Through shell, adding a user with a slash path ("/") as home directory: ssh/sftp impossible, even after re-creating it with a named directory - linux

First, what I'm trying to do is to jail (chroot) the user in a specific directory for sftp access. I found a great tutorial that did the job; you can find it here: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/. You should read it first (it's very short) to understand the rest.
With the example in the link, I have no problem creating the sftpusers group and the guestuser user and locking it to the /sftp/guestuser/incoming directory. Here is how it's done:
groupadd sftpusers
useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
passwd guestuser
chown guestuser:sftpusers /sftp/guestuser/incoming
service ssh restart
What I tried to do next was to lock another user (let's call it "test") from the same group in /sftp/test. So I created the user like this:
useradd -g sftpusers -d / -s /sbin/nologin test
You see, instead of /incoming as the directory, I just put "/", then I changed the rights on /sftp/test and restarted ssh. But the connection fails and gives me this error: Write failed: Broken pipe
I thought it was due to the wrong path "/", so I decided to delete the user and re-create it with an /incoming directory:
userdel test
useradd -g sftpusers -d /incoming -s /sbin/nologin test
passwd test
chown test:sftpusers /sftp/test/incoming
service ssh restart
But even after that, the test user seems to be compromised forever, because I get the same error when I try to connect through sftp: Write failed: Broken pipe Couldn't read packet: Connection reset by peer
EDIT :
Here is the log file for sshd :
Jan 24 12:46:20 ns sshd[13786]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Jan 24 12:46:23 ns sshd[13786]: Accepted password for test from xxx.xxx.xxx.xxx port 37838 ssh2
Jan 24 12:46:23 ns sshd[13786]: pam_unix(sshd:session): session opened for user test by (uid=0)
Jan 24 12:46:24 ns sshd[13949]: fatal: bad ownership or modes for chroot directory "/sftp/test"
Jan 24 12:46:24 ns sshd[13786]: pam_unix(sshd:session): session closed for user test
Jan 24 12:48:17 ns sshd[14103]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Jan 24 12:48:19 ns sshd[14103]: Invalid user brad from xxx.xxx.xxx.xxx
Jan 24 12:48:19 ns sshd[14103]: input_userauth_request: invalid user brad [preauth]
Jan 24 12:48:19 ns sshd[14103]: pam_unix(sshd:auth): check pass; user unknown
Jan 24 12:48:19 ns sshd[14103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
Jan 24 12:48:22 ns sshd[14103]: Failed password for invalid user brad from xxx.xxx.xxx.xxx port 42756 ssh2
Jan 24 12:48:22 ns sshd[14103]: Received disconnect from xxx.xxx.xxx.xxx: 11: Bye Bye [preauth]

Check the debug log for sshd. You'll likely find it complaining about the home directory for user test not being secure.
sshd is very strict about access to the user's credentials in $HOME/.ssh and will disconnect when it cannot access the directory, or when it detects permissions that would allow any other account to access it.
sshd[13949]: fatal: bad ownership or modes for chroot directory "/sftp/test"
Make sure that the owner of the directory is the only account that can modify any file in $HOME and below. Pay attention specifically to the group settings.

Related

Dnsmasq fails to start every time I reboot my VPS

Dnsmasq fails to start every time I reboot my VPS. Below is the log about it.
Aug 22 18:14:51 debian dnsmasq[776]: dnsmasq: syntax check OK.
Aug 22 18:14:51 debian dnsmasq[798]: chown: invalid user: ‘dnsmasq:nogroup’
Aug 22 18:14:51 debian systemd[1]: dnsmasq.service: Control process exited, code=exited status=2
Aug 22 18:14:51 debian systemd[1]: Failed to start dnsmasq - A lightweight DHCP and caching DNS server.
Aug 22 18:14:51 debian systemd[1]: dnsmasq.service: Unit entered failed state.
Aug 22 18:14:51 debian systemd[1]: dnsmasq.service: Failed with result 'exit-code'.
I'd set the user and group name correctly in the /etc/dnsmasq.conf file. I tried to reinstall dnsmasq and then it worked. But after I reboot the VPS, it fails to start again. Then I have to reinstall again...
So, if I want to use dnsmasq, I must not reboot my VPS. But I want to know what causes this and how to fix it once and for all. My VPS's system is Debian 9, kernel 4.9.0-7-amd64.
Finally, I found the trouble and fixed it. As the system reported, chown: invalid user: ‘dnsmasq:nogroup’ is the bad line. I thought it must be that dnsmasq failed to automatically add the user or group, and that caused the error.
One solution might be manually adding a user named "dnsmasq". I didn't try it but I thought it would work. Another way to handle it is to look up user "dnsmasq" in the relevant files and replace user "dnsmasq" with an existing user like "nobody".
There are 3 places in the /etc/init.d/dnsmasq file that need replacing (the user name is marked with asterisks):
if [ ! "$DNSMASQ_USER" ]; then
    DNSMASQ_USER="*dnsmasq*"
fi
# /run may be volatile, so we need to ensure that
# /run/dnsmasq exists here as well as in postinst
if [ ! -d /run/dnsmasq ]; then
    mkdir /run/dnsmasq || return 2
    chown *dnsmasq*:nogroup /run/dnsmasq || return 2
fi
# /run may be volatile, so we need to ensure that
# /run/dnsmasq exists here as well as in postinst
if [ ! -d /run/dnsmasq ]; then
    mkdir /run/dnsmasq || return 2
    chown *dnsmasq*:nogroup /run/dnsmasq || return 2
fi
Replace the 3 emphasized places above.
Although I'm not sure why dnsmasq failed to access account files.
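The chown in the init script fails because the account it names does not resolve, and the first fix the answer mentions (create the dnsmasq user) keeps the service on its own unprivileged account rather than sharing "nobody" with everything else. The script below is an added example, not part of the post or of the dnsmasq package: it checks that the owner resolves through NSS before touching /run/dnsmasq, and creates the system account when it is missing. The adduser invocation assumes Debian's adduser and needs root; the file names, the helper names and the pre-start script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the dnsmasq package): verify
# that the account the init script chowns /run/dnsmasq to actually exists
# before starting, and create it if it is missing, instead of editing the
# init script to use "nobody" (an account shared with other services).
# Assumes Debian's adduser and glibc getent; creating users requires root.

# owner_exists USER GROUP -> 0 if both resolve through NSS (getent)
owner_exists() {
    u=$1; g=$2
    if ! getent passwd "$u" >/dev/null; then
        echo "user missing: $u" >&2
        return 1
    fi
    if ! getent group "$g" >/dev/null; then
        echo "group missing: $g" >&2
        return 1
    fi
    return 0
}

# ensure_dnsmasq_account -> create the system account when it is absent
# (hypothetical helper; needs root; mirrors a typical Debian system user)
ensure_dnsmasq_account() {
    if getent passwd dnsmasq >/dev/null; then
        return 0
    fi
    adduser --system --home /var/lib/misc --no-create-home \
            --disabled-password --quiet dnsmasq
}

# ensure_run_dir DIR USER GROUP -> create DIR owned by USER:GROUP, refusing
# to proceed when the owner cannot be resolved (the chown would fail anyway,
# which is exactly the "invalid user" failure in the log)
ensure_run_dir() {
    d=$1; u=$2; g=$3
    owner_exists "$u" "$g" || return 2
    if [ ! -d "$d" ]; then
        mkdir -m 0755 "$d" || return 2
    fi
    chown "$u:$g" "$d" || return 2
}

# Run directly as dnsmasq-prestart.sh (hypothetical name) before starting.
case $0 in
    *dnsmasq-prestart.sh)
        ensure_dnsmasq_account
        ensure_run_dir /run/dnsmasq dnsmasq nogroup
        ;;
esac
```

Run it once as root before systemctl start dnsmasq; if ensure_run_dir reports "user missing: dnsmasq" the account really is gone from the passwd database, which is what the init script's chown is complaining about after each reboot.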

tunnel ssh from another pc to docker

I am trying to create an ssh tunnel for executing conky in my container.
PC --> server --> container (docker)
I can create a tunnel from my PC to the server and from the server to the container,
but I don't know why I can't execute this command from my PC to create a tunnel all the way:
ssh -L 8888:localhost:22 user@62.210.227.219 ssh -t -t -L 8887:localhost:8888 -p 8888 admin@localhost
I get a terminal with nothing. :(
The ssh log from my server:
Aug 9 14:57:14 sd-46208 sshd[5867]: Accepted publickey for USER from 82.64.127.210 port 54369 ssh2: RSA 39:50:42:5p:05:0a:7a:f4:66:fb:5d:24:1f:96:09:5f
Aug 9 14:57:14 sd-46208 systemd: Starting Session 1810 of user USER.
Aug 9 14:57:14 sd-46208 systemd: Started Session 1810 of user USER.
Aug 9 14:57:14 sd-46208 systemd: Failed to reset devices.list on /system.slice: Invalid argument
Aug 9 14:57:14 sd-46208 systemd-logind: New session 1810 of user USER.
Aug 9 14:57:14 sd-46208 sshd[5870]: error: Failed to disconnect from controlling tty.
I almost solved my problem.
I added in ssh/sshd_config:
X11Forwarding yes
X11UseLocalhost yes
X11DisplayOffset 10
AddressFamily inet
and I run
ssh User@60.220.207.219 ssh User@127.0.0.1 -p 9999
I can connect to the container but I can't execute an application for the moment.
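Chaining "ssh ... ssh ..." hands the second hop a half-allocated tty and no forwarding, which is why the nested command left an empty terminal. OpenSSH's ProxyJump (or -J on the command line) makes the jump host open a direct-tcpip channel to the destination from its own point of view, so a port docker published on the server's loopback is reachable in one hop. The script below is an added example, not from the post; it writes a client config with both hops and connects. The addresses are taken from the post (server 60.220.207.219, login User, container sshd published on the server at 127.0.0.1:9999); the config file path and script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): reach the container's sshd in
# one hop from the PC with ProxyJump instead of nesting "ssh ... ssh ...".
# The jump host connects to 127.0.0.1:9999 from its own point of view, so
# the port docker published on the server's loopback is reachable.
# Assumptions (taken from the post): server 60.220.207.219, login User,
# container sshd published on the server at 127.0.0.1:9999.

# write_jump_config FILE -> write a client config describing both hops
write_jump_config() {
    cfg=$1
    cat > "$cfg" <<'EOF'
Host server
    HostName 60.220.207.219
    User User

Host container
    HostName 127.0.0.1
    Port 9999
    User User
    ProxyJump server
    # X11 so conky can draw on the PC's display; untrusted forwarding is
    # enough for a plain X client
    ForwardX11 yes
EOF
    chmod 600 "$cfg"
}

# config_has FILE KEY VALUE -> 0 if the config sets KEY to VALUE
config_has() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

# Run directly as jump.sh (hypothetical name): interactive shell in the
# container. "ssh -F cfg -N -L 8888:127.0.0.1:22 container" would instead
# forward local port 8888 to the container's sshd without opening a shell.
case $0 in
    *jump.sh)
        cfg="$HOME/.ssh/config-container"   # hypothetical path
        write_jump_config "$cfg"
        ssh -F "$cfg" container
        ;;
esac
```

The one-line equivalent without a config file is ssh -J User@60.220.207.219 -p 9999 -X User@127.0.0.1. The sshd_config X11 settings in the post only matter on the host whose sshd the X client talks to, i.e. the container's sshd, not the server's.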

Issue with shell login

There is this strange thing I am seeing.
Whenever I try to ssh into a machine as the root user, I get logged in as "airoot", but the same does not happen for any other user.
[root@ftc-unem32-22s27 onestopsolution]# ssh root@10.33.22.1
Last login: Tue Jun 3 08:19:17 2014 from 10.32.22.27
[airoot@node0fs ~]#
This happens for the root user, but for another user, say User1234, it doesn't:
[root@ftc-unem32-22s27 onestopsolution]# ssh User1234@10.33.22.1
User1234@10.33.22.1's password:
Last login: Tue Jun 3 08:19:09 2014 from 10.32.22.27
[User1234@node0fs ~]$
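The question has no answer on the page, so the cause is not stated. One check worth running on any host where a login shows a different name than the one typed is whether more than one /etc/passwd entry shares UID 0: getpwuid(0) then returns one of those names, and a second UID-0 account is also a classic persistence backdoor. The script below is an added diagnostic, not from the post and not a claim about the poster's system; the passwd lines it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): list every account with uid 0.
# When two passwd entries share UID 0, getpwuid(0) returns one of them, so a
# prompt or "whoami" can show a different name than the one that
# authenticated. A second UID-0 account is also a classic backdoor, so the
# check belongs in any host review. The sample file below is constructed.

# uid0_accounts PASSWD_FILE -> print every account name whose numeric uid
# (third colon-separated field) is 0, one per line
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# uid0_count PASSWD_FILE -> number of UID-0 accounts
uid0_count() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# check_single_root PASSWD_FILE -> 0 if root is the only UID-0 account,
# 1 (with the offending names on stderr) otherwise
check_single_root() {
    n=$(uid0_count "$1")
    if [ "$n" -ne 1 ]; then
        echo "WARNING: $n accounts with uid 0 in $1:" >&2
        uid0_accounts "$1" >&2
        return 1
    fi
    return 0
}

# write_sample_passwd FILE -> constructed sample that reproduces the symptom
# (an extra UID-0 entry named like the prompt in the question)
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
airoot:x:0:0:application root:/root:/bin/bash
User1234:x:1234:1234::/home/User1234:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# Run directly as uid0check.sh (hypothetical name) against the live file.
case $0 in
    *uid0check.sh) check_single_root /etc/passwd ;;
esac
```

On the affected machine, getent passwd 0 shows which name NSS resolves for UID 0, and id -un after the login shows what the shell sees; compare both with the names the script prints. Check LDAP or other NSS sources too, since the duplicate need not live in the local file.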

Issues while connecting psql

I installed postgresql in accordance with the instructions given at: http://xadmin.info/?p=284
# pg_ctl -D /var/lib/pgsql/data -l pglog.log start
server starting
postgres#linux-p0pl:~> psql
psql: could not connect to server: No such file or directory
Is the server running locally and accepting
connections on
Unix domain socket "/tmp/.s.PGSQL.5432"?
I don't understand why I am getting this error when the server has started... can someone please help.
My pglog.log file shows the following output:
2013-02-06 19:43:39 GMT FATAL: lock file "postmaster.pid" already exists
2013-02-06 19:43:39 GMT HINT: Is another postmaster (PID 23971) running in data directory "/var/lib/pgsql/data"?
2013-02-06 19:44:02 GMT FATAL: lock file "postmaster.pid" already exists
2013-02-06 19:44:02 GMT HINT: Is another postmaster (PID 23971) running in data directory "/var/lib/pgsql/data"?
2013-04-24 12:43:29 GMT FATAL: data directory "/var/lib/pgsql/data" has group or world access
2013-04-24 12:43:29 GMT DETAIL: Permissions should be u=rwx (0700).
2013-04-24 12:44:07 GMT FATAL: data directory "/var/lib/pgsql/data" has group or world access
2013-04-24 12:44:07 GMT DETAIL: Permissions should be u=rwx (0700).
2013-04-24 12:57:02 GMT FATAL: data directory "/var/lib/pgsql/data" has group or world access
2013-04-24 12:57:02 GMT DETAIL: Permissions should be u=rwx (0700).
2013-04-24 12:57:40 GMT FATAL: data directory "/var/lib/pgsql/data" has group or world access
2013-04-24 12:57:40 GMT DETAIL: Permissions should be u=rwx (0700).
ps -ef | grep postgres
root 21659 21591 0 19:14 pts/0 00:00:00 grep --color=auto postgres
The permissions and ownership on /var/lib/pgsql/data should be:
# ll -d /var/lib/pgsql/data
drwx------. 15 postgres postgres 4096 Apr 24 10:27 /var/lib/pgsql/data
If they are not, do as root:
# chmod -R 700 /var/lib/pgsql/data
# chown -R postgres /var/lib/pgsql/data
Check in the pglog.log file to ensure that the server did actually start without error. Given the error it seems like it did not start properly.
You probably don't have your server configured to put unix domain sockets in "/tmp". It's probably somewhere like "/var/run/pgsql", but see your postgresql.conf file to see exactly where.
Then you can specify this directory as a "host" on the command-line:
psql -h /path/we/want ...
If that's not the problem, check the port number.
Not sure why/how your psql client and postgresql server have different default paths, but then I've never heard of the site you got the instructions from, so I've no idea how useful they are.
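The log shows the two reasons the server refused to come up: a postmaster.pid naming another process, and a data directory with group or world permission bits. Both answers describe the fix; the script below is an added example, not from either answer or from PostgreSQL, that reproduces the two start-up checks and reads the socket directory out of postgresql.conf so psql can be pointed at the right place. It assumes GNU stat and the /var/lib/pgsql/data layout from the question; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the two start-up
# refusals visible in pglog.log before starting the server, and find the
# socket directory psql should be told about.
# PostgreSQL checks that the data directory is owned by the user running the
# server and carries no group or world permission bits (0700, as the log's
# DETAIL line says; releases from 11 on also tolerate 0750), and it refuses
# to start while postmaster.pid names a live process.
# Assumes GNU stat and a layout like /var/lib/pgsql/data.

# pgdata_check DIR -> 0 if DIR is owned by the caller and has mode 0700
pgdata_check() {
    d=$1
    if [ ! -d "$d" ]; then
        echo "FATAL: data directory \"$d\" does not exist" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$d") || return 1
    mode=$(stat -c '%a' "$d") || return 1
    if [ "$owner" -ne "$(id -u)" ]; then
        echo "FATAL: data directory \"$d\" has wrong ownership (uid $owner)" >&2
        return 1
    fi
    # 077 = every group and other bit; any of them set is rejected
    if [ $((0$mode & 077)) -ne 0 ]; then
        echo "FATAL: data directory \"$d\" has group or world access" >&2
        echo "DETAIL: Permissions should be u=rwx (0700)." >&2
        return 1
    fi
    return 0
}

# stale_pidfile DIR -> 0 if postmaster.pid is absent or names a dead process
# (safe to remove), 1 if the process recorded in it is still alive
stale_pidfile() {
    f=$1/postmaster.pid
    [ -f "$f" ] || return 0
    pid=$(head -n 1 "$f")
    if kill -0 "$pid" 2>/dev/null; then
        echo "HINT: another postmaster (PID $pid) is running in \"$1\"" >&2
        return 1
    fi
    return 0
}

# socket_dir_from_conf POSTGRESQL_CONF -> first unix_socket_directories
# (9.3+) or unix_socket_directory (older) value; "/tmp", the compiled-in
# default of a source build, when the setting is absent or commented out
socket_dir_from_conf() {
    awk -F= '
        /^[[:space:]]*unix_socket_director(y|ies)[[:space:]]*=/ {
            v = $2; sub(/#.*/, "", v); gsub(/[[:space:]'"'"']/, "", v)
            split(v, a, ","); print a[1]; found = 1; exit
        }
        END { if (!found) print "/tmp" }' "$1"
}

# Run directly as pgcheck.sh (hypothetical name) against the question's paths.
case $0 in
    *pgcheck.sh)
        pgdata="${1:-/var/lib/pgsql/data}"
        pgdata_check "$pgdata" && stale_pidfile "$pgdata" && \
            echo "psql -h $(socket_dir_from_conf "$pgdata/postgresql.conf")"
        ;;
esac
```

Run it as the postgres user. If stale_pidfile reports a live PID, a server is already up and psql simply needs the right -h; if the PID is dead, remove postmaster.pid and start again. Distribution packages usually compile in a socket directory other than /tmp (Debian and Red Hat use /var/run/postgresql), so a client built from a different package than the server will look in the wrong place unless -h or PGHOST names the directory.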

Change local linux password when joined to Active Directory

I have a linux box:
Linux vuappserver 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686 GNU/Linux
I use SMB + winbind to join an Active Directory.
But right now I'm trying to add a local user:
useradd test
but when I try to change the password, I receive this error:
root@server:/home/vu# passwd test
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
I checked the permissions of this files:
-rw-r--r-- 1 0 0 1350 Apr 5 23:17 /etc/passwd
-rw-r----- 1 0 42 941 Apr 5 23:17 /etc/shadow
Any ideas?
Thanks
By default pam_krb5.so sets "minimum_uid" to 1000 in /etc/pam.d/common-*
e.g.:
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
My user had uid=1001 and according to the default setup, Kerberos took control (bad thing). On the other hand, the mapping for my AD users was in a higher range (/etc/samba/smb.conf):
idmap config * : range = 10000-40000
So I adjusted "minimum_uid" in /etc/pam.d/common-* to 10000, and now I'm happy :-)
If you're in a Windows domain, your authentication configuration (most probably /etc/pam.d/common-auth and /etc/pam.d/passwd) specifies that to change a password, it must be synchronized with the domain (via Kerberos/LDAP).
You can instruct the passwd command to change a local account by specifying which accounts repository/authentication realm you would like to change:
passwd -r files account_name
Check the man page for passwd on the -r option.
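The first answer's diagnosis is a range overlap: any local account whose uid is at or above pam_krb5's minimum_uid but below the winbind idmap range is claimed by Kerberos, and passwd(1) asks for a Kerberos password that the local account does not have. The script below is an added example, not from either answer: it reads minimum_uid from a PAM file and lists the local accounts that fall into that gap, before and after the fix. The uid 1001, the idmap start 10000 and the PAM line are taken from the post; the sample files are constructed and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): find the local accounts that
# pam_krb5 will intercept for a given minimum_uid. Anything in the local
# passwd file with uid >= minimum_uid and below the winbind idmap range gets
# "Current Kerberos password:" from passwd(1) instead of its shadow entry,
# which is the symptom in the question. Values taken from the post: idmap
# range 10000-40000, local user uid 1001. Sample files are constructed.

# minimum_uid_in PAM_FILE -> minimum_uid= on the pam_krb5 line, empty if unset
minimum_uid_in() {
    sed -n 's/.*pam_krb5\.so.*minimum_uid=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# misrouted_local_users PASSWD_FILE MIN_UID IDMAP_START
#   -> "name:uid" for each local account with MIN_UID <= uid < IDMAP_START
misrouted_local_users() {
    awk -F: -v lo="$2" -v hi="$3" '$3 >= lo && $3 < hi { print $1 ":" $3 }' "$1"
}

# check_krb_cutover PAM_FILE PASSWD_FILE IDMAP_START
#   -> 0 if no local account falls between minimum_uid and the idmap range
check_krb_cutover() {
    min=$(minimum_uid_in "$1")
    [ -n "$min" ] || min=0       # with no minimum_uid, pam_krb5 handles every uid
    bad=$(misrouted_local_users "$2" "$min" "$3")
    if [ -n "$bad" ]; then
        echo "local accounts that pam_krb5 will claim (minimum_uid=$min):" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# demo -> constructed files mirroring the question, then the answer's fix
demo() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
vu:x:1000:1000::/home/vu:/bin/bash
test:x:1001:1001::/home/test:/bin/sh
EOF
    echo 'password [success=3 default=ignore] pam_krb5.so minimum_uid=1000' > "$d/common-password"
    check_krb_cutover "$d/common-password" "$d/passwd" 10000 && echo "ok"
    # the answer's fix: raise minimum_uid to the start of the idmap range
    echo 'password [success=3 default=ignore] pam_krb5.so minimum_uid=10000' > "$d/common-password"
    check_krb_cutover "$d/common-password" "$d/passwd" 10000 && echo "ok after fix"
    rm -rf "$d"
}

# Run directly as krb-cutover.sh (hypothetical name) to see both outcomes.
case $0 in *krb-cutover.sh) demo ;; esac
```

Against a real host, point check_krb_cutover at /etc/pam.d/common-password and /etc/passwd with the lower bound of the idmap range from smb.conf; the line that should result in common-password is password [success=3 default=ignore] pam_krb5.so minimum_uid=10000. Keep minimum_uid and the idmap range in step whenever either is changed, or the gap reappears.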
