Re: sftp server empty password login

2024-03-27 Thread Thomas L.
On Tue, 26 Mar 2024 10:28:11 +0100
Sylvain Saboua  wrote:
> Match User media
>  ForceCommand internal-sftp -d /home/media
>  ChrootDirectory /home/media
>  PasswordAuthentication yes
>  AuthenticationMethods none
>  PermitEmptyPasswords yes

you probably also want DisableForwarding there. otherwise everyone can use
your machine as a proxy. this happened to me with a similar setup to allow
anonymous git cloning. some spammer figured it out and used my server as a
relay. don't be me ... ;)
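An added check for the advice above (not code from the thread or from the OpenSSH project): it walks the Match blocks of an sshd_config with awk, flags every block that sets PermitEmptyPasswords yes without the DisableForwarding line Thomas L. recommends or without a ChrootDirectory, and exercises itself on a constructed copy of the Match block from the original post.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for Match
# blocks that set PermitEmptyPasswords yes and report when the
# DisableForwarding line Thomas L. recommends, or a ChrootDirectory, is
# missing. POSIX sh + awk only; directives outside Match blocks are not
# examined. The sample configs written below are constructed.

# Usage: audit_anon_match /path/to/sshd_config
# Prints "Match <criteria>: missing <directives>" per offending block;
# returns 1 if any block was flagged, 0 otherwise.
audit_anon_match() {
    awk '
    BEGIN { bad = 0 }
    function flush() {
        if (inmatch && empty == "yes") {
            miss = ""
            if (fwd != "yes") miss = miss " DisableForwarding"
            if (chroot == "") miss = miss " ChrootDirectory"
            if (miss != "") { print "Match " who ": missing" miss; bad++ }
        }
        inmatch = 0; empty = ""; fwd = ""; chroot = ""; who = ""
    }
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }        # comments, blanks
    tolower($1) == "match" { flush(); inmatch = 1; $1 = ""; who = substr($0, 2); next }
    !inmatch { next }                                     # global section
    tolower($1) == "permitemptypasswords" { empty = tolower($2) }
    tolower($1) == "disableforwarding"    { fwd = tolower($2) }
    tolower($1) == "chrootdirectory"      { chroot = $2 }
    END { flush(); exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the Match block as posted at the top of the thread.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Subsystem   sftp internal-sftp # -d /home/media
Match User media
ForceCommand internal-sftp -d /home/media
ChrootDirectory /home/media
PasswordAuthentication yes
AuthenticationMethods none
PermitEmptyPasswords yes
EOF
# Constructed sample: the same block with the suggested line appended.
FIXED_CFG=$(mktemp)
{ cat "$WEAK_CFG"; echo "DisableForwarding yes"; } > "$FIXED_CFG"
trap 'rm -f "$WEAK_CFG" "$FIXED_CFG"' EXIT
# prints "Match User media: missing DisableForwarding", then the echo
audit_anon_match "$WEAK_CFG" || echo "weak config flagged"
audit_anon_match "$FIXED_CFG" && echo "fixed config passes"
```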



Re: sftp server empty password login

2024-03-26 Thread Darren Tucker
On Tue, 26 Mar 2024 at 23:49, Sylvain Saboua  wrote:
[...]
> /bin/true is not in the /etc/shells file on my system.
> Did you suggest I should add it?

I did suggest that as a possible resolution to your problem.  Since
your problem is now resolved, I wouldn't change it.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: sftp server empty password login

2024-03-26 Thread Sylvain Saboua

Problem solved, thank you!
Just removing the password asterisk using vipw was enough:

$ grep media /etc/passwd
media::2000:2000::/home/media:/sbin/nologin

and I am now able to log in, from the local network
(still need to open my ISP's box port and confirm that it
works remotely)

On 2024-03-26 13:26, Darren Tucker wrote:

> You could run sshd in debug mode to be sure ("/usr/sbin/sshd -ddd -p
> ", then connect with "sftp -oport="), but...
>
> On Tue, 26 Mar 2024 at 22:10, Sylvain Saboua wrote:
>
> [...]
>
> > # useradd -g media -s /sbin/nologin -u 2000 -v media
>
> Unless /sbin/nologin is in /etc/shells (which it probably shouldn't
> be), that will probably prevent the login.  I'd suggest /bin/true for
> both the user and in /etc/shells.

/bin/true is not in the /etc/shells file on my system.
Did you suggest I should add it?

> > `# passwd media') does not work either. What am I doing wrong?
>
> What do you mean by "does not work"?  When I've done something similar
> in the past I've edited the passwd file with vipw and removed the
> hashed password value leaving nothing in the password field, ie
>
> someuser::1001:1001: [etc ...]

I meant that I could still not log in to sftp://media@lap after setting
a password using the passwd command.

--
Sylvain Saboua
www.saboua.xyz



Re: sftp server empty password login

2024-03-26 Thread Manuel Giraud
Sylvain Saboua  writes:

[...]

> $ more /etc/ssh/sshd_config # relevant extracts and changes :
> ...
> PermitRootLogin no
> ...
> # override default of no subsystems
> #Subsystem  sftp/usr/libexec/sftp-server -d /home/media
> Subsystem   sftp internal-sftp # -d /home/media
>
> Match User media
> ForceCommand internal-sftp -d /home/media
> ChrootDirectory /home/media
> PasswordAuthentication yes
> AuthenticationMethods none
> PermitEmptyPasswords yes

Hi,

I have a setup that looks like this (except I'm using pubkey
authentication).  The only other difference I see is that I have not
specified the "-d" option for the internal-sftp command.

It is not clear to me (from the manpages) if it should be the same as
ChrootDirectory or a path *under* ChrootDirectory.  Maybe you could try
to remove this "-d" option.
-- 
Manuel Giraud



Re: sftp server empty password login

2024-03-26 Thread Darren Tucker
You could run sshd in debug mode to be sure ("/usr/sbin/sshd -ddd -p
", then connect with "sftp -oport="), but...

On Tue, 26 Mar 2024 at 22:10, Sylvain Saboua  wrote:
[...]
> # useradd -g media -s /sbin/nologin -u 2000 -v media

Unless /sbin/nologin is in /etc/shells (which it probably shouldn't
be), that will probably prevent the login.  I'd suggest /bin/true for
both the user and in /etc/shells.

> `# passwd media') does not work either. What am I doing wrong?

What do you mean by "does not work"?  When I've done something similar
in the past I've edited the passwd file with vipw and removed the
hashed password value leaving nothing in the password field, ie

someuser::1001:1001: [etc ...]

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
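An added audit for the two points Darren raises (not code from the thread): it lists every account in a passwd(5)-format file whose password field is empty, as the vipw edit leaves it, together with its login shell and whether that shell appears in the shells file. The passwd and shells files it runs on are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: list the accounts whose passwd(5)
# password field is empty (the vipw edit Darren describes) with their
# login shell and whether that shell is in /etc/shells, which Darren
# raises as a possible blocker. POSIX sh + awk only; the passwd and
# shells files below are constructed samples, not the real ones.

# Usage: empty_password_accounts PASSWD_FILE SHELLS_FILE
# Prints "user:uid:shell:listed|unlisted" per empty-password account.
empty_password_accounts() {
    awk -F: -v shells="$2" '
    BEGIN {                       # load the shells file, ignoring comments
        while ((getline line < shells) > 0) {
            sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line != "") ok[line] = 1
        }
        close(shells)
    }
    # passwd: name:password:uid:gid:gecos:home:shell; master.passwd has
    # extra fields after gid, but password is $2 and shell is $NF in both
    NF >= 7 && $2 == "" {
        print $1 ":" $3 ":" $NF ":" (($NF in ok) ? "listed" : "unlisted")
    }
    ' "$1"
}

PASSWD_SAMPLE=$(mktemp); SHELLS_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
media::2000:2000::/home/media:/sbin/nologin
anongit::2001:2001::/home/anongit:/bin/true
sylvain:$2b$10$constructedhashvalue:1000:1000::/home/sylvain:/bin/ksh
EOF
cat > "$SHELLS_SAMPLE" <<'EOF'
# constructed shells file
/bin/ksh
/bin/true
EOF
trap 'rm -f "$PASSWD_SAMPLE" "$SHELLS_SAMPLE"' EXIT

# prints media:2000:/sbin/nologin:unlisted and anongit:2001:/bin/true:listed
empty_password_accounts "$PASSWD_SAMPLE" "$SHELLS_SAMPLE"
```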



sftp server empty password login

2024-03-26 Thread Sylvain Saboua

I have been using the secure shell for remote maintenance
on my local machine for some time. I wish to go one step
further and implement a secure file transfer server, where
user(s) could download files from a read-only /home/media
directory as well as upload their own files to /home/media/pub.

Ideally this would be done via passwordless/empty password login.
I have done some research (manpages) and configuration but still
fail to connect from another machine on the same local network.

obsd configuration:

# useradd -g media -s /sbin/nologin -u 2000 -v media
# usermod -G media sylvain

$ more /etc/ssh/sshd_config # relevant extracts and changes :
...
PermitRootLogin no
...
# override default of no subsystems
#Subsystem  sftp/usr/libexec/sftp-server -d /home/media
Subsystem   sftp internal-sftp # -d /home/media

Match User media
ForceCommand internal-sftp -d /home/media
ChrootDirectory /home/media
PasswordAuthentication yes
AuthenticationMethods none
PermitEmptyPasswords yes

$ ll -d /home/media /home/media/pub
drwxr-xr-x  16 root   wheel  512 Mar 25 17:42 /home/media/
drwxr-xr-x   3 media  media  512 Mar 25 17:42 /home/media/pub/

failed connection attempt from a second local machine
(just pressing Enter at the password prompt):

Last login: Tue Mar 26 09:46:37 on ttys001
sylvain@sylvainmac ~ % sftp media@10.0.0.11
media@10.0.0.11's password:
Permission denied, please try again.
media@10.0.0.11's password:
Permission denied, please try again.
media@10.0.0.11's password:
media@10.0.0.11: Permission denied ().
Connection closed
sylvain@sylvainmac ~ %

Attempting to log in using a password (after setting one with
`# passwd media') does not work either. What am I doing wrong?
Thank you
--
Sylvain Saboua
www.saboua.xyz