The user is not expired.
# chage -l my_new_sftp_user
Last password change : Apr 27, 2017
Password expires : never
Password inactive : never
Account expires : never
[...]
For the shell stuff: not having a shell is part of what I want. I want the user to only be able to use the sftp protocol. Thus the shell is set to /bin/false.
I pretty much did what is described in here by the way:
https://askubuntu.com/questions/598870/ ... -directory
and here:
http://stackoverflow.com/questions/2309 ... -directory
As a result you can't use a plain ssh command (which is desired).
For the sake of completeness here is the verbose output for it:
https://pastebin.com/SJJFFZcp
However from my understanding it should be possible to call
$ ssh -v my_new_sftp_user@example.com /usr/lib/openssh/sftp-server.
However, it doesn't work either. The output is absolutely identical, with the exception that the line "Connection to example.com closed." is missing at the end and it just says "closed by remote host".
I had a look at /var/log/auth.log and it seems that there was a permission issue. According to https://serverfault.com/questions/58498 ... -component every node of the path provided by ChrootDirectory has to be owned by root and no other users or groups should be given write access to them. This was not met because I used the home directory %h, which is /home/my_new_sftp_user and was owned by my_new_sftp_user. Now I created a subdirectory www, made it the home directory of my_new_sftp_user and set ChrootDirectory directly to /home/my_new_sftp_user.
Unfortunately the problems don't stop here. Filezilla now displays a different error message:
Command: open "my_new_sftp_user@example.com" 22
Command: Trust new Hostkey: Once
Command: Pass: ***
Status: Connected to example.com
Error: Received unexpected end-of-file from SFTP server
Error: Could not connect to server
In /var/log/auth.log the following now shows up:
Apr 28 23:21:28 servername sshd[17163]: Accepted password for my_new_sftp_user from 987.654.32.1 port 34188 ssh2
Apr 28 23:21:28 servername sshd[17163]: pam_unix(sshd:session): session opened for user my_new_sftp_user by (uid=0)
Apr 28 23:21:28 servername sshd[17165]: Received disconnect from 987.654.32.1: 11: disconnected by user
Apr 28 23:21:28 servername sshd[17163]: pam_unix(sshd:session): session closed for user my_new_sftp_user
I retried calling $ ssh -v [...] sftp-server and to my surprise it gave me the following error message:
debug1: Entering interactive session.
debug1: pledge: network
debug1: Sending command: /usr/lib/openssh/sftp-server
Could not chdir to home directory /home/my_new_sftp_user/www: No such file or directory
/bin/false: No such file or directory
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
I also tried to give this user a shell and retried. However, it prints the same message, except that /bin/false is now /bin/bash.
My suspicion is that the ssh server tries to chroot to /home/my_new_sftp_user/ and then change the directory literally to /home/my_new_sftp_user/www, which should be just www/.
As a dirty workaround I tried to change the home directory literally to "www", created a script via "mkdir bin && echo '#!/bin/bash' > bin/false && chmod +x bin/false" inside "/home/my_new_sftp_user/" and changed the shell to "bin/false".
The "Could not chdir to home directory" message is gone now. But it still complains about "bin/false" not existing. Even if it did work, I feel like this is the wrong solution anyway.
Thanks for the help so far.
But what now?
EDIT:
I checked that the directory actually exists, of course:
# su - my_new_sftp_user
$ pwd
/home/my_new_sftp_user/www
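Added example (this is not code from the post or from the OpenSSH project): a small POSIX shell script that checks a candidate ChrootDirectory the way sshd does, following the rule quoted above from the serverfault answer (every component of the path must be owned by root and must not be group- or world-writable), and prints the sshd_config Match block for an sftp-only account. It assumes a Linux host with GNU stat; the user name and path are the ones from the post, and the constructed temporary tree in the demo is only there to show a rejected component.

```shell
#!/bin/sh
# Added example, not code from the forum post. Checks a candidate
# ChrootDirectory the way sshd does (every path component must be owned
# by root and must not be group- or world-writable) and prints the
# sshd_config Match block for an sftp-only user. Assumes GNU stat (Linux).

# check_component UID MODE PATH
# Pure check on already-gathered stat values: prints the reason and
# returns 1 if PATH would make sshd refuse the chroot, 0 otherwise.
check_component() {
    uid=$1; mode=$2; path=$3
    if [ "$uid" -ne 0 ]; then
        echo "$path: not owned by root (uid $uid)"
        return 1
    fi
    # 022 (octal) selects the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$path: group- or world-writable (mode $mode)"
        return 1
    fi
    return 0
}

# check_chroot_path DIR
# Walks from DIR up to / and reports every offending component.
# Returns 0 only if the whole chain is acceptable to sshd.
check_chroot_path() {
    p=$1
    status=0
    while :; do
        uid=$(stat -c '%u' "$p") || return 2
        mode=$(stat -c '%a' "$p") || return 2
        check_component "$uid" "$mode" "$p" || status=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $status
}

# print_sftp_match_block USER CHROOT
# ForceCommand internal-sftp runs the SFTP server inside sshd itself, so
# neither the login shell nor /usr/lib/openssh/sftp-server has to exist
# inside the chroot.
print_sftp_match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Demo on a constructed temporary tree. On the real host run, as root,
# check_chroot_path /home/my_new_sftp_user before reloading sshd.
demo=$(mktemp -d)
mkdir -p "$demo/chroot/www"
chmod 775 "$demo/chroot"          # group-writable: sshd would reject this
if check_chroot_path "$demo/chroot"; then
    echo "chroot path OK"
else
    echo "chroot path rejected (see reasons above)"
fi
print_sftp_match_block my_new_sftp_user /home/my_new_sftp_user
rm -rf "$demo"
```

Two points the script is built around: after sshd enters the chroot it still starts the account's login shell to run whatever command the client asked for, so with an external command such as /usr/lib/openssh/sftp-server both the shell (/bin/false or /bin/bash) and the sftp-server binary would have to exist inside /home/my_new_sftp_user; ForceCommand internal-sftp needs neither. And the chroot root itself stays root-owned and non-writable, so the writable place for uploads is a subdirectory such as www owned by the user inside it.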