Since upgrading from 14.04 to 16.04, SFTP access with a chroot environment no longer works. The user logging in gets "broken pipe", and the syslog shows that a "click" process cannot write to the user's home directory (which it is not supposed to be able to do anyway). If it does have write access, other error messages appear, but the end result is the same.
The shell for the user is /bin/false, but changing it makes no difference either.
Specifically: the error occurs in connection with the "ChrootDirectory" option in sshd_config, and it makes no difference at all which chroot directory is specified. If the option is removed, the connection works, but then this user has read access to almost everything, which is what is supposed to be prevented.
Incidentally, FTP with VSFTP works without problems for the same user.
Now to the error messages:
sftp:
>sftp ftpcctsb@127.0.0.1
ftpcctsb@127.0.0.1's password:
packet_write_wait: Connection to 127.0.0.1 port 22: Broken pipe
Couldn't read packet: Connection reset by peer
syslog:
Oct 24 07:51:56 fileserver systemd[1]: Created slice User Slice of ftpcctsb.
Oct 24 07:51:56 fileserver systemd[1]: Starting User Manager for UID 1002...
Oct 24 07:51:56 fileserver systemd[1]: Started Session 1615 of user ftpcctsb.
Oct 24 07:51:56 fileserver systemd[24715]: Reached target Sockets.
Oct 24 07:51:56 fileserver systemd[24715]: Reached target Timers.
Oct 24 07:51:56 fileserver systemd[24715]: Reached target Paths.
Oct 24 07:51:56 fileserver systemd[24715]: Reached target Basic System.
Oct 24 07:51:56 fileserver systemd[24715]: Starting Run Click user-level hooks...
Oct 24 07:51:56 fileserver click[24723]: (process:24725): accounts-glib-WARNING **: Cannot create directory: /home/ftpcctsb/.config/libaccounts-glib
Oct 24 07:51:56 fileserver click[24723]: (process:24725): accounts-glib-WARNING **: Error opening accounts DB: unable to open database file
Oct 24 07:51:56 fileserver click[24723]: Manager could not be created. Could not open accounts DB file
Oct 24 07:51:56 fileserver click[24723]: (process:24725): accounts-glib-CRITICAL **: ag_manager_list_services: assertion 'AG_IS_MANAGER (manager)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24727): accounts-glib-WARNING **: Cannot create directory: /home/ftpcctsb/.config/libaccounts-glib
Oct 24 07:51:56 fileserver click[24723]: (process:24727): accounts-glib-WARNING **: Error opening accounts DB: unable to open database file
Oct 24 07:51:56 fileserver click[24723]: Manager could not be created. Could not open accounts DB file
Oct 24 07:51:56 fileserver click[24723]: (process:24727): accounts-glib-CRITICAL **: ag_manager_list_services: assertion 'AG_IS_MANAGER (manager)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24729): accounts-glib-WARNING **: Cannot create directory: /home/ftpcctsb/.config/libaccounts-glib
Oct 24 07:51:56 fileserver click[24723]: (process:24729): accounts-glib-WARNING **: Error opening accounts DB: unable to open database file
Oct 24 07:51:56 fileserver click[24723]: Manager could not be created. Could not open accounts DB file
Oct 24 07:51:56 fileserver click[24723]: (process:24729): accounts-glib-CRITICAL **: ag_manager_list_services: assertion 'AG_IS_MANAGER (manager)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24731): accounts-glib-WARNING **: Cannot create directory: /home/ftpcctsb/.config/libaccounts-glib
Oct 24 07:51:56 fileserver click[24723]: (process:24731): accounts-glib-WARNING **: Error opening accounts DB: unable to open database file
Oct 24 07:51:56 fileserver click[24723]: Manager could not be created. Could not open accounts DB file
Oct 24 07:51:56 fileserver click[24723]: (process:24731): accounts-glib-CRITICAL **: ag_manager_list_services: assertion 'AG_IS_MANAGER (manager)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Oct 24 07:51:57 fileserver click[24723]: /usr/lib/ubuntu-push-client/click-hook:15: PyGIWarning: Click was imported without specifying a version first. Use gi.require_version('Click', '0.4') before import to ensure that the right version gets loaded.
Oct 24 07:51:57 fileserver click[24723]: from gi.repository import Click
Oct 24 07:51:57 fileserver click[24723]: ** (process:24723): WARNING **: hooks.vala:1216: User-level hook push-helper failed: Hook command '/usr/lib/ubuntu-push-client/click-hook' failed: Child process exited with code 1
Oct 24 07:51:57 fileserver click[24723]: ** (process:24745): WARNING **: Unable to make or find cache directory '/home/ftpcctsb/.cache/url-dispatcher'
Oct 24 07:51:57 fileserver click[24723]: ** (process:24745): CRITICAL **: main: assertion 'db != NULL' failed
Oct 24 07:51:57 fileserver click[24723]: ** (process:24723): WARNING **: hooks.vala:1216: User-level hook urls failed: Hook command '/usr/lib/x86_64-linux-gnu/url-dispatcher/update-directory $HOME/.cache/url-dispatcher/click-urls/' failed: Child process exited with code 255
Oct 24 07:51:57 fileserver click[24723]: Some user-level hooks failed: push-helper, urls
Oct 24 07:51:57 fileserver systemd[24715]: click-user-hooks.service: Main process exited, code=exited, status=1/FAILURE
Oct 24 07:51:57 fileserver systemd[24715]: Failed to start Run Click user-level hooks.
Oct 24 07:51:57 fileserver systemd[24715]: click-user-hooks.service: Unit entered failed state.
Oct 24 07:51:57 fileserver systemd[24715]: click-user-hooks.service: Failed with result 'exit-code'.
Oct 24 07:51:57 fileserver systemd[24715]: Reached target Default.
Oct 24 07:51:57 fileserver systemd[24715]: Startup finished in 571ms.
Oct 24 07:51:57 fileserver systemd[1]: Started User Manager for UID 1002.
Oct 24 07:51:57 fileserver systemd[1]: Stopping User Manager for UID 1002...
Oct 24 07:51:57 fileserver systemd[24715]: Stopped target Default.
Oct 24 07:51:57 fileserver systemd[24715]: Stopped target Basic System.
Oct 24 07:51:57 fileserver systemd[24715]: Stopped target Timers.
Oct 24 07:51:57 fileserver systemd[24715]: Stopped target Sockets.
Oct 24 07:51:57 fileserver systemd[24715]: Stopped target Paths.
Oct 24 07:51:57 fileserver systemd[24715]: Reached target Shutdown.
Oct 24 07:51:57 fileserver systemd[24715]: Starting Exit the Session...
Oct 24 07:51:57 fileserver systemd[24715]: Received SIGRTMIN+24 from PID 24785 (kill).
Oct 24 07:51:57 fileserver systemd[1]: Stopped User Manager for UID 1002.
Oct 24 07:51:57 fileserver systemd[1]: Removed slice User Slice of ftpcctsb.
sshd_config:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#
Match User ftpcctsb
ChrootDirectory /home/ftpcctsb
AllowTCPForwarding no
x11Forwarding no
ForceCommand internal-sftp
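
A check worth running against any ChrootDirectory setup like the one above (added example, not part of the original post): sshd_config(5) requires every component of the chroot path to be a root-owned directory that is not writable by group or others. The function names are illustrative, and stat -c / readlink -f assume GNU coreutils.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path against the sshd_config(5)
# ownership/mode rule. Function names are hypothetical, not from OpenSSH.

# component_ok UID OCTAL_MODE -> status 0 if root-owned and not
# group- or world-writable.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    # 022 = group-write | other-write; a leading 0 makes the mode octal.
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR -> prints every offending component from DIR up
# to /, returns 1 if any component breaks the rule, 2 on a bad argument.
check_chroot_path() {
    local path info uid mode rc=0
    path=$(readlink -f -- "$1") || return 2
    [ -d "$path" ] || { echo "not a directory: $path"; return 2; }
    while :; do
        info=$(stat -c '%u %a' -- "$path")
        uid=${info% *}
        mode=${info#* }
        if ! component_ok "$uid" "$mode"; then
            echo "BAD  $path (uid=$uid mode=$mode)"
            rc=1
        fi
        [ "$path" = "/" ] && break
        path=$(dirname -- "$path")
    done
    return $rc
}

# Usage: sh check_chroot.sh /home/ftpcctsb
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```
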