1 (edited by vincent d 2013-04-15 13:25:46)

Topic: Impossible de se connecter à un serveur ssh utilisant MySecureShell

Bonjour,

J'ai un serveur SSH avec MySecureShell et Fail2ban sur ArchLinux (le système est à jour).

Quand j'essaie de me connecter à un utilisateur dont le shell est MySecureShell, j'obtiens « permission denied » (dans un terminal) ou « Erreur : Échec de l'authentification. Erreur : Erreur critique. Erreur : Impossible d'établir une connexion au serveur. » (dans filezilla). Dès que je remplace /bin/MySecureShell par /bin/bash dans /etc/passwd je peux me connecter. Rien ne change quand je désactive fail2ban ; le problème semble donc bien venir de MySecureShell.

Voici mon /etc/ssh/sshd_config:

#    $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile    .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox        # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem    sftp    /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    ForceCommand cvs server

et mon /etc/ssh/sftp_config:

## MySecureShell Configuration File ##
#Default rules for everybody
<Default>
    GlobalDownload        0    #total speed download for all clients
                    # o -> bytes   k -> kilo bytes   m -> mega bytes
    GlobalUpload        0    #total speed download for all clients (0 for unlimited)
    Download         0    #limit speed download for each connection
    Upload             0    #unlimit speed upload for each connection
    StayAtHome        true    #limit client to his home
    VirtualChroot        true    #fake a chroot to the home account
    LimitConnection        10    #max connection for the server sftp
    LimitConnectionByUser    10    #max connection for the account
    LimitConnectionByIP    10    #max connection by ip for the account
    Home            /home/$USER    #overrite home of the user but if you want you can use
                        #    environment variable (ie: Home /home/$USER)
    IdleTimeOut        5m    #(in second) deconnect client is idle too long time
    ResolveIP        true    #resolve ip to dns
#    IgnoreHidden        true    #treat all hidden files as if they don't exist
#    DirFakeUser        true    #Hide real file/directory owner (just change displayed permissions)
#    DirFakeGroup        true    #Hide real file/directory group (just change displayed permissions)
#    DirFakeMode        0400    #Hide real file/directory rights (just change displayed permissions)
                    #Add execution right for directory if read right is set
    HideNoAccess        true    #Hide file/directory which user has no access
#    MaxOpenFilesForUser    20    #limit user to open x files on same time
#    MaxWriteFilesForUser    10    #limit user to x upload on same time
#    MaxReadFilesForUser    10    #limit user to x download on same time
    DefaultRights        0666 0777    #Set default rights for new file and new directory
#    MinimumRights        0400 0700    #Set minimum rights for files and dirs

    ShowLinksAsLinks    false    #show links as their destinations
#    ConnectionMaxLife    1d    #limits connection lifetime to 1 day

#    Charset            "ISO-8859-15"    #set charset of computer
</Default>

#Rules only for group ftp
#<Group ftp>
#    Download    25 k/s
#    LogFile        /var/log/sftp-server_ftp.log    #Change logfile
#    ExpireDate    "2007-02-28 18:31:01"
#</Group>

#<Group sftp_administrator>
#    IsAdmin        true        #can admin the server
#    VirtualChroot    false        #you must disable chroot to have a full support of admin
#    StayAtHome    true
#    IdleTimeOut    0
#</Group>

#<Group old_client>
#    SftpProtocol        3    #force protocol SFTP
#    DisableAccount        true    #disable account
#</Group>

#Rules only for group ftpnolimit
#<Group ftpnolimit>
#    Download        0    #0 = unlimited
#    IdleTimeOut        0    #no timeout
#    DirFakeUser        false    #show real user on file/directory
#    DirFakeGroup        false    #show real group on file/directory
#    DirFakeMode        0    #show real rights on file/directory
#    MaxReadFilesForUser    0    #0 = unlimited but still have the restriction MaxOpenFilesForUser
#</Group>

