sftp - can't figure it out!

Karl Auer kauer at biplane.com.au
Thu Aug 23 16:51:29 UTC 2018


I am baffled.

On an sftp server that I am setting up, the following is true:

I have a group "sftp_users".

I have a user "fred" whose primary group is "sftp_users". fred's shell
is /sbin/nologin.fred's home directory is /upload (the user will be
chrooted, see below).

In /etc/sshd_config I have these lines:

Subsystem sftp internal-sftp
Match Group sftp_users
   ChrootDirectory /mnt/efs/sftp/%u
   ForceCommand internal-sftp

Also, password authentication is disabled.

I have a directory /mnt/efs/sftp/fred. In that directory are two
subdirectories .ssh and upload. Both are owned by fred:sftp_users. Both
have permissions 655. I tried 700 on .ssh, made no difference.

.ssh contains a file "authorized_keys" with the public part of a newly
minted ssh key pair in it. The file has permissions 644.

On my own PC, as the user kauer, I have the private part of the key
pair in my .ssh directory, permissions 600, called "fred" (the contents
of "fred.pub" are in authorized_keys on the sftp server).

This command, executed as user kauer on my PC, fails to connect, saying
"Permission denied (publickey).":

   sftp -i /home/kauer/.ssh/fred fred at sftpserver

/var/log/secure on the sftp server just shows an entry like "Connection
closed by 1.2.3.4 port 41020 [preauth]". That IP address is mine on the
client system.

Running sftp with debug turned up on the client shows it "Offering RSA
public key: /home/kauer/.ssh/fred" which is odd as that file is not a
public key. It then runs through the other keys in my .ssh directory,
before finally saying "permission denied".

Anyway, any ideas welcome, as I am completely baffled at this point. I
think it should work :-) but it clearly doesn't.

Regards, K

PS: The directory tree I am using:

[root at wherever fred]# ls -laR /mnt
/mnt:
total 12
drwxr-xr-x  3 root root 4096 Aug 23 11:16 .
dr-xr-xr-x 25 root root 4096 Aug 23 12:01 ..
drwxr-xr-x  3 root root 6144 Aug 23 16:39 efs

/mnt/efs:
total 12
drwxr-xr-x 3 root root 6144 Aug 23 16:39 .
drwxr-xr-x 3 root root 4096 Aug 23 11:16 ..
drwxr-xr-x 3 root root 6144 Aug 23 11:28 sftp

/mnt/efs/sftp:
total 12
drwxr-xr-x 3 root root       6144 Aug 23 11:28 .
drwxr-xr-x 3 root root       6144 Aug 23 16:39 ..
drwxr-xr-x 4 root sftp_users 6144 Aug 23 16:01 fred

/mnt/efs/sftp/fred:
total 16
drwxr-xr-x 4 root   sftp_users 6144 Aug 23 16:01 .
drwxr-xr-x 3 root   root       6144 Aug 23 11:28 ..
drwx------ 2 fred   sftp_users 6144 Aug 23 15:42 .ssh
drwxr-xr-x 2 fred   sftp_users 6144 Aug 23 15:23 upload

/mnt/efs/sftp/fred/.ssh:
total 12
drwx------ 2 fred   sftp_users 6144 Aug 23 15:42 .
drwxr-xr-x 4 root   sftp_users 6144 Aug 23 16:01 ..
-rw-r--r-- 1 fred   sftp_users  388 Aug 23 15:42 authorized_keys

/mnt/efs/sftp/fred/upload:
total 8
drwxr-xr-x 2 fred   sftp_users 6144 Aug 23 15:23 .
drwxr-xr-x 4 root   sftp_users 6144 Aug 23 16:01 ..


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75
Old fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A





More information about the ubuntu-users mailing list