Mailing List Archive

Non-shell accounts and scp/sftp
Hi,

We have a CLI that certain users get dropped into when they log in. One of the things they can do is generate certificates (actually .p12 key/certificate bundles) that they will then scp out of the box from another host.

Problem is that if their default shell isn't sh, ash, dash, bash, zsh, etc. then things break. Is there a workaround to allow scp/sftp to continue to work even for non-shell accounts?

Thanks,

-Philip

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Non-shell accounts and scp/sftp
On Fri, 8 Dec 2023 at 07:39, Philip Prindeville
<philipp_subx@redfish-solutions.com> wrote:
[...]
> Problem is that if their default shell isn't sh, ash, dash, bash, zsh, etc. then things break.
> Is there a workaround to allow scp/sftp to continue to work even for non-shell accounts?

sftp should work regardless of the user's shell since it is invoked as
a ssh subsystem which is independent of the shell channel.

scp is built around the assumption that the shell is involved. It is
possible for a restricted shell to allow scp and the arguments that it
needs (there have been tools such as scponly and rssh) although it is
very difficult to do this securely (rssh at least gave up trying
entirely).

I'd suggest not trying to support scp at all and concentrating on sftp.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Non-shell accounts and scp/sftp
On 07.12.23 21:36, Philip Prindeville wrote:
> Problem is that if their default shell isn't sh, ash, dash, bash, zsh,
> etc. then things break. Is there a workaround to allow scp/sftp to
> continue to work even for non-shell accounts?

That sounds like the traditional "login is denied if the login shell is
not listed in /etc/shells" mechanism is in effect, maybe because your
sshd falls back to PAM?

I take it that the users have something like /usr/local/sbin/OurMagicCLI
set as their login shell? What happens when you add that to the list in
/etc/shells ?

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Re: Non-shell accounts and scp/sftp
On 07/12/23, Philip Prindeville (philipp_subx@redfish-solutions.com) wrote:
> We have a CLI that certain users get dropped into when they log in. One of the things they can do is generate certificates (actually .p12 key/certificate bundles) that they will then scp out of the box from another host.

Off topic, and assuming the .p12 bundles need to be post-processed by clients for use by ssh, might it not be worth considering an ssh certificate signing authority?

I've made the proof-of-concept noted below, which adds certificates to forwarded agents. It doesn't need shell accounts, but presently requires ssh public keys to be added to a yaml file:

https://github.com/rorycl/sshagentca

Cheers,
Rory
Re: Non-shell accounts and scp/sftp
> On Dec 8, 2023, at 8:53 AM, Rory Campbell-Lange <rory@campbell-lange.net> wrote:
>
> On 07/12/23, Philip Prindeville (philipp_subx@redfish-solutions.com) wrote:
>> We have a CLI that certain users get dropped into when they log in. One of the things they can do is generate certificates (actually .p12 key/certificate bundles) that they will then scp out of the box from another host.
>
> Off topic, and assuming the .p12 bundles need to be post-processed by clients for use by ssh, might it not be worth considering an ssh certificate signing authority?


Actually they're TLS client certificates for HTTPS/RESTCONF access to the appliance.


> I've made the proof-of-concept noted below, which adds certificates to forwarded agents. It doesn't need shell accounts, but presently requires ssh public keys to be added to a yaml file:
>
> https://github.com/rorycl/sshagentca
>
> Cheers,
> Rory

Re: Non-shell accounts and scp/sftp
Darren Tucker:

> sftp should work regardless of the user's shell since it is invoked as
> a ssh subsystem which is independent of the shell channel.
>
> scp is built around the assumption that the shell is involved.

Wait, that is only true for the legacy protocol, right? Now that
scp defaults to the SFTP protocol, its limitations in this regard
should match those of sftp.

--
Christian "naddy" Weisgerber naddy@mips.inka.de
Re: Non-shell accounts and scp/sftp
On Fri, 8 Dec 2023, Darren Tucker wrote:

> On Fri, 8 Dec 2023 at 07:39, Philip Prindeville
> <philipp_subx@redfish-solutions.com> wrote:
> [...]
> > Problem is that if their default shell isn't sh, ash, dash, bash, zsh, etc. then things break.
> > Is there a workaround to allow scp/sftp to continue to work even for non-shell accounts?
>
> sftp should work regardless of the user's shell since it is invoked as
> a ssh subsystem which is independent of the shell channel.

I'm pretty sure sshd executes subsystems using the user's configured
shell.

You should be able to use "Subsystem sftp internal-sftp" to skip the
shell though.

-d
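
The distinction drawn in the message above, as an added example that is not part of the original thread or of OpenSSH: a small Python check that reads sshd_config text and reports, for each `Subsystem sftp` line, whether sshd serves it in-process (the literal name `internal-sftp`) or as an external command run through the account's login shell. The function names and the sample config are constructed for illustration; Include files and Match blocks are not followed.

```python
import re
import shlex
from collections import namedtuple

INTERNAL = "internal-sftp"  # the one name sshd serves in-process, without a shell
# sshd_config keywords may be followed by whitespace or by "=".
DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")
Finding = namedtuple("Finding", "lineno command mode needs_login_shell note")

# Constructed sample: three alternative sftp definitions shown side by side
# for comparison (a real sshd_config carries one of them).
SAMPLE = """\
# constructed sample, not taken from a real host
Subsystem sftp internal-sftp -l INFO
subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp sftp-internal
Subsystem other /bin/true
"""


def subsystem_lines(config_text):
    """Yield (lineno, subsystem_name, command_words) for each Subsystem line."""
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        # Keywords are case-insensitive; the arguments are not.
        if not m or m.group(1).lower() != "subsystem":
            continue
        try:
            words = shlex.split(m.group(2), comments=True)
        except ValueError:  # unbalanced quotes: not a usable directive
            continue
        if len(words) >= 2:
            yield lineno, words[0], words[1:]


def audit_sftp(config_text):
    """Return one Finding per 'Subsystem sftp' definition in config_text."""
    findings = []
    for lineno, name, cmd in subsystem_lines(config_text):
        if name != "sftp":
            continue
        if cmd[0] == INTERNAL:
            # Handled inside sshd: the account's login shell is never started.
            mode, needs_shell, note = "in-process", False, ""
        else:
            # Any other word is a command that sshd hands to the login shell,
            # so a menu-style CLI as login shell breaks it.
            mode, needs_shell, note = "external", True, ""
            if not cmd[0].startswith("/"):
                note = "not an absolute path; looked up by the login shell"
        findings.append(Finding(lineno, " ".join(cmd), mode, needs_shell, note))
    return findings


if __name__ == "__main__":
    for f in audit_sftp(SAMPLE):
        shell = "needs login shell" if f.needs_login_shell else "no shell needed"
        extra = f" ({f.note})" if f.note else ""
        print(f"line {f.lineno}: {f.command!r}: {f.mode}, {shell}{extra}")
```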
Re: Non-shell accounts and scp/sftp
> On Dec 10, 2023, at 10:41 PM, Damien Miller <djm@mindrot.org> wrote:
>
> On Fri, 8 Dec 2023, Darren Tucker wrote:
>
>> On Fri, 8 Dec 2023 at 07:39, Philip Prindeville
>> <philipp_subx@redfish-solutions.com> wrote:
>> [...]
>>> Problem is that if their default shell isn't sh, ash, dash, bash, zsh, etc. then things break.
>>> Is there a workaround to allow scp/sftp to continue to work even for non-shell accounts?
>>
>> sftp should work regardless of the user's shell since it is invoked as
>> a ssh subsystem which is independent of the shell channel.
>
> I'm pretty sure sshd executes subsystems using the user's configured
> shell.
>
> You should be able to use "Subsystem sftp internal-sftp" to skip the
> shell though.
>
> -d


I configured the server for "Subsystem sftp sftp-internal" but still not working:


pprindeville@ubuntu-ng:~/work/tnsr-pkgs$ scp -s -vvvv Makefile pprindeville2@172.21.12.17:/tmp/
Executing: program /usr/bin/ssh host 172.21.12.17, user pprindeville2, command sftp
OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/pprindeville/.ssh/config
debug3: kex names ok: [ecdh-sha2-nistp521]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 172.21.12.17 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/pprindeville/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/pprindeville/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 172.21.12.17 [172.21.12.17] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/pprindeville/.ssh/id_rsa type -1
debug1: identity file /home/pprindeville/.ssh/id_rsa-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_ecdsa type -1
debug1: identity file /home/pprindeville/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/pprindeville/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_ed25519 type 3
debug1: identity file /home/pprindeville/.ssh/id_ed25519-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_ed25519_sk type -1
debug1: identity file /home/pprindeville/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_xmss type -1
debug1: identity file /home/pprindeville/.ssh/id_xmss-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_dsa type -1
debug1: identity file /home/pprindeville/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 172.21.12.17:22 as 'pprindeville2'
debug3: record_hostkey: found key type ED25519 in file /home/pprindeville/.ssh/known_hosts:6
debug3: record_hostkey: found key type RSA in file /home/pprindeville/.ssh/known_hosts:7
debug3: record_hostkey: found key type ECDSA in file /home/pprindeville/.ssh/known_hosts:8
debug3: load_hostkeys_file: loaded 3 keys from 172.21.12.17
debug1: load_hostkeys: fopen /home/pprindeville/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:RPO7rfNJCWPOSoQJ/jZ9EnKGg5XNvZi8emIoJe7ci6I
debug3: record_hostkey: found key type ED25519 in file /home/pprindeville/.ssh/known_hosts:6
debug3: record_hostkey: found key type RSA in file /home/pprindeville/.ssh/known_hosts:7
debug3: record_hostkey: found key type ECDSA in file /home/pprindeville/.ssh/known_hosts:8
debug3: load_hostkeys_file: loaded 3 keys from 172.21.12.17
debug1: load_hostkeys: fopen /home/pprindeville/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '172.21.12.17' is known and matches the ED25519 host key.
debug1: Found key in /home/pprindeville/.ssh/known_hosts:6
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/pprindeville/.ssh/id_rsa
debug1: Will attempt key: /home/pprindeville/.ssh/id_ecdsa
debug1: Will attempt key: /home/pprindeville/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/pprindeville/.ssh/id_ed25519 ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug1: Will attempt key: /home/pprindeville/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/pprindeville/.ssh/id_xmss
debug1: Will attempt key: /home/pprindeville/.ssh/id_dsa
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/pprindeville/.ssh/id_rsa
debug3: no such identity: /home/pprindeville/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/pprindeville/.ssh/id_ecdsa
debug3: no such identity: /home/pprindeville/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/pprindeville/.ssh/id_ecdsa_sk
debug3: no such identity: /home/pprindeville/.ssh/id_ecdsa_sk: No such file or directory
debug1: Offering public key: /home/pprindeville/.ssh/id_ed25519 ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/pprindeville/.ssh/id_ed25519 ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug3: send packet: type 50
debug3: receive packet: type 52
Authenticated to 172.21.12.17 ([172.21.12.17]:22) using "publickey".
debug2: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: filesystem
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: client_input_hostkeys: received RSA key SHA256:s8s0K3dMmOFULgLh0lhMrI/feqwTy/XamXzfJc1ie00
debug3: client_input_hostkeys: received ECDSA key SHA256:2yMRY96o3ijhgOeeej/GfVn6knDwga1tMD03hTupF+Q
debug3: client_input_hostkeys: received ED25519 key SHA256:RPO7rfNJCWPOSoQJ/jZ9EnKGg5XNvZi8emIoJe7ci6I
debug1: client_input_hostkeys: searching /home/pprindeville/.ssh/known_hosts for 172.21.12.17 / (none)
debug3: hostkeys_foreach: reading file "/home/pprindeville/.ssh/known_hosts"
debug3: hostkeys_find: found ssh-ed25519 key at /home/pprindeville/.ssh/known_hosts:6
debug3: hostkeys_find: found ssh-rsa key at /home/pprindeville/.ssh/known_hosts:7
debug3: hostkeys_find: found ecdsa-sha2-nistp256 key at /home/pprindeville/.ssh/known_hosts:8
debug1: client_input_hostkeys: searching /home/pprindeville/.ssh/known_hosts2 for 172.21.12.17 / (none)
debug1: client_input_hostkeys: hostkeys file /home/pprindeville/.ssh/known_hosts2 does not exist
debug3: client_input_hostkeys: 3 server keys: 0 new, 3 retained, 0 incomplete match. 0 to remove
debug1: client_input_hostkeys: no new or deprecated keys from server
debug3: receive packet: type 4
debug1: Remote: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: set_sock_tos: set socket 3 IP_TOS 0x08
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug3: Ignored env SHELL
debug3: Ignored env LESS
debug3: Ignored env PWD
debug3: Ignored env LOGNAME
debug3: Ignored env XDG_SESSION_TYPE
debug3: Ignored env MOTD_SHOWN
debug3: Ignored env HOME
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env LS_COLORS
debug3: Ignored env SSH_CONNECTION
debug3: Ignored env LESSCLOSE
debug3: Ignored env XDG_SESSION_CLASS
debug3: Ignored env TERM
debug3: Ignored env LESSOPEN
debug3: Ignored env LIBVIRT_DEFAULT_URI
debug3: Ignored env USER
debug3: Ignored env VISUAL
debug3: Ignored env SHLVL
debug3: Ignored env PAGER
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env SSH_CLIENT
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env PATH
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env SSH_TTY
debug3: Ignored env _
debug3: Ignored env OLDPWD
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: subsystem request accepted on channel 0
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: chan_shutdown_write: channel 0: (i0 o1 sock -1 wfd 5 efd 6 [write])
debug2: channel 0: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: chan_shutdown_read: channel 0: (i0 o3 sock -1 wfd 4 efd 6 [write])
debug2: channel 0: input open -> closed
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
scp: Connection closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1 io 0x00/0x00)

debug3: send packet: type 1
Transferred: sent 2348, received 2788 bytes, in 4.8 seconds
Bytes per second: sent 485.0, received 575.9
debug1: Exit status 255
pprindeville@ubuntu-ng:~/work/tnsr-pkgs$
Re: Non-shell accounts and scp/sftp
On Mon, 11 Dec 2023, Philip Prindeville wrote:

>
>
> > On Dec 10, 2023, at 10:41 PM, Damien Miller <djm@mindrot.org> wrote:
> >
> > On Fri, 8 Dec 2023, Darren Tucker wrote:
> >
> >> On Fri, 8 Dec 2023 at 07:39, Philip Prindeville
> >> <philipp_subx@redfish-solutions.com> wrote:
> >> [...]
> >>> Problem is that if their default shell isn't sh, ash, dash, bash, zsh, etc. then things break.
> >>> Is there a workaround to allow scp/sftp to continue to work even for non-shell accounts?
> >>
> >> sftp should work regardless of the user's shell since it is invoked as
> >> a ssh subsystem which is independent of the shell channel.
> >
> > I'm pretty sure sshd executes subsystems using the user's configured
> > shell.
> >
> > You should be able to use "Subsystem sftp internal-sftp" to skip the
> > shell though.
> >
> > -d
>
>
> I configured the server for "Subsystem sftp sftp-internal" but still not working:
>
>
> pprindeville@ubuntu-ng:~/work/tnsr-pkgs$ scp -s -vvvv Makefile pprindeville2@172.21.12.17:/tmp/

yeah, because you're 1) using scp and not sftp and 2) using an old (OpenSSH
<9.0) version of scp that doesn't use the SFTP protocol under the hood.
That changed in OpenSSH 9.0.

> OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022
Re: Non-shell accounts and scp/sftp
On 12/12/2023 02:07, Damien Miller wrote:
> yeah, because you're 1) using scp and not sftp and 2) using an old (OpenSSH
> <9.0) version of scp that doesn't use the SFTP protocol under the hood.
> That changed in OpenSSH 9.0.

However, the client log did say:

debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1

Seeing a log from the server side could be illuminating: e.g.
/usr/sbin/sshd -d -p 99 (and then sftp to port 99)

Re: Non-shell accounts and scp/sftp
> On Dec 12, 2023, at 1:24 AM, Brian Candler <b.candler@pobox.com> wrote:
>
> On 12/12/2023 02:07, Damien Miller wrote:
>> yeah, because you're 1) using scp and not sftp and 2) using an old (OpenSSH
>> <9.0) version of scp that doesn't use the SFTP protocol under the hood.
>> That changed in OpenSSH 9.0.
> However, the client log did say:
> debug1: Sending subsystem: sftp
> debug2: channel 0: request subsystem confirm 1
>
> Seeing a log from the server side could be illuminating: e.g. /usr/sbin/sshd -d -p 99 (and then sftp to port 99)
>


Yeah, I was running scp with -s specifically so it would force "sftp".

Okay, so following this suggestion. Server-side:


pprindeville@tnsr1:~$ sudo /usr/sbin/sshd -d -d -d -D -4 -e -p 2222
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 3259
debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3259
debug2: /etc/ssh/sshd_config line 12: new include /etc/ssh/sshd_config.d/*.conf
debug2: /etc/ssh/sshd_config line 12: including /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf
debug2: load_server_config: filename /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf
debug2: load_server_config: done config len = 204
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf len 204
debug3: /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf:6 setting AuthorizedKeysCommand /usr/libexec/akc.sh "%u"
debug3: /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf:7 setting AuthorizedKeysCommandUser root
debug2: /etc/ssh/sshd_config line 12: including /etc/ssh/sshd_config.d/30-sftp-internal.conf
debug2: load_server_config: filename /etc/ssh/sshd_config.d/30-sftp-internal.conf
debug2: load_server_config: done config len = 30
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/30-sftp-internal.conf len 30
debug3: /etc/ssh/sshd_config.d/30-sftp-internal.conf:1 setting Subsystem sftp sftp-internal
debug2: /etc/ssh/sshd_config line 12: including /etc/ssh/sshd_config.d/50-cloud-init.conf
debug2: load_server_config: filename /etc/ssh/sshd_config.d/50-cloud-init.conf
debug2: load_server_config: done config len = 28
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/50-cloud-init.conf len 28
debug3: /etc/ssh/sshd_config.d/50-cloud-init.conf:1 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:62 setting KbdInteractiveAuthentication no
debug3: /etc/ssh/sshd_config:85 setting UsePAM yes
debug3: /etc/ssh/sshd_config:90 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:94 setting PrintMotd no
debug3: /etc/ssh/sshd_config:112 setting AcceptEnv LANG LC_*
debug1: sshd version OpenSSH_8.9, OpenSSL 3.0.2 15 Mar 2022
debug1: private host key #0: ssh-rsa SHA256:s8s0K3dMmOFULgLh0lhMrI/feqwTy/XamXzfJc1ie00
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:2yMRY96o3ijhgOeeej/GfVn6knDwga1tMD03hTupF+Q
debug1: private host key #2: ssh-ed25519 SHA256:RPO7rfNJCWPOSoQJ/jZ9EnKGg5XNvZi8emIoJe7ci6I
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-d'
debug1: rexec_argv[4]='-D'
debug1: rexec_argv[5]='-4'
debug1: rexec_argv[6]='-e'
debug1: rexec_argv[7]='-p'
debug1: rexec_argv[8]='2222'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 3259
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config_depth: config rexec len 3259
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf len 204
debug3: /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf:6 setting AuthorizedKeysCommand /usr/libexec/akc.sh "%u"
debug3: /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf:7 setting AuthorizedKeysCommandUser root
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/30-sftp-internal.conf len 30
debug3: /etc/ssh/sshd_config.d/30-sftp-internal.conf:1 setting Subsystem sftp sftp-internal
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/50-cloud-init.conf len 28
debug3: /etc/ssh/sshd_config.d/50-cloud-init.conf:1 setting PasswordAuthentication yes
debug3: rexec:62 setting KbdInteractiveAuthentication no
debug3: rexec:85 setting UsePAM yes
debug3: rexec:90 setting X11Forwarding yes
debug3: rexec:94 setting PrintMotd no
debug3: rexec:112 setting AcceptEnv LANG LC_*
debug1: sshd version OpenSSH_8.9, OpenSSL 3.0.2 15 Mar 2022
debug1: private host key #0: ssh-rsa SHA256:s8s0K3dMmOFULgLh0lhMrI/feqwTy/XamXzfJc1ie00
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:2yMRY96o3ijhgOeeej/GfVn6knDwga1tMD03hTupF+Q
debug1: private host key #2: ssh-ed25519 SHA256:RPO7rfNJCWPOSoQJ/jZ9EnKGg5XNvZi8emIoJe7ci6I
debug1: inetd sockets after dupping: 3, 3
Connection from 172.21.12.3 port 47762 on 172.21.12.17 port 2222 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 8459
debug3: preauth child monitor started
debug3: privsep user:group 106:65534 [preauth]
debug1: permanently_set_uid: 106/65534 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 [preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c [preauth]
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ssh-ed25519 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug3: mm_sshkey_sign: entering [preauth]
debug3: mm_request_send: entering, type 6 [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign: entering
debug3: mm_answer_sign: ssh-ed25519 KEX signature len=83
debug3: mm_request_send: entering, type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect: entering, type 7 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: ssh_set_newkeys: mode 1 [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug3: send packet: type 7 [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug3: receive packet: type 21 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: ssh_set_newkeys: mode 0 [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug3: receive packet: type 5 [preauth]
debug3: send packet: type 6 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user pprindeville2 service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow: entering [preauth]
debug3: mm_request_send: entering, type 8 [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow: entering
debug2: parse_server_config_depth: config reprocess config len 3259
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf len 204
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/30-sftp-internal.conf len 30
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/50-cloud-init.conf len 28
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send: entering, type 9
debug2: monitor_read: 8 used once, disabling now
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect: entering, type 9 [preauth]
debug3: mm_request_receive: entering [preauth]
debug2: input_userauth_request: setting up authctxt for pprindeville2 [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send: entering, type 100 [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "pprindeville2"
debug1: PAM: setting PAM_RHOST to "172.21.12.3"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug3: mm_inform_authserv: entering [preauth]
debug3: mm_request_send: entering, type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 89.136ms, delaying 17.267ms (requested 6.650ms) [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=, role=
debug2: monitor_read: 4 used once, disabling now
debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user pprindeville2 service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug2: userauth_pubkey: valid user pprindeville2 querying public key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDB3IcPyir0NSXz/vPJjd2xv5qPLvDq0VlctnNucm3ui [preauth]
debug1: userauth_pubkey: publickey test pkalg ssh-ed25519 pkblob ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo [preauth]
debug3: mm_key_allowed: entering [preauth]
debug3: mm_request_send: entering, type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect: entering, type 23 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed: entering
debug1: temporarily_use_uid: 10003/10003 (e=0/0)
debug1: trying public key file /home/guest/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/guest/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 10003/10003 (e=0/0)
debug1: trying public key file /home/guest/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/guest/.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
debug3: subprocess: AuthorizedKeysCommand command "/usr/libexec/akc.sh pprindeville2" running as root (flags 0x6)
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug3: subprocess: AuthorizedKeysCommand pid 8460
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug3: sigaction(Killed): Invalid argument
debug3: sigaction(Stopped (signal)): Invalid argument
debug3: sigaction(Unknown signal 32): Invalid argument
debug3: sigaction(Unknown signal 33): Invalid argument
debug1: /usr/libexec/akc.sh "%u":2: matching key found: ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug1: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Accepted key ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo found at /usr/libexec/akc.sh "%u":2
debug2: check_authkeys_file: /usr/libexec/akc.sh "%u": processed 2/2 lines
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: publickey authentication test: ED25519 key is allowed
debug3: mm_request_send: entering, type 23
debug3: send packet: type 60 [preauth]
debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519 [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 873.828ms, delaying 828.631ms (requested 6.650ms) [preauth]
Postponed publickey for pprindeville2 from 172.21.12.3 port 47762 ssh2 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user pprindeville2 service ssh-connection method publickey-hostbound-v00@openssh.com [preauth]
debug1: attempt 2 failures 0 [preauth]
debug2: input_userauth_request: try method publickey-hostbound-v00@openssh.com [preauth]
debug2: userauth_pubkey: valid user pprindeville2 attempting public key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDB3IcPyir0NSXz/vPJjd2xv5qPLvDq0VlctnNucm3ui [preauth]
debug3: userauth_pubkey: publickey-hostbound-v00@openssh.com have ssh-ed25519 signature for ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo [preauth]
debug3: mm_key_allowed: entering [preauth]
debug3: mm_request_send: entering, type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect: entering, type 23 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed: entering
debug1: temporarily_use_uid: 10003/10003 (e=0/0)
debug1: trying public key file /home/guest/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/guest/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 10003/10003 (e=0/0)
debug1: trying public key file /home/guest/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/guest/.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
debug3: subprocess: AuthorizedKeysCommand command "/usr/libexec/akc.sh pprindeville2" running as root (flags 0x6)
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug3: subprocess: AuthorizedKeysCommand pid 8463
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug3: sigaction(Killed): Invalid argument
debug3: sigaction(Stopped (signal)): Invalid argument
debug3: sigaction(Unknown signal 32): Invalid argument
debug3: sigaction(Unknown signal 33): Invalid argument
debug1: /usr/libexec/akc.sh "%u":2: matching key found: ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug1: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Accepted key ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo found at /usr/libexec/akc.sh "%u":2
debug2: check_authkeys_file: /usr/libexec/akc.sh "%u": processed 2/2 lines
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: publickey authentication: ED25519 key is allowed
debug3: mm_request_send: entering, type 23
debug3: mm_sshkey_verify: entering [preauth]
debug3: mm_request_send: entering, type 24 [preauth]
debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
debug3: mm_request_receive_expect: entering, type 25 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 24
debug3: mm_answer_keyverify: publickey ED25519 signature using ssh-ed25519 verified
debug1: auth_activate_options: setting new authentication options
debug3: mm_request_send: entering, type 25
debug3: mm_request_receive_expect: entering, type 102
debug3: mm_request_receive: entering
debug1: do_pam_account: called
debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
debug3: mm_request_send: entering, type 103
Accepted publickey for pprindeville2 from 172.21.12.3 port 47762 ssh2: ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug1: monitor_child_preauth: user pprindeville2 authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect: entering, type 26
debug3: mm_request_receive: entering
debug3: mm_get_keystate: GOT new keys
debug1: auth_activate_options: setting new authentication options [preauth]
debug2: userauth_pubkey: authenticated 1 pkalg ssh-ed25519 [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 779.100ms, delaying 72.130ms (requested 6.650ms) [preauth]
debug3: mm_do_pam_account entering [preauth]
debug3: mm_request_send: entering, type 102 [preauth]
debug3: mm_request_receive_expect: entering, type 103 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_do_pam_account returning 1 [preauth]
debug3: send packet: type 52 [preauth]
debug3: mm_request_send: entering, type 26 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug1: monitor_read_log: child log fd closed
debug3: ssh_sandbox_parent_finish: finished
debug1: PAM: establishing credentials
debug3: PAM: opening session
debug2: do_pam_session: auth information in SSH_AUTH_INFO_0
debug3: PAM: sshpam_store_conv called with 1 messages
User child is on pid 8523
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 10003/10003
debug3: monitor_apply_keystate: packet_set_state
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: ssh_packet_set_postauth: called
debug3: ssh_packet_set_state: done
debug3: notify_hostkeys: key 0: ssh-rsa SHA256:s8s0K3dMmOFULgLh0lhMrI/feqwTy/XamXzfJc1ie00
debug3: notify_hostkeys: key 1: ecdsa-sha2-nistp256 SHA256:2yMRY96o3ijhgOeeej/GfVn6knDwga1tMD03hTupF+Q
debug3: notify_hostkeys: key 2: ssh-ed25519 SHA256:RPO7rfNJCWPOSoQJ/jZ9EnKGg5XNvZi8emIoJe7ci6I
debug3: notify_hostkeys: sent 3 hostkeys
debug3: send packet: type 80
debug1: active: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: sending debug message: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: send packet: type 4
debug3: sending debug message: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: send packet: type 4
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch
debug3: receive packet: type 90
debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug3: send packet: type 91
debug3: receive packet: type 80
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug2: Setting env 0: LANG=en_US.UTF-8
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
debug2: subsystem request for sftp by user pprindeville2
debug1: subsystem: cannot stat sftp-internal: No such file or directory
debug1: subsystem: exec() sftp-internal
Starting session: subsystem 'sftp' for pprindeville2 from 172.21.12.3 port 47762 id 0
debug3: mm_audit_run_command entering command sftp-internal
debug3: mm_request_send: entering, type 113
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 113
debug3: mm_answer_audit_command entering
debug2: fd 3 setting TCP_NODELAY
debug3: set_sock_tos: set socket 3 IP_TOS 0x08
debug2: fd 9 setting O_NONBLOCK
debug2: fd 8 setting O_NONBLOCK
debug2: fd 11 setting O_NONBLOCK
debug3: send packet: type 99
debug2: channel 0: read 42 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 131 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 44 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 13 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 19 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 21 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 24 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 19 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 106 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 28 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 17 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 36 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 53 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 17 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 80 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 0 from efd 11
debug2: channel 0: closing read-efd 11
debug2: channel 0: read failed rfd 9 maxlen 32768: Broken pipe
debug2: channel 0: read failed
debug2: chan_shutdown_read: channel 0: (i0 o0 sock -1 wfd 9 efd -1 [closed])
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug3: send packet: type 96
debug2: channel 0: input drain -> closed
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 8524
debug1: session_exit_message: session 0 channel 0 pid 8524
debug2: channel 0: request exit-status confirm 0
debug3: send packet: type 98
debug1: session_exit_message: release channel 0
debug2: channel 0: write failed
debug2: chan_shutdown_write: channel 0: (i3 o0 sock -1 wfd 8 efd -1 [closed])
debug2: channel 0: send eow
debug3: send packet: type 98
debug2: channel 0: output open -> closed
debug2: channel 0: send close
debug3: send packet: type 97
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug3: channel 0: will not send data after close
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: receive packet: type 1
Received disconnect from 172.21.12.3 port 47762:11: disconnected by user
Disconnected from user pprindeville2 172.21.12.3 port 47762
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: temporarily_use_uid: 10003/10003 (e=10003/10003)
debug1: restore_uid: (unprivileged)
debug3: mm_request_receive: entering
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: closing session
debug1: PAM: deleting credentials
debug3: PAM: sshpam_thread_cleanup entering
debug1: temporarily_use_uid: 10003/10003 (e=0/0)
debug1: restore_uid: 0/0
debug1: audit_event: unhandled event 12
pprindeville@tnsr1:~$


And client-side:


pprindeville@ubuntu-ng:~/work/tnsr-pkgs$ scp -P 2222 -s -v -v -v -v Makefile pprindeville2@172.21.12.17:/tmp/
Executing: program /usr/bin/ssh host 172.21.12.17, user pprindeville2, command sftp
OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/pprindeville/.ssh/config
debug3: kex names ok: [ecdh-sha2-nistp521]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 172.21.12.17 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/pprindeville/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/pprindeville/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 172.21.12.17 [172.21.12.17] port 2222.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/pprindeville/.ssh/id_rsa type -1
debug1: identity file /home/pprindeville/.ssh/id_rsa-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_ecdsa type -1
debug1: identity file /home/pprindeville/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/pprindeville/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_ed25519 type 3
debug1: identity file /home/pprindeville/.ssh/id_ed25519-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_ed25519_sk type -1
debug1: identity file /home/pprindeville/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_xmss type -1
debug1: identity file /home/pprindeville/.ssh/id_xmss-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_dsa type -1
debug1: identity file /home/pprindeville/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 172.21.12.17:2222 as 'pprindeville2'
debug3: put_host_port: [172.21.12.17]:2222
debug1: load_hostkeys: fopen /home/pprindeville/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:RPO7rfNJCWPOSoQJ/jZ9EnKGg5XNvZi8emIoJe7ci6I
debug3: put_host_port: [172.21.12.17]:2222
debug3: put_host_port: [172.21.12.17]:2222
debug1: load_hostkeys: fopen /home/pprindeville/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: checking without port identifier
debug3: record_hostkey: found key type ED25519 in file /home/pprindeville/.ssh/known_hosts:6
debug3: record_hostkey: found key type RSA in file /home/pprindeville/.ssh/known_hosts:7
debug3: record_hostkey: found key type ECDSA in file /home/pprindeville/.ssh/known_hosts:8
debug3: load_hostkeys_file: loaded 3 keys from 172.21.12.17
debug1: load_hostkeys: fopen /home/pprindeville/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '172.21.12.17' is known and matches the ED25519 host key.
debug1: Found key in /home/pprindeville/.ssh/known_hosts:6
debug1: found matching key w/out port
debug1: check_host_key: hostkey not known or explicitly trusted: disabling UpdateHostkeys
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/pprindeville/.ssh/id_rsa
debug1: Will attempt key: /home/pprindeville/.ssh/id_ecdsa
debug1: Will attempt key: /home/pprindeville/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/pprindeville/.ssh/id_ed25519 ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug1: Will attempt key: /home/pprindeville/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/pprindeville/.ssh/id_xmss
debug1: Will attempt key: /home/pprindeville/.ssh/id_dsa
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/pprindeville/.ssh/id_rsa
debug3: no such identity: /home/pprindeville/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/pprindeville/.ssh/id_ecdsa
debug3: no such identity: /home/pprindeville/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/pprindeville/.ssh/id_ecdsa_sk
debug3: no such identity: /home/pprindeville/.ssh/id_ecdsa_sk: No such file or directory
debug1: Offering public key: /home/pprindeville/.ssh/id_ed25519 ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/pprindeville/.ssh/id_ed25519 ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug3: send packet: type 50
debug3: receive packet: type 52
Authenticated to 172.21.12.17 ([172.21.12.17]:2222) using "publickey".
debug2: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 4
debug1: Remote: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: set_sock_tos: set socket 3 IP_TOS 0x08
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug3: Ignored env SHELL
debug3: Ignored env LESS
debug3: Ignored env PWD
debug3: Ignored env LOGNAME
debug3: Ignored env XDG_SESSION_TYPE
debug3: Ignored env MOTD_SHOWN
debug3: Ignored env HOME
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env LS_COLORS
debug3: Ignored env SSH_CONNECTION
debug3: Ignored env LESSCLOSE
debug3: Ignored env XDG_SESSION_CLASS
debug3: Ignored env TERM
debug3: Ignored env LESSOPEN
debug3: Ignored env LIBVIRT_DEFAULT_URI
debug3: Ignored env USER
debug3: Ignored env VISUAL
debug3: Ignored env SHLVL
debug3: Ignored env PAGER
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env SSH_CLIENT
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env PATH
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env SSH_TTY
debug3: Ignored env OLDPWD
debug3: Ignored env _
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: subsystem request accepted on channel 0
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: chan_shutdown_write: channel 0: (i0 o1 sock -1 wfd 5 efd 6 [write])
debug2: channel 0: output drain -> closed
scp: Connection closed
debug2: channel 0: read failed rfd 4 maxlen 32768: Broken pipe
debug2: channel 0: read failed
debug2: chan_shutdown_read: channel 0: (i0 o3 sock -1 wfd 4 efd 6 [write])
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug3: send packet: type 96
debug2: channel 0: input drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1 io 0x00/0x00)

debug3: send packet: type 1
Transferred: sent 2368, received 2788 bytes, in 2.7 seconds
Bytes per second: sent 873.6, received 1028.5
debug1: Exit status 255
pprindeville@ubuntu-ng:~/work/tnsr-pkgs$
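
Added example (not from any poster in this thread): a small Python triage of `ssh -vvv` client output like the log above, keyed on the RFC 4254 channel message numbers printed in the `receive packet: type N` lines. The first sample is excerpted from that log; the other two samples and all function names are constructed for illustration.

```python
import re

# SSH connection-protocol message numbers (RFC 4254), as printed by
# "debug3: receive packet: type N" in ssh -vvv output.
CHANNEL_DATA, CHANNEL_EOF = 94, 96
CHANNEL_SUCCESS, CHANNEL_FAILURE = 99, 100

RE_SUBSYSTEM = re.compile(r"debug1: Sending subsystem: (\S+)")
RE_COMMAND = re.compile(r"debug1: Sending command: (.+)")
RE_RECV = re.compile(r"debug3: receive packet: type (\d+)")
RE_EXIT = re.compile(r"debug1: Exit status (-?\d+)")

# Excerpt of the client log above (lines copied verbatim, others omitted).
PAGE_EXCERPT = """\
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug3: send packet: type 98
debug3: receive packet: type 99
debug2: subsystem request accepted on channel 0
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
scp: Connection closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 97
debug1: Exit status 255
"""

# Constructed sample: a session where the server answers with channel data.
CONSTRUCTED_HEALTHY = """\
debug1: Sending subsystem: sftp
debug3: send packet: type 98
debug3: receive packet: type 99
debug3: send packet: type 94
debug3: receive packet: type 94
debug3: receive packet: type 96
debug3: receive packet: type 97
debug1: Exit status 0
"""

# Constructed sample: scp in legacy mode asks for a remote command instead.
CONSTRUCTED_LEGACY = """\
debug1: Sending command: scp -t /tmp/
debug3: send packet: type 98
debug3: receive packet: type 99
"""


def _verdict(mode, received):
    """Turn the packets received after the session request into a finding."""
    if mode is None:
        return "no session request seen"
    if mode.startswith("exec:"):
        return "remote command: runs through the account's login shell"
    replies = [t for t in received if t in (CHANNEL_SUCCESS, CHANNEL_FAILURE)]
    if not replies:
        return "no reply to subsystem request"
    if replies[0] == CHANNEL_FAILURE:
        return "subsystem request refused by server"
    after = received[received.index(CHANNEL_SUCCESS) + 1:]
    saw_eof = CHANNEL_EOF in after
    before_eof = after[:after.index(CHANNEL_EOF)] if saw_eof else after
    if CHANNEL_DATA in before_eof:
        return "subsystem accepted and data exchanged"
    if saw_eof:
        # Server started the subsystem and closed without speaking SFTP:
        # the cause is on the server (what the Subsystem line executes).
        return "subsystem accepted, server sent EOF before any data"
    return "subsystem accepted, log ends before any data"


def triage(log_text):
    """Classify one client debug log by what followed the session request."""
    mode = None        # "subsystem:<name>" or "exec:<command>"
    received = []      # packet types received after the request was sent
    exit_status = None
    for line in log_text.splitlines():
        line = line.strip()
        if (m := RE_SUBSYSTEM.fullmatch(line)):
            mode, received = "subsystem:" + m.group(1), []
        elif (m := RE_COMMAND.fullmatch(line)):
            mode, received = "exec:" + m.group(1), []
        elif (m := RE_RECV.fullmatch(line)) and mode is not None:
            received.append(int(m.group(1)))
        elif (m := RE_EXIT.fullmatch(line)):
            exit_status = int(m.group(1))
    return {"mode": mode, "exit_status": exit_status,
            "verdict": _verdict(mode, received)}


if __name__ == "__main__":
    for name, log in [("page excerpt", PAGE_EXCERPT),
                      ("constructed healthy", CONSTRUCTED_HEALTHY),
                      ("constructed legacy scp", CONSTRUCTED_LEGACY)]:
        print(name, "->", triage(log))
```
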

Re: Non-shell accounts and scp/sftp [ In reply to ]
> On Dec 12, 2023, at 1:24 AM, Brian Candler <b.candler@pobox.com> wrote:
>
> On 12/12/2023 02:07, Damien Miller wrote:
>> yeah, because you're 1) using scp and not sftp and 2) using an old (OpenSSH
>> <9.0) version of scp that doesn't use the SFTP protocol under the hood.
>> That changed in OpenSSH 9.0.
> However, the client log did say:
> debug1: Sending subsystem: sftp
> debug2: channel 0: request subsystem confirm 1
>
> Seeing a log from the server side could be illuminating: e.g. /usr/sbin/sshd -d -p 99 (and then sftp to port 99)
>


Yeah, I was running scp with -s specifically so it would force "sftp".

Okay, so following this suggestion. Server-side:


pprindeville@tnsr1:~$ sudo /usr/sbin/sshd -d -d -d -D -4 -e -p 2222
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 3259
debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3259
debug2: /etc/ssh/sshd_config line 12: new include /etc/ssh/sshd_config.d/*.conf
debug2: /etc/ssh/sshd_config line 12: including /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf
debug2: load_server_config: filename /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf
debug2: load_server_config: done config len = 204
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf len 204
debug3: /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf:6 setting AuthorizedKeysCommand /usr/libexec/akc.sh "%u"
debug3: /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf:7 setting AuthorizedKeysCommandUser root
debug2: /etc/ssh/sshd_config line 12: including /etc/ssh/sshd_config.d/30-sftp-internal.conf
debug2: load_server_config: filename /etc/ssh/sshd_config.d/30-sftp-internal.conf
debug2: load_server_config: done config len = 30
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/30-sftp-internal.conf len 30
debug3: /etc/ssh/sshd_config.d/30-sftp-internal.conf:1 setting Subsystem sftp sftp-internal
debug2: /etc/ssh/sshd_config line 12: including /etc/ssh/sshd_config.d/50-cloud-init.conf
debug2: load_server_config: filename /etc/ssh/sshd_config.d/50-cloud-init.conf
debug2: load_server_config: done config len = 28
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/50-cloud-init.conf len 28
debug3: /etc/ssh/sshd_config.d/50-cloud-init.conf:1 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:62 setting KbdInteractiveAuthentication no
debug3: /etc/ssh/sshd_config:85 setting UsePAM yes
debug3: /etc/ssh/sshd_config:90 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:94 setting PrintMotd no
debug3: /etc/ssh/sshd_config:112 setting AcceptEnv LANG LC_*
debug1: sshd version OpenSSH_8.9, OpenSSL 3.0.2 15 Mar 2022
debug1: private host key #0: ssh-rsa SHA256:s8s0K3dMmOFULgLh0lhMrI/feqwTy/XamXzfJc1ie00
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:2yMRY96o3ijhgOeeej/GfVn6knDwga1tMD03hTupF+Q
debug1: private host key #2: ssh-ed25519 SHA256:RPO7rfNJCWPOSoQJ/jZ9EnKGg5XNvZi8emIoJe7ci6I
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-d'
debug1: rexec_argv[4]='-D'
debug1: rexec_argv[5]='-4'
debug1: rexec_argv[6]='-e'
debug1: rexec_argv[7]='-p'
debug1: rexec_argv[8]='2222'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 3259
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config_depth: config rexec len 3259
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf len 204
debug3: /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf:6 setting AuthorizedKeysCommand /usr/libexec/akc.sh "%u"
debug3: /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf:7 setting AuthorizedKeysCommandUser root
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/30-sftp-internal.conf len 30
debug3: /etc/ssh/sshd_config.d/30-sftp-internal.conf:1 setting Subsystem sftp sftp-internal
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/50-cloud-init.conf len 28
debug3: /etc/ssh/sshd_config.d/50-cloud-init.conf:1 setting PasswordAuthentication yes
debug3: rexec:62 setting KbdInteractiveAuthentication no
debug3: rexec:85 setting UsePAM yes
debug3: rexec:90 setting X11Forwarding yes
debug3: rexec:94 setting PrintMotd no
debug3: rexec:112 setting AcceptEnv LANG LC_*
debug1: sshd version OpenSSH_8.9, OpenSSL 3.0.2 15 Mar 2022
debug1: private host key #0: ssh-rsa SHA256:s8s0K3dMmOFULgLh0lhMrI/feqwTy/XamXzfJc1ie00
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:2yMRY96o3ijhgOeeej/GfVn6knDwga1tMD03hTupF+Q
debug1: private host key #2: ssh-ed25519 SHA256:RPO7rfNJCWPOSoQJ/jZ9EnKGg5XNvZi8emIoJe7ci6I
debug1: inetd sockets after dupping: 3, 3
Connection from 172.21.12.3 port 47762 on 172.21.12.17 port 2222 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 8459
debug3: preauth child monitor started
debug3: privsep user:group 106:65534 [preauth]
debug1: permanently_set_uid: 106/65534 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 [preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c [preauth]
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ssh-ed25519 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug3: mm_sshkey_sign: entering [preauth]
debug3: mm_request_send: entering, type 6 [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign: entering
debug3: mm_answer_sign: ssh-ed25519 KEX signature len=83
debug3: mm_request_send: entering, type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect: entering, type 7 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: ssh_set_newkeys: mode 1 [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug3: send packet: type 7 [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug3: receive packet: type 21 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: ssh_set_newkeys: mode 0 [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug3: receive packet: type 5 [preauth]
debug3: send packet: type 6 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user pprindeville2 service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow: entering [preauth]
debug3: mm_request_send: entering, type 8 [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow: entering
debug2: parse_server_config_depth: config reprocess config len 3259
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/20-ldap-sshkeys.conf len 204
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/30-sftp-internal.conf len 30
debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/50-cloud-init.conf len 28
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send: entering, type 9
debug2: monitor_read: 8 used once, disabling now
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect: entering, type 9 [preauth]
debug3: mm_request_receive: entering [preauth]
debug2: input_userauth_request: setting up authctxt for pprindeville2 [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send: entering, type 100 [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "pprindeville2"
debug1: PAM: setting PAM_RHOST to "172.21.12.3"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug3: mm_inform_authserv: entering [preauth]
debug3: mm_request_send: entering, type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 89.136ms, delaying 17.267ms (requested 6.650ms) [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=, role=
debug2: monitor_read: 4 used once, disabling now
debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
debug3: send packet: type 51 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user pprindeville2 service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug2: userauth_pubkey: valid user pprindeville2 querying public key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDB3IcPyir0NSXz/vPJjd2xv5qPLvDq0VlctnNucm3ui [preauth]
debug1: userauth_pubkey: publickey test pkalg ssh-ed25519 pkblob ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo [preauth]
debug3: mm_key_allowed: entering [preauth]
debug3: mm_request_send: entering, type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect: entering, type 23 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed: entering
debug1: temporarily_use_uid: 10003/10003 (e=0/0)
debug1: trying public key file /home/guest/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/guest/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 10003/10003 (e=0/0)
debug1: trying public key file /home/guest/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/guest/.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
debug3: subprocess: AuthorizedKeysCommand command "/usr/libexec/akc.sh pprindeville2" running as root (flags 0x6)
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug3: subprocess: AuthorizedKeysCommand pid 8460
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug3: sigaction(Killed): Invalid argument
debug3: sigaction(Stopped (signal)): Invalid argument
debug3: sigaction(Unknown signal 32): Invalid argument
debug3: sigaction(Unknown signal 33): Invalid argument
debug1: /usr/libexec/akc.sh "%u":2: matching key found: ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug1: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Accepted key ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo found at /usr/libexec/akc.sh "%u":2
debug2: check_authkeys_file: /usr/libexec/akc.sh "%u": processed 2/2 lines
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: publickey authentication test: ED25519 key is allowed
debug3: mm_request_send: entering, type 23
debug3: send packet: type 60 [preauth]
debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519 [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 873.828ms, delaying 828.631ms (requested 6.650ms) [preauth]
Postponed publickey for pprindeville2 from 172.21.12.3 port 47762 ssh2 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user pprindeville2 service ssh-connection method publickey-hostbound-v00@openssh.com [preauth]
debug1: attempt 2 failures 0 [preauth]
debug2: input_userauth_request: try method publickey-hostbound-v00@openssh.com [preauth]
debug2: userauth_pubkey: valid user pprindeville2 attempting public key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDB3IcPyir0NSXz/vPJjd2xv5qPLvDq0VlctnNucm3ui [preauth]
debug3: userauth_pubkey: publickey-hostbound-v00@openssh.com have ssh-ed25519 signature for ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo [preauth]
debug3: mm_key_allowed: entering [preauth]
debug3: mm_request_send: entering, type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect: entering, type 23 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed: entering
debug1: temporarily_use_uid: 10003/10003 (e=0/0)
debug1: trying public key file /home/guest/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/guest/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 10003/10003 (e=0/0)
debug1: trying public key file /home/guest/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/guest/.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
debug3: subprocess: AuthorizedKeysCommand command "/usr/libexec/akc.sh pprindeville2" running as root (flags 0x6)
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug3: subprocess: AuthorizedKeysCommand pid 8463
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug3: sigaction(Killed): Invalid argument
debug3: sigaction(Stopped (signal)): Invalid argument
debug3: sigaction(Unknown signal 32): Invalid argument
debug3: sigaction(Unknown signal 33): Invalid argument
debug1: /usr/libexec/akc.sh "%u":2: matching key found: ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug1: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Accepted key ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo found at /usr/libexec/akc.sh "%u":2
debug2: check_authkeys_file: /usr/libexec/akc.sh "%u": processed 2/2 lines
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: publickey authentication: ED25519 key is allowed
debug3: mm_request_send: entering, type 23
debug3: mm_sshkey_verify: entering [preauth]
debug3: mm_request_send: entering, type 24 [preauth]
debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
debug3: mm_request_receive_expect: entering, type 25 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 24
debug3: mm_answer_keyverify: publickey ED25519 signature using ssh-ed25519 verified
debug1: auth_activate_options: setting new authentication options
debug3: mm_request_send: entering, type 25
debug3: mm_request_receive_expect: entering, type 102
debug3: mm_request_receive: entering
debug1: do_pam_account: called
debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
debug3: mm_request_send: entering, type 103
Accepted publickey for pprindeville2 from 172.21.12.3 port 47762 ssh2: ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug1: monitor_child_preauth: user pprindeville2 authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect: entering, type 26
debug3: mm_request_receive: entering
debug3: mm_get_keystate: GOT new keys
debug1: auth_activate_options: setting new authentication options [preauth]
debug2: userauth_pubkey: authenticated 1 pkalg ssh-ed25519 [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 779.100ms, delaying 72.130ms (requested 6.650ms) [preauth]
debug3: mm_do_pam_account entering [preauth]
debug3: mm_request_send: entering, type 102 [preauth]
debug3: mm_request_receive_expect: entering, type 103 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_do_pam_account returning 1 [preauth]
debug3: send packet: type 52 [preauth]
debug3: mm_request_send: entering, type 26 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug1: monitor_read_log: child log fd closed
debug3: ssh_sandbox_parent_finish: finished
debug1: PAM: establishing credentials
debug3: PAM: opening session
debug2: do_pam_session: auth information in SSH_AUTH_INFO_0
debug3: PAM: sshpam_store_conv called with 1 messages
User child is on pid 8523
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 10003/10003
debug3: monitor_apply_keystate: packet_set_state
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: ssh_packet_set_postauth: called
debug3: ssh_packet_set_state: done
debug3: notify_hostkeys: key 0: ssh-rsa SHA256:s8s0K3dMmOFULgLh0lhMrI/feqwTy/XamXzfJc1ie00
debug3: notify_hostkeys: key 1: ecdsa-sha2-nistp256 SHA256:2yMRY96o3ijhgOeeej/GfVn6knDwga1tMD03hTupF+Q
debug3: notify_hostkeys: key 2: ssh-ed25519 SHA256:RPO7rfNJCWPOSoQJ/jZ9EnKGg5XNvZi8emIoJe7ci6I
debug3: notify_hostkeys: sent 3 hostkeys
debug3: send packet: type 80
debug1: active: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: sending debug message: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: send packet: type 4
debug3: sending debug message: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: send packet: type 4
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch
debug3: receive packet: type 90
debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug3: send packet: type 91
debug3: receive packet: type 80
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug2: Setting env 0: LANG=en_US.UTF-8
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
debug2: subsystem request for sftp by user pprindeville2
debug1: subsystem: cannot stat sftp-internal: No such file or directory
debug1: subsystem: exec() sftp-internal
Starting session: subsystem 'sftp' for pprindeville2 from 172.21.12.3 port 47762 id 0
debug3: mm_audit_run_command entering command sftp-internal
debug3: mm_request_send: entering, type 113
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 113
debug3: mm_answer_audit_command entering
debug2: fd 3 setting TCP_NODELAY
debug3: set_sock_tos: set socket 3 IP_TOS 0x08
debug2: fd 9 setting O_NONBLOCK
debug2: fd 8 setting O_NONBLOCK
debug2: fd 11 setting O_NONBLOCK
debug3: send packet: type 99
debug2: channel 0: read 42 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 131 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 44 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 13 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 19 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 21 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 24 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 19 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 106 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 28 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 17 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 36 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 53 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 17 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 80 from efd 11
debug3: channel 0: discard efd
debug2: channel 0: read 0 from efd 11
debug2: channel 0: closing read-efd 11
debug2: channel 0: read failed rfd 9 maxlen 32768: Broken pipe
debug2: channel 0: read failed
debug2: chan_shutdown_read: channel 0: (i0 o0 sock -1 wfd 9 efd -1 [closed])
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug3: send packet: type 96
debug2: channel 0: input drain -> closed
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 8524
debug1: session_exit_message: session 0 channel 0 pid 8524
debug2: channel 0: request exit-status confirm 0
debug3: send packet: type 98
debug1: session_exit_message: release channel 0
debug2: channel 0: write failed
debug2: chan_shutdown_write: channel 0: (i3 o0 sock -1 wfd 8 efd -1 [closed])
debug2: channel 0: send eow
debug3: send packet: type 98
debug2: channel 0: output open -> closed
debug2: channel 0: send close
debug3: send packet: type 97
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug3: channel 0: will not send data after close
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: receive packet: type 1
Received disconnect from 172.21.12.3 port 47762:11: disconnected by user
Disconnected from user pprindeville2 172.21.12.3 port 47762
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: temporarily_use_uid: 10003/10003 (e=10003/10003)
debug1: restore_uid: (unprivileged)
debug3: mm_request_receive: entering
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: closing session
debug1: PAM: deleting credentials
debug3: PAM: sshpam_thread_cleanup entering
debug1: temporarily_use_uid: 10003/10003 (e=0/0)
debug1: restore_uid: 0/0
debug1: audit_event: unhandled event 12
pprindeville@tnsr1:~$


And client-side:


pprindeville@ubuntu-ng:~/work/tnsr-pkgs$ scp -P 2222 -s -v -v -v -v Makefile pprindeville2@172.21.12.17:/tmp/
Executing: program /usr/bin/ssh host 172.21.12.17, user pprindeville2, command sftp
OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /home/pprindeville/.ssh/config
debug3: kex names ok: [ecdh-sha2-nistp521]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 172.21.12.17 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/pprindeville/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/pprindeville/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 172.21.12.17 [172.21.12.17] port 2222.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/pprindeville/.ssh/id_rsa type -1
debug1: identity file /home/pprindeville/.ssh/id_rsa-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_ecdsa type -1
debug1: identity file /home/pprindeville/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/pprindeville/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_ed25519 type 3
debug1: identity file /home/pprindeville/.ssh/id_ed25519-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_ed25519_sk type -1
debug1: identity file /home/pprindeville/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_xmss type -1
debug1: identity file /home/pprindeville/.ssh/id_xmss-cert type -1
debug1: identity file /home/pprindeville/.ssh/id_dsa type -1
debug1: identity file /home/pprindeville/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.4
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 172.21.12.17:2222 as 'pprindeville2'
debug3: put_host_port: [172.21.12.17]:2222
debug1: load_hostkeys: fopen /home/pprindeville/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:RPO7rfNJCWPOSoQJ/jZ9EnKGg5XNvZi8emIoJe7ci6I
debug3: put_host_port: [172.21.12.17]:2222
debug3: put_host_port: [172.21.12.17]:2222
debug1: load_hostkeys: fopen /home/pprindeville/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: checking without port identifier
debug3: record_hostkey: found key type ED25519 in file /home/pprindeville/.ssh/known_hosts:6
debug3: record_hostkey: found key type RSA in file /home/pprindeville/.ssh/known_hosts:7
debug3: record_hostkey: found key type ECDSA in file /home/pprindeville/.ssh/known_hosts:8
debug3: load_hostkeys_file: loaded 3 keys from 172.21.12.17
debug1: load_hostkeys: fopen /home/pprindeville/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '172.21.12.17' is known and matches the ED25519 host key.
debug1: Found key in /home/pprindeville/.ssh/known_hosts:6
debug1: found matching key w/out port
debug1: check_host_key: hostkey not known or explicitly trusted: disabling UpdateHostkeys
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/pprindeville/.ssh/id_rsa
debug1: Will attempt key: /home/pprindeville/.ssh/id_ecdsa
debug1: Will attempt key: /home/pprindeville/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/pprindeville/.ssh/id_ed25519 ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug1: Will attempt key: /home/pprindeville/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/pprindeville/.ssh/id_xmss
debug1: Will attempt key: /home/pprindeville/.ssh/id_dsa
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/pprindeville/.ssh/id_rsa
debug3: no such identity: /home/pprindeville/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/pprindeville/.ssh/id_ecdsa
debug3: no such identity: /home/pprindeville/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/pprindeville/.ssh/id_ecdsa_sk
debug3: no such identity: /home/pprindeville/.ssh/id_ecdsa_sk: No such file or directory
debug1: Offering public key: /home/pprindeville/.ssh/id_ed25519 ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/pprindeville/.ssh/id_ed25519 ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug3: sign_and_send_pubkey: signing using ssh-ed25519 SHA256:neQyiewnVRcoGKvbKO7Qt8/WevQ1qKaifcdUGe8wBpo
debug3: send packet: type 50
debug3: receive packet: type 52
Authenticated to 172.21.12.17 ([172.21.12.17]:2222) using "publickey".
debug2: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 4
debug1: Remote: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /usr/libexec/akc.sh "%u":2: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: set_sock_tos: set socket 3 IP_TOS 0x08
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug3: Ignored env SHELL
debug3: Ignored env LESS
debug3: Ignored env PWD
debug3: Ignored env LOGNAME
debug3: Ignored env XDG_SESSION_TYPE
debug3: Ignored env MOTD_SHOWN
debug3: Ignored env HOME
debug1: channel 0: setting env LANG = "en_US.UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env LS_COLORS
debug3: Ignored env SSH_CONNECTION
debug3: Ignored env LESSCLOSE
debug3: Ignored env XDG_SESSION_CLASS
debug3: Ignored env TERM
debug3: Ignored env LESSOPEN
debug3: Ignored env LIBVIRT_DEFAULT_URI
debug3: Ignored env USER
debug3: Ignored env VISUAL
debug3: Ignored env SHLVL
debug3: Ignored env PAGER
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env SSH_CLIENT
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env PATH
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env SSH_TTY
debug3: Ignored env OLDPWD
debug3: Ignored env _
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: subsystem request accepted on channel 0
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: chan_shutdown_write: channel 0: (i0 o1 sock -1 wfd 5 efd 6 [write])
debug2: channel 0: output drain -> closed
scp: Connection closed
debug2: channel 0: read failed rfd 4 maxlen 32768: Broken pipe
debug2: channel 0: read failed
debug2: chan_shutdown_read: channel 0: (i0 o3 sock -1 wfd 4 efd 6 [write])
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug3: send packet: type 96
debug2: channel 0: input drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1 io 0x00/0x00)

debug3: send packet: type 1
Transferred: sent 2368, received 2788 bytes, in 2.7 seconds
Bytes per second: sent 873.6, received 1028.5
debug1: Exit status 255
pprindeville@ubuntu-ng:~/work/tnsr-pkgs$

Re: Non-shell accounts and scp/sftp
On Tue, 12 Dec 2023, Philip Prindeville wrote:

> debug2: subsystem request for sftp by user pprindeville2
> debug1: subsystem: cannot stat sftp-internal: No such file or directory
> debug1: subsystem: exec() sftp-internal
> Starting session: subsystem 'sftp' for pprindeville2 from 172.21.12.3 port 47762 id 0
> debug3: mm_audit_run_command entering command sftp-internal

I gave you incorrect advice, it's not "sftp-internal" but "internal-sftp"

Re: Non-shell accounts and scp/sftp
> On Dec 12, 2023, at 2:19 PM, Damien Miller <djm@mindrot.org> wrote:
>
> On Tue, 12 Dec 2023, Philip Prindeville wrote:
>
>> debug2: subsystem request for sftp by user pprindeville2
>> debug1: subsystem: cannot stat sftp-internal: No such file or directory
>> debug1: subsystem: exec() sftp-internal
>> Starting session: subsystem 'sftp' for pprindeville2 from 172.21.12.3 port 47762 id 0
>> debug3: mm_audit_run_command entering command sftp-internal
>
> I gave you incorrect advice, it's not "sftp-internal" but "internal-sftp"
>


That's on me, because I had read sshd_config(5) and seen mention of it, so it should have registered....

But it works with that change in place, and the client-side doing `scp -s ...`
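The failure in this thread came down to one token in the server's `Subsystem sftp` line (`sftp-internal` instead of `internal-sftp`), which sshd only reported at debug level as "cannot stat". The script below is an added example, not code from the thread or from OpenSSH: it classifies that line in an sshd_config-style file. The function name, result labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify the sftp Subsystem setting
# in an sshd_config-style file. The function name, the result labels and
# the sample files below are constructed for illustration.

# Prints: internal | external | broken:<command> | absent
check_sftp_subsystem() {
    conf=$1
    # sshd keywords are case-insensitive; take the first uncommented
    # "Subsystem sftp <command>" line.
    cmd=$(awk '
        /^[ \t]*#/ { next }
        tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }
    ' "$conf")

    if [ -z "$cmd" ]; then
        echo "absent"
    elif [ "$cmd" = "internal-sftp" ]; then
        echo "internal"            # in-process server, no login shell needed
    elif [ -x "$cmd" ]; then
        echo "external"            # helper binary, started via the login shell
    else
        echo "broken:$cmd"         # sshd logs "cannot stat <command>"
    fi
}

# Constructed sample configs, written to a scratch directory.
demo_dir=$(mktemp -d)
printf '%s\n' '# typo from the thread' 'Subsystem sftp sftp-internal' > "$demo_dir/typo.conf"
printf '%s\n' 'Port 2222' 'subsystem sftp internal-sftp' > "$demo_dir/fixed.conf"
printf '%s\n' 'Port 2222' '#Subsystem sftp internal-sftp' > "$demo_dir/none.conf"

for f in typo fixed none; do
    printf '%-6s %s\n' "$f" "$(check_sftp_subsystem "$demo_dir/$f.conf")"
done
rm -rf "$demo_dir"
```

For a non-shell account, only the `internal` result avoids the login shell on the server; the client still needs SFTP mode, as with the `scp -s` invocation mentioned above.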