BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Using sftp without a shell account

Subject: [Discuss] Using sftp without a shell account
From: bill at horne.net (Bill Horne)
Date: Sun, 28 Dec 2014 21:50:26 -0500
In-reply-to: <BN3PR0401MB1204FFE689D430DB38BE3E58DC510@BN3PR0401MB1204.namprd04.prod.outlook.com>
References: <54A0B535.10507@horne.net> <BN3PR0401MB1204FFE689D430DB38BE3E58DC510@BN3PR0401MB1204.namprd04.prod.outlook.com>

On 12/28/2014 9:05 PM, Edward Ned Harvey (blu) wrote:
>> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
>> bounces+blu=nedharvey.com at blu.org] On Behalf Of Bill Horne
>>
>> I'm setting up an LDAP-based server, which will be used for file
>> transfers among other things. I'd like to allow LDAP users to access the
>> machine via sftp, but I can't figure out how to do that without giving
>> each user a local shell account, and I'm looking for advice.
>>
>> The LDAP users can access ftp without trouble, but not sftp.
>>
>> It's a Mac Mini, running OS X "Yosemite", with Server v4.1.
> There are lots of things written about sftp without shell.  I presume you've googled it already...

Yes, and without success. There's lots of info on how to do sftp without 
a shell, but WITH a user who has a shell ACCOUNT. I want to allow users 
from LDAP, i.e., users whom are only in LDAP, not the local machine's 
passwd file. Currently, LDAP users can use the ftp daemon (and 
read/write files), but not sftp.

> So what's going wrong in your case?

Here's the (redacted) session printout from a login attempt: the only 
thing I could find about "Roaming not allowed" was  a mention of some 
experimental option Apple never released, so I don't know if that's a 
real problem or not.

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to billhorne.invalid.net [10.117.250.109] port 22.
debug1: Connection established.
debug1: identity file /Users/billhorne/.ssh/id_rsa type -1
debug1: identity file /Users/billhorne/.ssh/id_rsa-cert type -1
debug1: identity file /Users/billhorne/.ssh/id_dsa type -1
debug1: identity file /Users/billhorne/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "billhorne.invalid.net" 
from file "/Users/billhorne/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file 
/Users/billhorne/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: 
ssh-rsa-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: 
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: 
ssh-rsa-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-rsa,ssh-dss-cert-v01 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-dss
debug2: kex_parse_kexinit: 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: 
hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: 
hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: 
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: 
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: 
hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: 
hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5-etm at openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-etm at openssh.com none
debug2: mac_setup: found hmac-md5-etm at openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-etm at openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 127/256
debug2: bits set: 514/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 04:67:ab:35:f7:42:ca:7a:82:3a:bf:54:d2:4a:7a:00
debug3: load_hostkeys: loading entries for host "billhorne.invalid.net" 
from file "/Users/billhorne/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file 
/Users/billhorne/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "10.117.250.109" from 
file "/Users/billhorne/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file 
/Users/billhorne/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'billhorne.invalid.net' is known and matches the RSA host key.
debug1: Found key in /Users/billhorne/.ssh/known_hosts:7
debug2: bits set: 503/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/billhorne/.ssh/id_rsa (0x0),
debug2: key: /Users/billhorne/.ssh/id_dsa (0x0),
Connection closed by 10.117.250.109
Connection closed

-- 
E. William Horne
339-364-8487

References:
- [Discuss] Using sftp without a shell account
  - From: bill at horne.net (Bill Horne)
- [Discuss] Using sftp without a shell account
  - From: blu at nedharvey.com (Edward Ned Harvey (blu))

Prev by Date: [Discuss] Do you have experience with "Drobo" Raid boxes?
Next by Date: [Discuss] Do you have experience with "Drobo" Raid boxes?
Previous by thread: [Discuss] Using sftp without a shell account
Next by thread: [Discuss] Using sftp without a shell account
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.