[SOLVED] ssh stops listening when trying to configure sftp

vincix · 10-07-2018, 12:21 PM

I'm running Ubuntu 14.04.5. I'm trying to configure some sftp restrictions (1:6.6p1-2ubuntu2.10). I've added this to the ssh config file:

Code:

Subsystem sftp internal-sftp
Match Group sftp
  ChrootDirectory "/var/www"
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

If I restart the ssh service (while connected through ssh), the ssh process is seemingly restarted (the current ssh connection is, of course, being kept alive), but it isn't listening to its port.
If I delete the abovementioned code (with the exception of the first line - i.e. sftp by itself works as it is), it works as expected and when I restart the ssh service, the PID is also mentioned:

Code:

ssh stop/waiting
ssh start/running, process 1597

I don't know what I'm misconfiguring. I can't see any relevant logs in auth.log of rsyslog.
On auth I can only see:

Code:

Received signal 15; terminating.
Server listening on 0.0.0.0 port 2223.

That happens when sftp chroot/matchgroup is not configured. Otherwise, it just says "Received signal 15; terminating".

Turbocapitalist · 10-07-2018, 12:43 PM

Make sure there are not any problems with the SSH server's configuration. You might have the SFTP subsystem defined twice by accident or something else wrong:

Code:

sudo /usr/sbin/sshd -T
echo $?

vincix · 10-07-2018, 12:49 PM

It was a silly mistake, but only pointed out by sshd -T command.

Quote:

Match Group sftp
ChrootDirectory "/var/www"
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

/etc/ssh/sshd_config line 95: Directive 'UsePAM' is not allowed within a Match block

I placed the directive about the "Match..." line and it works as expected. I'm just surprised that ssh didn't say anything about it. Maybe because it needed to keep the session going (as I was connected to the ssh). Thanks! Works fine now.
[later: ] I ended the match block with "Match all", as suggested by someone. I'm not 100% sure this is going to do the trick, i.e. work as expected, but ssh does restart properly.