SFTP authentication failed

Postby deltadave on Mon Jun 29, 2009 9:21 pm

I've followed the video tutorial on using ftp (and sftp) and am still having trouble connecting.

This is the error I'm getting with filezilla:
Status: Connecting to example.com...
Response: fzSftp started
Command: keyfile "keyfile.ppk"
Command: open "username@example.com" 22
Command: Pass: **********
Error: Authentication failed.
Error: Critical error
Error: Could not connect to server

and this is from the logfiles on the machine in question:
User username from this.is.an.ip not allowed because a group is listed in DenyGroups
Jun 29 18:05:47 username sshd[6657]: Failed none for invalid user username from this.is.an.ip port 35640 ssh2
Jun 29 18:05:47 username sshd[6657]: error: Could not get shadow information for NOUSER
Jun 29 18:05:47 deltadave sshd[6657]: Failed password for invalid user username from this.is.an.ip port 35640 ssh2

Not sure what's going on as I'm not that familiar with the SELinux environment. Any help would be greatly appreciated.

Dave
deltadave
 
Posts: 8
Joined: Wed Jun 24, 2009 10:32 pm

Re: SFTP authentication failed

Postby Dave on Sun Jul 05, 2009 5:10 pm

> User username from this.is.an.ip not allowed because a group is listed in DenyGroups

Where is this line coming from? Start with that.

Best,
Dave
Dave
Site Admin
 
Posts: 107
Joined: Tue Jun 13, 2006 6:06 pm

Re: SFTP authentication failed

Postby deltadave on Mon Jul 06, 2009 5:32 pm

ok... figured out that problem - I was trying to log in as a member of group user and that group is denied in the /etc/ssh/sshd_config.

However, still not able to log in.

Status: Connecting to this.is.a.fqdn...
Response: fzSftp started
Command: keyfile "C:\stuff\ppk\thisisakey.ppk"
Command: open "user@this.is.a.fqdn" 22
Command: Pass: *********
Status: Connected to this.is.a.fqdn
Error: Fatal: unable to initialise SFTP on server: could not connect
Error: Could not connect to server

Error logs on the server are:

date sshd[22427]: Accepted password for user from this.is.a.ip port 44837 ssh2
date sshd[22458]: subsystem request for sftp

I'm wondering if my router/firewall NAT is blocking the port response from sshd... Do you know what the port response range for sshd is so I can pass those through the firewall when requested?
deltadave
 
Posts: 8
Joined: Wed Jun 24, 2009 10:32 pm
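
The DenyGroups rejection discussed above can be reproduced offline. This is an added example, not part of the original posts: it applies sshd's four access lists in the order OpenSSH checks them (DenyUsers, AllowUsers, DenyGroups, AllowGroups) and names the directive that blocks a login. The sample configuration and function names are constructed; USER@HOST patterns and Match blocks are not handled.

```python
import fnmatch

# Constructed sample; not the poster's actual /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG = """\
# constructed example
Port 22
DenyGroups user guests
AllowGroups wheel sftp*
"""

ORDER = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse_access_lists(config_text):
    """Collect the global Allow*/Deny* pattern lists (keywords are case-insensitive)."""
    lists = {k: [] for k in ORDER}
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":  # conditional blocks are out of scope for this example
            break
        if key in lists:
            lists[key].extend(parts[1:])  # repeated directives accumulate
    return lists

def _matches(name, patterns):
    """sshd-style pattern list: '*' and '?' wildcards; a matching '!pattern' vetoes."""
    hit = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatch.fnmatchcase(name, p[1:]):
                return False
        elif fnmatch.fnmatchcase(name, p):
            hit = True
    return hit

def blocking_directive(user, groups, lists):
    """Return the directive that rejects the login, or None if all four checks pass."""
    if _matches(user, lists["denyusers"]):
        return "DenyUsers"
    if lists["allowusers"] and not _matches(user, lists["allowusers"]):
        return "AllowUsers"
    if any(_matches(g, lists["denygroups"]) for g in groups):
        return "DenyGroups"
    if lists["allowgroups"] and not any(_matches(g, lists["allowgroups"]) for g in groups):
        return "AllowGroups"
    return None
```

On a live host, the group list passed in would come from `id -Gn <user>`; a user who is in both a denied and an allowed group is still rejected, because DenyGroups is checked first.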

Re: SFTP authentication failed

Postby deltadave on Sat Sep 26, 2009 1:30 pm

Follow-up to the above message:

Still not able to log in to the machine in question using sftp with the same errors. I've tried both from the WAN (with NAT) and LAN (without NAT) with the same results.

SSH works but sshd doesn't seem to be able to spawn an sftp process.

Error log from the sshd machine:
sshd[9115]: Accepted password for adminuser from 192.168.0.100 port 3645 ssh2
sshd[9118]: subsystem request for sftp

Error log from FileZilla on the client machine:
Status: Connecting to 192.168.0.50...
Response: fzSftp started
Command: keyfile "C:\stuff\ppk\keyfile.ppk"
Command: open "adminuser@192.168.0.50" 22
Command: Trust new Hostkey: Once
Command: Pass: *********
Status: Connected to 192.168.0.50
Error: Fatal: unable to initialise SFTP on server: could not connect
Error: Could not connect to server

Any help diagnosing this would be greatly appreciated.
deltadave
 
Posts: 8
Joined: Wed Jun 24, 2009 10:32 pm

Re: SFTP authentication failed

Postby hsinanch on Fri Oct 02, 2009 2:15 am

You may try turning off SELinux and see if it works.
hsinanch
 
Posts: 8
Joined: Mon May 04, 2009 1:46 pm

Re: SFTP authentication failed

Postby tlavinder on Thu Nov 12, 2009 10:59 am

I found a way to resolve this error without turning off SELinux. I'm a newb to this, so I'm not sure this is the best way or how secure it is, but it worked for me.

Logged in as root with PuTTY
    ran 'newrole -r sysadm_r'
    ran 'setenforce 0'
Loaded the source files via the Web Tool:
    System -> Guardian Digital Secure Network
    Module -> Package Management
    Chose 'engarde-policy-sources' and installed
Followed the steps at: http://www.linuxsecurity.com/content/view/120837/49/, although not exactly in the order listed.
    Starting at 'Auditing An Application' section, completed the 'touch' command steps.
    changed to the '/etc/selinux/engarde/src/policy' folder and ran 'make conf'
    added 'local = base' to the '/etc/selinux/engarde/src/policy/policy/modules.conf' (note the additional policy directory)
    added 'allow user_t sshd_t:fifo_file { read write };' to the local.te file created with the 'touch' command
    Back to the 'Compiling Policy' section
    Starting with 'make policy', completed this section (although I didn't do 'make relabel').
Finally, ran 'setenforce 1' and tested successfully.

I couldn't find a way to restrict the user to their home folder as is possible with FTP. The user can see the server's full directory listing.
tlavinder
 
Posts: 1
Joined: Thu Nov 12, 2009 10:31 am
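
How a rule like the one added to local.te follows from logged AVC denials, as an added example that is not part of the original post: the script groups denials by source type, target type and object class and emits one allow rule per group, so the policy grants only what was actually denied. The log lines are constructed (PIDs, inode numbers and the comm value are made up) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed kernel log lines, not taken from the thread.
SAMPLE_LOG = """\
kernel: audit(1258041540.101:12): avc:  denied  { read } for  pid=9118 comm="sftp-server" path="pipe:[48211]" dev=pipefs ino=48211 scontext=user_u:user_r:user_t tcontext=system_u:system_r:sshd_t tclass=fifo_file
kernel: audit(1258041540.102:13): avc:  denied  { write } for  pid=9118 comm="sftp-server" path="pipe:[48212]" dev=pipefs ino=48212 scontext=user_u:user_r:user_t tcontext=system_u:system_r:sshd_t tclass=fifo_file
sshd[9118]: subsystem request for sftp
kernel: audit(1258041541.007:14): avc:  granted  { setenforce } for  pid=9201 comm="setenforce" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?\bscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)

def type_of(context):
    """SELinux contexts are user:role:type[:level]; the type is the third field."""
    return context.split(":")[2]

def denials_to_allow_rules(log_text):
    """Merge denied permissions per (source type, target type, class) into allow rules."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # non-AVC lines and 'granted' records are ignored
        key = (type_of(m.group(2)), type_of(m.group(3)), m.group(4))
        perms[key].update(m.group(1).split())
    rules = []
    for (src, tgt, cls), granted in sorted(perms.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(granted))} }};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_allow_rules(SAMPLE_LOG):
        print(rule)
```

Reviewing the generated rules against the denials before adding them to a local policy module keeps the change limited to the one access the SFTP subsystem needed.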

