Daryl

Reputation: 792

How to Setup SFTP with Publickey and Password on Ubuntu

I am having difficulty setting up "SFTP Only" login with two factor authentication of "Public Key" and "Password".

I am running on Ubuntu 16 and using openssh-server.

Regular users are able to log in successfully using a Public Key and Password. However, my "SFTP Only" users are getting errors logging in.

vim /etc/ssh/sshd_config

AuthenticationMethods publickey,password
PubkeyAuthentication yes
PasswordAuthentication yes

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

Other System Commands:

addgroup --system sftponly
usermod -G sftponly username
usermod -s /bin/false username
service ssh restart

Below is a WinSCP log of one of my "SFTP Only" user login attempts.

. 2019-02-01 13:45:42.060 --------------------------------------------------------------------------
. 2019-02-01 13:45:42.060 WinSCP Version 5.13.4 (Build 8731) (OS 10.0.17134 - Windows 10 Enterprise)
. 2019-02-01 13:45:42.060 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2019-02-01 13:45:42.060 Log level: Normal
. 2019-02-01 13:45:42.060 Local account: MY-PC\User
. 2019-02-01 13:45:42.060 Working directory: C:\Program Files (x86)\WinSCP
. 2019-02-01 13:45:42.060 Process ID: 8160
. 2019-02-01 13:45:42.060 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe" 
. 2019-02-01 13:45:42.060 Time zone: Current: GMT-7, Standard: GMT-7 (Mountain Standard Time), DST: GMT-6 (Mountain Daylight Time), DST Start: 3/10/2019, DST End: 11/3/2019
. 2019-02-01 13:45:42.060 Login time: Friday, February 01, 2019 1:45:42 PM
. 2019-02-01 13:45:42.060 --------------------------------------------------------------------------
. 2019-02-01 13:45:42.060 Session name: SFTP Testing (Site)
. 2019-02-01 13:45:42.060 Host name: x.x.x.x (Port: 22)
. 2019-02-01 13:45:42.060 User name: username (Password: No, Key file: Yes, Passphrase: No)
. 2019-02-01 13:45:42.060 Tunnel: No
. 2019-02-01 13:45:42.060 Transfer Protocol: SFTP (SCP)
. 2019-02-01 13:45:42.060 Ping type: Off, Ping interval: 30 sec; Timeout: 15 sec
. 2019-02-01 13:45:42.060 Disable Nagle: No
. 2019-02-01 13:45:42.060 Proxy: None
. 2019-02-01 13:45:42.060 Send buffer: 262144
. 2019-02-01 13:45:42.060 SSH protocol version: 2; Compression: No
. 2019-02-01 13:45:42.060 Bypass authentication: No
. 2019-02-01 13:45:42.060 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2019-02-01 13:45:42.060 GSSAPI: Forwarding: No; Libs: gssapi32,sspi,custom; Custom: 
. 2019-02-01 13:45:42.060 Ciphers: aes,chacha20,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2019-02-01 13:45:42.060 KEX: ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1
. 2019-02-01 13:45:42.060 SSH Bugs: Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto
. 2019-02-01 13:45:42.060 Simple channel: Yes
. 2019-02-01 13:45:42.060 Return code variable: Autodetect; Lookup user groups: Auto
. 2019-02-01 13:45:42.060 Shell: default
. 2019-02-01 13:45:42.060 EOL: LF, UTF: Auto
. 2019-02-01 13:45:42.060 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes; Follow directory symlinks: No
. 2019-02-01 13:45:42.060 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No
. 2019-02-01 13:45:42.060 SFTP Bugs: Auto,Auto
. 2019-02-01 13:45:42.060 SFTP Server: default
. 2019-02-01 13:45:42.060 Local directory: default, Remote directory: /home/username, Update: Yes, Cache: Yes
. 2019-02-01 13:45:42.060 Cache directory changes: Yes, Permanent: Yes
. 2019-02-01 13:45:42.060 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2019-02-01 13:45:42.060 DST mode: Unix
. 2019-02-01 13:45:42.060 --------------------------------------------------------------------------
. 2019-02-01 13:45:42.107 Looking up host "x.x.x.x" for SSH connection
. 2019-02-01 13:45:42.107 Connecting to x.x.x.x port 22
. 2019-02-01 13:45:42.138 We claim version: SSH-2.0-WinSCP_release_5.13.4
. 2019-02-01 13:45:42.170 Server version: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4
. 2019-02-01 13:45:42.170 Using SSH protocol version 2
. 2019-02-01 13:45:42.170 Have a known host key of type ssh-ed25519
. 2019-02-01 13:45:42.185 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2019-02-01 13:45:42.670 Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
. 2019-02-01 13:45:42.670 Host key fingerprint is:
. 2019-02-01 13:45:42.670 ssh-ed25519 256 73:39:d8:0c:ed:dc:4b:ed:da:8f:a8:e8:20:ed:9e:1d 0Uaf91MV9sMQESUTp8X9a8l4nHeUKohN/XuDBAI+jG4=
. 2019-02-01 13:45:42.716 Host key matches cached key
. 2019-02-01 13:45:42.716 Initialised AES-256 SDCTR client->server encryption
. 2019-02-01 13:45:42.716 Initialised HMAC-SHA-256 client->server MAC algorithm
. 2019-02-01 13:45:42.716 Initialised AES-256 SDCTR server->client encryption
. 2019-02-01 13:45:42.716 Initialised HMAC-SHA-256 server->client MAC algorithm
. 2019-02-01 13:45:42.810 Reading key file "C:\Users\User\Documents\ssh-keys\username_private.ppk"
! 2019-02-01 13:45:42.810 Using username "username".
. 2019-02-01 13:45:42.873 Server offered these authentication methods: publickey
. 2019-02-01 13:45:42.873 Offered public key
. 2019-02-01 13:45:42.904 Offer of public key accepted
! 2019-02-01 13:45:42.904 Authenticating with public key "imported-openssh-key"
. 2019-02-01 13:45:43.029 Sent public key signature
! 2019-02-01 13:45:43.060 Further authentication required
. 2019-02-01 13:45:43.107 Further authentication required
. 2019-02-01 13:45:43.107 Server offered these authentication methods: password
. 2019-02-01 13:45:43.107 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2019-02-01 13:45:45.967 Sent password
. 2019-02-01 13:45:45.999 Access granted
. 2019-02-01 13:45:45.999 Opening session as main channel
. 2019-02-01 13:45:46.514 Network error: Software caused connection abort
* 2019-02-01 13:45:46.530 (EFatal) Network error: Software caused connection abort
* 2019-02-01 13:45:46.530 Authentication log (see session log for details):
* 2019-02-01 13:45:46.530 Using username "username".
* 2019-02-01 13:45:46.530 Authenticating with public key "imported-openssh-key".
* 2019-02-01 13:45:46.530 Further authentication required
* 2019-02-01 13:45:46.530 
* 2019-02-01 13:45:46.530 Authentication failed.

Users who are not a member of the "sftponly" group are able to use two factor authentication as intended.

Anyone know why users that are members of the "sftponly" group are unable to log in with two factor authentication?

Upvotes: 2

Views: 2945

Answers (1)

Tyler Pranger

Reputation: 155

The problem you are experiencing is due to file and owner permissions of the user's home folder.

chown root:root /home/username
chmod 755 /home/username

Upvotes: 6
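As an added example (not code from the thread), a POSIX sh check of the condition the answer points at: sshd only chroots a user if the ChrootDirectory and every parent directory up to / are root-owned and not group/world writable, and when that fails it accepts the authentication and then drops the session, which is the "Access granted" followed by "connection abort" sequence in the WinSCP log. It assumes GNU stat (Linux); the TOP and OWNER_UID parameters are hypothetical additions so the check can be exercised on a test tree outside /.

```shell
#!/bin/sh
# Added example, not from the thread: verify that DIR and all its ancestors
# satisfy sshd's ChrootDirectory rules (owned by root, no group/other write).
#
# Usage: check_chroot_path DIR [TOP] [OWNER_UID]
#   TOP        ancestor at which to stop (default /, which is what sshd checks)
#   OWNER_UID  required owner uid (default 0 = root, as sshd requires)
# Both optional parameters exist only so the check can be run on a test tree.
check_chroot_path() {
    start=$1
    dir=$1
    top=${2:-/}
    want_uid=${3:-0}
    while :; do
        # uid and octal mode of the directory (GNU stat)
        info=$(stat -c '%u %a' "$dir") || { echo "cannot stat $dir"; return 1; }
        set -- $info
        uid=$1
        mode=$(printf '%04d' "$2")       # zero-pad, e.g. 755 -> 0755, 1777 stays
        go=${mode%?}                     # drop the "other" digit
        g=${go#${go%?}}                  # group digit
        o=${mode#${mode%?}}              # other digit
        if [ "$uid" -ne "$want_uid" ]; then
            echo "FAIL: $dir is owned by uid $uid, must be owned by uid $want_uid"
            return 1
        fi
        # write bit is 2 in each octal digit
        if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
            echo "FAIL: $dir has mode $mode; group/other write bit must be clear"
            return 1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then
            echo "OK: $start and its parents are acceptable as ChrootDirectory"
            return 0
        fi
        dir=$(dirname "$dir")
    done
}

# Run directly against a real chroot, e.g.: sh check_chroot.sh /home/username
if [ -n "${1:-}" ]; then
    check_chroot_path "$1"
fi
```

Once the home directory is root-owned as the answer prescribes, the user can no longer write at the chroot root itself, so uploads need a user-owned subdirectory inside it (for example /home/username/upload owned by the user).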
