1

I'm building a UVPS for myself, just to use as a simple playground. The user I need to have sftp access authenticates but get's booted. I believe it's due to my hardening, but it could be something I just am oblivious to or don't know. Can anyone help using the following info?

I've installed Ubuntu 10.04 and hardened it up pretty well (for my non sys admin knowledge-base), but I am having trouble connecting via SFTP via a limited user setup to be the only SFTP user (will also likely be used for rsync/git/hg access but one thing at a time). I want this user restricted to it's home - so I've put that in the sshd_config.

The configuration consists exclusively of a Sudo user we'll call sudouser and a sftp user we'll call sftpuser.

Obfuscated sshd_config file:

Port 22

Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 768

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
UseDNS no

AllowUsers sudouser sftpuser

Match User sftpuser
    ChrootDirectory %h
    ForceCommand /usr/lib/openssh/sftp-server
    AllowTcpForwarding no

I have generated a rsa key pair for sftpuser placed it's public in ~sftpuser/.ssh/ with sftpuser having 700 on it's .ssh directory and 600 on it's public key.

When attempting to connect via sftp in Netbeans, I get the following message:

Host '123.45.678.910' is known and mathces the RSA host key
SSH_MSG_NEWKEYS sent
SSH_MSG_NEWKEYS received
SSH_MSG_SERVICE_REQUEST sent
SSH_MSG_SERVICE_ACCEPT received
Authentications that can continue: publickey,keyboard-interactive,password
Next authentication method: publickey
Authentication succeeded (publickey).
Caught an exception, leaving main loop due to Connection reset
Disconnecting from 123.45.678.910 port 22
QUIT
Goodbye

It also connects with cyberduck, but immediately disconnects.

Some other details for anyone who might be interested in helping.

iptable rules:

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT

-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Misc Hardening

dpkg-statoverride --update --add root sudoers 4750 /bin/su
sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
sudo sysctl -w net.ipv4.conf.default.accept_source_route=0

============================================================

EDIT01: Response to poisonbit and Gilles (since there's overlap)

In the logs I do see it's an ownership issue. My understanding (or lack there of) is that when I adduser as root, the permissions and files created from /etc/skeleton should be right… for this - but now I'm confused.

This was all done as root.

/usr/sbin/groupadd sudoers
/usr/sbin/adduser sudouser
mkdir ~sudouser/.ssh
mv /tmp/uploadpackage/sudouser.pub ~sudouser/.ssh/authorized_keys
chown -R sudouser:sudouser ~sudouser/.ssh
chmod 700 ~sudouser/.ssh
chmod 600 ~sudouser/.ssh/authorized_keys
/usr/sbin/usermod -a -G sudoers sudouser

:modified visudo:

/usr/sbin/adduser sftpuser
mkdir ~sftpuser/.ssh
mv /tmp/uploadpackage/sftpuser.pub ~sftpuser/.ssh/authorized_keys
chown -R sftpuser:sftpuser ~sftpuser/.ssh
chmod 700 ~sftpuser/.ssh
chmod 600 ~sftpuser/.ssh/authorized_keys

Examining the permissions, here's what I see:

sudouser@uvps:~$ sudo ls -l /

<snip>
drwxr-xr-x  4 root root   4096 Apr 10 16:39 home
<snip>

sudouser@uvps:~$ ls -l /home

drwxr-xr-x  4 sftpuser sftpuser 4096 Apr 10 17:03 sftpuser
drwxr-xr-x  4 sudouser sudouser 4096 Apr 10 16:58 sudouser

Should these be owned by root?

Are there files/folders that are not created by adduser that are needed to make a basic user?

I do apologize, I'm capable as a basic user of linux... but while most things are logical once you "get it" I feel like I'm always reading explanations of minutia/quirks in the manpages or google results when doing simple things.

============================================================

EDIT02: Relevant /var/log/auth.log entries.

Apr 11 00:18:22 uvps sshd[8694]: Accepted publickey for sftpuser from 109.87.654.321 port 55555 ssh2
Apr 11 00:18:22 uvps sshd[8694]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: No such file or directory
Apr 11 00:18:22 uvps sshd[8694]: pam_unix(sshd:session): session opened for user sftpuser by (uid=0)
Apr 11 00:18:22 uvps sshd[8706]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: No such file or directory
Apr 11 00:18:22 uvps sshd[8706]: fatal: bad ownership or modes for chroot directory "/home/sftpuser"
Apr 11 00:18:22 uvps sshd[8694]: pam_unix(sshd:session): session closed for user sftpuser
Apr 11 00:18:22 uvps sshd[8694]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: No such file or directory

The pam messages seem related to a bug Ubuntu Bug #155794 and likely aren't contributing - the fatal entry on the other hand :p 

============================================================

EDIT03: Update.

