OpenSSH - sftp not working for non-Administrator users

Doug Lim doug.lim@tigroup-usa.com
Mon Jul 20 10:30:00 GMT 2009


Doug Lim wrote:
> Christopher Faylor wrote:
>> On Sun, Jul 19, 2009 at 08:50:47PM -0500, Doug Lim wrote:
>>  
>>> After a bit more research on the problem, I found a discussion 
>>> thread on the web discussing a similar problem from 2006. The 
>>> difference is that the thread discusses scp connections dropping 
>>> immediately after non-administrator authentication.
>>>
>>> http://winscp.net/forum/viewtopic.php?t=3782
>>>
>>> A response to a thread from March of this year indicates that 
>>> copying all of the DLL files from cygwin\usr\bin to cygwin\usr\sbin 
>>> as a workaround. I've copied the DLL files on my server per the 
>>> workaround and now non-administrator users are able to use sftp.
>>>
>>> I've attached a copy of cygcheck.out from the server where this is 
>>> happening.
>>>     
>>
>> That sounds like a pretty <insert negative adjective here> workaround.
>>
>> Just setting the PATH to include cygwin's bin directory is likely to
>> work better.  I know that someone in that thread said that they did that
>> already but I'm not convinced that they really knew what they were
>> doing.
>>
>> cgf
>>
>> -- 
>> Problem reports:       http://cygwin.com/problems.html
>> FAQ:                   http://cygwin.com/faq/
>> Documentation:         http://cygwin.com/docs.html
>> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>>
>>
>>   
>
> Except, cygwin\bin was already in the path as indicated in the 
> cygcheck.out I attached. It doesn't explain why users belonging to the 
> Local Administrators group would be able to maintain an SFTP 
> connection while non-Administrators would get dropped immediately 
> following authentication.
>
> I just reconfirmed. I left cygwin\bin in the path and took the DLLs 
> back out of cygwin\usr\sbin. Non-Administrator users are again dropped 
> immediately after authentication.
>
> Here's the sftp debug output with the DLLs removed from 
> cygwin\usr\sbin on the server
>
> dlim@vorlon ~ $ sftp -v <nonpriv-user>@<host>
> Connecting to <host>...
> OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to <host> [xx.xx.xx.xx] port 22.
> debug1: Connection established.
> debug1: identity file /home/dlim/.ssh/id_rsa type -1
> debug1: identity file /home/dlim/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
> debug1: match: OpenSSH_5.1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.2
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host '<host>' is known and matches the RSA host key.
> debug1: Found key in /home/dlim/.ssh/known_hosts:21
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: 
> publickey,password,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/dlim/.ssh/id_rsa
> debug1: Trying private key: /home/dlim/.ssh/id_dsa
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue: 
> publickey,password,keyboard-interactive
> debug1: Next authentication method: password
> <nonpriv-user>@<host>'s password:
> debug1: Authentication succeeded (password).
> debug1: channel 0: new [client-session]
> debug1: Requesting no-more-sessions@openssh.com
> debug1: Entering interactive session.
> debug1: Sending subsystem: sftp
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
> debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
> debug1: channel 0: free: client-session, nchannels 1
> debug1: fd 0 clearing O_NONBLOCK
> Transferred: sent 1584, received 2104 bytes, in 1.6 seconds
> Bytes per second: sent 991.7, received 1317.2
> debug1: Exit status 128
> Connection closed
>
>
> -- 
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>
>
More information about the problem. Having to copy all of the DLLs from 
cygwin\bin to cygwin\usr\sbin is overkill. I started removing DLL copies 
from cygwin\usr\sbin until non-admin users started getting dropped from 
sftp after authentication. I was able to remove all of the DLLs except 
cygwin1.dll. As soon as I removed cygwin1.dll from cygwin\usr\sbin 
non-admin users started getting dropped from sftp sessions immediately 
after authentication again.



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple



More information about the Cygwin mailing list