SSH with private key, Google Authenticator and SFTP

I followed the guide for configuring SSH with a private key and Google Authenticator, and it works fine ... I disabled root access and set up the private key and the authenticator.

Then I tried to allow another user to connect only through SFTP, but I ran into problems and always got a "Permission denied" message.

Here is my configuration:

/etc/pam.d/sshd

#%PAM-1.0
auth required pam_sepermit.so
#auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
auth [success=1 default=ignore] pam_succeed_if.so user ingroup group sftpusers
auth required pam_google_authenticator.so

/etc/ssh/sshd_config

Port 53000
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

Protocol 2
SyslogFacility AUTHPRIV

PermitRootLogin no

PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem sftp internal-sftp

AllowUsers guest sftpuser <user>

# SFTP
Match Group sftpusers
ForceCommand internal-sftp
ChrootDirectory /data/%u
PasswordAuthentication yes
AuthenticationMethods password

An example of a login through SSH using the existing user:

login as: guest
Authenticating with public key "openssh-key"
Passphrase for key "openssh-key":
Further authentication required
Keyboard-interactive authentication prompts from server:
| Verification code:
End of keyboard-interactive prompts from server
Last login: Sat Oct 26 01:46:19 2019 from mob-109-112-40-115.net.vodafone.it

CentOS Linux 7 (Core)

Linux #943709 SMP Fri Oct 18 08:31:47 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[guest@servername ~]$

An example of a login through SFTP using the SFTP user:

[root@ns3156958 ~]# sftp -P <port> <user>@XXX.XXX.XXX.XXX
The authenticity of host '[XXX.XXX.XXX.XXX]:<port> ([XXX.XXX.XXX.XXX]:<port>)' can't be established.
ECDSA key fingerprint is SHA256:7Nc7ZynvuviXGJu1QJNYecHEbTZtRBZ9V5FqAf8pEtA.
ECDSA key fingerprint is MD5:95:0f:fa:54:ce:87:67:f4:86:05:c1:8c:ef:d0:25:8d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[XXX.XXX.XXX.XXX]:<port>' (ECDSA) to the list of known hosts.
<user>@XXX.XXX.XXX.XXX's password:
Permission denied, please try again.

I tried both of these permission settings for the home directory:

drwxr-xr-x  4 <user>  sftpusers 4096 Oct 26 01:08 <user>
drwxr-x--- 4 <user> sftpusers 4096 Oct 26 01:08 <user>

These are the contents of the user's home directory:

-rwxr-xr-x  1 <user> sftpusers  119 Oct 26 01:42 .bash_history
-rwxr-xr-x 1 <user> sftpusers 18 Aug 8 14:06 .bash_logout
-rwxr-xr-x 1 <user> sftpusers 193 Aug 8 14:06 .bash_profile
-rwxr-xr-x 1 <user> sftpusers 231 Aug 8 14:06 .bashrc
-rwxr-xr-x 1 <user> sftpusers 0 Oct 26 01:53 .google_authenticator
drwxr-xr-x 2 <user> sftpusers 4096 Oct 26 01:40 .ssh

Any advice is welcome ...
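As an added illustration (not part of the question or of any reply), a small Python resolver that applies the Match-block precedence of sshd_config(5) to an excerpt of the posted configuration: a member of sftpusers ends up with AuthenticationMethods password and the chroot path, while guest keeps publickey,keyboard-interactive, which is what sshd -T -C user=... reports on the host itself. Only the User and Group Match criteria are modelled; the excerpt is constructed from the question.

```python
# Resolves the effective sshd_config keywords for one user with the rule from sshd_config(5):
# global values are first-wins, then each Match block whose criteria all hold overrides them.
import shlex

SAMPLE_CONFIG = """
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
Match Group sftpusers
ForceCommand internal-sftp
ChrootDirectory /data/%u
PasswordAuthentication yes
AuthenticationMethods password
"""  # constructed excerpt of the configuration posted in the question
def parse_sshd_config(text):
    global_opts, blocks, current = {}, [], None   # blocks: list of (criteria, opts)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":                                # e.g. "Match Group sftpusers"
            toks = shlex.split(value)
            current = (dict(zip([t.lower() for t in toks[::2]], toks[1::2])), {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(key, value)            # first obtained value wins
        else:
            current[1].setdefault(key, value)
    return global_opts, blocks

def block_matches(criteria, user, groups):
    # True when every criterion on the Match line holds; only User/Group are modelled.
    for crit, pattern in criteria.items():
        if crit not in ("user", "group"):
            raise ValueError("Match criterion not modelled: " + crit)
        if not set(pattern.split(",")) & ({user} if crit == "user" else set(groups)):
            return False
    return True

def effective_config(text, user, groups):
    """Effective keywords for `user`, the view `sshd -T -C user=...` gives on a live host."""
    global_opts, blocks = parse_sshd_config(text)
    result, overridden = dict(global_opts), set()
    for criteria, opts in blocks:
        if block_matches(criteria, user, groups):
            for key, value in opts.items():
                if key not in overridden:                 # first matching block wins
                    overridden.add(key)
                    result[key] = value.replace("%u", user) if key == "chrootdirectory" else value
    return result
```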