From: David Mehler
Date: Thu, 26 Mar 2020 14:31:00 -0400
Subject: Re: sshd not allowing a subgroup to authenticate according to its authentication method
To: John Johnstone
Cc: freebsd-questions@freebsd.org
Hello,

Apparently it is with my AuthenticationMethods option; for some reason having that defined will not let any Match Group definitions take effect. Any ideas?

Thanks.
Dave.

On 3/25/20, John Johnstone wrote:
> On 3/25/20 1:01 AM, David Mehler wrote:
>> Hello,
>>
>> Thanks, actually it's not anyone in the sshusers group, that's working
>> fine, and I am not in sftpusers. Other users are in that group and
>> they're being prompted for public keys and rejected because they're
>> trying to use passwords.
>> Thanks.
>> Dave.
>>
>>
>> On 3/25/20, Jim Trigg wrote:
>>> At a guess, you're also a member of sshusers. Try putting the sftpusers
>>> stanza before the sshusers stanza.
>>>
>>> Thanks,
>>> Jim Trigg
>
> I have a configuration for user accounts that are restricted to sftp
> only that is working. Here is a diff of my sshd_config to the original
> 12.0 one.
>
>> diff /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
>> 123,131d121
>> <
>> < Match Group chrootgrp
>> < ChrootDirectory %h
>> < ForceCommand internal-sftp -d data -l INFO
>> < AllowAgentForwarding no
>> < AllowTcpForwarding no
>> < PermitTTY no
>> < PermitTunnel no
>> < X11Forwarding no
>
> The only difference I see to what you have, is that mine doesn't have
>
> PasswordAuthentication yes
>
> A script is used to create new users that does:
>
> pw useradd $username $uidflag -c "$ugecos" -G $groupname -s
> /usr/sbin/nologin -e +$acctexp -w random
>
> where groupname is chrootgrp.
>
> Then it creates the home directory:
>
> mkdir -p /home/$username/data
> chown root:wheel /home/$username
> chown $username:$username /home/$username/data
>
> For syslog logging:
>
> mkdir -p /home/$username/dev
> chown root:wheel /home/$username/dev
>
> With syslogd_flags in /etc/rc.conf getting:
>
> -l /home/$username/dev/log
>
> added to it. Which only works for a small number of users because of
> the 19 additional syslogd sockets limit.
>
> -
> John J.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>
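Review bot: the Match Group chrootgrp block in the quoted hunk sets nothing about authentication, so these accounts still get whatever AuthenticationMethods and PasswordAuthentication the global section of sshd_config specifies; both keywords are accepted inside a Match block, so if the sftp-only group is meant to log in with passwords while everyone else uses keys, put `AuthenticationMethods password` and `PasswordAuthentication yes` under this Match line rather than changing them globally. Two points worth stating next to the hunk: sshd uses the first value obtained for each keyword, so when a user matches more than one Match block the earliest block that sets a keyword wins (which is why ordering the narrower group's stanza first, as the quoted reply suggests, matters), and ChrootDirectory %h requires the home directory and every directory above it to be root-owned and not group- or world-writable, which the chown root:wheel /home/$username step in the script satisfies while the data subdirectory stays user-owned.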