#<IpRange 192.168.0.1-192.168.0.5>
#    ByPassGlobalDownload    true    #bypass GlobalDownload restriction
#    ByPassGlobalUpload    true    #bypass GlobalUpload restriction
#    Download        0
#    DisableAccount        false    #enable account
#    IdleTimeOut        0    #disable timeout
#    LimitConnectionByIP    0    #no limit
#</IpRange>

#<Group trusted_users>
#    Shell        /bin/tcsh    #give a shell access to TRUSTED clients !!!
#</Group>

#<VirtualHost *:22> 
#    DirFakeUser    false    #show real user on file/directory
#    DirFakeGroup    false    #show real group on file/directory
#    DirFakeMode    0    #show real rights on file/directory
#    HideNoAccess    false
#    IgnoreHidden    false
#</VirtualHost>

#Include /etc/my_sftp_config_file    #include this valid configuration file

N'hésitez pas à me demander pour toute information complémentaire.

Re: Impossible de se connecter à un serveur ssh utilisant MySecureShell

Bonjour,

Que dit la commande "sftp-verif" (depuis "root") ?
Et la commande "MySecureShell --configtest" (depuis l'utilisateur qui pose problème) ?

Re: Impossible de se connecter à un serveur ssh utilisant MySecureShell

Voici le résultat de sftp-verif :

################################################################################
            MySecureShell Verification Tool
################################################################################

### Verifing file existance ###

/usr/bin/MySecureShell                                                   [ OK ]
/usr/bin/sftp-who                                                        [ OK ]
/usr/bin/sftp-kill                                                       [ OK ]
/usr/bin/sftp-state                                                      [ OK ]
/usr/bin/sftp-admin                                                      [ OK ]
/usr/bin/sftp-verif                                                      [ OK ]
/usr/bin/sftp-user                                                       [ OK ]


### Verifing rights ###

Verifing file rights of /etc/ssh/sftp_config                             [ OK ]
Verifing file rights of /usr/bin/sftp-who                                [ OK ]
Verifing file rights of /usr/bin/sftp-verif                              [ OK ]
Verifing file rights of /usr/bin/sftp-user                               [ OK ]
Verifing file rights of /usr/bin/sftp-kill                               [ OK ]
Verifing file rights of /usr/bin/sftp-state                              [ OK ]
Verifing file rights of /usr/bin/sftp-admin                              [ OK ]
Verifing file rights of /usr/bin/MySecureShell                           [ OK ]


### Verifing rotation logs ###

Rotation logs have been found                                            [ OK ]


### Verifing server status ###

Verifing server status (ONLINE)                                          [ OK ]


### Verifing server dependencies ###

Show only error(s) :


### Verifing server configuration ###

Show only error(s) :
Trying user: vincent


### All tests dones ###

et le résultat de MySecureShell --configtest, depuis l'utilisateur « ami », après avoir changé son shell de MySecureShell à bash (sinon impossible de s'y connecter) :

--- ami ---
GlobalDownload        = 0 bytes/s
GlobalUpload          = 0 bytes/s
Download              = 0 bytes/s
Upload                = 0 bytes/s
StayAtHome            = true
VirtualChroot         = true
LimitConnection       = 10
LimitConnectionByUser = 10
LimitConnectionByIP   = 10
Home                  = /home/ami
ResolveIP             = true
IdleTimeOut           = 300s
HideNoAccess          = true
ShowLinksAsLinks      = false
SftpProtocol          = {default}
LogFile               = {default}
CanChangeRights       = true
CanChangeTime         = true
DefaultRights         = 0666 0777
ApplyFileSpec         = {default}
Config is valid.

J'ai aussi essayé quelque chose d'autre : quand je suis sur le serveur depuis un utilisateur ayant accès au bash et que je change d'utilisateur en faisant su ami, j'arrive à avoir le message « shell access is disabled », ce qui me semble être le comportement normal. Le problème est donc une connexion depuis l'extérieur.

Re: Impossible de se connecter à un serveur ssh utilisant MySecureShell

Bonjour,


Je viens de comprendre votre problème. MySecureShell est installé dans "/usr/bin", donc il faut mettre le shell de l'utilisateur à "/usr/bin/MySecureShell" smile