[05:14] <kb8un> Hi, I am new to IRC. I asked the question below to #openssh but I think the question relates more to how gid/uid and permissions work in a Linux system so I will repeat the question below, if I may.
[05:14] <kb8un> I have just set up sftp on ubuntu server 20.04 and followed the instruction below:
[05:14] <kb8un> https://linuxhint.com/setup-sftp-server-ubuntu/
[05:14] <kb8un> I've added user account 'user1' under group 'sftp' but when I log into the sFTP using 'user1' account, I can also see the user account folder of the admin - 'sftp_admin'.  I'm trying to set it up so any new user that I add can only see their account.
[05:14] <kb8un> ```bash
[05:14] <kb8un> sftp_admin@sFTP-vm001:~$ id sftp_admin
[05:14] <kb8un> uid=1000(sftp_admin) gid=1000(sftp_admin) groups=1000(sftp_admin),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),118(lxd)
[05:14] <kb8un> sftp_admin@sFTP-vm001:~$ id user1
[05:14] <kb8un> uid=1001(user1) gid=1001(sftp) groups=1001(sftp)
[05:14] <kb8un> sftp_admin@sFTP-vm001:~$ ls -l /home
[05:14] <kb8un> total 8
[05:14] <kb8un> drwx------ 3 eurus      sftp       4096 Feb  1 22:02 user1
[05:14] <kb8un> drwxr-x--- 4 sftp_admin sftp_admin 4096 Feb  1 23:55 sftp_admin
[05:14] <kb8un> ```
[05:14] <kb8un> This is the "tail" of the file `/etc/ssh/sshd_config` file:
[05:14] <kb8un> ```config
[05:15] <kb8un> # override default of no subsystems
[05:15] <kb8un> Subsystem sftp /usr/lib/openssh/sftp-server
[05:15] <kb8un> # Example of overriding settings on a per-user basis
[05:15] <kb8un> #Match User anoncvs
[05:15] <kb8un> #X11Forwarding no
[05:15] <kb8un> #AllowTcpForwarding no
[05:15] <kb8un> #PermitTTY no
[05:15] <kb8un> #ForceCommand cvs server
[05:15] <kb8un> Match group sftp
[05:15] <kb8un> ChrootDirectory /home
[05:15] <kb8un> X11Forwarding no
[05:15] <kb8un> AllowTcpForwarding no
[05:15] <kb8un> ForceCommand internal-sftp
[05:15] <kb8un> ```
[05:15] <kb8un> if there is a document url that I need to go through, please leave me a link.  I appreciate your help in advance.
[06:13] <cpaelzer> good morning
[07:08] <k8yun> morning
[14:42] <kanashiro> one step away from ruby-defaults migration
[17:55] <k8yun> My sftp setup is having some issues.  What permission do I need to give 'client1' so that 'client1' can only see their account when they login to the sftp?  "ls /home -la" output can be seen here: http://pastie.org/p/789lnnbOCPN9KAeCpB4JP7
[18:05] <sdeziel> k8yun: to completely hide stuff, you'd need to use OpenSSH's `ChrootDirectory` directive
[18:18] <k8yun> sdeziel: I have `ChrootDirectory "/home/$USER"` in the `/etc/ssh/sshd_config` file but when trying to connect I get:
[18:18] <k8yun> Authentication log (see session log for details):
[18:18] <k8yun> Using username "client1".
[18:18] <k8yun> Authentication failed.
[18:18] <patdk-lap> you have to be double deep to do chroot in ssh to hide
[18:19] <patdk-lap> it's kindof annoying
[18:19] <sdeziel> k8yun: IIRC, the ChrootDirectory needs to be writable by root alone so you'd need to have something like `ChrootDirectory /srv/sftp-chroot/%u` and then inside `/srv/sftp-chroot/%u` you can create a subdirectory writable by `%u`
[18:22] <sdeziel> k8yun: I typically use this coupled with `ForceCommand internal-sftp -d uploads` which changes the connecting client to `/srv/sftp-chroot/%u/uploads` upon connection so they can directly do their thing without needing to `cd` anywhere
[18:24] <k8yun> I thiiink I am following... that command `ForceCommand internal-sftp -d uploads` -- is this going inside of the config file?
