SSH (User - System - Copy files)
- 
 I am trying to allow SSH Copy from a server on my local network to pfSense Firewall. I created a new user, saved, added "User - System - Copy files" and saved again. I installed the SCPonly package with "pkg_add -r scponly" on pfSense.
 Is there a specific directory where SCP can copy files to?
 I tried to SCP file user@x.x.x.x /home/user/file, it asks for a password but gets "lost connection".
 If I try to ssh with the "copy only right":
 ssh user@x.x.x.x
 Password:
 Last login: Wed Feb 26 11:32:18 2014 from 10.1.34.9
 Copyright 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
 The Regents of the University of California. All rights reserved.
 Connection to x.x.x.x closed.
 If I add user rights for SSH and Copy-Only, I can ssh into the user without issue. I tried to delete the user and re-enter user without success.
 Any help would be appreciated.
 ps - Might be a BUG - when I added the user and saved, go back to edit the user and add "Copy-Only" right, it brings the GUI to the next user in the User Manager??
- 
 > ps - Might be a BUG - when I added the user and saved, go back to edit the user and add "Copy-Only" right, it brings the GUI to the next user in the User Manager??
 That is a feature ;)
 After editing and saving a user privilege, the internal user list can end up in a different order and so the index of the user (that the code remembered and is trying to return to) ends up being a different user. It is fixed in 2.1.1-prerelease by:
 https://github.com/pfsense/pfsense/commit/b7ef3d173f013dd45ec0a60f1526bbe1358502e0
- 
 > That is a feature ;)
 > After editing and saving a user privilege, the internal user list can end up in a different order and so the index of the user (that the code remembered and is trying to return to) ends up being a different user. It is fixed in 2.1.1-prerelease by:
 > https://github.com/pfsense/pfsense/commit/b7ef3d173f013dd45ec0a60f1526bbe1358502e0
 Thanks Phil. Makes sense. Would you have any solutions for my SCP copy issue above?
- 
 > @BBcan17:
 > I am trying to allow SSH Copy from a server on my local network to pfSense Firewall. I created a new user, saved, added "User - System - Copy files" and saved again. I installed the SCPonly package with "pkg_add -r scponly" on pfSense.
 > Is there a specific directory where SCP can copy files to?
 > I tried to SCP file user@x.x.x.x /home/user/file, it asks for a password but gets "lost connection".
 > If I try to ssh with the "copy only right":
 > ssh user@x.x.x.x
 > Password:
 > Last login: Wed Feb 26 11:32:18 2014 from 10.1.34.9
 > Copyright 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
 > The Regents of the University of California. All rights reserved.
 > Connection to x.x.x.x closed.
 > If I add user rights for SSH and Copy-Only, I can ssh into the user without issue. I tried to delete the user and re-enter user without success.
 > Any help would be appreciated.
 > ps - Might be a BUG - when I added the user and saved, go back to edit the user and add "Copy-Only" right, it brings the GUI to the next user in the User Manager??
 Have you tested if you can SCP to the share from winscp or another scp client?
- 
 > Have you tested if you can SCP to the share from winscp or another scp client?
 Thanks Bryan, I tested PSCP from a Windows server and that worked ok. I tried SFTP from the same Ubuntu machine that SCP doesn't work and SFTP worked. I just can't seem to get SCP to work… Strange.
- 
 > @BBcan17:
 > > Have you tested if you can SCP to the share from winscp or another scp client?
 > Thanks Bryan, I tested PSCP from a Windows server and that worked ok. I tried SFTP from the same Ubuntu machine that SCP doesn't work and SFTP worked. I just can't seem to get SCP to work… Strange.
 Can't quite understand what didn't work. PSCP worked? but on ubuntu SCP didn't? but SFTP did?
- 
 > Can't quite understand what didn't work. PSCP worked? but on ubuntu SCP didn't? but SFTP did?
 From windows server PSCP worked
 From Ubuntu SCP failed, SFTP worked
 Tried several combinations with SCP Download and upload not working..
 scp -v test user@x.x.x.x:/home/user/test
 Executing: program /usr/bin/ssh host x.x.x.x, user user, command scp -v -t -- /home/smuser/test
 OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
 debug1: Reading configuration data /etc/ssh/ssh_config
 debug1: /etc/ssh/ssh_config line 19: Applying options for *
 debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
 debug1: Connection established.
 debug1: permanently_set_uid: 0/0
 debug1: identity file /root/.ssh/id_rsa type -1
 debug1: identity file /root/.ssh/id_rsa-cert type -1
 debug1: identity file /root/.ssh/id_dsa type -1
 debug1: identity file /root/.ssh/id_dsa-cert type -1
 debug1: identity file /root/.ssh/id_ecdsa type -1
 debug1: identity file /root/.ssh/id_ecdsa-cert type -1
 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1_hpn13v11 FreeBSD-20100308
 debug1: match: OpenSSH_5.4p1_hpn13v11 FreeBSD-20100308 pat OpenSSH*
 debug1: Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
 debug1: SSH2_MSG_KEXINIT sent
 debug1: SSH2_MSG_KEXINIT received
 debug1: kex: server->client aes128-ctr hmac-md5 none
 debug1: kex: client->server aes128-ctr hmac-md5 none
 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
 debug1: Server host key: RSA xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 debug1: Host 'x.x.x.x' is known and matches the RSA host key.
 debug1: Found key in /root/.ssh/known_hosts:1
 debug1: ssh_rsa_verify: signature correct
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: expecting SSH2_MSG_NEWKEYS
 debug1: SSH2_MSG_NEWKEYS received
 debug1: Roaming not allowed by server
 debug1: SSH2_MSG_SERVICE_REQUEST sent
 debug1: SSH2_MSG_SERVICE_ACCEPT received
 debug1: Authentications that can continue: publickey,password,keyboard-interactive
 debug1: Next authentication method: publickey
 debug1: Trying private key: /root/.ssh/id_rsa
 debug1: Trying private key: /root/.ssh/id_dsa
 debug1: Trying private key: /root/.ssh/id_ecdsa
 debug1: Next authentication method: keyboard-interactive
 Password:
 debug1: Authentication succeeded (keyboard-interactive).
 Authenticated to x.x.x.x ([x.x.x.x]:22).
 debug1: channel 0: new [client-session]
 debug1: Requesting no-more-sessions@openssh.com
 debug1: Entering interactive session.
 debug1: Sending environment.
 debug1: Sending env LANG = en_CA.UTF-8
 debug1: Sending command: scp -v -t -- /home/user/test
 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
 debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
 debug1: channel 0: free: client-session, nchannels 1
 debug1: fd 0 clearing O_NONBLOCK
 debug1: fd 1 clearing O_NONBLOCK
 Transferred: sent 2016, received 1872 bytes, in 0.0 seconds
 Bytes per second: sent 364753.6, received 338699.7
 debug1: Exit status 1
 lost connection
 Do I need to make any changes to ssh_config?
 cat /etc/ssh/ssh_config
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
 # users, and the values can be changed in per-user configuration files
 # or on the command line.
 # Configuration data is parsed as follows:
 # 1. command line options
 # 2. user-specific file
 # 3. system-wide file
 # Any configuration value is only changed the first time it is set.
 # Thus, host-specific definitions should be at the beginning of the
 # configuration file, and defaults at the end.
 # Site-wide defaults for some commonly used options.  For a comprehensive
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 Host *
 # ForwardAgent no
 # ForwardX11 no
 # ForwardX11Trusted yes
 # RhostsRSAAuthentication no
 # RSAAuthentication yes
 # PasswordAuthentication yes
 # HostbasedAuthentication no
 # GSSAPIAuthentication no
 # GSSAPIDelegateCredentials no
 # GSSAPIKeyExchange no
 # GSSAPITrustDNS no
 # BatchMode no
 # CheckHostIP yes
 # AddressFamily any
 # ConnectTimeout 0
 # StrictHostKeyChecking ask
 # IdentityFile ~/.ssh/identity
 # IdentityFile ~/.ssh/id_rsa
 # IdentityFile ~/.ssh/id_dsa
 Port 22
 # Protocol 2,1
 # Cipher 3des
 # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
 # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
 # EscapeChar ~
 # Tunnel no
 # TunnelDevice any:any
 # PermitLocalCommand no
 # VisualHostKey no
 # ProxyCommand ssh -q -W %h:%p gateway.example.com
 SendEnv LANG LC_*
 HashKnownHosts yes
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials no
 On another note - I also tried the TFTP package in pfSense.. It's listening on the LAN.
 tftp x.x.x.x
 tftp> verbose
 Verbose mode on.
 tftp> put test
 putting test to x.x.x.x:test [netascii]
 Transfer timed out.
 I also tried to add a NAT from the router's local LAN address:69 to 127.0.0.1, but no luck.
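
 A triage of the `scp -v` trace in the post above, as an added example that is not part of the original post: it reports how far the session got and which MAC and DH group-exchange minimum were negotiated. The sample input is constructed from the key lines of that trace, the line patterns assume the OpenSSH 5.9 debug format shown there, and `LEGACY_MACS` is this example's own list.

```python
import re

# Constructed sample: key lines copied from the `scp -v` trace in the post.
SAMPLE_TRACE = """\
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: Authentication succeeded (keyboard-interactive).
debug1: Sending command: scp -v -t -- /home/user/test
debug1: Exit status 1
lost connection
"""

# Assumption of this example: MACs it flags as legacy.
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}


def triage(trace: str) -> dict:
    """Summarise where an OpenSSH client debug trace stopped and what it negotiated."""
    r = {"authenticated": False, "command": None, "exit_status": None,
         "dh_gex_min_bits": None, "diagnosis": "unknown"}
    macs = set()
    for line in trace.splitlines():
        line = line.strip()
        if m := re.match(r"debug1: kex: \S+ (\S+) (\S+) (\S+)$", line):
            macs.add(m.group(2))          # direction, cipher, MAC, compression
        elif m := re.match(r"debug1: SSH2_MSG_KEX_DH_GEX_REQUEST\((\d+)<\d+<\d+\)", line):
            r["dh_gex_min_bits"] = int(m.group(1))
        elif line.startswith("debug1: Authentication succeeded"):
            r["authenticated"] = True
        elif m := re.match(r"debug1: Sending command: (.+)$", line):
            r["command"] = m.group(1)
        elif m := re.match(r"debug1: Exit status (-?\d+)$", line):
            r["exit_status"] = int(m.group(1))
    r["legacy_macs"] = sorted(macs & LEGACY_MACS)
    if not r["authenticated"]:
        r["diagnosis"] = "failed before or during authentication"
    elif r["command"] is None:
        r["diagnosis"] = "authenticated, no remote command requested"
    elif r["exit_status"] == 0:
        r["diagnosis"] = "command completed"
    elif r["exit_status"] is not None:
        # Login worked; the remote shell refused or failed the exec request.
        r["diagnosis"] = "authenticated, remote side refused or failed the command"
    return r


if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

 For the trace in this thread the result points at the remote login shell rather than at credentials or the client's ssh_config.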
- 
 The bouncing to another user when editing permissions was a bug, it has been fixed on 2.1.1. You shouldn't have to add anything else manually aside from adding scponly. That said, scponly does have several build options that control compatibility for certain clients. You may need to manually build scponly on a FreeBSD system of your own to enable some extra non-default compatibility options for all clients to work.
- 
 > The bouncing to another user when editing permissions was a bug, it has been fixed on 2.1.1. You shouldn't have to add anything else manually aside from adding scponly. That said, scponly does have several build options that control compatibility for certain clients. You may need to manually build scponly on a FreeBSD system of your own to enable some extra non-default compatibility options for all clients to work.
 Hi Jim, The client is on Ubuntu 12.04.4 LTS (GNU/Linux 3.2.0-60-generic x86_64). Do you think there should be any issues with that client? I can SFTP using the same credentials without any issues.
- 
 This still does not work with exact same symptoms (connection just closed after successful auth) - filed a bug: https://redmine.pfsense.org/issues/7012 
- 
 Before we had a proper pkg building system someone must have hand configured the options for the version it pulled, I didn't see anywhere we set them. I pushed a change to fix the options up so it'll come through with the next update. pkg is smart enough to pick up that the options changed and it needs a nudge on the client side. 

