| === amurray_ is now known as amurray | ||
| kb8un | Hi, I am new to IRC. I asked the question below to #openssh but I think the question relates more to the how gid/uid and permission works in linux system so I will repeat the question below, if I may. | 05:14 |
|---|---|---|
| kb8un | I have just set up sftp on ubuntu server 20.04 and followed the instruction below: | 05:14 |
| kb8un | https://linuxhint.com/setup-sftp-server-ubuntu/ | 05:14 |
| kb8un | I've added user account 'user1' under group 'sftp' but when I log into the sFTP using 'user1' account, I can also see the user account folder of the admin - 'sftp_admin'. I'm trying set it up so any new user that I add can only see their account. | 05:14 |
| kb8un | ```bash | 05:14 |
| kb8un | sftp_admin@sFTP-vm001:~$ id sftp_admin | 05:14 |
| kb8un | uid=1000(sftp_admin) gid=1000(sftp_admin) groups=1000(sftp_admin),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),118(lxd) | 05:14 |
| kb8un | sftp_admin@sFTP-vm001:~$ id user1 | 05:14 |
| kb8un | uid=1001(user1) gid=1001(sftp) groups=1001(sftp) | 05:14 |
| kb8un | sftp_admin@sFTP-vm001:~$ ls -l /home | 05:14 |
| kb8un | total 8 | 05:14 |
| kb8un | drwx------ 3 eurus sftp 4096 Feb 1 22:02 user1 | 05:14 |
| kb8un | drwxr-x--- 4 sftp_admin sftp_admin 4096 Feb 1 23:55 sftp_admin | 05:14 |
| kb8un | ``` | 05:14 |
| kb8un | This is the "tail" of the file `/etc/ssh/sshd_config` file: | 05:14 |
| kb8un | ```config | 05:14 |
| kb8un | # override default of no subsystems | 05:15 |
| kb8un | Subsystem sftp/usr/lib/openssh/sftp-server | 05:15 |
| kb8un | # Example of overriding settings on a per-user basis | 05:15 |
| kb8un | #Match User anoncvs | 05:15 |
| kb8un | #X11Forwarding no | 05:15 |
| kb8un | #AllowTcpForwarding no | 05:15 |
| kb8un | #PermitTTY no | 05:15 |
| kb8un | #ForceCommand cvs server | 05:15 |
| kb8un | Match group sftp | 05:15 |
| kb8un | ChrootDirectory /home | 05:15 |
| kb8un | X11Forwarding no | 05:15 |
| kb8un | AllowTcpForwarding no | 05:15 |
| kb8un | ForceCommand internal-sftp | 05:15 |
| kb8un | ``` | 05:15 |
| kb8un | if there is a document url that I need to go through, please leave me a link. I appreciate your help in advance. | 05:15 |
| === kb8un is now known as k8yun | ||
| cpaelzer | good morning | 06:13 |
| k8yun | morning | 07:08 |
| === ravage_ is now known as Ravage | ||
| kanashiro | one step away from ruby-defaults migration | 14:42 |
| === genii-core is now known as genii | ||
| === SoniEx2 is now known as Soni | ||
| k8yun | My sftp setup is having some issues. What permission do I need to give 'client1' so that `client1' can only see their account when they login to the sftp? "ls /home -la" output can be seen here: http://pastie.org/p/789lnnbOCPN9KAeCpB4JP7 | 17:55 |
| sdeziel | k8yun: to completely hide stuff, you'd need to use OpenSSH's `ChrootDirectory` directive | 18:05 |
| k8yun | sdeziel: I have `ChrootDirectory "/home/$USER"` iin the `/etc/ssh/sshd_config` file but when trying to connect I get: | 18:18 |
| k8yun | Authentication log (see session log for details): | 18:18 |
| k8yun | Using username "client1". | 18:18 |
| k8yun | Authentication failed. | 18:18 |
| patdk-lap | you have to be double deep to do chroot in ssh to hide | 18:18 |
| patdk-lap | it's kindof annoying | 18:19 |
| sdeziel | k8yun: IIRC, the ChrootDirectory needs to be writable by root alone so you'd need to have something like `ChrootDirectory /srv/sftp-chroot/%u` and then inside `/srv/sftp-chroot/%u` you can create a subdirectory writable by `%u` | 18:19 |
| sdeziel | k8yun: I typically use this coupled with `ForceCommand internal-sftp -d uploads` which changes the connecting client to `/srv/sftp-chroot/%u/uploads` upon connection so they can directly do their thing without needing to `cd` anywhere | 18:22 |
| k8yun | I thiiink I am following... that command `ForceCommand internal-sftp -d uploads` -- is this going inside of the config file? | 18:24 |
| sdeziel | k8yun: that goes in /etc/ssh/sshd_config | 18:26 |
