[Gllug] Non-interactive sftp

Steve Nelson sanelson at gmail.com
Mon Oct 10 12:08:55 UTC 2005


Hi Chums,

I'm trying to allow sftp using key-based authentication so that some
critical files can be transferred securely via cron.  I don't want to
allow the ftp user an interactive shell.

I've set up key-based authentication, and verified this works with
ssh/scp and an interactive shell.  I then set the ftp user's login
shell to /bin/true.  /bin/true is in /etc/shells, all directories in the
/path/to/ftp/user are chmod'd a+x, but when I try to sftp a test file,
the client debug output says "couldn't canonicalise - permission denied"
after accepting keys and calling the sftp subsystem.  What have I missed?

S.

Debug output:

On the server:

bash-2.03# /usr/local/sbin/sshd -D -d

debug1: sshd version OpenSSH_3.7.1p2
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.

Then on the client:

$ sftp -v -b sftp_batch tester@n1405b.bananna.co.uk.dock:/local/home/ftp/tester/in
Connecting to n1405b.bananna.co.uk.dock...
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.6m 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: /etc/ssh/ssh_config line 21: Deprecated option "RhostsAuthentication"
debug1: Connecting to n1405b.bananna.co.uk.dock [10.192.20.6] port 22.
debug1: Connection established.
debug1: identity file /local/home/nelsost1/.ssh/identity type -1
debug1: identity file /local/home/nelsost1/.ssh/id_rsa type -1
debug1: identity file /local/home/nelsost1/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p2
debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'n1405b.bananna.co.uk.dock' is known and matches the RSA host key.
debug1: Found key in /local/home/nelsost1/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /local/home/nelsost1/.ssh/identity
debug1: Trying private key: /local/home/nelsost1/.ssh/id_rsa
debug1: Offering public key: /local/home/nelsost1/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending subsystem: sftp
Couldn't canonicalise: Permission denied
Need cwd
[nelsost1@isasecdb1 nelsost1]$ debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0

The server shows:

debug1: Server will not fork when running in debugging mode.
Connection from 10.108.24.109 port 35229
debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p2
debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.7.1p2
debug1: permanently_set_uid: 200/200
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user tester service ssh-connection method none
debug1: attempt 0 failures 0
debug1: userauth_banner: sent
Failed none for tester from 10.108.24.109 port 35229 ssh2
Failed none for tester from 10.108.24.109 port 35229 ssh2
debug1: userauth-request for user tester service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 65539/1 (e=0/1)
debug1: trying public key file /local/home/ftp/tester/.ssh/authorized_keys
debug1: matching key found: file /local/home/ftp/tester/.ssh/authorized_keys, line 2
Found matching DSA key: 6e:d4:75:d8:b1:94:32:ba:63:ee:52:f0:bc:f7:56:fe
debug1: restore_uid: 0/1
Postponed publickey for tester from 10.108.24.109 port 35229 ssh2
debug1: userauth-request for user tester service ssh-connection method publickey
debug1: attempt 2 failures 1
debug1: temporarily_use_uid: 65539/1 (e=0/1)
debug1: trying public key file /local/home/ftp/tester/.ssh/authorized_keys
debug1: matching key found: file /local/home/ftp/tester/.ssh/authorized_keys, line 2
Found matching DSA key: 6e:d4:75:d8:b1:94:32:ba:63:ee:52:f0:bc:f7:56:fe
debug1: restore_uid: 0/1
debug1: ssh_dss_verify: signature correct
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
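An added pre-flight check for a setup like the one described in the post (editor's example, not from the poster). It verifies the three things the post relies on: that the account's login shell actually executes a `-c` command (sshd starts a subsystem as `$SHELL -c /path/to/sftp-server`, so a shell that ignores its arguments and exits 0 never starts sftp-server), that the shell is listed in /etc/shells, and that every directory on the way to the upload path is searchable. The path, shell and shells file are parameters, so the assumed values in the usage line stand in for the real account's.

```shell
#!/bin/sh
# Pre-flight checks for a key-only, cron-driven sftp account (added example).
# sshd runs a subsystem by executing the account's login shell as
# "$SHELL -c /path/to/sftp-server", so the shell must honour -c.
# The shells file is a parameter so the checks can run against a fixture.

# Does this shell run "-c <command>" and pass the command's exit status
# through?  /bin/true ignores its arguments and always exits 0.
shell_runs_commands() {
    status=0
    "$1" -c 'exit 7' 2>/dev/null || status=$?
    [ "$status" -eq 7 ]
}

# Is the shell listed (exact line match) in the shells file?
shell_is_listed() {
    grep -qx -- "$1" "${2:-/etc/shells}" 2>/dev/null
}

# Every directory component of the target must exist and be searchable.
path_is_searchable() {
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        [ -d "$p" ] && [ -x "$p" ] || return 1
        p=$(dirname "$p")
    done
}

# Run all checks: one line of output per check, non-zero if any fail.
check_sftp_account() {
    shell=$1 target=$2 shells_file=${3:-/etc/shells} rc=0
    if shell_runs_commands "$shell"; then echo "ok   : $shell executes -c commands"
    else echo "FAIL : $shell ignores -c, sftp-server would never start"; rc=1; fi
    if shell_is_listed "$shell" "$shells_file"; then echo "ok   : $shell listed in $shells_file"
    else echo "FAIL : $shell not listed in $shells_file"; rc=1; fi
    if path_is_searchable "$target"; then echo "ok   : $target is reachable"
    else echo "FAIL : a component of $target is missing or not searchable"; rc=1; fi
    return "$rc"
}

# Usage: ./check_sftp_account.sh <login-shell> <upload-dir> [shells-file]
# e.g. ./check_sftp_account.sh /bin/true /local/home/ftp/tester/in
if [ "$#" -ge 2 ]; then check_sftp_account "$1" "$2" "$3"; fi
```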