frazer-lab / cluster

Repo for cluster issues.

create an account #289

Open hirokomatsui opened 4 years ago

hirokomatsui commented 4 years ago

Can you create a restricted account like gaulton with the user name gaowei. Only on flh1 (or flh2) will be fine. Thank you!

hirokomatsui commented 4 years ago

Also can you remove gaulton as well as his home directory.

tatarsky commented 4 years ago

Yes and Yes. One moment.

tatarsky commented 4 years ago

Steps, just in case this becomes a regular item:

useradd -s /sbin/nologin -d /frazer01/home/gaowei -g 100 gaowei
chown root: ~gaowei
mkdir ~gaowei/upload
chown gaowei: ~gaowei/upload

Remember they need to cd into "upload" now due to security enhancements in chroot sshd.

Edit /etc/ssh/sshd_config

Match User gaowei
    ChrootDirectory /frazer01/home/gaowei
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Set a password:

passwd gaowei

Wait for puppet to propagate. (Forced it) Tested upload. Emailed you password.

tatarsky commented 4 years ago

Oh and I made it available on both flh1 and flh2....removing gaulton

hirokomatsui commented 4 years ago

Thanks!

tatarsky commented 4 years ago

No prob! Just advise if issues!

hirokomatsui commented 4 years ago

We have to get him to upload the data again. So I re-created the user account. I did delete the user once:

userdel gaowei

Then add the user as you described above:

useradd -s /sbin/nologin -d /frazer01/home/gaowei -g 100 gaowei
chown root: ~gaowei
mkdir ~gaowei/upload
chown gaowei: ~gaowei/upload

But I cannot log in as him:

sftp gaowei@flh1.ucsd.edu:/upload
gaowei@flh1.ucsd.edu's password:
Connected to flh1.ucsd.edu.
File "/upload" not found.

Can you check? I set the password: H4ZPYXgNxA

tatarsky commented 4 years ago

Try now. My umask may be more permissive than yours.

I added:

chmod 755 ~gaowei

It was 700.

To the above, and it appears to work. I believe that as ssh drops privs it still has to be able to reference the chroot directory. 755 permissions allow that.

hirokomatsui commented 4 years ago

It works. Thanks!

hirokomatsui commented 4 years ago

Sorry, somehow I am never able to create a user. I created a new user, gaulton, the same way as above, and am getting this message:

$ sftp gaulton@flh1.ucsd.edu:/upload
gaulton@flh1.ucsd.edu's password:
Received message too long 1416128883

The password is k0vsykQmam in this case. Thanks!

tatarsky commented 4 years ago

You were close. You just needed to restart sshd.

That message is a long-standing "weird" SFTP output that results from login echoing some characters. In this case, because sshd was not restarted, the attempt at login hits /sbin/nologin instead of a shell:

This account is currently not available.

Which gets turned into that crazy error ;)

sftp re-tested after sshd restarted (service sshd restart) and works ok!
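
Added example (not from the thread): the number in "Received message too long N" is simply the first four bytes of whatever the server printed before the SFTP subsystem started, read big-endian as the SSH packet length. These two helpers convert in both directions so the stray text behind such a number can be identified; they assume a POSIX shell with od.

```shell
# Text -> the length value sftp would report: the first 4 bytes, big-endian.
msglen_from_text() {
  # '%.4s' keeps only the first four characters, with no trailing newline
  hex=$(printf '%.4s' "$1" | od -An -tx1 | tr -d ' \n')
  echo $(( 0x$hex ))
}

# Number -> the four leaked bytes, printed back as text.
leak_from_msglen() {
  n=$1
  # build "\ooo\ooo\ooo\ooo" octal escapes, then let printf emit the bytes
  printf "$(printf '\\%03o\\%03o\\%03o\\%03o' \
    $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
    $(( (n >> 8) & 255 ))  $(( n & 255 )))"
}

# The /sbin/nologin banner from the thread: "This" is 0x54686973 = 1416128883.
msglen_from_text 'This account is currently not available.'   # 1416128883
leak_from_msglen 1416128883; echo                                # This
```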

hirokomatsui commented 4 years ago

Got it, thanks!

hirokomatsui commented 3 years ago

For some reason, I've never been able to create user accounts myself. I created a user account, josh, on flh1 exactly the same as before for gaulton, and cannot log in as josh.

bash-4.2$ sftp josh@flh1.ucsd.edu:/upload
josh@flh1.ucsd.edu's password:
packet_write_wait: Connection to 169.228.63.174 port 22: Broken pipe
Couldn't read packet: Connection reset by peer

Do you have any idea? The password is viW6fGdiun

tatarsky commented 3 years ago

Looking

tatarsky commented 3 years ago

We don't allow that range....169.228.63.174 isn't in the list of subnets we support in /etc/hosts.allow. I added:

sshd: 169.228.63.0/25.255.255.0 : ALLOW

Try again while I watch...

tatarsky commented 3 years ago

Wait...I've reversed the IP and the host...one sec.

tatarsky commented 3 years ago

Oh, are you running that command on flh1 itself? That's its own IP ;)

tatarsky commented 3 years ago

Ah, the problem is due to chroot restrictions. Have we done this since we moved to USS?

Dec 15 14:36:12 fl-hn1 sshd[25738]: fatal: bad ownership or modes for chroot directory component "/frazer01/" [postauth]

drwxrwxrwx 13 nfsnobody nfsnobody 5632 Nov 30 10:31 .

That is the permissions on the root of the /frazer01 share...chroot doesn't like that.

tatarsky commented 3 years ago

I propose we relocate this onto the local 14TB drive on fl-hn1....

hirokomatsui commented 3 years ago

I guess that's it. I'm changing the home directory on the local drive.

tatarsky commented 3 years ago

Perfect. Don't forget it also needs to be done in /etc/ssh/sshd_config. We should move the old copies of items in /export to the side.

# Support Upload
Match User josh
    ChrootDirectory /export/chroot/josh
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

tatarsky commented 3 years ago

(where the chroot in the above is "whatever you want"; just make sure it's owned by root)

hirokomatsui commented 3 years ago

Mmm, still doesn't work:

$ sftp josh@flh1.ucsd.edu:/upload
ssh: connect to host flh1.ucsd.edu port 22: Connection refused
Couldn't read packet: Connection reset by peer

tatarsky commented 3 years ago

Dec 15 14:46:31 fl-hn1 sshd[4357]: fatal: bad ownership or modes for chroot directory "/export/home/josh" [postauth]

chroot accounts have to have root ownership for the listed dir:

[root@fl-hn1 paul]# cd /export/home/josh/
[root@fl-hn1 josh]# ls -ald .
drwxr-xr-x 3 josh users 4096 Dec 15 14:41 .
                ^^^

[root@fl-hn1 josh]# chown root .
[root@fl-hn1 josh]# ls -ald .
drwxr-xr-x 3 root users 4096 Dec 15 14:41 .

sftp josh@localhost
josh@localhost's password: 
josh@localhost's password: 
Connected to localhost.
sftp> cd upload/
sftp> ls
sftp> mput foo
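
Added example (not part of the thread): sshd refuses a ChrootDirectory unless every path component, from / down, is root-owned and neither group- nor world-writable, which is exactly what tripped both /frazer01/ (nfsnobody, 777) and /export/home/josh (owned by josh) above. This script reproduces that walk so a new chroot can be checked before anyone tries to log in. It assumes GNU stat (CentOS/RHEL, as on fl-hn1); the optional second argument, the expected owner uid, defaults to 0 and exists only so the check can be exercised without root.

```shell
# One component: owned by the expected uid, and no group/other write bit.
chroot_component_ok() {
  info=$(stat -c '%u %a' "$1") || return 2
  uid=${info% *}
  mode=${info#* }
  if [ "$uid" -ne "${2:-0}" ]; then
    echo "bad ownership (uid $uid, want ${2:-0}): $1"
    return 1
  fi
  # 022 (octal) = group-write | other-write; sshd rejects either anywhere in the path
  if [ $(( 0$mode & 022 )) -ne 0 ]; then
    echo "bad modes ($mode, group/world writable): $1"
    return 1
  fi
  return 0
}

# Walk from / to DIR, checking every component; returns 1 if any is bad.
# Usage: check_chroot_path DIR [EXPECTED_OWNER_UID]
check_chroot_path() {
  want=${2:-0}
  bad=0
  path=""
  chroot_component_ok / "$want" || bad=1
  oldifs=$IFS
  IFS=/
  set -- $1
  IFS=$oldifs
  for comp in "$@"; do
    [ -n "$comp" ] || continue
    path="$path/$comp"
    chroot_component_ok "$path" "$want" || bad=1
  done
  if [ "$bad" -eq 0 ]; then
    echo "ok: every component of $path is owned by uid $want and not group/world writable"
  fi
  return "$bad"
}

# Example from the thread; expect a complaint about /export/home/josh if it is
# still owned by josh rather than root.
# check_chroot_path /export/chroot/josh
```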

hirokomatsui commented 3 years ago

I can do that on flh1, but not from another server on campus.

tatarsky commented 3 years ago

What source IP? We block SSH to certain ranges....

tatarsky commented 3 years ago

/etc/hosts.allow contains the ranges. Those apply to any SSH use...not just chroot.

tatarsky commented 3 years ago

And on top of that, iptables....IIRC. So provide where you are trying from and I'll see what I can see.

tatarsky commented 3 years ago

Oh, and to be more fun...fail2ban feels this system is a brute forcer now

I suspect that's you. One sec and I'll clear it and post the clearing method. (We might want to review this Wednesday.)

tatarsky commented 3 years ago

To unban a suspected brute forcer (accident this time)

fail2ban-client set sshd unbanip 169.228.63.210
169.228.63.210

[root@fl-hn1 paul]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     12358
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     104
   `- Banned IP list:

tatarsky commented 3 years ago

We can turn off fail2ban if you want. It mattered more when we allowed "ANY" for ssh.

hirokomatsui commented 3 years ago

It should be allowed: 169.228.63.252 igm-storage2.ucsd.edu

tatarsky commented 3 years ago

It was blocked due to the failures by fail2ban. Try again.

tatarsky commented 3 years ago

fail2ban is an anti-brute forcing program to monitor ssh. All the failures caused it to feel that IP was an attacker.

hirokomatsui commented 3 years ago

I got it finally. Thank you for your help!