SFTP Plugin Problem

Zitat von HannesJo

Did some more tests but whatever I do. I can only connect as long as user is not in group sftp-access, but whole root tree is displayed then.
Adding the user to sftp-access, I cannot login anymore due to "connection abort".
Turning On "Allow Groups" while user is not in sftp-access leads to "Auth failed".
Joining the group again leads to "connection abort".

Found no other settings that would change anything. Sys Log displays "service started" only. Going to SFTP LOG I get the error "Failed to open the log file (filename=/var/log/openmediavault-sftp.log).".

@ryecoaaron any further tips?

Edit:
So in the auth.log I found the error message
'fatal: bad ownership or modes for chroot directory component "/"'

and therefore I checked the permissions. I found that my / was set as root:root 775 and not root:root 755.
I backed up my system and changed the permissions with "chmod 755 /".

After that, auth.log gave me another error saying
'fatal: safely_chroot: stat("/sftp/"): No such file or directory'

So I checked /etc/ssh/omv_sftp_config and there it says 'ChrootDirectory /sftp/%u'. Ok, creating the dir /sftp/testUser/blabla/ with the right permissions and I can finally connect and I see only the directory blabla/.

But what is going on there? In the OMV GUI at SFTP in the Access List TAB I set testUser should see the sharedfolder "testSF". That setting seems to be ignored. Why is omv_sftp_config chroot'in to /sftp/%u?

Alles anzeigen

Same problem here, and your insight and help was really really appreciated.

I installed OMV in a OrangePi Plus 2e, attached a couple of drives and could not make SFTP with chroot to work.

After chmod 755-ing / everything looks to be working normally.

Thanks again.

Zitat von HannesJo

and therefore I checked the permissions. I found that my / was set as root:root 775 and not root:root 755.

I backed up my system and changed the permissions with "chmod 755 /".

chmod 755 / fixed it for me! Thanks!

Do you by any chance know why I'm seeing a dev folder when I log in? I see the other folders that I enabled and wanted to see, but I also see dev. How do I remove it from the folder that is being seen when logged in sftp?

I don't use the sftp plugin, I set up sftp by hand ages ago long before I started to use OMV so this practice was carried over.

In my setups, the /dev folder contains a log socket. It is required to be within the chroot environment or it will not work.

I suppose that if you want to run sftp without any logging enabled (not a good idea) then you could disable logging for the service in /etc/rsyslog.d by determining which is the appropriate file there and renaming it so it does not have conf as the final extension name. Then either restart the logging service or reboot the machine. As root should then be able to delete the /dev folder in the chroot.

Zitat von ryecoaaron

The installscript will fix this now. https://github.com/OpenMediaVa…ba1199b79c0b1c416200fa7a1

I did have a very close problem even if I installed OMV 5 with SFTP plugin v.5.0.4.: incorrect permissions on /sftp folder.

Only thing gone better: /sftp folder was created.

BUT: no access for sftp-group users, access to / for other users.

I did chmod 755 /sftp and then the same on the user folder, so chmod 755 /sftp/<sftp_specific_user> in my case

This fixed almost everything: sftp-group users now can access the right folder, while non sftp-group user have no access at all (in my case the "group" is composed only by <sftp_specific_user>).

Only problem left: now <sftp_specific_user> and the sftp-group users can access the folder assigned, but all the files and folders that were ALREADY INSIDE that folder can't be accessed.

Should I do  chmod 755 -R /sftp OR chmod 755 -R /sftp/<sftp_specific_user> to change the permissions to avery file/folder ?

(By the way it's a quite big folder with a lot of subfolders)

PS: This time I ask BEFORE doing "kamikaze coding"

Zitat von ryecoaaron

I'm not sure why you need to do that. The saltstack code is supposed to be doing that - https://github.com/OpenMediaVa…10_sftp_user_dirs.sls#L27

I don't know either, Rye.

I've read what you say before doing that: but in my case, appearently, something has gone wrong.

And I tell you: I struggled for more than one day in my attempts to make changes to users, etc to make it work, without any result.

Then I found an old post where you suggested to a user change permissions that way (for an older version of the plugin) and tried out that way.

