Public key authorization on sftp chroot directory - linux

I want to add public key authorization to my sftp chroot directory but I always get:
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/test/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
Couldn't read packet: Connection reset by peer
Chroot works because authorization with password is possible.
I have another account on this host without chroot and it works with this key.
I tried many times, but still it doesn't work.
On the server, in auth.log, there is only:
Connection closed by xxx [preauth]
This is my directory:
ls -laR /sftp/
/sftp/:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:55 .
drwxr-xr-x 23 root root 4096 May 3 14:46 ..
drwxr-xr-x 3 root root 4096 May 3 16:45 backup
/sftp/backup:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:45 .
drwxr-xr-x 3 root root 4096 May 3 16:55 ..
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 incoming
/sftp/backup/incoming:
total 12
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 .
drwxr-xr-x 3 root root 4096 May 3 16:45 ..
drwx------ 2 backup sftpusers 4096 May 3 21:06 .ssh
/sftp/backup/incoming/.ssh:
total 12
drwx------ 2 backup sftpusers 4096 May 3 21:06 .
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 ..
-rw------- 1 backup sftpusers 391 May 3 21:06 authorized_keys
My user:
backup:x:1002:1003::/incoming:/usr/sbin/nologin
My ssh config:
Match Group sftpusers
ChrootDirectory /sftp/%u
AuthorizedKeysFile /sftp/backup/incoming/.ssh/authorized_keys
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Please help.

I attempted this solution (putting AuthorizedKeysFile into the Match block) and sshd -T complains:
/etc/ssh/sshd_config line 153: Directive 'AuthorizedKeysFile' is not allowed within a Match block
(RHEL 6.6, openssh 5.3p1-104)
SOLUTION: The authorized_keys file (and the user's .ssh directory) must exist in the home directory location defined by /etc/passwd, outside of the chroot directory.
For example (using the OP usernames/uids):
/etc/passwd:
backup:x:1002:1003::/home/backup:/sbin/nologin
Create directory /home/backup, owned by root
Create directory /home/backup/.ssh, change ownership to backup, chmod 700 /home/backup/.ssh
Copy the authorized_keys file to /home/backup/.ssh, chmod 400 authorized_keys
ls -laR /home
/home:
total 12
drwxr-xr-x 3 root root 4096 Jul 9 12:25 .
drwxr-xr-x 3 root root 4096 Sep 22 2014 ..
drwxr-xr-x 3 root root 4096 Jul 9 12:25 backup
/home/backup:
total 12
drwxr-xr-x 3 root root 4096 Jul 9 12:25 .
drwxr-xr-x 3 root root 4096 Jul 9 12:25 ..
drwx------ 3 backup sftpusers 4096 Jul 9 12:28 .ssh
/home/backup/.ssh:
total 12
drwx------ 3 backup sftpusers 4096 Jul 9 12:28 .
drwxr-xr-x 3 root root 4096 Jul 9 12:25 ..
-r-------- 3 backup sftpusers 391 Jul 9 12:29 authorized_keys
/etc/ssh/sshd_config becomes:
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
The chroot directory structure is then:
ls -laR /sftp/
/sftp/:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:55 .
drwxr-xr-x 23 root root 4096 May 3 14:46 ..
drwxr-xr-x 3 root root 4096 May 3 16:45 backup
/sftp/backup:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:45 .
drwxr-xr-x 3 root root 4096 May 3 16:55 ..
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 incoming
drwxr-xr-x 3 root root 4096 May 3 16:55 home
/sftp/backup/incoming:
total 12
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 .
drwxr-xr-x 3 root root 4096 May 3 16:45 ..
/sftp/backup/home:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:55 .
drwxr-xr-x 3 root root 4096 May 3 16:45 ..
drwx------ 2 backup sftpusers 4096 May 3 21:06 backup
/sftp/backup/home/backup:
total 12
drwx------ 3 backup sftpusers 4096 May 3 21:06 .
drwxr-xr-x 3 root root 4096 May 3 16:55 ..
Note: /sftp/backup/home/backup is empty, it's only there to provide a path that will look like the non-chroot /home/backup -- the .ssh directory is /home/backup/.ssh not /sftp/backup/home/backup/.ssh

Problem resolved.
I have changed it:
AuthorizedKeysFile /sftp/backup/incoming/.ssh/authorized_keys
to:
AuthorizedKeysFile /sftp/%u/.ssh/authorized_keys

Stephen Buchanan's answer (which works around RHEL6's inability to set AuthorizedKeys in a Match block) splits keys into /home and contents into /sftp, but it is possible to keep everything together under /home instead.
You do this by creating the user's chroot under their home directory. For example, in sshd_config, set the chroot to /home/<user>/sftp:
Match Group sftphome
ChrootDirectory /home/%u/sftp
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
As before, ensure /home/<user> is owned by root and place .ssh keys in /home/<user>/.ssh such that the user has read permissions. Now create /home/<user>/sftp/home/<user>, with all directories owned by root except for the last <user>, which should be owned by the user. Finally, ensure the user's home directory is /home/<user> in /etc/passwd.
Now when the user logs in, the ssh key is looked up in /home/<user>/.ssh as per /etc/passwd, a chroot is done into /home/<user>/sftp, and then a cd is done into /home/<user> inside the chroot. In other words, the user's remote working directory will appear as /home/<user>.
You can optionally bind mount directories under /home/<user>/sftp/home/<user>, or anywhere under /home/<user>/sftp (which is / from the user's point of view).
It's possible to omit the sftp/ directory, create /home/<user>/home/<user> and chroot into /home/<user>, but this can be confusing as the .ssh directory and any other files will show up for the user in their /. The sftp/ directory keeps things clean.
Note: In practice, if a user's home directory is missing, sftp will normally just cd into /. You could abuse this property by not creating /home/<user> inside the chroot, so the user starts in / instead of /home/<user>. This is a bit fragile, but could come in handy.

You need to add AuthorizedKeysFile /sftp/%u/.ssh/authorized_keys in your /etc/ssh/sshd_config file. It is better if you add it in the Match block.

Related

Directory given in a variable never gets reached

There are two variables in my .gitlab-ci.yml file, both of them are used in the same script line:
variables:
TEST_SERVER: 10.11.12.13
BUILD_DIR: "/var/www/distrib"
[...]
script:
- ssh skipper@$TEST_SERVER 'ls -la $BUILD_DIR'
The server IP gets picked up correctly, but the directory never gets reached (and it exists, of course). The directory contents listed below are obviously the user's home dir contents:
$ ssh skipper@$TEST_SERVER 'ls -la $BUILD_DIR'
Warning: Permanently added '10.11.12.13' (ECDSA) to the list of known hosts.
total 48
drwxr-xr-x 5 skipper skipper 4096 Mar 12 12:03 .
drwxr-xr-x 16 root root 4096 Mar 11 09:29 ..
-rw------- 1 skipper skipper 2056 Mar 18 09:43 .bash_history
-rw-r--r-- 1 skipper skipper 220 Mar 11 09:29 .bash_logout
-rw-r--r-- 1 skipper skipper 3771 Mar 11 09:29 .bashrc
drwx------ 2 skipper skipper 4096 Mar 11 11:38 .cache
drwx------ 3 skipper skipper 4096 Mar 11 11:38 .gnupg
-rw-r--r-- 1 skipper skipper 807 Mar 11 09:29 .profile
drwx------ 2 skipper root 4096 Mar 11 11:30 .ssh
-rw------- 1 skipper skipper 9800 Mar 12 12:03 .viminfo
I tried defining the directory variable with or without quotation marks, then calling it with double dollar sign ($$BUILD_DIR), but none of these attempts worked.
Any ideas what is wrong here?
I think the single quotes might be messing with the script section somewhat, as everything inside the single quotes is preserved literally.
Using double quotes round the ls should resolve the issue.
ssh skipper@$TEST_SERVER "ls -la $BUILD_DIR"
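What each quoting style delivers to the remote shell, as an added example that is not part of the question or answer: /bin/sh -c stands in for the remote login shell (which does not know the runner's BUILD_DIR) and printf '<%s>' stands in for ls -la so that argument splitting is visible; shell_quote is a helper added here, not a GitLab feature.

```shell
#!/bin/sh
# Simulate what sshd's remote shell receives for the three quoting styles.

# Run a command string the way the remote side would: in a shell that has
# none of the runner's variables.
remote_exec() { (unset BUILD_DIR; /bin/sh -c "$1"); }

# Wrap $1 in single quotes for a POSIX shell, turning each ' into '\''.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# 1. Single quotes (the question): $BUILD_DIR travels verbatim and the remote
#    shell expands it to nothing, so printf (like ls -la) gets no argument.
cmd_single() { BUILD_DIR=$1; remote_exec 'printf "<%s>" $BUILD_DIR'; }

# 2. Double quotes (the answer): the runner substitutes the value before ssh
#    sends it, but the remote shell still word-splits and globs the result.
cmd_double() { BUILD_DIR=$1; remote_exec "printf '<%s>' $BUILD_DIR"; }

# 3. Double quotes plus explicit quoting: the value reaches the remote shell
#    as exactly one word even when it contains spaces or quotes.
cmd_quoted() { BUILD_DIR=$1; remote_exec "printf '<%s>' $(shell_quote "$BUILD_DIR")"; }
```

cmd_double is enough for a plain path like /var/www/distrib; cmd_quoted is the form to use when the variable comes from outside the pipeline definition.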

Tomcat installed folder access is denied on Linux

Please find below the set of commands and outputs:
[ec2-user@ip-172-31-38-218 opt]$ ls -al
total 9416
drwxr-xr-x 3 root root 4096 Nov 7 13:52 .
dr-xr-xr-x 25 root root 4096 Nov 7 13:16 ..
-rw-r--r-- 1 root root 9625824 Sep 4 22:52 apache-tomcat-8.5.34.tar.gz
drwxr-xr-x 5 root root 4096 Aug 11 01:26 aws
[ec2-user@ip-172-31-38-218 opt]$ sudo groupadd tomcatgrp
[ec2-user@ip-172-31-38-218 opt]$ sudo useradd -s /bin/false -g tomcatgrp -d /opt/tomcatfolder tomcatuser
[ec2-user@ip-172-31-38-218 opt]$ ls -al
total 9420
drwxr-xr-x 4 root root 4096 Nov 7 13:53 .
dr-xr-xr-x 25 root root 4096 Nov 7 13:16 ..
-rw-r--r-- 1 root root 9625824 Sep 4 22:52 apache-tomcat-8.5.34.tar.gz
drwxr-xr-x 5 root root 4096 Aug 11 01:26 aws
drwx------ 2 tomcatuser tomcatgrp 4096 Nov 7 13:53 tomcatfolder
Now, when I run the command I get Permission denied as follows:
[ec2-user@ip-172-31-38-218 opt]$ cd /opt/tomcatfolder/
-bash: cd: /opt/tomcatfolder/: Permission denied
Can you please help in resolving the above issue?
I followed instructions of installing Tomcat from this link how-to-install-apache-tomcat-8-on-centos-7
It seems you are the ec2-user, but the directory is owned by tomcatuser and the permissions on the directory do not allow other users or groups to read it.
Try sudo chmod 755 /opt/tomcatfolder/ and then cd into it.
That will add read and execute permissions to the directory.

Touch command: permission denied

I was able to connect to my school server via SSH. I had an assignment in which I was supposed to use the touch command to create a new file. Yet it keeps returning permission denied. Others were able to do the same thing. So why do I keep getting this error?
Below is the input from the terminal.
Last login: Tue Aug 23 09:16:18 on ttys000
Dominiks-Air:~ fsociety95$ ssh djaneka1@navajo.dtcc.edu
djaneka1@navajo.dtcc.edu's password:
Last login: Tue Aug 23 09:16:35 2016 from pool-72-94-210-193.phlapa.fios.verizon.net
Navajo is Linux shell server provided to staff, faculty, and students. The
operating system is RedHat Enterprise Linux 5.
Alpine, a Pine replacement, has been provided as a mail client. Run "pine"
at the command prompt.
This server also provides web space to users. Web pages can be stored in
the ~/www directory. This is also accessible by mapping a drive in Windows
to \navajo\homepage. The URL for your homepage is
http://user.dtcc.edu/~username/.
Your home directory is also accessible in Windows by mapping to
\navajo\.
If something appears broken or missing, please email path@dtcc.edu.
Could not chdir to home directory /u/d/j/djaneka1: No such file or directory
-bash-3.2$ touch today
touch: cannot touch `today': Permission denied
-bash-3.2$ pwd
/
-bash-3.2$ touch today
touch: cannot touch `today': Permission denied
-bash-3.2$
Edit: here is the result of ls -al
-bash-3.2$ ls -al
total 204
drwxr-xr-x 25 root root 4096 Aug 22 16:50 .
drwxr-xr-x 25 root root 4096 Aug 22 16:50 ..
-rw-r--r-- 1 root root 0 Aug 3 14:01 .autofsck
-rw-r--r-- 1 root root 0 Jan 30 2009 .autorelabel
-rw------- 1 root root 2050 Aug 3 14:00 .bash_history
drwxr-xr-x 2 root root 4096 May 4 04:14 bin
drwxr-xr-x 4 root root 3072 Aug 3 13:57 boot
drwxr-xr-x 11 root root 4060 Aug 3 14:02 dev
drwxr-xr-x 87 root root 12288 Aug 23 10:05 etc
drwxr-xr-x 3 root root 4096 Oct 1 2009 home
drwxr-xr-x 13 root root 12288 Jun 1 04:09 lib
drwx------ 2 root root 16384 Mar 24 2008 lost+found
drwxr-xr-x 3 root root 4096 Oct 1 2009 media
drwxr-xr-x 2 root root 0 Aug 3 14:02 misc
drwxr-xr-x 4 root root 4096 May 26 2012 mnt
drwxr-xr-x 2 root root 0 Aug 3 14:02 net
drwxr-xr-x 9 root root 4096 Jan 5 2009 nsr
drwxrwxr-x 3 root root 4096 Oct 12 2015 opt
dr-xr-xr-x 219 root root 0 Aug 3 14:01 proc
drwxr-x--- 12 root root 4096 Apr 22 10:06 root
drwxr-xr-x 2 root root 12288 Aug 4 04:02 sbin
drwxr-xr-x 2 root root 4096 Oct 1 2009 selinux
drwxr-xr-x 2 root root 4096 Oct 1 2009 srv
drwxr-xr-x 11 root root 0 Aug 3 14:01 sys
drwxrwxrwt 38 root root 4096 Aug 23 10:07 tmp
drwxr-xr-x 34 root root 4096 Jun 21 08:29 u
drwxr-xr-x 14 root root 4096 Apr 16 2010 usr
drwxr-xr-x 24 root root 4096 Apr 16 2010 var
-rw------- 1 root root 2865 Dec 16 2008 .viminfo
-bash-3.2$
EDIT:
Here is what I see after trying touch today in /home
So to try and create a new document in the root directory you need to be recognised as root. That means using the sudo command.
However, for that you would need a password that you may not have. If you do, perfect. But in any case I would not recommend adding files to the root directory.
Instead try the following:
cd home
touch today
This should work just fine and answer your question.
Still, if you need/want to create today in your root directory, try the following:
sudo touch today
You will then be prompted for the root password that you can type (if you have it obviously)
In any case I suggest reading this which may be very helpful for you.
I wonder if this was ever truly answered.
If I was looking at it, I would try to see what the system thinks is the home directory of djaneka1, since it may have been setup partway and not completed, leaving stuff owned by root that should have been owned by djaneka1.
If you use the pwd command, and get back the "/" (root) directory there is something wrong with your setup.
The message: Could not chdir to home directory /u/d/j/djaneka1: No such file or directory
tells you it can't find your home directory.
-bash-3.2$ pwd
/
The command "pwd" revealing "/" is just an artifact of the system not being able to find your home directory.
To find what the system thinks is one's home directory,
one can search the file named '/etc/passwd' for one's login name.
I expect this is a possible result if you do that:
$ fgrep 'djaneka1' /etc/passwd
djaneka1:x:1505:1506::/u/d/j/djaneka1:/bin/bash
since it complained that it couldn't find that directory.
This needs to be fixed by someone who has more rights to the system, like root.
there is nothing djaneka1 can do a

Remove folder with special character on it

I accidentally created some folders with special characters. I already read the other posts on Stack Overflow, but they don't work. When I type the ls -la command I see:
root@mycomputer:/myfolder# ls -la
drwxr-xr-x 3 root root 4096 feb 6 17:53 ,
drwxr-xr-x 70 root root 4096 feb 11 10:27 .
drwxr-xr-x 6 root root 4096 feb 11 09:16 ..
drwxr-xr-x 7 root root 4096 feb 9 22:45 (
drwxr-xr-x 3 root root 4096 feb 2 22:01 [
drwxr-xr-x 3 root root 4096 feb 6 08:11 $
drwxr-xr-x 3 root root 4096 feb 2 23:15 \
drwxr-xr-x 4 root root 4096 feb 8 10:34 &
drwxr-xr-x 5 root root 4096 feb 8 09:43 #
drwxr-xr-x 3 root root 4096 feb 6 14:41 +
drwxr-xr-x 6 root root 4096 feb 6 09:15 ?
drwxr-xr-x 4 root root 4096 feb 6 04:07 ?
drwxr-xr-x 5 root root 4096 feb 6 01:13 ?
drwxr-xr-x 3 root root 4096 feb 6 02:25 ?
drwxr-xr-x 5 root root 4096 feb 3 12:25 ?
drwxr-xr-x 4 root root 4096 feb 5 23:18 ?
I can't do anything with the ones shown as question marks.
I tried to type the command mv and then press tab, and this is what I get:
root@mycomputer:/myfolder# mv
,/ ▒/ 7/ h/
(/ ▒/ 8/ i/
[/ ▒/ 9/ j/
$/ ▒/
\/ ▒/
So apparently I can't rename them in order to delete them.
Any ideas?
What finally worked for me was one of the answers I found in this question:
rm all files except some
rm !(textfile.txt|backup.tar.gz|script.php|database.sql|info.txt)
If you don't need the other directories, you can just
rmdir ?
Or, use a character class (supported e.g. in bash):
rmdir [^789hij] # removes all one-character directories except for 7, 9, etc.
You can also try mc or some other file manager.

Can't CD to directory inside of root

I am currently creating an application that requires separate users running duplicate programs. They cannot run under root because of security reasons, so they are initiated by a Java app that I am working on, and I am starting them with runuser -l. However, I cannot cd into a directory, even though it is owned by the user, and the user has 770 permissions on the folder.
Here's what I'm running:
runuser -l lp1 -c 'java -jar /root/Desktop/workspace/LitePanel/servers/server1/server.jar -Xms1024M nogui'
And the output of this is:
runuser: warning: cannot change directory to /root/Desktop/workspace/LitePanel/bin/servers/server1/: Permission denied
Here's an ls -all:
drwxr-xr-x. 3 root root 4096 Jan 30 14:03 .
drwxr-xr-x. 7 root root 4096 Jan 30 14:02 ..
drwxrwx---. 2 lp1 lp1 4096 Jan 31 03:07 server1
Inside the directory:
drwxrwx---. 2 lp1 lp1 4096 Jan 31 03:07 .
drwxr-xr-x. 3 root root 4096 Jan 30 14:03 ..
-rwxrwx---. 1 lp1 lp1 9170551 Jan 31 03:07 server.jar
And here's /etc/passwd:
lp1:x:501:501::/root/Desktop/workspace/LitePanel/bin/servers/server1/:/bin/false
Anyone know why this is happening? It looks like the user has the necessary permissions to do this.
You have said that the directory itself has permissions 770 and is owned by the user, but what about its parents? I believe the cd command will need at least read access (and possibly execute) on the parent directories.
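A way to find which parent blocks the traversal, as an added example that is not from the question or answer: entering a directory needs the execute (search) bit on every component from / down, and in the listing above /root is drwxr-x--- root root, so lp1 (uid 501) is stopped there long before server1. Assumes GNU stat; only the owner/group/other bits are considered (no ACLs, no supplementary groups).

```shell
#!/bin/sh
# Walk an absolute path from / and report the first directory that the given
# uid/gid cannot search, mirroring the check runuser -l runs into for lp1.

# Print the first component of path $1 that uid $2 / gid $3 cannot search and
# return 1; print nothing and return 0 if the whole path is traversable.
first_unsearchable() {
    target=$1 uid=$2 gid=$3
    case $target in /*) ;; *) echo "need an absolute path"; return 2;; esac
    [ "$uid" -eq 0 ] && return 0          # root is not subject to the mode bits
    dir=$target parents=
    while [ "$dir" != / ]; do             # collect components, / first
        parents="$dir $parents"; dir=$(dirname "$dir")
    done
    for dir in / $parents; do
        set -- $(stat -c '%u %g %a' "$dir" 2>/dev/null)
        [ $# -eq 3 ] || { echo "$dir: cannot stat"; return 2; }
        if [ "$uid" -eq "$1" ]; then bit=0100      # owner execute
        elif [ "$gid" -eq "$2" ]; then bit=0010    # group execute
        else bit=0001; fi                          # other execute
        [ $(( 0$3 & bit )) -ne 0 ] || { printf '%s\n' "$dir"; return 1; }
    done
    return 0
}

# On the question's system this prints /root, the component lp1 cannot enter:
# first_unsearchable /root/Desktop/workspace/LitePanel/bin/servers/server1 501 501
```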