sshd not allowing a subgroup to authenticate according to its authentication method
John Johnstone
jjohnstone-freebsdquestions at tridentusa.com
Wed Mar 25 17:43:36 UTC 2020
On 3/25/20 1:01 AM, David Mehler wrote:
> Hello,
>
> Thanks, actually it's not anyone in the sshusers group, that's working
> fine, and I am not in sftpusers. Other users are in that group and
> they're being prompted for public keys and rejected because they're
> trying to use passwords.
> Thanks.
> Dave.
>
>
> On 3/25/20, Jim Trigg <jtrigg at huiekin.org> wrote:
>> At a guess, you're also a member of sshusers. Try putting the sftpusers
>> stanza before the sshusers stanza.
>>
>> Thanks,
>> Jim Trigg
I have a working configuration for user accounts that are restricted to sftp
only. Here is a diff of my sshd_config against the original
12.0 one.
> diff /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
> 123,131d121
> <
> < Match Group chrootgrp
> < ChrootDirectory %h
> < ForceCommand internal-sftp -d data -l INFO
> < AllowAgentForwarding no
> < AllowTcpForwarding no
> < PermitTTY no
> < PermitTunnel no
> < X11Forwarding no
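Review bot: the Match Group chrootgrp stanza restricts what the session may do (ChrootDirectory, ForceCommand, no forwarding, no TTY) but says nothing about how the group authenticates, so chrootgrp members inherit whatever PasswordAuthentication / AuthenticationMethods value is set globally; since this thread is about giving one group its own authentication method, state it explicitly inside the stanza (for example `PasswordAuthentication no` or `AuthenticationMethods publickey`) so the intent survives a later change to the global default. Two things the hunk relies on but does not show: ChrootDirectory %h only works when the home directory and every parent component are owned by root and not group- or world-writable (the `chown root:wheel /home/$username` step below does that), and `internal-sftp -l INFO` only produces log lines if a syslog socket exists inside the chroot (the /home/$username/dev/log step below).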
The only difference I see from what you have is that mine doesn't have
PasswordAuthentication yes
A script is used to create new users that does:
pw useradd $username $uidflag -c "$ugecos" -G $groupname -s /usr/sbin/nologin -e +$acctexp -w random
where groupname is chrootgrp.
Then it creates the home directory:
mkdir -p /home/$username/data
chown root:wheel /home/$username
chown $username:$username /home/$username/data
For syslog logging:
mkdir -p /home/$username/dev
chown root:wheel /home/$username/dev
With syslogd_flags in /etc/rc.conf getting:
-l /home/$username/dev/log
added to it. This only works for a small number of users because of
the limit of 19 additional syslogd sockets.
-
John J.