| sdeziel | k8yun: once properly setup, client1 will only see "/uploads" and what's under it, the rest of the filesystem will be inaccessible/invisible to him/her | 18:27 |
| sergiodj | cpaelzer: slurm-wlm/armhf required a test retrigger against freeipmi, and it passed. memcached/ppc64el required a build retrigger, and it passed too. | 18:27 |
| k8yun | sdeziel: thank you. I will start implementing it and provide feedback in 15 min. | 18:28 |
| sdeziel | k8yun: you are welcome | 18:29 |
| k8yun | sdeziel: I ran through configuration changes but still having some prob. Details: https://privatebin.net/?69cbbeb65ce84951#H2u5yb23mmmoWGJbQF4vMQvBWwvsvK1d8hWqcaNiCSUF | 19:58 |
| sdeziel | k8yun: maybe check the sshd logs? | 20:00 |
| k8yun | output of `tail -20 /var/log/auth.log` > https://privatebin.net/?731b1f09a3522c79#EiADGcfeUk3uoU4ZCbiGeB6NBQjcjzgqFfewpgK1uPNi | 20:07 |
| sdeziel | k8yun: the log says the permission is wrong, try `sudo chmod 0700 /home/client1` | 20:08 |
| sdeziel | k8yun: unrelated to the problem at hand but I'd advise against using password authentication if at all possible ;) | 20:09 |
| k8yun | what's the alternative? passphrase? | 20:10 |
| sarnold | keys | 20:10 |
| sdeziel | k8yun: this ^, to learn how to use public key authentication you can check https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Public_Key_Authentication#Basics_of_Public_Key_Authentication | 20:12 |
| k8yun | > logged to my todo list to tackle once the original issue is resolved | 20:13 |
| k8yun | I had permission of "770" before but I ran chmod once again on the folder, but still having issues with connecting from client. Maybe restart the vm? | 20:14 |
| sdeziel | k8yun: do you still see the `fatal: bad ownership or modes for chroot directory "/home/eurus"` error? | 20:15 |
| cpaelzer | thanks sergiodj, seems that were two easy unblocks | 20:16 |
| sdeziel | k8yun: also, the username "eurus" doesn't match "client1" but maybe you're trying to obfuscate the username? | 20:17 |
| k8yun | yes | 20:18 |
| k8yun | :( | 20:18 |
| sergiodj | cpaelzer: yep, all good now. | 20:18 |
| k8yun | poorly executed | 20:18 |
| sarnold | k8yun: throw this on your reading backlog :) https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/ | 20:19 |
| sdeziel | k8yun: I've retired my last SFTP server long ago, give me some time and I'll cobble one up to test it out | 20:23 |
| patdk-lap | damn, I'm in violation of that .de court issue reading that website | 20:23 |
| k8yun | (logged) | 20:24 |
| patdk-lap | but not with google, so I suppose all is fine | 20:24 |
| sdeziel | k8yun: worked for me in a test container named sftp, see https://termbin.com/a06m | 20:57 |
| coke | patdk-lap: just use a German cloud | 20:58 |
| k8yun | sdeziel: Does the indentation matter following "Match Group ubuntu"? | 21:15 |
| sdeziel | k8yun: I don't think so (just re-read the man page) but I've always used them | 21:17 |
| k8yun | the only other difference, other than the indentation (which I agree won't matter, but I am going to match yours soon just to be sure), is having the permissions. You're using 655. | 21:18 |
| k8yun | *755 I meant | 21:19 |
| k8yun | also, I have "client1:sftp" for the ownership, whereas yours has "ubuntu:ubuntu". I am going to match yours and see where the disparity is. | 21:20 |
| sdeziel | k8yun: sigh, the `sudo chmod 0700 /home/client1` was wrong it seems, make it `0755` and it should work | 21:22 |
| k8yun | let me give 'er | 21:23 |
| sdeziel | k8yun: it seems sshd is overly paranoid and as soon as the group has write access, it bails, even if the dir is owned by root:root | 21:24 |
| k8yun | sdeziel: made changes from 0700 to 0755 and now works like a charm. It's nice to know your finding on the last stmt. | 21:27 |
| k8yun | Thank you sir for guiding me through it! | 21:28 |
| sdeziel | k8yun: my pleasure. If you look carefully, you'll see I've setup the ubuntu user to use key authentication with /home/ubuntu/.ssh owned by root so that the user in question cannot add other keys | 21:28 |
