SSH (User - System - Copy files)


  • Moderator

    I am trying to allow SSH Copy from a server on my local network to pfSense Firewall.

    I created a new user, saved, added "User - System - Copy files" and saved again.

    I installed the SCPonly package with "pkg_add -r scponly" on pfSense.

    Is there a specific directory where SCP can copy files to? I tried to SCP file user@x.x.x.x /home/user/file, it asks for a password but gets "lost connection"

    If I try to ssh with the "copy only right"

    ssh user@x.x.x.x
        Password:
        Last login: Wed Feb 26 11:32:18 2014 from 10.1.34.9
        Copyright © 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

    Connection to x.x.x.x closed.

    If I add user rights for SSH and Copy-Only, I can ssh into the user without issue.

    I tried to delete the user and re-enter user without success.

    Any help would be appreciated.

    ps - Might be a BUG - when I added the user and saved, go back to edit the user and add "Copy-Only" right,
    it brings the GUI to the next user in the User Manager??



  • ps - Might be a BUG - when I added the user and saved, go back to edit the user and add "Copy-Only" right,
    it brings the GUI to the next user in the User Manager??

    That is a feature  ;)
    After editing and saving a user privilege, the internal user list can end up in a different order and so the index of the user (that the code remembered and is trying to return to) ends up being a different user. It is fixed in 2.1.1-prerelease by:
    https://github.com/pfsense/pfsense/commit/b7ef3d173f013dd45ec0a60f1526bbe1358502e0


  • Moderator

    @phil.davis:

    That is a feature  ;)
    After editing and saving a user privilege, the internal user list can end up in a different order and so the index of the user (that the code remembered and is trying to return to) ends up being a different user. It is fixed in 2.1.1-prerelease by:
    https://github.com/pfsense/pfsense/commit/b7ef3d173f013dd45ec0a60f1526bbe1358502e0

    Thanks Phil. Makes sense.

    Would you have any solutions for my SCP copy issue above?



  • @BBcan17:


    Have you tested if you can SCP to the share from winscp or another scp client?


  • Moderator

    @bryan.paradis:

    Have you tested if you can SCP to the share from winscp or another scp client?

    Thanks Bryan,

    I tested PSCP from a Windows server and that worked OK. I tried SFTP from the same Ubuntu machine where SCP doesn't work, and SFTP worked.

    I just can't seem to get SCP to work… Strange.



  • @BBcan17:


    I tested PSCP from a Windows server and that worked OK. I tried SFTP from the same Ubuntu machine where SCP doesn't work, and SFTP worked.

    I just can't seem to get SCP to work… Strange.

    Can't quite understand what didn't work. PSCP worked? But on Ubuntu SCP didn't? But SFTP did?


  • Moderator

    @bryan.paradis:

    Can't quite understand what didn't work. PSCP worked? But on Ubuntu SCP didn't? But SFTP did?

    From windows server PSCP worked
    From Ubuntu SCP failed, SFTP worked

    Tried several combinations; SCP download and upload are not working.

    scp -v test user@x.x.x.x:/home/user/test

    Executing: program /usr/bin/ssh host x.x.x.x, user user, command scp -v -t -- /home/smuser/test
    OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1_hpn13v11 FreeBSD-20100308
    debug1: match: OpenSSH_5.4p1_hpn13v11 FreeBSD-20100308 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    debug1: Host 'x.x.x.x' is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /root/.ssh/id_rsa
    debug1: Trying private key: /root/.ssh/id_dsa
    debug1: Trying private key: /root/.ssh/id_ecdsa
    debug1: Next authentication method: keyboard-interactive
    Password:
    debug1: Authentication succeeded (keyboard-interactive).
    Authenticated to x.x.x.x ([x.x.x.x]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_CA.UTF-8
    debug1: Sending command: scp -v -t -- /home/user/test
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 0 clearing O_NONBLOCK
    debug1: fd 1 clearing O_NONBLOCK
    Transferred: sent 2016, received 1872 bytes, in 0.0 seconds
    Bytes per second: sent 364753.6, received 338699.7
    debug1: Exit status 1
    lost connection

    Do I need to make any changes to ssh_config?

    cat /etc/ssh/ssh_config

    # This is the ssh client system-wide configuration file.  See
    # ssh_config(5) for more information.  This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.

    # Configuration data is parsed as follows:
    #  1. command line options
    #  2. user-specific file
    #  3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.

    # Site-wide defaults for some commonly used options.  For a comprehensive
    # list of available options, their meanings and defaults, please see the
    # ssh_config(5) man page.

    Host *
    #  ForwardAgent no
    #  ForwardX11 no
    #  ForwardX11Trusted yes
    #  RhostsRSAAuthentication no
    #  RSAAuthentication yes
    #  PasswordAuthentication yes
    #  HostbasedAuthentication no
    #  GSSAPIAuthentication no
    #  GSSAPIDelegateCredentials no
    #  GSSAPIKeyExchange no
    #  GSSAPITrustDNS no
    #  BatchMode no
    #  CheckHostIP yes
    #  AddressFamily any
    #  ConnectTimeout 0
    #  StrictHostKeyChecking ask
    #  IdentityFile ~/.ssh/identity
    #  IdentityFile ~/.ssh/id_rsa
    #  IdentityFile ~/.ssh/id_dsa
        Port 22
    #  Protocol 2,1
    #  Cipher 3des
    #  Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
    #  MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
    #  EscapeChar ~
    #  Tunnel no
    #  TunnelDevice any:any
    #  PermitLocalCommand no
    #  VisualHostKey no
    #  ProxyCommand ssh -q -W %h:%p gateway.example.com
        SendEnv LANG LC_*
        HashKnownHosts yes
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials no

    On another note - I also tried the TFTP package in pfSense.. Its listening on the LAN.

    tftp x.x.x.x
    tftp> verbose
    Verbose mode on.
    tftp> put test
    putting test to x.x.x.x:test [netascii]
    Transfer timed out.

    I also tried to add a NAT from the routers local LAN address:69 to 127.0.0.1, but no luck.
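The scp -v transcript in the post above already localises the fault: authentication succeeds, the client asks the remote side to run `scp -v -t -- /home/user/test`, and the remote command returns exit status 1 before any file data moves, which is what makes scp print "lost connection". Everything in the client's ssh_config has already done its job by then; the decision to refuse was made by the login shell on the firewall. The shell snippet below is an added example, not part of the thread, that pulls those three facts out of an scp -v transcript and names the failure class; the sample transcript is constructed from the lines quoted above.

```shell
#!/bin/sh
# Triage an "scp -v" transcript: did authentication succeed, which command did
# the client ask the remote login shell to run, and what exit status came back?
# Added example for this thread. SAMPLE_LOG is constructed from the debug lines
# quoted in the post above; it is not a real capture.

SAMPLE_LOG='debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
debug1: Sending command: scp -v -t -- /home/user/test
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Transferred: sent 2016, received 1872 bytes, in 0.0 seconds
debug1: Exit status 1
lost connection'

# remote_command LOGTEXT -> the command string ssh sent to the remote shell
remote_command() {
    printf '%s\n' "$1" | sed -n 's/^debug1: Sending command: //p' | head -n 1
}

# exit_status LOGTEXT -> the remote command's exit status ("" if none was reported)
exit_status() {
    printf '%s\n' "$1" | sed -n 's/^debug1: Exit status \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# auth_ok LOGTEXT -> exit 0 if the transcript shows a successful authentication
auth_ok() {
    printf '%s\n' "$1" | grep -q '^debug1: Authentication succeeded'
}

# triage LOGTEXT -> one word saying where the failure lies
triage() {
    log=$1
    if ! auth_ok "$log"; then
        # Credentials or method rejected: the server never ran the login shell.
        echo "auth-failed"
        return
    fi
    status=$(exit_status "$log")
    case "$status" in
        "") echo "transport-dropped" ;;        # no exit-status at all: network/timeout
        0)  echo "ok" ;;
        *)  echo "remote-command-rejected" ;;  # the login shell ran and refused the command
    esac
}

triage "$SAMPLE_LOG"           # remote-command-rejected
remote_command "$SAMPLE_LOG"   # scp -v -t -- /home/user/test
```

When the verdict is remote-command-rejected, the next thing to inspect is the user's login shell on the server (here scponly and its compiled-in command list), not the client side.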


  • Rebel Alliance Developer Netgate

    The bouncing to another user when editing permissions was a bug; it has been fixed in 2.1.1.

    You shouldn't have to add anything else manually aside from adding scponly. That said, scponly does have several build options that control compatibility for certain clients. You may need to manually build scponly on a FreeBSD system of your own to enable some extra non-default compatibility options for all clients to work.
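To make concrete what those build options decide: sshd runs the user's login shell with `-c "<command>"` for a non-interactive session (scp sends `scp -t <dir>` or `scp -f <file>`; the sftp subsystem goes through the shell as the sftp-server binary) and with no arguments for an interactive login. With the Copy-files privilege that login shell is scponly, which only passes through what it was compiled to recognise; with scp support left out, the sftp path works while the scp path exits non-zero, and an interactive login prints the motd and closes immediately, which is the set of symptoms reported in this thread. The shell model below is an added example, not scponly's source: the ALLOW_SCP and ALLOW_SFTP switches stand in for its compile-time options, and the sftp-server path is an assumption.

```shell
#!/bin/sh
# Model of a restricted login shell in the style of scponly. sshd invokes the
# login shell as  <shell> -c "<remote command>"  (or with no arguments for an
# interactive login); the shell decides whether to run it. Added example for
# this thread, not scponly's code. ALLOW_SCP / ALLOW_SFTP are assumed stand-ins
# for the package's build options; the sftp-server path is assumed too.

ALLOW_SFTP=${ALLOW_SFTP:-yes}   # sftp compatibility compiled in
ALLOW_SCP=${ALLOW_SCP:-no}      # scp compatibility left out (the failing case)
SFTP_SERVER=/usr/libexec/sftp-server

# decide [-c COMMAND] -> prints "allow" or "deny"; exit status 0 / 1 accordingly
decide() {
    if [ "$#" -eq 0 ]; then
        # Interactive login: sshd has already printed "Last login" and the motd;
        # the shell exits at once and the client sees "Connection ... closed."
        echo deny; return 1
    fi
    if [ "$1" != "-c" ] || [ "$#" -ne 2 ]; then
        echo deny; return 1
    fi
    cmd=$2
    # Split the requested command into words without glob expansion.
    set -f; set -- $cmd; set +f
    case "$1" in
        "$SFTP_SERVER"|sftp-server)
            # Subsystem request: sshd ran  <shell> -c /usr/libexec/sftp-server
            [ "$ALLOW_SFTP" = yes ] && { echo allow; return 0; }
            ;;
        scp)
            # Server side of scp is "scp -t <dir>" (upload) or "scp -f <file>"
            # (download). Any option not on the short list below is refused.
            if [ "$ALLOW_SCP" = yes ]; then
                shift
                mode=""
                for arg in "$@"; do
                    case "$arg" in
                        -t|-f) mode=$arg ;;
                        -v|-r|-p|-d|--) ;;          # flags the scp client adds itself
                        -*) echo deny; return 1 ;;  # unknown option: refuse outright
                        *) ;;                       # the path argument
                    esac
                done
                [ -n "$mode" ] && { echo allow; return 0; }
            fi
            ;;
    esac
    # Anything else (a real shell, arbitrary binaries, scp without -t/-f) is refused;
    # a non-zero exit here is what the client reports as "Exit status 1".
    echo deny; return 1
}

decide -c "/usr/libexec/sftp-server"          # allow  (sftp works)
decide -c "scp -v -t -- /home/user/test"      # deny   (scp compiled out)
decide                                        # deny   (interactive login closes)
```

Flipping ALLOW_SCP to yes is the equivalent of rebuilding the package with scp compatibility enabled; the same scp -t command is then allowed while a plain shell command is still refused.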


  • Moderator

    @jimp:

    The bouncing to another user when editing permissions was a bug; it has been fixed in 2.1.1.

    You shouldn't have to add anything else manually aside from adding scponly. That said, scponly does have several build options that control compatibility for certain clients. You may need to manually build scponly on a FreeBSD system of your own to enable some extra non-default compatibility options for all clients to work.

    Hi Jim,

    The client is on Ubuntu 12.04.4 LTS (GNU/Linux 3.2.0-60-generic x86_64)

    Do you think there should be any issues with that client? I can SFTP using the same credentials without any issues.


  • Banned

    This still does not work with exact same symptoms (connection just closed after successful auth) - filed a bug: https://redmine.pfsense.org/issues/7012


  • Rebel Alliance Developer Netgate

    Before we had a proper pkg building system someone must have hand configured the options for the version it pulled, I didn't see anywhere we set them. I pushed a change to fix the options up so it'll come through with the next update. pkg is smart enough to pick up that the options changed and it needs a nudge on the client side.