Date: Wed, 25 Mar 2020 13:42:54 -0400 From: John Johnstone <jjohnstone-freebsdquestions@tridentusa.com> To: freebsd-questions@freebsd.org Subject: Re: sshd not allowing a subgroup to authenticate according to it's authentication method Message-ID: <08e9df84-343c-1cf1-a0eb-ccd63e25deeb@tridentusa.com> In-Reply-To: <CAPORhP5pb-oEd0bjbY1uYKvTNr4i1FCpj6yvnTJvjVXy4o8vWA@mail.gmail.com> References: <CAPORhP4TQFMVcL1TGUb=Ex%2BDkp%2BP7AP8k8=aNDmhxAz00U=60A@mail.gmail.com> <208460FC-FD0D-48F8-987A-A3B589B3A8B0@huiekin.org> <CAPORhP5pb-oEd0bjbY1uYKvTNr4i1FCpj6yvnTJvjVXy4o8vWA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 3/25/20 1:01 AM, David Mehler wrote: > Hello, > > Thanks, actually it's not anyone in the sshusers group, that's working > fine, and I am not in sftpusers. Other users are in that group and > they're being prompted for public keys and rejected because they're > trying to use passwords. > Thanks. > Dave. > > > On 3/25/20, Jim Trigg <jtrigg@huiekin.org> wrote: >> At a guess, you're also a member of sshusers. Try putting the sftpusers >> stanza before the sshusers stanza. >> >> Thanks, >> Jim Trigg I have a configuration for user accounts that are restricted to sftp only that is working. Here is a diff of my sshd_config to the original 12.0 one. > diff /etc/ssh/sshd_config /etc/ssh/sshd_config.orig > 123,131d121 > < > < Match Group chrootgrp > < ChrootDirectory %h > < ForceCommand internal-sftp -d data -l INFO > < AllowAgentForwarding no > < AllowTcpForwarding no > < PermitTTY no > < PermitTunnel no > < X11Forwarding no The only difference I see to what you have, is that mine doesn't have PasswordAuthentication yes A script is used to create new users that does: pw useradd $username $uidflag -c "$ugecos" -G $groupname -s /usr/sbin/nologin -e +$acctexp -w random where groupname is chrootgrp. Then it creates the home directory: mkdir -p /home/$username/data chown root:wheel /home/$username chown $username:$username /home/$username/data For syslog logging: mkdir -p /home/$username/dev chown root:wheel /home/$username/dev With syslogd_flags in /etc/rc.conf getting: -l /home/$username/dev/log added to it. Which only works for a small number of users because of the 19 additional syslogd sockets limit. - John J.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?08e9df84-343c-1cf1-a0eb-ccd63e25deeb>