# sftp session disconnects right after passwd enter [solved]

## DaggyStyle

Greetings All,

I have a ssh server which allows sftp connections from the Internet while ssh connections from within the local net, here is the config:

```
Port 11111

Port 11113

Protocol 2

LogLevel DEBUG

PasswordAuthentication no

UsePAM yes

PrintMotd no

PrintLastLog no

Subsystem       sftp    /usr/lib64/misc/sftp-server

Match LocalPort 11113 Address *,!192.168.0.0/24

   ChrootDirectory /home/%u

   AllowTCPForwarding no

   X11Forwarding no

   AllowUsers sftp_user

   ForceCommand /usr/lib/openssh/sftp-server

   AuthenticationMethods publickey,password publickey,keyboard-interactive

   RSAAuthentication yes

   PubkeyAuthentication yes

AcceptEnv LANG LC_*
```

now when I try to connect I from outside the net to test it I see this in the client:

```
dagg@NCC-5001-D ~/.ssh/sftp_keys $ sftp -oPort=11113 -oIdentityFile=id_rsa sftp_user@111.111.111.111

Authenticated with partial success.

Password: 

Connection closed
```

I'm sure the passwd is correct because su - sftp_user with that same passwd works and if I enter a worng passwd I'm prompted with another "Password: " line.

the server logs are:

```
May 21 22:56:30 NCC-5001-D sshd[30467]: debug1: Forked child 30708.

May 21 22:56:30 NCC-5001-D sshd[30708]: Set /proc/self/oom_score_adj to 0

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: rexec start in 7 out 7 newsock 7 pipe 9 sock 10

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: inetd sockets after dupping: 3, 3

May 21 22:56:30 NCC-5001-D sshd[30708]: Connection from 111.111.111.111 port 41017 on 192.168.0.1 port 11113

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: HPN Disabled: 0, HPN Buffer Size: 87380

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Client protocol version 2.0; client software version OpenSSH_6.6p1-hpn14v4

May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Version;Remote: 111.111.111.111-41017;Protocol: 2.0;Client: OpenSSH_6.6p1-hpn14v4

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: match: OpenSSH_6.6p1-hpn14v4 pat OpenSSH* compat 0x04000000

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Enabling compatibility mode for protocol 2.0

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Local version string SSH-2.0-OpenSSH_6.6p1-hpn14v4

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: permanently_set_uid: 22/22 [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_KEXINIT sent [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_KEXINIT received [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: AUTH STATE IS 0 [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Kex;Remote: 111.111.111.111-41017;Enc: aes128-ctr;MAC: hmac-md5-etm@openssh.com;Comp: none [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_NEWKEYS sent [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_NEWKEYS received [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: KEX done [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method none [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Authname;Remote: 111.111.111.111-41017;Name: sftp_user [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 0 failures 0 [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is port

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is port

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is protocol

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is loglevel

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is passwordauthentication

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is usepam

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is printmotd

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is printlastlog

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is useprivilegeseparation

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is subsystem

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is match

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: connection from 192.168.0.1 matched 'LocalPort 11113' at line 176

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: connection from 111.111.111.111 matched 'Address *,!192.168.0.0/24' at line 176

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is chrootdirectory

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is allowtcpforwarding

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is x11forwarding

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is allowusers

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is forcecommand

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is authenticationmethods

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is rsaauthentication

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is pubkeyauthentication

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is acceptenv

May 21 22:56:30 NCC-5001-D sshd[30708]: error: Disabled method "password" in AuthenticationMethods list "publickey,password"

May 21 22:56:30 NCC-5001-D sshd[30708]: Authentication methods list "publickey,password" contains disabled method, skipping

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: authentication methods list 0: publickey,keyboard-interactive

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: initializing for "sftp_user"

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: setting PAM_RHOST to "red.unlimited.net"

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: setting PAM_TTY to "ssh"

May 21 22:56:30 NCC-5001-D sshd[30708]: error: Disabled method "password" in AuthenticationMethods list "publickey,password" [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: Authentication methods list "publickey,password" contains disabled method, skipping [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: authentication methods list 0: publickey,keyboard-interactive [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method publickey [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 1 failures 0 [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: test whether pkalg/pkblob are acceptable [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: temporarily_use_uid: 1004/100 (e=0/0)

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: trying public key file /home/sftp_user/.ssh/authorized_keys

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: fd 4 clearing O_NONBLOCK

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: matching key found: file /home/sftp_user/.ssh/authorized_keys, line 1 RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: restore_uid: 0/0

May 21 22:56:30 NCC-5001-D sshd[30708]: Postponed publickey for sftp_user from 111.111.111.111 port 41017 ssh2 [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method publickey [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 2 failures 0 [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: temporarily_use_uid: 1004/100 (e=0/0)

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: trying public key file /home/sftp_user/.ssh/authorized_keys

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: fd 4 clearing O_NONBLOCK

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: matching key found: file /home/sftp_user/.ssh/authorized_keys, line 1 RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: restore_uid: 0/0

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: ssh_rsa_verify: signature correct

May 21 22:56:30 NCC-5001-D sshd[30708]: Partial publickey for sftp_user from 111.111.111.111 port 41017 ssh2: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method keyboard-interactive [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 3 failures 1 [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: keyboard-interactive devs  [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: auth2_challenge: user=sftp_user devs= [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kbdint_alloc: devices 'pam' [preauth]

May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]

May 21 22:56:31 NCC-5001-D sshd[30708]: Postponed keyboard-interactive for sftp_user from 111.111.111.111 port 41017 ssh2: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx [preauth]

May 21 22:56:34 NCC-5001-D sshd[30713]: debug1: do_pam_account: called

May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: num PAM env strings 0

May 21 22:56:34 NCC-5001-D sshd[30708]: Postponed keyboard-interactive/pam for sftp_user from 111.111.111.111 port 41017 ssh2 [preauth]

May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: do_pam_account: called

May 21 22:56:34 NCC-5001-D sshd[30708]: Accepted keyboard-interactive/pam for sftp_user from 111.111.111.111 port 41017 ssh2

May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: monitor_child_preauth: sftp_user has been authenticated by privileged process

May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: monitor_read_log: child log fd closed

May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: establishing credentials

May 21 22:56:34 NCC-5001-D sshd[30708]: pam_unix(sshd:session): session opened for user sftp_user by (uid=0)

May 21 22:56:34 NCC-5001-D sshd[30708]: User child is on pid 30721

May 21 22:56:34 NCC-5001-D sshd[30721]: debug1: PAM: establishing credentials

May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: do_cleanup

May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: cleanup

May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: closing session

May 21 22:56:34 NCC-5001-D sshd[30708]: pam_unix(sshd:session): session closed for user sftp_user

May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: deleting credentials
```

