我有一个连接到本地网络的个人服务器,最近想在其上设置一个 SFTP 服务器以进行一些媒体传输。然而,当我尝试连接到它时,它会要求我输入密码,但即使是正确的密码也会出现错误,指出“权限被拒绝,请重试”。
我有一个用于服务器管理的主 SSH 帐户,使用公钥身份验证可以正常工作。
呼叫的另一个用户sftp-default在组 中sftp。我设置了sftp-default使用密码# passwd sftp-default
这是我的 /etc/ssh/sshd_config (省略了注释部分):
Include /etc/ssh/sshd_config.d/*.conf
Port 468
HostKey /etc/ssh/ssh_host_ecdsa_key
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
Match User sftp-default
PasswordAuthentication yes
AuthenticationMethods password,publickey
ChrootDirectory /mnt/raid/mediaServers/sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
/mnt/raid/mediaServers/sftp 具有以下权限stat:
File: /mnt/raid/mediaServers/sftp
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 821h/2081d Inode: 3014657 Links: 4
Access: (0755/drwxr-xr-x) Uid: ( 1004/sftp-default) Gid: ( 1004/ sftp)
Access: 2023-01-02 15:41:30.271437209 +0100
Modify: 2022-09-04 17:14:16.724283747 +0200
Change: 2023-01-02 15:41:30.287436770 +0100
Birth: 2022-09-04 16:12:38.458449835 +0200
现在,当我尝试sftp -P 468 sftp-default@<local_ip>输入密码 3 次时,它会给出以下输出:
sftp-default@<local_ip>'s password:
Permission denied, please try again.
sftp-default@<local_ip>'s password:
Permission denied, please try again.
sftp-default@<local_ip>'s password:
sftp-default@<local_ip>: Permission denied (password).
Connection closed.
Connection closed
注:<local_ip>为本地IP地址
通过 SSH 的连接以同样的方式拒绝。运行ssh sftp-default@<local_ip> -p 468 -v,输出:
OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to <local_ip> [<local_ip>] port 468.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3 pat OpenSSH* compat 0x04000000
debug1: Authenticating to <local_ip>:468 as 'sftp-default'
debug1: load_hostkeys: fopen /home/%user%/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:WK/sXtplQBRUA/guEF9HF6XiMZORiXdPVwweF5m467Q
debug1: load_hostkeys: fopen /home/%user%/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[<local_ip>]:468' is known and matches the ECDSA host key.
debug1: Found key in /home/theophil/.ssh/known_hosts:5
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug1: kex_input_ext_info: [email protected]=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
sftp-default@<local_ip>'s password:
[2 more authentication tries]
debug1: Authentications that can continue: password
debug1: No more authentication methods to try.
sftp-default@<local_ip>: Permission denied (password).
注意:我必须为垃圾邮件过滤器取出一些部件。本地 IP 地址替换为<local_ip>,尝试连接到服务器的用户名替换为%user%,一些 SHA 校验和替换为[Checksum hidden]。
有什么明显的事情吗,我失踪了?我在网上找不到太多说明这个问题的解决方案。
我也不太清楚这Subsystem sftp /usr/lib/openssh/sftp-server意味着什么,但是将其注释掉并重新启动 SSH 守护进程也对问题没有任何作用。
我已经在 UFW 上打开了端口 468。 SFTP 是否使用其他端口进行数据传输?还尝试了 777 (drwxrwxrwx) 权限/mnt/raid/mediaServers/sftp以及root用户sftp-default使用# chown sftp-default:sftp -R /mnt/raid/mediaServers/sftp和# chmod 777 -R /mnt/raid/mediaServers/sftp
答案1
我找到了有关 Google Authenticator PAM 模块的答案,我已在我的主 SSH 帐户上设置了 2FA。不知何故,它阻止了对所有未设置它的帐户的访问,这意味着我的sftp-default帐户也被阻止了。对我来说,解决方法是禁用 group 的 Google Authenticator PAM 模块sftp,我在以下行中执行了此操作/etc/pam.d/sshd:
#Disable SSH PAM authentication for SFTP-Users
auth [success=done default=ignore] pam_succeed_if.so user ingroup sftp
现在一切正常,我可以使用我的帐户登录sftp-default:
sftp-default@<local_ip>'s password:
Connected to <local_ip>.
sftp> pwd
Remote working directory: /mnt/raid/mediaServers/sftp
sftp> bye