Changing the owner of ~sftpuser recursively caused authentication to fail. By returning ownership of ~sftpuser/.ssh (-R) to sftpuser the sftp client could connect. The new log entries were:

Apr 11 01:02:36 uvps sshd[8745]: Accepted publickey for sftpuser from 109.87.654.321 port 55555 ssh2
Apr 11 01:02:36 uvps sshd[8745]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: No such file or directory
Apr 11 01:02:36 uvps sshd[8745]: pam_unix(sshd:session): session opened for user sftpuser by (uid=0)
Apr 11 01:02:36 uvps sshd[8756]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: No such file or directory
Apr 11 01:02:36 uvps sshd[8756]: subsystem request for sftp
Apr 11 01:02:36 uvps sshd[8745]: pam_unix(sshd:session): session closed for user sftpuser
Apr 11 01:02:36 uvps sshd[8745]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: No such file or directory

So perhaps the PAM bug (or the default config as provided by ubuntu) is in need of some love. I'm reading about PAM, and it's so much more than I was hoping to get into just to get a simple sandboxed sftp operator in place. Hmmm.

============================================================

EDIT04: Reasonable confirmation.

Disabling PAM in the sshd_config file made it work. So at this point anyone who follows this as reference in the future should be able to get this going w/o PAM. As to PAM, I need to evaluate why I may/not need it and if/when I wrap my head around it and determine if it being on offers any substantial benefit for my uses, I'll update this.

Many thanks to the people that contributed... you led me to the problem and made it clear I really need to get better at logging, and analyzing the logs. Frankly using ubuntudesktop/osx/windows has never really caused me need to spend a great deal of time in the logs. Configuring even a simple server however... Who can I credit the answer with? Everyone helped.

============================================================

EDIT05: Quirk?.

Re-enabled PAM to do the deeper logging that was recommended and reloaded SSH... and everything continued to work as it did with PAM disabled. o.O

Cor
  • 15
  • 1
  • 5
  • What is in the server logs? Are you sure you've created all the necessary files in the chroot? – Gilles 'SO- stop being evil' Apr 10 '11 at 18:53
  • Edited a response (in the main question) to both you and poisonbit and reviewing the logs points to an ownership issue. I appreciate the response. – Cor Apr 11 '11 at 00:01
  • If you don't post the logs, we can't help you read them. The permissions look right for functionality, but `/home/sftpuser`, `/home/sftpuser/.ssh` and `/home/sftpuser/.ssh/*` should be owned by root, otherwise the SFTP user will be able to write to them and may be able to gain shell access (I'm not sure about that). – Gilles 'SO- stop being evil' Apr 11 '11 at 00:09
  • I agree with Gilles. For what it's worth, `adduser`'s default permissions are fine for normal login users, but do not work well with `sftp`. – justarobert Apr 11 '11 at 00:38
  • Added relevant logs in main question – Cor Apr 11 '11 at 00:40
  • Hi @Cor I've find same problem, trying to fix UMASK option on internal-sftp sshd server directive. infact this one, dosen't support umask. I've asked similar question here: http://serverfault.com/questions/257396/sftp-chrooted-dosent-work-with-some-sftp-client-cyberduck check it out I've read all your question with attached solution, I will try on my env as soon as possible. For me Cyberduck (and I thin yours netbeans) logon issue could be this openssh behaviour http://www.openssh.org/faq.html#2.9 Let me now it could helpful for you. – emaaaa Apr 13 '11 at 15:36
  • Ah interesting will investigate this more. – Cor Apr 14 '11 at 00:52

2 Answers2

1

Authentication succeeded (publickey). So it should be something after that... lets check:

ChrootDirectory
         Specifies the pathname of a directory to chroot(2) to after
         authentication.  All components of the pathname must be root-
         owned directories that are not writable by any other user or
         group.  After the chroot, sshd(8) changes the working directory
         to the user's home directory.

...

Is the home of the sftpuser user (and parent paths) owned by root and 700 (drwx------) ?

