Date:      Wed, 25 Mar 2020 13:42:54 -0400
From:      John Johnstone <jjohnstone-freebsdquestions@tridentusa.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: sshd not allowing a subgroup to authenticate according to it's authentication method
Message-ID:  <08e9df84-343c-1cf1-a0eb-ccd63e25deeb@tridentusa.com>
In-Reply-To: <CAPORhP5pb-oEd0bjbY1uYKvTNr4i1FCpj6yvnTJvjVXy4o8vWA@mail.gmail.com>
References:  <CAPORhP4TQFMVcL1TGUb=Ex%2BDkp%2BP7AP8k8=aNDmhxAz00U=60A@mail.gmail.com> <208460FC-FD0D-48F8-987A-A3B589B3A8B0@huiekin.org> <CAPORhP5pb-oEd0bjbY1uYKvTNr4i1FCpj6yvnTJvjVXy4o8vWA@mail.gmail.com>

On 3/25/20 1:01 AM, David Mehler wrote:
> Hello,
> 
> Thanks, actually it's not anyone in the sshusers group, that's working
> fine, and I am not in sftpusers. Other users are in that group and
> they're being prompted for public keys and rejected because they're
> trying to use passwords.
> Thanks.
> Dave.
> 
> 
> On 3/25/20, Jim Trigg <jtrigg@huiekin.org> wrote:
>> At a guess, you're also a member of sshusers. Try putting the sftpusers
>> stanza before the sshusers stanza.
>>
>> Thanks,
>> Jim Trigg

I have a working configuration for user accounts that are restricted to 
sftp only.  Here is a diff of my sshd_config against the original 
12.0 one.

> diff /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
> 123,131d121
> < 
> < Match Group chrootgrp
> <        ChrootDirectory %h
> <        ForceCommand internal-sftp -d data -l INFO
> <        AllowAgentForwarding no
> <        AllowTcpForwarding no
> <        PermitTTY no
> <        PermitTunnel no
> <        X11Forwarding no
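Review bot: the Match block relies on ChrootDirectory %h, which sshd only honours when the home directory and every directory above it are owned by root and not writable by group or others; otherwise the login fails with "bad ownership or modes for chroot directory". The chown root:wheel /home/$username step later in this message is what satisfies that, and it is why the user can only write inside the data subdirectory that ForceCommand internal-sftp -d data opens. Two reading notes: the diff was run as `diff sshd_config sshd_config.orig`, so the added lines show as `<` with a `d` hunk, and a Match block runs to the next Match keyword or end of file, so it has to remain the last section, as it does here at lines 123-131. Nothing in the block sets PasswordAuthentication or AuthenticationMethods, so chrootgrp members inherit whatever the global section allows.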

The only difference I see from what you have is that mine doesn't have

PasswordAuthentication yes

A script is used to create new users that does:

pw useradd $username $uidflag -c "$ugecos" -G $groupname -s /usr/sbin/nologin -e +$acctexp -w random

where groupname is chrootgrp.

Then it creates the home directory:

mkdir -p /home/$username/data
chown root:wheel /home/$username
chown $username:$username /home/$username/data

For syslog logging:

mkdir -p /home/$username/dev
chown root:wheel /home/$username/dev

With syslogd_flags in /etc/rc.conf getting:

-l /home/$username/dev/log

added to it, which only works for a small number of users because of 
the limit of 19 additional syslogd sockets.

-
John J.
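As an added example that is not John's script or any FreeBSD code, the following FreeBSD sh script carries out the procedure described in the message above (pw useradd with no shell and a random password, a root-owned chroot home with a user-owned data subdirectory, a dev directory for the syslogd socket, and the extra syslogd_flags entry) and adds the ownership and mode walk that sshd performs before it honours ChrootDirectory. Assumptions: the group chrootgrp already exists, sysrc(8) with "+=" is used to append to syslogd_flags in /etc/rc.conf, and the user names, UIDs and expiry values in the demo are constructed.

```shell
#!/bin/sh
# Added example, not John J.'s script: reproduces the sftp-only chroot
# account procedure from the message on FreeBSD 12 and adds the ownership
# check sshd applies to ChrootDirectory. The group chrootgrp is assumed to
# exist already; usernames, UIDs and expiry values are constructed.
set -eu

GROUP=chrootgrp             # the group named in "Match Group chrootgrp"
HOMEBASE=/home
DRY_RUN=${DRY_RUN:-1}       # 1 prints the commands, 0 runs them (as root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# make_sftp_user USER UID-OR-EMPTY GECOS EXPIRY
# EXPIRY is pw(8)'s relative form, e.g. 1y for one year from today.
make_sftp_user() {
    username=$1; uid=$2; gecos=$3; acctexp=$4
    uidflag=${uid:+-u $uid}

    # No shell, random password, member of the chroot group (pw also
    # creates the per-user primary group used for the data directory).
    run pw useradd "$username" $uidflag -c "$gecos" -G "$GROUP" \
        -s /usr/sbin/nologin -e "+$acctexp" -w random

    # sshd refuses ChrootDirectory %h unless the home and all of its
    # parents are root-owned and not group/world writable, so the user
    # only owns the data subdirectory that internal-sftp -d data opens.
    run mkdir -p "$HOMEBASE/$username/data"
    run chown root:wheel "$HOMEBASE/$username"
    run chmod 0755 "$HOMEBASE/$username"
    run chown "$username:$username" "$HOMEBASE/$username/data"

    # Socket directory for syslogd's extra -l listener, so that
    # internal-sftp -l INFO can log through /dev/log inside the chroot.
    run mkdir -p "$HOMEBASE/$username/dev"
    run chown root:wheel "$HOMEBASE/$username/dev"
    # Assumption: sysrc(8) "+=" appends the flag to syslogd_flags in rc.conf.
    run sysrc "syslogd_flags+=-l $HOMEBASE/$username/dev/log"
}

# check_chroot_path DIR [UID] [TOP]
# Walk from DIR up to TOP (default /) and fail on the first directory that
# is not owned by UID (default 0) or is writable by group or others: the
# same test sshd applies before honouring ChrootDirectory.
check_chroot_path() {
    dir=$1; want_uid=${2:-0}; top=${3:-/}
    while :; do
        set -- $(ls -ldn "$dir")        # mode links uid gid ...
        case $1 in
            ?????w*|????????w*)         # group (char 6) or other (char 9) write
                echo "group/world writable: $dir ($1)" >&2; return 1 ;;
        esac
        if [ "$3" != "$want_uid" ]; then
            echo "not owned by uid $want_uid: $dir (uid $3)" >&2; return 1
        fi
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = / ] && { echo "reached / without meeting $top" >&2; return 1; }
        dir=$(dirname "$dir")
    done
}

# Demo (constructed account): sh sftpuser.sh demo prints the commands;
# DRY_RUN=0 sh sftpuser.sh demo applies them as root.
if [ "${1:-}" = demo ]; then
    make_sftp_user alice 10001 "Alice Example" 1y
    [ "$DRY_RUN" = 1 ] || check_chroot_path "$HOMEBASE/alice"
fi
```

Run check_chroot_path /home/USER after creating an account, or whenever an sftp login fails right after authentication; a single group-writable parent such as /home is enough to trigger the chroot refusal, and the function names the offending directory.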



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?08e9df84-343c-1cf1-a0eb-ccd63e25deeb>