| === CodeMouse92 is now known as Guest1476 | ||
| k8yun | makes sense and very nicely configured. | 21:34 |
| === Guest1476 is now known as CodeMouse92 | ||
| k8yun | sdeziel: Now, I'll pay my dues, and go through the links you've provided earlier. Have a good rest of your day! | 21:36 |
| sdeziel | k8yun: great, let us know if you have questions about SSH public key authentication | 21:37 |
| k8yun | yeah, I'm sure I will have questions -- :) | 21:39 |
| peto | hi, can someone help me? i set up web server with postfix, i can send emails, but no receive? i dont know why, i use imap ans stmp | 21:40 |
| patdk-lap | dunno, you have any info? | 21:40 |
| peto | dont know, im little bit newbie in this, in mail.log no error or warning | 21:45 |
| peto | but i use stmp port 587. and on my public ip is this port closed, is this problem? | 21:47 |
| coke | probably should go with 25 | 21:52 |
| coke | but running a Mailserver is painful | 21:52 |
| sarnold | 25 is for server-to-server, 587 is submission, for clients to use when sending | 21:54 |
| patdk-lap | running a mail server is the hardest service to do | 21:54 |
| sarnold | and yes, it is painful. best to pay someone else to do it for you, if you can | 21:54 |
| patdk-lap | besides all the stuff to run and keep running, and spam/virus, there is a big deal about reputation and blacklists, on if other people will even bother to accept your email | 21:55 |
| patdk-lap | not sure why you expect an error or warning if you have a problem | 21:55 |
| sarnold | funny, I always tell people to read the logs straightaway :) | 21:56 |
| sarnold | it works more often than not | 21:56 |
| sarnold | though, uh, running mailservers might be in the "go read about it for a few days first" territory | 21:56 |
| patdk-lap | yes, reading the logs is need | 21:57 |
| patdk-lap | but it normal non-error/warning could still mean a failure or problem | 21:57 |
| patdk-lap | and is the case with most email issues | 21:57 |
| sarnold | "too broken to even log" :) | 21:57 |
| patdk-lap | as it *spools* mail | 21:57 |
| patdk-lap | that is normally a case of domain name typo :) | 21:57 |
| patdk-lap | so the *error* could be a normal bounce email, and that could be delayed 7days by normal config | 21:58 |
| ahasenack | waveform: I imported iniparser into git-ubuntu fyi, I see you have an open merge from debian (https://code.launchpad.net/ubuntu/+source/iniparser) | 22:02 |
| ahasenack | and tried to use git-ubuntu probably | 22:02 |
| peto | yes, i can pay for it, but i wanted to have my web and mail server, on my server | 22:02 |
| peto | and imap stmp CNAME on my domain ist set to old paid webhosting, it is needed? | 22:16 |
| k8yun | If I have 'client1' and 'client2' accounts, and they can only see their own account, and yet I'd like 'sftp_admin' account to have access to their accounts, what's the best way to set up the permissions? | 22:32 |
| sdeziel | k8yun: you can have all 3 as members of the sftp group and make the home directories (and uploads dir) of client1/2 readable by the sftp group | 22:33 |
| k8yun | but I don't want client1 account to see client2 account. | 22:35 |
| k8yun | giving read permission to the group will expose client1 account to client2 | 22:36 |
| k8yun | I think I need to create a separate group, say, 'client1group`, and have 'client1' and 'sftp_admin' added to the group. Share the 'client1' folder shared with 'clientgroup'. | 22:47 |
| k8yun | and repeat for client2 | 22:47 |
| k8yun | hmmm.... `Match group sftp` in the sshd_config is what's concerning me... need to do a bit more research... | 23:00 |
| === Rhys is now known as Guest7527 | ||
| sdeziel | k8yun: the %u in the ChrootDirectory expands to the username meaning they will see a different root so client1 won't see /home/client2 | 23:19 |
| k8yun | sdeziel, good point | 23:22 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!