
I have set up my server to allow sftp using a password; however, I'm getting "Authentication failed" even though I'm using the correct password. Here is my sshd_config:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp internal-sftp -f AUTH -l DEBUG3

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Begin SFTP-Server block
Match Group www-data
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
    PasswordAuthentication yes
# End SFTP-Server block

As you can see on the last line under Match Group, I have set PasswordAuthentication yes. I've also made sure that my user is part of www-data; however, I still couldn't log in using a password. I can SSH without a password, but I deliberately removed my keys on the server to test whether I can sftp with just the password. Or do the keys need to be in authorized_keys, in addition to the password, to be able to log in? I've also made sure that I restarted the SSH service to apply the changes. What am I doing wrong?

EDIT

And here's the log on my FileZilla:

Status:         Connecting to clone-stage-wplogic-net...
Response:   fzSftp started, protocol_version=4
Command:    open "dummyuser@clone-stage-wplogic-net" 22
Command:    Trust new Hostkey: Once
Error:          Disconnected: No supported authentication methods available (server sent: publickey)
Error:          Could not connect to server
Status:         Waiting to retry...
Status:         Connecting to clone-stage-wplogic-net...

Here is the content of my /var/log/auth.log file:

Jun 28 02:47:47 clone-stage-wplogic-net sshd[18017]: error: Received disconnect from xxx.xxx.xx.xxx: 14: No supported authentication methods available [preauth]
Jun 28 02:47:55 clone-stage-wplogic-net sshd[18019]: error: Received disconnect from xxx.xxx.xx.xxx: 14: No supported authentication methods available [preauth]
JohnnyQ
  • SFTP needs the sftp binary on the target host to work. Does the user you log in with have access to that binary? – Johan Jun 27 '16 at 17:23
  • @Johan if you use `internal-sftp`, you don't need the binary in `chroot`. – Jakuje Jun 27 '16 at 21:11
  • @Johan how do I know if the user has access to that binary? – JohnnyQ Jun 28 '16 at 02:27
  • @Jakuje when you use `internal-sftp` does that mean it's using the default binary for sftp on the server? – JohnnyQ Jun 28 '16 at 02:28
  • @Jakuje You are correct sir :) Thanks, didn't know that. – Johan Jun 28 '16 at 08:56
  • @JohnnyQ What do the logs say? Probably in /var/log/messages – Johan Jun 28 '16 at 08:56
  • @Johan I've updated my post. Please see the logs at the edit part. – JohnnyQ Jun 28 '16 at 09:06
  • Set up more verbose logging on the server `LogLevel DEBUG3` and post all relevant logs to your session. – Jakuje Jun 28 '16 at 10:06
  • @JohnnyQ Hmm.. Does the output for: `ssh -o PreferredAuthentications=none -o NoHostAuthenticationForLocalhost=yes localhost` and `ssh -o PreferredAuthentications=none -o NoHostAuthenticationForLocalhost=yes dummyuser@localhost` differ? – Johan Jun 28 '16 at 13:37
  • @Johan I get a `Permission denied (publickey)`. Looks like the sftp server is requiring me to have an ssh key? – JohnnyQ Jul 01 '16 at 11:42
  • @Jakuje actually that's the log level I have with my sftp settings: `Subsystem sftp internal-sftp -f AUTH -l DEBUG3` – JohnnyQ Jul 01 '16 at 11:45
  • I said in the `sshd_config`, not in the Subsystem. What are the new messages you see in the log? – Jakuje Jul 01 '16 at 11:48
  • @Jakuje ah yes that config was from my `sshd_config` file. The same info I pasted above is what I see on the `/var/log/auth.log`. I also made sure that I restarted the SSH service. – JohnnyQ Jul 01 '16 at 13:15
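
Added example, not part of the original thread: a simplified Python model of how sshd resolves `Match` blocks, run on a constructed excerpt of the config in the question. It shows that `PasswordAuthentication yes` applies only when the connecting user is seen as a member of `www-data`; otherwise the global `no` stays in force and only `publickey` is enabled, which matches the `server sent: publickey` line in the FileZilla log. The function names and the group lists passed in are assumptions.

```python
import fnmatch

# Constructed excerpt: only the question's sshd_config lines that affect the result.
SAMPLE_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
Match Group www-data
    ChrootDirectory %h
    ForceCommand internal-sftp
    PasswordAuthentication yes
"""

def criteria_met(spec, user, groups):
    """True when every User/Group criterion on a Match line is satisfied."""
    tokens = spec.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    for crit, patterns in zip(tokens[0::2], tokens[1::2]):
        pats = patterns.split(",")
        if crit.lower() == "user":
            ok = any(fnmatch.fnmatchcase(user, p) for p in pats)
        elif crit.lower() == "group":
            ok = any(fnmatch.fnmatchcase(g, p) for g in groups for p in pats)
        else:  # Host, Address, negation etc. are outside this simplified model
            raise ValueError(f"criterion not modelled: {crit}")
        if not ok:
            return False
    return True

def effective_settings(config_text, user, groups):
    """Resolve keywords as sshd_config(5) describes: the first value wins within
    a section, and satisfied Match blocks override the global section."""
    global_opts, match_opts = {}, {}
    target = global_opts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            # Lines of an unsatisfied Match block go to a throwaway dict.
            target = match_opts if criteria_met(value, user, groups) else {}
            continue
        target.setdefault(key.lower(), value.strip())
    return {**global_opts, **match_opts}

def offered_methods(opts):
    """Which of publickey/password the resolved settings enable (both default to yes)."""
    return [name for name, key in (("publickey", "pubkeyauthentication"),
                                   ("password", "passwordauthentication"))
            if opts.get(key, "yes").lower() == "yes"]
```

On the server itself, `sshd -T -C user=dummyuser,host=localhost,addr=127.0.0.1` prints the settings sshd actually resolves for that user, and `id dummyuser` shows the group membership it will see.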

1 Answer


This is the relevant line from the log file:

Jun 28 02:03:04 clone-stage-wplogic-net sshd[16608]: Invalid user oracle from xxx.xxx.xx.xxx

So, the user oracle is not allowed to connect. The next question is of course why this user is considered invalid, and the answer probably lies here:

Match Group www-data

So, add the user oracle to the group www-data.

Jenny D
  • Thanks, but I think that's a bot that's trying to connect and not related to any of the users I'm trying to log in with. Let me update the logs again. Sorry for that. – JohnnyQ Jun 28 '16 at 09:31
  • @JohnnyQ It would be very helpful if you would include logs that are actually relevant to your question instead of some random unrelated log files, yes. – Jenny D Jun 28 '16 at 09:32