The session allows sftp connections only

  • Hi,

    I have a chroot jail set up to allow only SFTP connections without a shell for WordPress installations, one user per site. The following is set in SSH daemon configuration, of which the login users are part of the sftp group:

    Match group sftp
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp
    PasswordAuthentication yes
    X11Forwarding no

    This jail doesn’t have any special setup. It works fine with FileZilla’s SFTP support and is not intended to be used as a shell. No device files or basic tools like ls, mkdir etc. have been created in the spirit of keeping it simple.

    This fails with the SFTP plugin however. sshd complains about the following when the SFTP plugin attempts to connect:

    sshd[15870]: The session allows sftp connections only [postauth]

    So it doesn’t seem to be “pure” SFTP. Would it be possible to get support for SFTP-only, shell-less connections?

    I’ve not given the web server permissions to modify its own files directly (in the name of security), so the FS_METHOD direct option is not an alternative.

    Plugin version according to readme: 0.8.0
    WordPress version: 4.8.3

    • This topic was modified 2 years, 8 months ago by rathios.
  • Thread Starter rathios


    A note to any googlers who might find this page:

    The update process works when removing “ForceCommand internal-sftp”, as long as “Subsystem” is also set to internal-sftp and not sftp-server. E.g.

    Subsystem sftp internal-sftp -f AUTHPRIV -l INFO

    I had forgotten to update this from /usr/libexec/openssh/sftp-server.

    Still doesn’t work with ForceCommand internal-sftp though.

    • This reply was modified 2 years, 8 months ago by rathios.

    Dear rathios,

    I’m glad you pointed this out. It seems like this plugin is only made for specific use-cases and I don’t even know if it works with OpenSSH. After I fixed an error due to missing PHP-Plugin, I could actually get it to not throw any error, BUT it always asks for credentials again, without showing an error. So yeah, network-tab to the rescue: {"success":false,"data":{"delete":"plugin","slug":"akismet","plugin":"akismet\/akismet.php","pluginName":"Akismet Anti-Spam","errorCode":"unable_to_connect_to_filesystem","errorMessage":"Private key incorrect for wp"}}

    I generated multiple keys now, I tested them remotely, I reverted the chroot-jail and what not. I couldn’t get it to work so far and I even tested with domain-name, IP, localhost, – u name it. All points lead to an invalid private-key and the last resort could be to generate one by putty.

    If you have some new information I would appreciate it if you shared it with us. At least you’re further than me, since you could actually get it to authenticate, so how did you generate your keypairs?

    Edit: Tested it with PuTTY keys now and it doesn’t work either – as expected. What we could do to at least get this plugin to work is just using passwords. I still get a prompt every time and I have to put in my password every time. This plugin needs a lil overhaul and it would work out well – but in this state, it is a pain. At least my user is still jailed now and if needed I could alter the plugin so it doesn’t ask for credentials over and over again and uses the password stored inside a cookie or whatever. The file that needs to be altered should be admin-ajax.php.

    Cheers o7

    • This reply was modified 2 years, 5 months ago by n4ll.

    How did you set your FTP_BASE variable in wp-config.php? I’m asking because you have “ChrootDirectory %h” defined in your sshd_config. So the actual “root” for your user is whatever you defined that user’s home directory (%h) to be. For instance /home/$USER.

    So in your case /home/$USER is actually “/” for your user. So if you defined your FTP_BASE as something like “/home/$USER/sitename/public_html” that is false, and it should only be “/sitename/public_html”.
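
Added example, not part of the original thread: a Python sketch of the path translation described in the last reply, which reads ChrootDirectory from the Match block quoted in the first post and derives the FTP_BASE value the jailed session sees. The helper names, the home directory /home/example and the user name are assumptions, and the parser handles only simple whitespace-separated keyword lines.

```python
import posixpath

# Constructed sample: the Match block quoted in the first post of this thread.
SAMPLE_SSHD_CONFIG = """\
Match group sftp
    AllowTcpForwarding no
    ChrootDirectory %h
    ForceCommand internal-sftp
    PasswordAuthentication yes
    X11Forwarding no
"""

def match_block(config, criteria):
    """Return {keyword: value} for the Match block with the given criteria."""
    settings, inside = {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            inside = value.lower() == criteria.lower()
        elif inside:
            settings.setdefault(keyword, value)  # sshd uses the first value it sees
    return settings

def chroot_for(settings, home, user):
    """Expand the %h and %u tokens of ChrootDirectory; None means no chroot."""
    template = settings.get("chrootdirectory", "none")
    if template.lower() == "none":
        return None
    return posixpath.normpath(template.replace("%h", home).replace("%u", user))

def ftp_base(server_path, chroot):
    """Translate a server-side absolute path into the path seen inside the jail."""
    path = posixpath.normpath(server_path)
    if chroot is None:
        return path
    if posixpath.commonpath([chroot, path]) != chroot:
        raise ValueError(f"{path} is outside the chroot {chroot}")
    return posixpath.normpath("/" + posixpath.relpath(path, chroot))

if __name__ == "__main__":
    jail = chroot_for(match_block(SAMPLE_SSHD_CONFIG, "group sftp"),
                      home="/home/example", user="example")  # assumed account
    print(ftp_base("/home/example/sitename/public_html", jail))
```

A path outside the jail raises ValueError, which is the case where no FTP_BASE value can work for that user.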
