ubuntuusers.de

SFTP with chroot not possible

Status: Solved | Ubuntu version: Server 16.04 (Xenial Xerus)
B601

Registered:
10 July 2009

Posts: 105

Location: Vienna

Since the upgrade from 14.04 to 16.04, SFTP access with a chroot environment is no longer possible. The user logging in gets "broken pipe", and the syslog shows that a "click" process cannot write to the user's home directory (which it is not supposed to be able to do anyway). If it does have write access, other error messages appear, but the end result is the same.

The shell for the user is /bin/false, but changing it makes no difference either.

Specifically: the error occurs in connection with the "ChrootDirectory" option in sshd_config, and it makes no difference at all which chroot directory is specified. If you take the option out, you can connect, but then this user has read access to almost everything, which is what is supposed to be prevented.

Incidentally, FTP with VSFTP works without problems with the same user.

Now to the error messages:

sftp:

>sftp ftpcctsb@127.0.0.1
ftpcctsb@127.0.0.1's password:
packet_write_wait: Connection to 127.0.0.1 port 22: Broken pipe
Couldn't read packet: Connection reset by peer

syslog:

Oct 24 07:51:56 fileserver systemd[1]: Created slice User Slice of ftpcctsb.
Oct 24 07:51:56 fileserver systemd[1]: Starting User Manager for UID 1002...
Oct 24 07:51:56 fileserver systemd[1]: Started Session 1615 of user ftpcctsb.
Oct 24 07:51:56 fileserver systemd[24715]: Reached target Sockets.
Oct 24 07:51:56 fileserver systemd[24715]: Reached target Timers.
Oct 24 07:51:56 fileserver systemd[24715]: Reached target Paths.
Oct 24 07:51:56 fileserver systemd[24715]: Reached target Basic System.
Oct 24 07:51:56 fileserver systemd[24715]: Starting Run Click user-level hooks...
Oct 24 07:51:56 fileserver click[24723]: (process:24725): accounts-glib-WARNING **: Cannot create directory: /home/ftpcctsb/.config/libaccounts-glib
Oct 24 07:51:56 fileserver click[24723]: (process:24725): accounts-glib-WARNING **: Error opening accounts DB: unable to open database file
Oct 24 07:51:56 fileserver click[24723]: Manager could not be created. Could not open accounts DB file
Oct 24 07:51:56 fileserver click[24723]: (process:24725): accounts-glib-CRITICAL **: ag_manager_list_services: assertion 'AG_IS_MANAGER (manager)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24725): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24727): accounts-glib-WARNING **: Cannot create directory: /home/ftpcctsb/.config/libaccounts-glib
Oct 24 07:51:56 fileserver click[24723]: (process:24727): accounts-glib-WARNING **: Error opening accounts DB: unable to open database file
Oct 24 07:51:56 fileserver click[24723]: Manager could not be created. Could not open accounts DB file
Oct 24 07:51:56 fileserver click[24723]: (process:24727): accounts-glib-CRITICAL **: ag_manager_list_services: assertion 'AG_IS_MANAGER (manager)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24727): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24729): accounts-glib-WARNING **: Cannot create directory: /home/ftpcctsb/.config/libaccounts-glib
Oct 24 07:51:56 fileserver click[24723]: (process:24729): accounts-glib-WARNING **: Error opening accounts DB: unable to open database file
Oct 24 07:51:56 fileserver click[24723]: Manager could not be created. Could not open accounts DB file
Oct 24 07:51:56 fileserver click[24723]: (process:24729): accounts-glib-CRITICAL **: ag_manager_list_services: assertion 'AG_IS_MANAGER (manager)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24729): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24731): accounts-glib-WARNING **: Cannot create directory: /home/ftpcctsb/.config/libaccounts-glib
Oct 24 07:51:56 fileserver click[24723]: (process:24731): accounts-glib-WARNING **: Error opening accounts DB: unable to open database file
Oct 24 07:51:56 fileserver click[24723]: Manager could not be created. Could not open accounts DB file
Oct 24 07:51:56 fileserver click[24723]: (process:24731): accounts-glib-CRITICAL **: ag_manager_list_services: assertion 'AG_IS_MANAGER (manager)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-WARNING **: invalid (NULL) pointer instance
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion 'G_TYPE_CHECK_INSTANCE (instance)' failed
Oct 24 07:51:56 fileserver click[24723]: (process:24731): GLib-GObject-CRITICAL **: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Oct 24 07:51:57 fileserver click[24723]: /usr/lib/ubuntu-push-client/click-hook:15: PyGIWarning: Click was imported without specifying a version first. Use gi.require_version('Click', '0.4') before import to ensure that the right version gets loaded.
Oct 24 07:51:57 fileserver click[24723]:   from gi.repository import Click
Oct 24 07:51:57 fileserver click[24723]: ** (process:24723): WARNING **: hooks.vala:1216: User-level hook push-helper failed: Hook command '/usr/lib/ubuntu-push-client/click-hook' failed: Child process exited with code 1
Oct 24 07:51:57 fileserver click[24723]: ** (process:24745): WARNING **: Unable to make or find cache directory '/home/ftpcctsb/.cache/url-dispatcher'
Oct 24 07:51:57 fileserver click[24723]: ** (process:24745): CRITICAL **: main: assertion 'db != NULL' failed
Oct 24 07:51:57 fileserver click[24723]: ** (process:24723): WARNING **: hooks.vala:1216: User-level hook urls failed: Hook command '/usr/lib/x86_64-linux-gnu/url-dispatcher/update-directory $HOME/.cache/url-dispatcher/click-urls/' failed: Child process exited with code 255
Oct 24 07:51:57 fileserver click[24723]: Some user-level hooks failed: push-helper, urls
Oct 24 07:51:57 fileserver systemd[24715]: click-user-hooks.service: Main process exited, code=exited, status=1/FAILURE
Oct 24 07:51:57 fileserver systemd[24715]: Failed to start Run Click user-level hooks.
Oct 24 07:51:57 fileserver systemd[24715]: click-user-hooks.service: Unit entered failed state.
Oct 24 07:51:57 fileserver systemd[24715]: click-user-hooks.service: Failed with result 'exit-code'.
Oct 24 07:51:57 fileserver systemd[24715]: Reached target Default.
Oct 24 07:51:57 fileserver systemd[24715]: Startup finished in 571ms.
Oct 24 07:51:57 fileserver systemd[1]: Started User Manager for UID 1002.
Oct 24 07:51:57 fileserver systemd[1]: Stopping User Manager for UID 1002...
Oct 24 07:51:57 fileserver systemd[24715]: Stopped target Default.
Oct 24 07:51:57 fileserver systemd[24715]: Stopped target Basic System.
Oct 24 07:51:57 fileserver systemd[24715]: Stopped target Timers.
Oct 24 07:51:57 fileserver systemd[24715]: Stopped target Sockets.
Oct 24 07:51:57 fileserver systemd[24715]: Stopped target Paths.
Oct 24 07:51:57 fileserver systemd[24715]: Reached target Shutdown.
Oct 24 07:51:57 fileserver systemd[24715]: Starting Exit the Session...
Oct 24 07:51:57 fileserver systemd[24715]: Received SIGRTMIN+24 from PID 24785 (kill).
Oct 24 07:51:57 fileserver systemd[1]: Stopped User Manager for UID 1002.
Oct 24 07:51:57 fileserver systemd[1]: Removed slice User Slice of ftpcctsb.

sshd_config:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#
Match User ftpcctsb
        ChrootDirectory /home/ftpcctsb
        AllowTCPForwarding no
        x11Forwarding no
        ForceCommand internal-sftp

misterunknown

Former member

Registered:
28 October 2009

Posts: 4403

Location: Saxony

IMHO this is not a problem with the SSH daemon but with Click. According to Google, it is presumably a package manager for Ubuntu Touch.

B601

(Thread starter)

Registered:
10 July 2009

Posts: 105

Location: Vienna

misterunknown wrote:

IMHO this is not a problem with the SSH daemon but with Click. According to Google, it is presumably a package manager for Ubuntu Touch.

Thanks for the hint.

I simply took the risk of uninstalling all packages with "click" in the name along with their dependencies (i.e. also Ubuntu Touch and its components, about 300 MB in total). Afterwards, however, a reboot was necessary, since apparently at least one daemon from that list was still running and kept causing error messages.

Since the reboot, SFTP works again!
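
Added example, not part of the thread: sshd_config(5) requires every component of a ChrootDirectory path to be a root-owned directory that is not writable by group or others, which is why the SFTP account in the first post must not have write access to /home/ftpcctsb. The Python check below walks such a path and reports violations; the names audit_chroot and sample_tree and the constructed file metadata are assumptions of this example.

```python
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace


def audit_chroot(chroot, stat_fn=os.stat, owner_uid=0):
    """Return (path, problem) pairs for components that break the ChrootDirectory rule."""
    target = PurePosixPath(chroot)
    if not target.is_absolute():
        return [(str(target), "not an absolute path")]
    problems = []
    # Walk from "/" down to the chroot itself: every level is checked.
    for comp in [*list(target.parents)[::-1], target]:
        path = str(comp)
        try:
            st = stat_fn(path)
        except OSError as exc:
            problems.append((path, f"cannot stat: {exc.strerror}"))
            break  # nothing below a missing component can be checked
        if not stat.S_ISDIR(st.st_mode):
            problems.append((path, "not a directory"))
        if st.st_uid != owner_uid:
            problems.append((path, f"owned by uid {st.st_uid}, expected {owner_uid}"))
        if st.st_mode & 0o022:
            mode = stat.S_IMODE(st.st_mode)
            problems.append((path, f"group/other writable (mode {mode:04o})"))
    return problems


# Constructed metadata for the path in the thread's Match block (not real output).
def sample_tree(home_uid, home_mode):
    tree = {
        "/": SimpleNamespace(st_uid=0, st_mode=stat.S_IFDIR | 0o755),
        "/home": SimpleNamespace(st_uid=0, st_mode=stat.S_IFDIR | 0o755),
        "/home/ftpcctsb": SimpleNamespace(st_uid=home_uid, st_mode=stat.S_IFDIR | home_mode),
    }

    def fake_stat(path):
        if path not in tree:
            raise FileNotFoundError(2, "No such file or directory", path)
        return tree[path]
    return fake_stat


if __name__ == "__main__":
    # Root-owned 0755, owned by the SFTP user (UID 1002), and group-writable.
    for uid, mode in [(0, 0o755), (1002, 0o755), (0, 0o775)]:
        print(uid, oct(mode), audit_chroot("/home/ftpcctsb", sample_tree(uid, mode)))
```

Called without a stat_fn argument, audit_chroot inspects the real filesystem.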