If owners of directories are ok, and write perms too, you can search for more info in /var/log on the ssh server, or try the sftp client from command line, adding the -v option, and send us the output.

poisonbit
  • 827
  • 5
  • 6
  • Edited a response to both you and Gilles (in the main question) and reviewing the logs points to an ownership issue. I appreciate the response. Any thoughts on where my efforts are breaking down? I'm googling how to connect to sftp from the shell right now (and will dump a -v if it turns out that the permissions are appropriate.) – Cor Apr 11 '11 at 00:03
  • Okay so I have re-read this answer and run chown -R on ~sftpuser and the authorization fails. By making ~sftpuser/.ssh owned by sftpuser again I can authorize and I get a new log saying "subsystem request for sftp"!!! but then pam ends the session again. Progress ;p – Cor Apr 11 '11 at 01:20
0

Under Subsystem and ForceCommand change 

Subsystem sftp /usr/lib/openssh/sftp-server

to 

Subsystem       sftp    internal-sftp

and change

ForceCommand /usr/lib/openssh/sftp-server

to

ForceCommand internal-sftp
rfelsburg
  • 767
  • 3
  • 7
  • Thanks. Just tried... exact same result as the latest logs (EDIT03 above). Definitely worth a try. – Cor Apr 11 '11 at 02:48
  • Before I move on, you did restart ssh after changing correct? – rfelsburg Apr 11 '11 at 02:55
  • Yes... and I even meant to mention that - long day. /etc/init.d/ssh reload – Cor Apr 11 '11 at 02:58
  • What is your log verbosity set to? If it's not set to debug please do so, and try logging in again and posting the results. – rfelsburg Apr 11 '11 at 03:01
  • Just tried disabling PAM in the sshd_config and was able to gain access. So it looks like a misconfigured PAM is the culprit (or the bug I noted above). Don't know that I actually need PAM... but at least there's some clear and apparent cause here. Thanks again for responding. Off to update the main question. – Cor Apr 11 '11 at 03:10
  • We can work through pam as well if you'd like, the relelvant pam.d should sshd...also, I highly recommend upping your verbosity level to debug while troubleshooting, as well as trying to locally login using sftp -v – rfelsburg Apr 11 '11 at 03:15
  • That's quite kind rfelsburg. Will simply setting loglevel in the sshd_config do it, or is there another loglevel you are referring to? Also I guess after reading up on PAM for a half hour, I'm wondering if I'll be using it in any worthwhile way for this endeavor. Any thoughts on that for a one person LAPPP stack (Lin/Apache/Postgres/Php/Python) playground? – Cor Apr 11 '11 at 03:26
  • yes: loglevel debug will do it. In my opinion removing a layer of security due to some feature not working is always a bad idea unless you fully understand exactly what is happening and why you are disabling it. Also trying to manually login via the cli with 'sftp -v' will shed light as well. – rfelsburg Apr 11 '11 at 03:32
  • It seems (from skimming the docs for PAM) that it adds all kinds of features securely, not really adds security to normal authentication - and my impression on running a server is that you only add what you must. Please do correct me if I'm wrong on either count. I have to relocate from work to home in a second, when I get home i will sftp from cli w/ -v flag and we'll take a look at PAM if your still up for that... Again I really do appreciate you taking the time. – Cor Apr 11 '11 at 03:37
  • Assuming I'm still up, I'd be more than happy to help. As far as using PAM, any mechanism that will allow me to make my system is more secure is good. PAM is extremely powerful, and when utilized properly is quite a help to sysadmins. – rfelsburg Apr 11 '11 at 03:45
  • Okay just to be difficult, the server decided that PAM was now okay to use. Very bizarre. I re-enabled it in the sshd_config file (along with LogLevel DEBUG3), reloaded ssh Cyberduck and Netbeans can negotiate it. So essentially, WTF?!?! Looking through the DEBUG log, lots of info makes sense... very useful. Does PAM have a "reload" like feature that Disabling/Enabling it in sshd_config could trigger? – Cor Apr 11 '11 at 05:46
  • Just a followup to this. I rebuilt the uvps (twice to confirm-confirm) incorporating the change (internal-sftp), ~sftpuser owned by root, and even properly set the locale [facepalm]... with PAM enabled on first try, no joy. with PAM disabled on next try, no joy. with PAM re-enabled, it works. I haven't found any references to this, and really don't know what to make of it - but hey, I have chrooted sftp working consistently - and I suppose this will probably help someone someday. – Cor Apr 13 '11 at 01:11
  • Missed edit window: PAM disabled on next try, no joy. Should be PAM disabled on next try, it works. – Cor Apr 13 '11 at 01:39
  • Perhaps, pam disabled, pam enabled is being cached, and so it looks like pam enabled is working? I'm not sure, but it's worth following up on. I'll see if I can duplicate on my end. – rfelsburg Apr 13 '11 at 03:13