And it was successful!

Without that changes there has been no way to make sfpt to work , and to make it work on the folder I assigned to the group.

After that change everything work like a charm!

That's alla what I can say.

Only drawback, and important question: the files that were ALREADY present in the folder before changing permissions to the main folder are still not accessible, so I wanted to understand if I should apply the command again, recursively with the "-r" option.

Is it safe?

Mh. Ok. Let me know, in case.

I'll try to think something about the files: as it is a copy of another disc, I could try to delete thema and copy them back now that I made the change.

I'll keep in touch.

I've got the exact same problem with SFTP.

I'm using OMV 4.1.35-1 and SFTP 3.1.6 (pool/main/o/openmediavault-sftp/openmediavault-sftp_3.1.6_all.deb)

I have 3 users, one of them ("dream") I would like to use as SFTP account credentials:

I want to share only 2 sharedfolders via SFTP, this is Privileges for that user:

SFTP tab, there are only these 2 folders set as Shares:

fstab:

/srv/dev-disk-by-label-4TB/video /sftp/dream/video none bind,rw,nofail 0 0
/srv/dev-disk-by-label-WORKX/ebook /sftp/dream/ebook none bind,rw,nofail 0 0

Yet, after testing connection, I can see whole root, with all of the folders AND moreover, I can freely download/upload every file (even from system folders):

https://i.imgur.com/Qo68pa4.png

I've been trying to set up a "sftp-users" group, restrict to "Allow access to sftp-access group only", but to no avail.

I can see my whole OMV build via SFTP...

Zitat von ryecoaaron

First, the plugin creates the "sftp-access" group. You don't need to create any groups and sftp-users would not help.

Umm, miswrite, I meant of course "sftp-access" group.

This is done.

Zitat von ryecoaaron

Second, you need "Allow access to sftp-access group only" enabled.

Third, the user "dream" needs to be part of the sftp-access group (easy to add from the Users tab not the plugin). Otherwise, you will see all of the folders because the user is not in a chroot.

Yup,I enabled that.

User "dream" is a part of the group.

Zitat von ryecoaaron

Finally, are you connecting to the sftp plugin's port (222 by default) instead of the ssh port (22 by default)? sftp works on both. If you connect to the ssh port, you will see all of the folders.

I'm connecting on 990 port.

Now it seems that this is correct.

User logged to SFTP see only "ebook" and "video" share, and also "dev", but I read it, that it has to be that way.

I hope that this setting will stick.

Thank you!

- 'user_test' is a member of sftp-access

- 'user_test' has the read/write privileges for the sharedfolder

- 'user_test' and the sharedfolder are added to the SFTP 'Access List' tab

- 'Allow access to sftp-access group only' is enabled

- ssh service is running

- sftp service is running

- 'Password authentification' is enabled for both services

- Successively launched omv-salt deploy run sftp and omv-salt deploy run fstab

What goes wrong ?

--

Openmediavault version : 5.5.3-1

openmediavault-sftp plugin version : 5.0.6

Is user 'user_test' a member of the ssh group?

Zitat von gderf

Is user 'user_test' a member of the ssh group?

Yes, also a member of sudo and user group.

What's in the auth log?

The other thing that comes up once in a while is incorrect permissions on /

Zitat von gderf

What's in the auth log?

Jul 12 16:48:50 server sshd[14471]: Accepted password for user_test from 192.1xx.xxx.xxx port xxxxx ssh2

Jul 12 16:48:50 server sshd[14471]: pam_unix(sshd:session): session opened for user user_test by (uid=0)

Jul 12 16:48:50 server systemd-logind[771]: New session 34 of user user_test.

Jul 12 16:48:50 server systemd: pam_unix(systemd-user:session): session opened for user user_test by (uid=0)

Jul 12 16:48:50 server sshd[14492]: fatal: bad ownership or modes for chroot directory component "/"

Jul 12 16:48:50 server sshd[14471]: pam_unix(sshd:session): session closed for user user_test

Jul 12 16:48:50 server systemd-logind[771]: Session 34 logged out. Waiting for processes to exit.

Jul 12 16:48:50 server systemd-logind[771]: Removed session 34.