[18:26] <sdeziel> k8yun: that goes in /etc/ssh/sshd_config
[18:27] <sdeziel> k8yun: once properly setup, client1 will only see "/uploads" and what's under it, the rest of the filesystem will be inaccessible/invisible to him/her
[18:27] <sergiodj> cpaelzer: slurm-wlm/armhf required a test retrigger against freeipmi, and it passed.  memcached/ppc64el required a build retrigger, and it passed too.
[18:28] <k8yun> sdeziel: thank you.  I will start implementing it and provide feedback in 15 min.
[18:29] <sdeziel> k8yun: you are welcome
[19:58] <k8yun> sdeziel: I ran through configuration changes but still having some prob.  Details: https://privatebin.net/?69cbbeb65ce84951#H2u5yb23mmmoWGJbQF4vMQvBWwvsvK1d8hWqcaNiCSUF
[20:00] <sdeziel> k8yun: maybe check the sshd logs?
[20:07] <k8yun> output of `tail -20 /var/log/auth.log` > https://privatebin.net/?731b1f09a3522c79#EiADGcfeUk3uoU4ZCbiGeB6NBQjcjzgqFfewpgK1uPNi
[20:08] <sdeziel> k8yun: the log says the permission is wrong, try `sudo chmod 0700 /home/client1`
[20:09] <sdeziel> k8yun: unrelated to the problem at hand but I'd advise against using password authentication if at all possible ;)
[20:10] <k8yun> what's the alternative? passphrase?
[20:10] <sarnold> keys
[20:12] <sdeziel> k8yun: this ^, to learn how to use public key authentication you can check https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Public_Key_Authentication#Basics_of_Public_Key_Authentication
[20:13] <k8yun> > logged to my todo list to tackle once the original issue is resolved
[20:14] <k8yun> I had permission of "770" before but I ran chmod once again on the folder, but still having issues with connecting from client.  Maybe restart the vm?
[20:15] <sdeziel> k8yun: do you still see the `fatal: bad ownership or modes for chroot directory "/home/eurus"` error?
[20:16] <cpaelzer> thanks sergiodj, seems those were two easy unblocks
[20:17] <sdeziel> k8yun: also, the username "eurus" doesn't match "client1" but maybe you're trying to obfuscate the username?
[20:18] <k8yun> yes
[20:18] <k8yun> :(
[20:18] <sergiodj> cpaelzer: yep, all good now.
[20:18] <k8yun> poorly executed
[20:19] <sarnold> k8yun: throw this on your reading backlog :) https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
[20:23] <sdeziel> k8yun: I've retired my last SFTP server long ago, give me some time and I'll cobble one up to test it out
[20:23] <patdk-lap> damn, I'm in violation of that .de court issue reading that website
[20:24] <k8yun> (logged)
[20:24] <patdk-lap> but not with google, so I suppose all is fine
[20:57] <sdeziel> k8yun: worked for me in a test container named sftp, see https://termbin.com/a06m
[20:58] <coke> patdk-lap: just use a German cloud 
[21:15] <k8yun> sdeziel: Does the indentation matter following "Match Group ubuntu"?
[21:17] <sdeziel> k8yun: I don't think so (just re-read the man page) but I've always used them
[21:18] <k8yun> the only other difference, other than the indentation (which I agree won't matter, but I am going to match yours soon just to be sure), is having the permissions.  You're using 655.
[21:19] <k8yun> *755 I meant
[21:20] <k8yun> also, I have "client1:sftp" for the ownership, whereas yours has "ubuntu:ubuntu".  I am going to match yours and see where the disparity is.
[21:22] <sdeziel> k8yun: sigh, the `sudo chmod 0700 /home/client1` was wrong it seems, make it `0755` and it should work
[21:23] <k8yun> let me give 'er
[21:24] <sdeziel> k8yun: it seems sshd is overly paranoid and as soon as the group has write access, it bails, even if the dir is owned by root:root
[21:27] <k8yun> sdeziel: made changes from 0700 to 0755 and now works like a charm.  It's nice to know your finding on the last stmt.  
