From: John Johnstone
To: freebsd-questions@freebsd.org
Subject: Re: sshd not allowing a subgroup to authenticate according to it's authentication method
Date: Wed, 25 Mar 2020 13:42:54 -0400
Message-ID: <08e9df84-343c-1cf1-a0eb-ccd63e25deeb@tridentusa.com>
References: <208460FC-FD0D-48F8-987A-A3B589B3A8B0@huiekin.org>

On 3/25/20 1:01 AM, David Mehler wrote:
> Hello,
>
> Thanks, actually it's not anyone in the sshusers group, that's working
> fine, and I am not in sftpusers. Other users are in that group and
> they're being prompted for public keys and rejected because they're
> trying to use passwords.
> Thanks.
> Dave.
>
>
> On 3/25/20, Jim Trigg wrote:
>> At a guess, you're also a member of sshusers. Try putting the sftpusers
>> stanza before the sshusers stanza.
>>
>> Thanks,
>> Jim Trigg

I have a configuration for user accounts that are restricted to sftp only
that is working. Here is a diff of my sshd_config to the original 12.0 one.

> diff /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
> 123,131d121
> <
> < Match Group chrootgrp
> < ChrootDirectory %h
> < ForceCommand internal-sftp -d data -l INFO
> < AllowAgentForwarding no
> < AllowTcpForwarding no
> < PermitTTY no
> < PermitTunnel no
> < X11Forwarding no

The only difference I see to what you have is that mine doesn't have

PasswordAuthentication yes

A script is used to create new users that does:

pw useradd $username $uidflag -c "$ugecos" -G $groupname -s /usr/sbin/nologin -e +$acctexp -w random

where groupname is chrootgrp. Then it creates the home directory:

mkdir -p /home/$username/data
chown root:wheel /home/$username
chown $username:$username /home/$username/data

For syslog logging:

mkdir -p /home/$username/dev
chown root:wheel /home/$username/dev

With syslogd_flags in /etc/rc.conf getting:

-l /home/$username/dev/log

added to it, which only works for a small number of users because of the
19 additional syslogd sockets limit.

- John J.
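Review bot: the `ChrootDirectory %h` line in the `Match Group chrootgrp` hunk only takes effect when /home/$username and every directory above it are owned by root and not writable by group or others, so the `chown root:wheel /home/$username` step in the user-creation script is a hard requirement of this block rather than a convenience and deserves a comment beside `ChrootDirectory %h` in sshd_config. Likewise `-l INFO` in `ForceCommand internal-sftp -d data -l INFO` only yields log lines once the /home/$username/dev/log socket from the syslogd_flags step exists inside the chroot. A minor readability point: because the arguments are given as modified file then original, the added lines show up as `<` lines under a `d` (delete) hunk; swapping the two paths would show them as `>` lines under an `a` hunk.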
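An added example, not John's script: the provisioning steps above as one sh function, followed by the check sshd itself performs before honouring ChrootDirectory (root-owned, non-group/other-writable path components) and a count of syslogd -l sockets against the limit John mentions. It assumes FreeBSD pw(8), sysrc(8) and syslogd(8), and that $ugecos and $acctexp are set by the caller as in the message.

```shell
#!/bin/sh
# Added example, not John's script: create one chrootgrp sftp user as the message
# describes, then verify what sshd's "ChrootDirectory %h" requires of the path.
# Assumes FreeBSD pw(8)/sysrc(8)/syslogd(8); $ugecos and $acctexp come from the caller.

# sshd chroots only if every component of the path is owned by root (uid 0) and is
# not group- or other-writable; otherwise auth.log shows
# "bad ownership or modes for chroot directory" and the login fails.
chroot_component_ok() {
    [ "$1" -eq 0 ] || return 1               # $1 = owner uid
    [ $(( 0$2 & 022 )) -eq 0 ]               # $2 = octal mode; 022 = group+other write
}

# Walk from the chroot directory up to / and report the first component sshd rejects.
# GNU stat first (BSD stat rejects -c), FreeBSD stat(1) as fallback. data/ sits
# below the chroot, so its user ownership is fine and is not checked.
audit_chroot_path() {
    dir=$1
    while :; do
        set -- $(stat -c '%u %a' "$dir" 2>/dev/null || stat -f '%u %OLp' "$dir")
        chroot_component_ok "$1" "$2" || { echo "reject $dir: uid=$1 mode=$2" >&2; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# syslogd accepts only a limited number of extra -l sockets (19, per the message),
# so count those already in syslogd_flags before adding one more.
count_syslog_sockets() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -c '^-l' || :
}

add_sftp_user() {
    username=$1
    pw useradd "$username" -c "$ugecos" -G chrootgrp -s /usr/sbin/nologin \
        -e "+$acctexp" -w random
    mkdir -p "/home/$username/data" "/home/$username/dev"
    chown root:wheel "/home/$username" "/home/$username/dev"   # root-owned chroot
    chown "$username:$username" "/home/$username/data"         # the only writable part
    audit_chroot_path "/home/$username" || return 1
    flags=$(sysrc -n syslogd_flags)
    if [ "$(count_syslog_sockets "$flags")" -ge 19 ]; then
        echo "syslogd -l socket limit reached; $username gets no sftp logging" >&2
    else
        sysrc syslogd_flags="$flags -l /home/$username/dev/log"
    fi
}

if [ $# -eq 1 ]; then add_sftp_user "$1"; fi
```

Invoke as `sh add_sftp_user.sh alice` as root; `audit_chroot_path /home/alice` can also be run on its own against an existing account that sshd is rejecting.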