why I'm not able to get a ftp cli?

Thanks.

----------

## windex

Can you confirm that you're able to connect from localhost, and then from inside of your network?

----------

## DaggyStyle

 *windex wrote:*   

> Can you confirm that you're able to connect from localhost, and then from inside of your network?

 

good idea, will check

----------

## DaggyStyle

removing the internet limitation didn't worked.

----------

## DaggyStyle

ok, got some lead, this happens only of I set the ChrootDirectory directive

----------

## windex

Can you please post the ChrootDirectory component of your sshd_config.  If it's deemed sensitive, please

PM it to me instead.  What specifically are you attempting to accomplish by chrooting?  Can you please

confirm that you can chroot successfully into that folder?

----------

## DaggyStyle

it seems that chrootdir behaves well only when paired with internal sftp instead of external binary.

here is the working config:

```
Port 11111

Port 11113

Protocol 2

LogLevel DEBUG

PasswordAuthentication no

UsePAM yes

PrintMotd no

PrintLastLog no

Subsystem       sftp    internal-sftp

Match LocalPort 11113 Address *,!192.168.0.0/24

   ChrootDirectory /home/%u

   AllowTCPForwarding no

   X11Forwarding no

   AllowUsers sftp_user

   ForceCommand internal-sftp

   AuthenticationMethods publickey,password publickey,keyboard-interactive

   RSAAuthentication yes

   PubkeyAuthentication yes

AcceptEnv LANG LC_*
```

I wonder why but it works and that is what I need it to do.

----------

