory /sftp/chroot/home/%u/up
    AllowTCPForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PermitTTY no
    X11Forwarding no
    ForceCommand internal-sftp
#    ForceCommand internal-sftp -u 002 -f AUTH -l VERBOSE
#    ForceCommand internal-sftp -f AUTH -l WARN
Match all

Results from command line:
Code:
$ sftp -v -o PubkeyAuthentication=no device@de.st.ip.adr <<< 'put myCal.ics /'
OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/local-user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: hostname canonicalisation enabled, will re-parse configuration
debug1: re-parsing configuration
debug1: Reading configuration data /home/local-user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to de.st.ip.adr [de.st.ip.adr] port 22.
debug1: Connection established.
debug1: identity file /home/local-user/.ssh/id_rsa type -1
debug1: identity file /home/local-user/.ssh/id_rsa-cert type -1
debug1: identity file /home/local-user/.ssh/id_ecdsa type 2
debug1: identity file /home/local-user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/local-user/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/local-user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/local-user/.ssh/id_ed25519 type -1
debug1: identity file /home/local-user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/local-user/.ssh/id_ed25519_sk type -1
debug1: identity file /home/local-user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/local-user/.ssh/id_xmss type -1
debug1: identity file /home/local-user/.ssh/id_xmss-cert type -1
debug1: identity file /home/local-user/.ssh/id_dsa type 1
debug1: identity file /home/local-user/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.8-hpn14v15 FreeBSD-openssh-portable-9.8.p1_1,1
debug1: compat_banner: match: OpenSSH_9.8-hpn14v15 FreeBSD-openssh-portable-9.8.p1_1,1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to de.st.ip.adr:22 as 'device'
debug1: load_hostkeys: fopen /home/local-user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:6AwbgmoPjxb4o/TY7ZKAQrWj2Swl8B5qsbFm5vra7xs
debug1: load_hostkeys: fopen /home/local-user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'de.st.ip.adr' is known and matches the ED25519 host key.
debug1: Found key in /home/local-user/.ssh/known_hosts:96
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 3 keys
debug1: Skipping ssh-dss key /home/local-user/.ssh/id_dsa - corresponding algo not in PubkeyAcceptedAlgorithms
debug1: Will attempt key: /home/local-user/.ssh/id_ecdsa ECDSA SHA256:MKyLq9vefo/XiFeBAZU/c6wDYwUMdxgF2BxQWZGXHto agent
debug1: Will attempt key: local-user@$iku-20190921 ED25519 SHA256:AFTySo6fLLKzd4ah/m078XylDw0FIn1xnthvTpbhAyM agent
debug1: Will attempt key: /home/local-user/.ssh/id_rsa 
debug1: Will attempt key: /home/local-user/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/local-user/.ssh/id_ed25519 
debug1: Will attempt key: /home/local-user/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/local-user/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug1: kex_input_ext_info: ping@openssh.com (unrecognised)
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
device@de.st.ip.adr: Permission denied (publickey).
Connection closed.  
Connection closed

Results with filezilla (less verbose, but same)
Code:
Status:    Waiting to retry...
Status:    Connecting to de.st.ip.adr...
Response:    fzSftp started, protocol_version=11
Command:    open "device@de.st.ip.adr" 22
Status:    Using username "device". 
Error:    FATAL ERROR: Remote side sent disconnect message
Error:    type 2 (protocol error):
Error:    "Too many authentication failures"
Error:    Could not connect to server
why u no use PasswordAuthentication?
 
Thank you, covacat !

Code:
Match Group ftp
    PubkeyAuthentication no
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
    ChrootDirectory /sftp/chroot/home/%u/up
    AllowTCPForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PermitTTY no
    X11Forwarding no
    ForceCommand internal-sftp
#    ForceCommand internal-sftp -u 002 -f AUTH -l VERBOSE
#    ForceCommand internal-sftp -f AUTH -l WARN
Match all

I did, but deleted the config, so I restored KbdInteractiveAuthentication yes and restarted the service; no change, alas.
 
Are you able to check if the client can ssh into the server with a password - to verify that this issue is related to sftp config and rule out:
- Client defined config that overrides password auth
- General sshd config that is not shown outside of the sftp block that you pasted?

- Is the "device" user enabled, and does it have a password set?
 
As for device, I created the user with the usual adduser -v and verified with vipw, which emitted the user config as expected. Seems right to me; it is a nologin user, so I didn't expect to be able to log in.

device:passwordhash:0:0:Camera SFTP Account:/sftp/chroot/home/device:/usr/sbin/nologin

I used the Banner directive to validate Match Group; below is a 3-way pseudo-diff of the verbose output from the client for unsuccessful ssh and sftp connections for device and a successful sftp for gessel.

Code:
$ ssh -v device@ip.ad.re.ss
debug1: Authenticating to ip.ad.re.ss:22 as 'device'
chrootin' tootin' times
Received disconnect from ip.ad.re.ss port 22:2: Too many authentication failures
Disconnected from ip.ad.re.ss port 22

Code:
$ sftp -v device@ip.ad.re.ss
debug1: Authenticating to ip.ad.re.ss:22 as 'device'
chrootin' tootin' times!
Received disconnect from ip.ad.re.ss port 22:2: Too many authentication failures
Disconnected from ip.ad.re.ss port 22
Connection closed.
Connection closed

Code:
$ sftp -v gessel@ip.ad.re.ss
debug1: Authenticating to ip.ad.re.ss:22 as 'gessel'
Unauthorized access prohibited by law.
debug1: Server accepts key: gessel@$iku-20190921 ED25519 SHA256:AFTySo6fLLKzd4ah/m078XylDw0FIn1xnthvTpbhAyM agent
Authenticated to ip.ad.re.ss ([ip.ad.re.ss]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /home/gessel/.ssh/known_hosts for 23.114.97.246 / (none)
debug1: client_input_hostkeys: searching /home/gessel/.ssh/known_hosts2 for 23.114.97.246 / (none)
debug1: client_input_hostkeys: hostkeys file /home/gessel/.ssh/known_hosts2 does not exist
debug1: client_input_hostkeys: host key found matching a different name/address, skipping UserKnownHostsFile update
debug1: Remote: /home/gessel/.ssh/authorized_keys:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/gessel/.ssh/authorized_keys:2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: channel 0: setting env LANG = "en_US.utf8"
debug1: channel 0: setting env LC_TIME = "root.UTF-8"
debug1: channel 0: setting env LC_ALL = "en_US.UTF-8"
debug1: Sending subsystem: sftp
debug1: Using server download size 261120
debug1: Using server upload size 261120
debug1: Server handle limit 5657350; using 64
Connected to ip.ad.re.ss.
sftp>

The full text of sshd_config (comments removed)
Code:
ListenAddress ip.add.rs.in
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
LoginGraceTime 5m
PermitRootLogin no
Banner /usr/local/etc/ssh/ssh_banner.txt
StrictModes yes
MaxAuthTries 2
MaxSessions 20
AuthenticationMethods publickey
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
UsePAM no
X11Forwarding no
PrintMotd yes
TCPKeepAlive yes
PermitTunnel yes
Subsystem     sftp     internal-sftp
AcceptEnv LANG
AcceptEnv LANG LC_* 
Match Group ftp
    Banner /usr/local/etc/ssh/chroot_banner.txt
    PubkeyAuthentication no
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
    ChrootDirectory /sftp/chroot/home/%u/up
    AllowTCPForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PermitTTY no
    X11Forwarding no
    ForceCommand internal-sftp
Match all
 
I'll try turning it on at the global level for sure, but .... that would be unexpected. I am not remotely an expert, obviously, but googling around I did find this thread that claims confidently it should work inside a Match directive, while ChallengeResponseAuthentication from v1 did not.

Modifying
Code:
--- KbdInteractiveAuthentication no
+++ KbdInteractiveAuthentication yes
yielded the same result.
 
Your AuthenticationMethods option is only allowing publickey, so that’s all that will work. This is also visible in the log:

debug1: Authentications that can continue: publickey

Add to your match block:
Code:
AuthenticationMethods password

Also note that anything added after “Match all” (currently blank) will override “default” options earlier in the file, even though you may be expecting first-match-wins. There is no “closing” a match group to get back to “not-in-a-match” processing.

Also look at sshd -T -C group=ftp to see the effective configuration for group=ftp users.
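The two configuration mistakes this reply points at (a Match block that cannot override a global AuthenticationMethods it does not mention, and directives that silently land inside a trailing Match block) are easy to lint for before restarting sshd. The script below is an added example written for this page, not something posted in the thread or shipped with OpenSSH; it assumes OpenSSH 9.x sshd_config(5) semantics, and the list of Match-permitted keywords it carries should be re-checked against the sshd_config(5) of whatever version you run.

```shell
#!/bin/sh
# Added example (not from the thread): lint an sshd_config for Match-block mistakes.
# Assumes OpenSSH 9.x sshd_config(5); the keyword list below is from that man page.
#
# lint_sshd_match FILE  prints one line per finding and nothing when clean:
#  1. a keyword after the first "Match" that sshd does not permit inside a Match
#     block (sshd refuses the config: "Directive 'X' is not allowed within a
#     Match block"); UsePAM in the thread is an example and has to stay global;
#  2. a Match block with "PasswordAuthentication yes" while a global
#     "AuthenticationMethods" without "password" still applies, i.e. the
#     thread's "Permission denied (publickey)" even though the block looks right;
#  3. directives placed after a trailing "Match all", which override the global
#     value for every connection instead of "closing" the block.
lint_sshd_match() {
    awk '
    BEGIN {
        list = "acceptenv allowagentforwarding allowgroups allowstreamlocalforwarding"
        list = list " allowtcpforwarding allowusers authenticationmethods authorizedkeyscommand"
        list = list " authorizedkeyscommanduser authorizedkeysfile authorizedprincipalscommand"
        list = list " authorizedprincipalscommanduser authorizedprincipalsfile banner"
        list = list " casignaturealgorithms channeltimeout chrootdirectory clientalivecountmax"
        list = list " clientaliveinterval denygroups denyusers disableforwarding exposeauthinfo"
        list = list " forcecommand gatewayports gssapiauthentication hostbasedacceptedalgorithms"
        list = list " hostbasedauthentication hostbasedusesnamefrompacketonly ignorerhosts include"
        list = list " ipqos kbdinteractiveauthentication kerberosauthentication loglevel"
        list = list " maxauthtries maxsessions passwordauthentication permitemptypasswords"
        list = list " permitlisten permitopen permitrootlogin permittty permittunnel permituserrc"
        list = list " pubkeyacceptedalgorithms pubkeyauthentication pubkeyauthoptions rekeylimit"
        list = list " revokedkeys rdomain setenv streamlocalbindmask streamlocalbindunlink"
        list = list " trustedusercakeys unusedconnectiontimeout x11displayoffset x11forwarding"
        list = list " x11uselocalhost"
        n = split(list, kws, " ")
        for (i = 1; i <= n; i++) allowed[kws[i]] = 1
    }
    # Called when a Match block ends: report a password block that never
    # overrides a global AuthenticationMethods lacking "password".
    function finish_block() {
        if (in_match && has_pw && !has_am && global_am != "" && global_am !~ /password/) {
            msg = "Match block sets PasswordAuthentication yes but global AuthenticationMethods"
            printf("%s:%d: %s \"%s\" still applies; add AuthenticationMethods password to the block\n",
                   FILENAME, block_line, msg, global_am)
        }
    }
    {
        sub(/#.*/, "", $0)                 # strip comments; assigning $0 re-splits fields
        if (NF == 0) next
        kw = tolower($1)
        if (kw == "match") {
            finish_block()
            in_match = 1; block_line = NR; has_pw = 0; has_am = 0
            trailing_all = (NF == 2 && tolower($2) == "all")
            next
        }
        if (!in_match) {                   # still in the global section
            if (kw == "authenticationmethods") {
                global_am = $2
                for (i = 3; i <= NF; i++) global_am = global_am " " $i
            }
            next
        }
        if (!(kw in allowed))
            printf("%s:%d: %s is not allowed inside a Match block; sshd will refuse to start\n", FILENAME, NR, $1)
        else if (trailing_all)
            printf("%s:%d: %s after \"Match all\" overrides the global value for every connection\n", FILENAME, NR, $1)
        if (kw == "passwordauthentication" && tolower($2) == "yes") has_pw = 1
        if (kw == "authenticationmethods") has_am = 1
    }
    END { finish_block() }
    ' "$1"
}

# Usage: lint_sshd_match /usr/local/etc/ssh/sshd_config
```

Run it on the config before `sshd -t`; finding 2 is the one `sshd -t` will never report, because the file is syntactically valid and sshd simply keeps offering only publickey to the matched user.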
 
I enabled at the non-match part of the config
UsePAM yes
And modified the match to read:
Code:
Match Group ftp
    Banner /usr/local/etc/ssh/chroot_banner.txt
    PubkeyAuthentication no
    PasswordAuthentication yes
    AuthenticationMethods password
    KbdInteractiveAuthentication yes
    ChrootDirectory /sftp/chroot/home/%u/up 
    AllowTCPForwarding no
    AllowAgentForwarding no   
    PermitTunnel no
    PermitTTY no
    X11Forwarding no
    ForceCommand internal-sftp
#    ForceCommand internal-sftp -u 002 -f AUTH -l VERBOSE
#    ForceCommand internal-sftp -f AUTH -l WARN
Match all

Thanks for the sshd -T -C method; though group match seems to fail, user match to "device" does show in this diff-like view that some match block settings are being taken but some aren't. The match block is at the very end of the file and is overriding, for example, Banner, but does not seem to be setting PasswordAuthentication:

Code:
# /usr/local/sbin/sshd -T -C user=device
port 22
addressfamily any
listenaddress int.ip.ad.rs:22
usepam yes
pamservicename sshd
logingracetime 300
x11displayoffset 10
maxauthtries 2
maxsessions 20
clientaliveinterval 0
clientalivecountmax 3
requiredrsasize 1024
streamlocalbindmask 0177
unusedconnectiontimeout none
permitrootlogin no
ignorerhosts yes
ignoreuserknownhosts no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
printmotd yes
x11forwarding no
x11uselocalhost yes
permittty no
permituserrc yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
compression yes
gatewayports no
usedns no
allowtcpforwarding no
allowagentforwarding no
disableforwarding no
allowstreamlocalforwarding yes
streamlocalbindunlink no
fingerprinthash SHA256
exposeauthinfo no
pidfile /var/run/sshd.pid
modulifile /usr/local/etc/ssh/moduli
xauthlocation /usr/local/bin/xauth
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
banner /usr/local/etc/ssh/chroot_banner.txt
forcecommand internal-sftp
chrootdirectory /sftp/chroot/home/%u/up
trustedusercakeys none
revokedkeys none
securitykeyprovider internal
authorizedprincipalsfile none
versionaddendum FreeBSD-openssh-portable-9.8.p1_1,1
authorizedkeyscommand none
authorizedkeyscommanduser none
authorizedprincipalscommand none
authorizedprincipalscommanduser none
hostkeyagent none
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,diffie-hellman-group16-sha512
casignaturealgorithms ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
hostbasedacceptedalgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
hostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp521
pubkeyacceptedalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
sshdsessionpath /usr/local/libexec/sshd-session
persourcepenaltyexemptlist none
loglevel INFO
syslogfacility AUTH
authorizedkeysfile .ssh/authorized_keys
hostkey /usr/local/etc/ssh/ssh_host_rsa_key
hostkey /usr/local/etc/ssh/ssh_host_ecdsa_key
hostkey /usr/local/etc/ssh/ssh_host_ed25519_key
acceptenv LANG
acceptenv LANG
acceptenv LC_*
authenticationmethods publickey
channeltimeout none
subsystem sftp internal-sftp
maxstartups 10:30:100
persourcemaxstartups none
persourcenetblocksize 32:128
permittunnel yes
ipqos af21 cs1
rekeylimit 0 0
permitopen any
permitlisten any
permituserenvironment no
pubkeyauthoptions none
persourcepenalties crash:90 authfail:5 noauth:1 grace-exceeded:20 max:600 min:15 max-sources4:65536 max-sources6:65536 overflow:permissive overflow6:permissive

Code:
# /usr/local/sbin/sshd -T -C user=gessel   (identical to user=device except for these lines)
permittty yes
allowtcpforwarding yes
allowagentforwarding yes
banner /usr/local/etc/ssh/ssh_banner.txt
forcecommand none
chrootdirectory none
 
I did something dumb, but thanks for the correct direction with the match group. I'm migrating servers and allowed root login from the LAN, a match block I omitted from pasting into the interwebs as it seemed a bit of a risk to share that it was enabled.

That the match block does not close was the hint needed to move all match blocks to the end of the file. I'm sure if I hadn't been so dumb as to omit that detail, y'all would have seen that it was causing problems right away. My bad, sorry about that.

There's one last detail though: I can now connect with password (I'll incrementally tighten up the other fixes and check), but the chroot directory permission structure is wrong, and I think I set it as advised.

Code:
drwxr-xr-x   3 root wheel    3B Sep 19 18:44 sftp/
|_
  drwxr-xr-x   3 root wheel    3B Sep 19 18:44 chroot/
  |_
     drwxr-xr-x  3 root wheel    3B Sep 19 18:44 home/
     |_
        drwxr-xr-x  3 root wheel   10B Sep 19 18:57 device/
        |_
           drwxr-xr-x  2 device ftp            2B Sep 19 18:55 up/

But I'm seeing in the connection debug1: Exit status -1
and in the logs
fatal: bad ownership or modes for chroot directory "/sftp/chroot/home/device/up"
 
Got it working, thanks to everyone. Some lessons I learned:

In sshd_config, Match blocks don't really terminate neatly, even with Match all trailing the block, so make sure all match blocks are at the end of the config file; otherwise some directives will be accepted and possibly override previous directives while others may not. The mix can be confusing (to some of us, at least me).

The permissions structure for chrooted directories is that the home directory of the chrooted, no-login user has to be owned by root:wheel with 755 permissions; otherwise it will fail with "bad ownership or modes". You cannot upload to the chrooted directory as the chrooted user; you should create an upload directory with the necessary permissions as a subdirectory under the chrooted directory and configure appliances, or navigate, to push uploads to that subdirectory. This may not work for all appliances, which might, for example, not support directory traversal.

The basic model can be extended to multiple SFTP users, each with their own chrooted subdirectory.

A reasonable file structure that seems to work, tested via sftp from the command line, ftp/filezilla, and remote appliances (in my case a webcam), is:

Code:
/
|_
   drwxr-xr-x   3 root wheel    3B Sep 19 18:44 sftp/ 
   |_
      drwxr-xr-x   3 root wheel    3B Sep 19 18:44 sftp-user/
      |_
         drwxrwxr-x   4 root        ftp            5B Sep 21 15:45 up/

sftp-user should look in vipw like
sftp-user:$(passwordhash):1004:9419::0:0:SFTP Account:/sftp/sftp-user:/usr/sbin/nologin
and in /etc/group
ftp:*:14:sftp-user

An sshd_config that seems to work needs an sftp stanza for password authentication (needed for a lot of appliances that don't have public key capabilities).

Code:
Subsystem     sftp     internal-sftp

Match Group ftp
    Banner /usr/local/etc/ssh/chroot_banner.txt
    PasswordAuthentication yes 
    AuthenticationMethods password
    KbdInteractiveAuthentication yes
    ChrootDirectory /sftp/%u
    PermitRootLogin no
    AllowTCPForwarding no
    AllowAgentForwarding no
    PermitTunnel no
    PermitTTY no
    X11Forwarding no
    ForceCommand internal-sftp   
Match all

I find using a match group specific banner helps debug match connections. You can also validate the SSH configuration with, for example, if using security/openssh, /usr/local/sbin/sshd -T -C user=device or, if using ssh from base, sshd -T -C user=device.

FreeBSD's sshd extended test mode is invoked with -T, and -C specifies a connection spec (I used user). Other useful connection spec keywords are "addr" and "host", which correspond to the source address and the resolved source host name.
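The "bad ownership or modes" rule in the lessons above is mechanical: sshd's safe_path() check walks from / down to the ChrootDirectory and requires every directory on the way to be root-owned and not writable by group or others, which is why the writable upload directory has to live inside the chroot rather than be the chroot. The script below is an added example for this page, not code from the thread or from OpenSSH; it re-implements that walk in plain sh so a broken chain can be located before a login fails, and builds the final layout the post settled on. The BASE argument to check_chroot_chain is this example's own addition (sshd always starts at /) so the walk can be exercised on an unprivileged temporary tree; "wheel" as root's group is a FreeBSD assumption.

```shell
#!/bin/sh
# Added example (not from the thread): check a ChrootDirectory chain the way
# sshd does, and build the layout from the post above. Assumes FreeBSD
# conventions (root's group is "wheel"); the check itself is portable.

# check_component DIR OWNER: return 0 if DIR is a directory owned by OWNER with
# no group/other write bit; otherwise print the reason and return 1.
# Parses `ls -ldL` (same first three fields on FreeBSD and Linux) because the
# stat(1) option syntax differs between the two.
check_component() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    set -- $(ls -ldL "$dir")              # e.g. drwxr-xr-x  3 root wheel ...
    mode=$1; got_owner=$3
    if [ "$got_owner" != "$owner" ]; then
        echo "$dir: owned by $got_owner, must be $owner"; return 1
    fi
    case "$(printf %s "$mode" | cut -c6)" in
        w) echo "$dir: group-writable ($mode)"; return 1 ;;
    esac
    case "$(printf %s "$mode" | cut -c9)" in
        w) echo "$dir: world-writable ($mode)"; return 1 ;;
    esac
    return 0
}

# check_chroot_chain BASE TARGET [OWNER]: apply check_component to BASE and to
# every directory from BASE down to TARGET. For a real server call it as
#   check_chroot_chain / /sftp/device root
# which is exactly the set of directories sshd inspects before chroot(2).
check_chroot_chain() {
    base=$1; target=$2; owner=${3:-root}
    rel=${target#"$base"}                 # part of TARGET below BASE
    cur=${base%/}                         # "" when BASE is /
    check_component "${cur:-/}" "$owner" || return 1
    old_ifs=$IFS; IFS=/; set -- $rel; IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur=$cur/$comp
        check_component "$cur" "$owner" || return 1
    done
    return 0
}

# mk_sftp_chroot USER [GROUP]: build the post's final layout (run as root):
#   /sftp/USER      root:wheel 0755   <- ChrootDirectory /sftp/%u
#   /sftp/USER/up   root:GROUP 0775   <- the only directory USER can write to
# and verify the chain afterwards.
mk_sftp_chroot() {
    user=$1; grp=${2:-ftp}
    install -d -o root -g wheel -m 0755 /sftp "/sftp/$user" || return 1
    install -d -o root -g "$grp" -m 0775 "/sftp/$user/up" || return 1
    check_chroot_chain / "/sftp/$user" root
}

# Usage on the server:  mk_sftp_chroot sftp-user ftp
# Diagnosing an existing tree: check_chroot_chain / /sftp/chroot/home/device/up root
```

Running the check against the tree from the earlier post (ChrootDirectory /sftp/chroot/home/%u/up) reports the up/ directory as owned by device, which is the same fact sshd logs as "bad ownership or modes for chroot directory"; running it against the final layout (ChrootDirectory /sftp/%u) passes, because the group-writable up/ is below the chroot and never inspected.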
 