Date: Thu, 26 Mar 2020 14:31:00 -0400
From: David Mehler <dave.mehler@gmail.com>
To: John Johnstone <jjohnstone-freebsdquestions@tridentusa.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: sshd not allowing a subgroup to authenticate according to it's authentication method
Message-ID: <CAPORhP6LLTpCT%2BBY1BAZYKd4UGz7noFGs9JM8xZcCEb5yF8skw@mail.gmail.com>
In-Reply-To: <08e9df84-343c-1cf1-a0eb-ccd63e25deeb@tridentusa.com>
References: <CAPORhP4TQFMVcL1TGUb=Ex%2BDkp%2BP7AP8k8=aNDmhxAz00U=60A@mail.gmail.com> <208460FC-FD0D-48F8-987A-A3B589B3A8B0@huiekin.org> <CAPORhP5pb-oEd0bjbY1uYKvTNr4i1FCpj6yvnTJvjVXy4o8vWA@mail.gmail.com> <08e9df84-343c-1cf1-a0eb-ccd63e25deeb@tridentusa.com>
Hello,

Apparently it is with my AuthenticationMethods option; for some reason, having that defined will not let any MatchGroup definitions take effect. Any ideas?

Thanks.
Dave.

On 3/25/20, John Johnstone <jjohnstone-freebsdquestions@tridentusa.com> wrote:
> On 3/25/20 1:01 AM, David Mehler wrote:
>> Hello,
>>
>> Thanks, actually it's not anyone in the sshusers group, that's working
>> fine, and I am not in sftpusers. Other users are in that group and
>> they're being prompted for public keys and rejected because they're
>> trying to use passwords.
>> Thanks.
>> Dave.
>>
>>
>> On 3/25/20, Jim Trigg <jtrigg@huiekin.org> wrote:
>>> At a guess, you're also a member of sshusers. Try putting the sftpusers
>>> stanza before the sshusers stanza.
>>>
>>> Thanks,
>>> Jim Trigg
>
> I have a configuration for user accounts that are restricted to sftp
> only that is working. Here is a diff of my sshd_config to the original
> 12.0 one.
>
>> diff /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
>> 123,131d121
>> <
>> < Match Group chrootgrp
>> < ChrootDirectory %h
>> < ForceCommand internal-sftp -d data -l INFO
>> < AllowAgentForwarding no
>> < AllowTcpForwarding no
>> < PermitTTY no
>> < PermitTunnel no
>> < X11Forwarding no
>
> The only difference I see to what you have, is that mine doesn't have
>
> PasswordAuthentication yes
>
> A script is used to create new users that does:
>
> pw useradd $username $uidflag -c "$ugecos" -G $groupname -s
> /usr/sbin/nologin -e +$acctexp -w random
>
> where groupname is chrootgrp.
>
> Then it creates the home directory:
>
> mkdir -p /home/$username/data
> chown root:wheel /home/$username
> chown $username:$username /home/$username/data
>
> For syslog logging:
>
> mkdir -p /home/$username/dev
> chown root:wheel /home/$username/dev
>
> With syslogd_flags in /etc/rc.conf getting:
>
> -l /home/$username/dev/log
>
> added to it. Which only works for a small number of users because of
> the 19 additional syslogd sockets limit.
>
> -
> John J.
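Review bot: the `Match Group chrootgrp` block in this hunk limits what a session may do (internal-sftp only, no agent or TCP forwarding, no TTY, no tunnel, no X11) but says nothing about how that group authenticates, so those users inherit whatever the global section sets. OpenSSH permits `AuthenticationMethods` and `PasswordAuthentication` inside a `Match` block, so stating the intended method there would make the stanza self-contained and is the first place to look given Dave's report that a global `AuthenticationMethods` keeps his Match stanza from taking effect. Minor: the diff is run with the edited file first (`diff /etc/ssh/sshd_config /etc/ssh/sshd_config.orig`), which is why the additions appear as `<` lines in a `123,131d121` deletion hunk; swapping the arguments would present them as additions, which reads more naturally as a patch.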
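The `chown root:wheel /home/$username` step in John's script is there because sshd refuses a `ChrootDirectory` unless every component of the path is a root-owned directory that is not writable by group or others. As an added example, not code from the thread or from FreeBSD, the POSIX sh script below checks that rule before a user is handed to sshd: `chroot_mode_ok` works on an ls(1) mode string and owner name so it can be exercised without root, `check_chroot_dir` applies it to a real path via `ls -ld` (used instead of stat(1) because stat's flags differ between FreeBSD and GNU), and `check_chroot_path` walks every component from `/` down. The user name `sftpdemo` is a hypothetical value used only for the demonstration path.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a directory satisfies
# sshd's ChrootDirectory ownership rule (root-owned, no group/other write).

# Pure check on an ls(1) mode string and an owner name.
# Returns 0 when acceptable for ChrootDirectory, 1 otherwise.
chroot_mode_ok() {
    mode="$1"    # e.g. drwxr-xr-x
    owner="$2"   # e.g. root
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        d*) ;;            # must be a directory
        *)  return 1 ;;
    esac
    # group write bit is the 6th character, other write bit the 9th
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    [ "$gw" != "w" ] && [ "$ow" != "w" ]
}

# Apply the check to a real directory by parsing `ls -ld` output:
# field 1 is the mode string, field 3 the owner name.
check_chroot_dir() {
    out=$(ls -ld "$1" 2>/dev/null) || return 1
    set -- $out
    chroot_mode_ok "$1" "$3"
}

# sshd inspects every component of the chroot path, so walk from / down.
# Prints the first rejected component and returns 1, otherwise returns 0.
check_chroot_path() {
    path="$1"
    check_chroot_dir / || { echo "rejected: / (not root-owned or writable by group/other)"; return 1; }
    cur=""
    old_ifs=$IFS
    IFS=/
    set -- $path
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        check_chroot_dir "$cur" || {
            echo "rejected: $cur (missing, not root-owned, or writable by group/other)"
            return 1
        }
    done
    echo "chroot-safe: $path"
}

# Demonstration with a hypothetical user; in the thread's procedure the home
# directory is created with mkdir -p and chown root:wheel before sshd sees it.
check_chroot_path "/home/sftpdemo" || true
```

Run it as root after the `pw useradd`/`mkdir`/`chown` steps and before enabling the account; a rejected component is exactly what sshd will refuse at login time, and the message names which directory to fix.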