[21:28] <k8yun> Thank you sir for guiding me through it!
[21:28] <sdeziel> k8yun: my pleasure. If you look carefully, you'll see I've setup the ubuntu user to use key authentication with /home/ubuntu/.ssh owned by root so that the user in question cannot add other keys
[21:34] <k8yun> makes sense and very nicely configured.
[21:36] <k8yun> sdeziel: Now, I'll pay my dues, and go through the links you've provided earlier.  Have a good rest of your day!
[21:37] <sdeziel> k8yun: great, let us know if you have questions about SSH public key authentication
[21:39] <k8yun> yeah, I'm sure I will have questions -- :)
[21:40] <peto> hi, can someone help me? i set up a web server with postfix, i can send emails, but not receive? i don't know why, i use imap and smtp
[21:40] <patdk-lap> dunno, you have any info?
[21:45] <peto> don't know, i'm a little bit of a newbie in this, in mail.log no error or warning
[21:47] <peto> but i use smtp port 587. and on my public ip this port is closed, is this a problem?
[21:52] <coke> probably should go with 25 
[21:52] <coke> but running a Mailserver is painful 
[21:54] <sarnold> 25 is for server-to-server, 587 is submission, for clients to use when sending
[21:54] <patdk-lap> running a mail server is the hardest service to do
[21:54] <sarnold> and yes, it is painful. best to pay someone else to do it for you, if you can
[21:55] <patdk-lap> besides all the stuff to run and keep running, and spam/virus, there is a big deal about reputation and blacklists, on if other people will even bother to accept your email
[21:55] <patdk-lap> not sure why you expect an error or warning if you have a problem
[21:56] <sarnold> funny, I always tell people to read the logs straightaway :)
[21:56] <sarnold> it works more often than not
[21:56] <sarnold> though, uh, running mailservers might be in the "go read about it for a few days first" territory
[21:57] <patdk-lap> yes, reading the logs is needed
[21:57] <patdk-lap> but a normal non-error/warning could still mean a failure or problem
[21:57] <patdk-lap> and is the case with most email issues
[21:57] <sarnold> "too broken to even log" :)
[21:57] <patdk-lap> as it *spools* mail
[21:57] <patdk-lap> that is normally a case of domain name typo :)
[21:58] <patdk-lap> so the *error* could be a normal bounce email, and that could be delayed 7 days by normal config
[22:02] <ahasenack> waveform: I imported iniparser into git-ubuntu fyi, I see you have an open merge from debian (https://code.launchpad.net/ubuntu/+source/iniparser)
[22:02] <ahasenack> and tried to use git-ubuntu probably
[22:02] <peto> yes, i can pay for it, but i wanted to have my web and mail server on my server
[22:16] <peto> and the imap and smtp CNAME on my domain is set to the old paid webhosting, is it needed?
[22:32] <k8yun> If I have 'client1' and 'client2' accounts, and they can only see their own account, and yet I'd like 'sftp_admin' account to have access to their accounts, what's the best way to set up the permissions?
[22:33] <sdeziel> k8yun: you can have all 3 as members of the sftp group and make the home directories (and uploads dir) of client1/2 readable by the sftp group
[22:35] <k8yun> but I don't want client1 account to see client2 account.  
[22:36] <k8yun> giving read permission to the group will expose client1 account to client2
[22:47] <k8yun> I think I need to create a separate group, say, 'client1group', and have 'client1' and 'sftp_admin' added to the group.  Share the 'client1' folder with 'clientgroup'.
[22:47] <k8yun> and repeat for client2
[23:00] <k8yun> hmmm.... `Match group sftp` in the sshd_config is what's concerning me... need to do a bit more research...
[23:19] <sdeziel> k8yun: the %u in the ChrootDirectory expands to the username meaning they will see a different root so client1 won't see /home/client2
[23:22] <k8yun> sdeziel, good point