Greetings All, I have a ssh server which allows sftp connections from the Internet while ssh connections from within the local net, here is the config: Code: Port 11111 Port 11113 Protocol 2 LogLevel DEBUG PasswordAuthentication no UsePAM yes PrintMotd no PrintLastLog no Subsystem sftp /usr/lib64/misc/sftp-server Match LocalPort 11113 Address *,!192.168.0.0/24 ChrootDirectory /home/%u AllowTCPForwarding no X11Forwarding no AllowUsers sftp_user ForceCommand /usr/lib/openssh/sftp-server AuthenticationMethods publickey,password publickey,keyboard-interactive RSAAuthentication yes PubkeyAuthentication yes AcceptEnv LANG LC_* now when I try to connect I from outside the net to test it I see this in the client: Code: dagg@NCC-5001-D ~/.ssh/sftp_keys $ sftp -oPort=11113 -oIdentityFile=id_rsa [1]sftp_user@111.111.111.111 Authenticated with partial success. Password: Connection closed I'm sure the passwd is correct because su - sftp_user with that same passwd works and if I enter a worng passwd I'm prompted with another "Password: " line. the server logs are: Code: May 21 22:56:30 NCC-5001-D sshd[30467]: debug1: Forked child 30708. May 21 22:56:30 NCC-5001-D sshd[30708]: Set /proc/self/oom_score_adj to 0 May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: rexec start in 7 out 7 newsock 7 pipe 9 sock 10 May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: inetd sockets after dupping: 3, 3 May 21 22:56:30 NCC-5001-D sshd[30708]: Connection from 111.111.111.111 port 41017 on 192.168.0.1 port 11113 May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: HPN Disabled: 0, HPN Buffer Size: 87380 May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Client protocol version 2.0; client software version OpenSSH_6.6p1-hpn14v4 May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Version;Remote: 111.111.111.111-41017;Protocol: 2.0;Client: OpenSSH_6.6p1-hpn14v4 May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: match: OpenSSH_6.6p1-hpn14v4 pat OpenSSH* compat 0x04000000 May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Enabling compatibility mode for protocol 2.0 May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Local version string SSH-2.0-OpenSSH_6.6p1-hpn14v4 May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: permanently_set_uid: 22/22 [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_KEXINIT sent [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_KEXINIT received [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: AUTH STATE IS 0 [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kex: client->server aes128-ctr [2]hmac-md5-etm@xxxxxxxxxxx none [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Kex;Remote: 111.111.111.111-41017;Enc: aes128-ctr;MAC: [3]hmac-md5-etm@xxxxxxxxxxx;Comp: none [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kex: server->client aes128-ctr [4]hmac-md5-etm@xxxxxxxxxxx none [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_NEWKEYS sent [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: expecting SSH2_MSG_NEWKEYS [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: SSH2_MSG_NEWKEYS received [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: KEX done [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method none [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: SSH: Server;Ltype: Authname;Remote: 111.111.111.111-41017;Name: sftp_user [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 0 failures 0 [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is port May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is port May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is protocol May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is loglevel May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is passwordauthentication May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is usepam May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is printmotd May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is printlastlog May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is useprivilegeseparation May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is subsystem May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is match May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: connection from 192.168.0.1 matched 'LocalPort 11113' at line 176 May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: connection from 111.111.111.111 matched 'Address *,!192.168.0.0/24' at line 176 May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is chrootdirectory May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is allowtcpforwarding May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is x11forwarding May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is allowusers May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is forcecommand May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is authenticationmethods May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is rsaauthentication May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is pubkeyauthentication May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: Config token is acceptenv May 21 22:56:30 NCC-5001-D sshd[30708]: error: Disabled method "password" in AuthenticationMethods list "publickey,password" May 21 22:56:30 NCC-5001-D sshd[30708]: Authentication methods list "publickey,password" contains disabled method, skipping May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: authentication methods list 0: publickey,keyboard-interactive May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: initializing for "sftp_user" May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: setting PAM_RHOST to "red.unlimited.net" May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: PAM: setting PAM_TTY to "ssh" May 21 22:56:30 NCC-5001-D sshd[30708]: error: Disabled method "password" in AuthenticationMethods list "publickey,password" [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: Authentication methods list "publickey,password" contains disabled method, skipping [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: authentication methods list 0: publickey,keyboard-interactive [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method publickey [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 1 failures 0 [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: test whether pkalg/pkblob are acceptable [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: temporarily_use_uid: 1004/100 (e=0/0) May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: trying public key file /home/sftp_user/.ssh/authorized_keys May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: fd 4 clearing O_NONBLOCK May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: matching key found: file /home/sftp_user/.ssh/authorized_keys, line 1 RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: restore_uid: 0/0 May 21 22:56:30 NCC-5001-D sshd[30708]: Postponed publickey for sftp_user from 111.111.111.111 port 41017 ssh2 [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method publickey [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 2 failures 0 [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: temporarily_use_uid: 1004/100 (e=0/0) May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: trying public key file /home/sftp_user/.ssh/authorized_keys May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: fd 4 clearing O_NONBLOCK May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: matching key found: file /home/sftp_user/.ssh/authorized_keys, line 1 RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: restore_uid: 0/0 May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: ssh_rsa_verify: signature correct May 21 22:56:30 NCC-5001-D sshd[30708]: Partial publickey for sftp_user from 111.111.111.111 port 41017 ssh2: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: userauth-request for user sftp_user service ssh-connection method keyboard-interactive [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: attempt 3 failures 1 [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: keyboard-interactive devs [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: auth2_challenge: user=sftp_user devs= [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: kbdint_alloc: devices 'pam' [preauth] May 21 22:56:30 NCC-5001-D sshd[30708]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth] May 21 22:56:31 NCC-5001-D sshd[30708]: Postponed keyboard-interactive for sftp_user from 111.111.111.111 port 41017 ssh2: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx [preauth] May 21 22:56:34 NCC-5001-D sshd[30713]: debug1: do_pam_account: called May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: num PAM env strings 0 May 21 22:56:34 NCC-5001-D sshd[30708]: Postponed keyboard-interactive/pam for sftp_user from 111.111.111.111 port 41017 ssh2 [preauth] May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: do_pam_account: called May 21 22:56:34 NCC-5001-D sshd[30708]: Accepted keyboard-interactive/pam for sftp_user from 111.111.111.111 port 41017 ssh2 May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: monitor_child_preauth: sftp_user has been authenticated by privileged process May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: monitor_read_log: child log fd closed May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: establishing credentials May 21 22:56:34 NCC-5001-D sshd[30708]: pam_unix(sshd:session): session opened for user sftp_user by (uid=0) May 21 22:56:34 NCC-5001-D sshd[30708]: User child is on pid 30721 May 21 22:56:34 NCC-5001-D sshd[30721]: debug1: PAM: establishing credentials May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: do_cleanup May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: cleanup May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: closing session May 21 22:56:34 NCC-5001-D sshd[30708]: pam_unix(sshd:session): session closed for user sftp_user May 21 22:56:34 NCC-5001-D sshd[30708]: debug1: PAM: deleting credentials why I'm not able to get a ftp cli? Thanks. References 1. mailto:sftp_user@111.111.111.111 2. mailto:hmac-md5-etm@xxxxxxxxxxx 3. mailto:hmac-md5-etm@xxxxxxxxxxx 4. mailto:hmac-md5-etm@xxxxxxxxxxx _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev