sshd not allowing a subgroup to authenticate according to its authentication method
dave.mehler at gmail.com
Thu Mar 26 18:31:17 UTC 2020
Apparently it is with my AuthenticationMethods option; for some reason
having that defined will not let any MatchGroup definitions take
effect. Any ideas?
On 3/25/20, John Johnstone <jjohnstone-freebsdquestions at tridentusa.com> wrote:
> On 3/25/20 1:01 AM, David Mehler wrote:
>> Thanks, actually it's not anyone in the sshusers group, that's working
>> fine, and I am not in sftpusers. Other users are in that group and
>> they're being prompted for public keys and rejected because they're
>> trying to use passwords.
>> On 3/25/20, Jim Trigg <jtrigg at huiekin.org> wrote:
>>> At a guess, you're also a member of sshusers. Try putting the sftpusers
>>> stanza before the sshusers stanza.
>>> Jim Trigg
> I have a configuration for user accounts that are restricted to sftp
> only that is working. Here is a diff of my sshd_config to the original
> 12.0 one.
>> diff /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
>> < Match Group chrootgrp
>> < ChrootDirectory %h
>> < ForceCommand internal-sftp -d data -l INFO
>> < AllowAgentForwarding no
>> < AllowTcpForwarding no
>> < PermitTTY no
>> < PermitTunnel no
>> < X11Forwarding no
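Review bot: the ChrootDirectory %h line in the Match Group chrootgrp block only works when every component of the chroot path is owned by root and is not group- or world-writable, otherwise sshd refuses the login with a "bad ownership or modes for chroot directory" error; the chown root:wheel /home/$username step in the script below covers ownership, but nothing visible sets the mode, which mkdir -p takes from the umask, so the script should also verify that /home and /home/$username are mode 755 or tighter. It would also help readers to say which sshd options the script leaves at the defaults (for example PasswordAuthentication), since the comment "mine doesn't have PasswordAuthentication yes" is the only pointer to that difference.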
> The only difference I see to what you have, is that mine doesn't have
> PasswordAuthentication yes
> A script is used to create new users that does:
> pw useradd $username $uidflag -c "$ugecos" -G $groupname -s
> /usr/sbin/nologin -e +$acctexp -w random
> where groupname is chrootgrp.
> Then it creates the home directory:
> mkdir -p /home/$username/data
> chown root:wheel /home/$username
> chown $username:$username /home/$username/data
> For syslog logging:
> mkdir -p /home/$username/dev
> chown root:wheel /home/$username/dev
> With syslogd_flags in /etc/rc.conf getting:
> -l /home/$username/dev/log
> added to it. Which only works for a small number of users because of
> the 19 additional syslogd sockets limit.
> John J.
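As an added example, not a configuration posted by anyone in this thread: an sshd_config layout that keeps a global public-key requirement for ordinary shell users while letting an sftp-only group authenticate with a password. The group names sshusers and sftpusers are taken from the thread; the rest of the Match block mirrors the chroot settings John posted. The point it illustrates is that AuthenticationMethods is one of the keywords sshd accepts inside a Match block, so a global AuthenticationMethods line can be overridden per group, whereas a global-only AuthenticationMethods publickey applies to every user no matter what a later Match block says about PasswordAuthentication.

```sshd_config
# Global section: applies to every user unless a matching Match block
# overrides a keyword below.
PasswordAuthentication no
PubkeyAuthentication yes

# Pitfall: this line alone makes sshd demand a public key from everyone.
# A later "PasswordAuthentication yes" inside a Match block does not undo
# it, because the required *method* is still publickey. The override has
# to restate AuthenticationMethods inside the Match block.
AuthenticationMethods publickey

# sftp-only group (name taken from the thread). Because sshd uses the
# first value it obtains for each keyword, a user who is in both groups
# gets the settings of whichever Match block appears first; put the more
# restrictive block first if that matters.
Match Group sftpusers
    # Accept a password as the sole method for this group.
    AuthenticationMethods password
    PasswordAuthentication yes
    # Chroot settings as in the posted diff; %h must be root-owned and
    # not group/world-writable or sshd rejects the login.
    ChrootDirectory %h
    ForceCommand internal-sftp -d data -l INFO
    AllowAgentForwarding no
    AllowTcpForwarding no
    PermitTTY no
    PermitTunnel no
    X11Forwarding no

# Ordinary shell users keep the global public-key requirement; the block
# is shown only to make the per-group split explicit.
Match Group sshusers
    AuthenticationMethods publickey
    PasswordAuthentication no
```

After editing, run sshd -t to syntax-check the file, then sshd -T -C user=alice,host=example.test,addr=192.0.2.10 (user, host and address are placeholders for a member of sftpusers) to print the effective configuration sshd would apply to that connection. The AuthenticationMethods and PasswordAuthentication lines in that output show directly whether the Match block took effect, which is quicker than reading the auth log after a failed login.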