Task Status - Failed
-
user ‘ammar’ does not exist on App Server 1.
Below are the things performed on app server. Please help!thor@jump_host /$ ssh tony@stapp01
The authenticity of host ‘stapp01 (172.16.238.10)’ can’t be established.
ECDSA key fingerprint is SHA256:MxAb7+RG4gKiYdaL/kXvXHK87USxZyCyMhd15HztY38.
ECDSA key fingerprint is MD5:74:53:07:16:41:6e:0e:54:ad:9d:e5:97:7c:96:7d:91.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘stapp01,172.16.238.10’ (ECDSA) to the list of known hosts.
tony@stapp01’s password:
[tony@stapp01 ~]$ sudo adduser --shell /bin/false amarWe trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:#1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility.
[sudo] password for tony:
[tony@stapp01 ~]$ sudo passwd amar Changing password for user amar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[tony@stapp01 ~]$ sudo mkdir -p /var/www/web
[tony@stapp01 ~]$ sudo groupadd sftpg
[tony@stapp01 ~]$ sudo chown amar:sftpg /var/www/web
[tony@stapp01 ~]$ sudo chown root:root /var/www/
[tony@stapp01 ~]$ sudo chmod 755 /var/www
[tony@stapp01 ~]$ sudo vi /etc/ssh/sshd_config
[tony@stapp01 ~]$ sudo cat /etc/ssh/sshd_config$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
This is the sshd server system-wide configuration file. See
sshd_config(5) for more information.
This sshd was compiled with PATH=/usr/local/bin:/usr/bin
The strategy used for options in the default sshd_config shipped with
OpenSSH is to specify options with their default value where
possible, but leave them commented. Uncommented options override the
default value.
If you want to change the port on a SELinux system, you have to tell
SELinux about this change.
semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_keyCiphers and keying
#RekeyLimit default none
Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFOAuthentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10#PubkeyAuthentication yes
The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobodyFor this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
Change to yes if you don’t trust ~/.ssh/known_hosts for
HostbasedAuthentication
#IgnoreUserKnownHosts no
Don’t read the user’s ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yesChange to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication noKerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yesGSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users noSet this to ‘yes’ to enable PAM authentication, account processing,
and session processing. If this is enabled, PAM authentication will
be allowed through the ChallengeResponseAuthentication and
PasswordAuthentication. Depending on your PAM configuration,
PAM authentication via ChallengeResponseAuthentication may bypass
the setting of “PermitRootLogin without-password”.
If you just want the PAM account and session checks to run without
PAM authentication, then enable this but set PasswordAuthentication
and ChallengeResponseAuthentication to ‘no’.
WARNING: ‘UsePAM no’ is not supported in Red Hat Enterprise Linux and may cause several
problems.
UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum noneno default banner path
#Banner none
Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERSoverride default of no subsystems
Subsystem sftp internal-sftp
Example of overriding settings on a per-user basis
#Match User anoncvs
X11Forwarding no
AllowTcpForwarding no
PermitTTY no
ForceCommand cvs server
Match User amar
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/www/web
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
[tony@stapp01 ~]$ sudo systemctl restart sshd.service
[tony@stapp01 ~]$ sftp amar@localhost
The authenticity of host ‘localhost (127.0.0.1)’ can’t be established.
ECDSA key fingerprint is SHA256:MxAb7+RG4gKiYdaL/kXvXHK87USxZyCyMhd15HztY38.
ECDSA key fingerprint is MD5:74:53:07:16:41:6e:0e:54:ad:9d:e5:97:7c:96:7d:91.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘localhost’ (ECDSA) to the list of known hosts.
amar@localhost’s password:
packet_write_wait: Connection to 127.0.0.1 port 22: Broken pipe
Couldn’t read packet: Connection reset by peer
[tony@stapp01 ~]$ sftp amar@stapp01
The authenticity of host ‘stapp01 (172.16.238.10)’ can’t be established.
ECDSA key fingerprint is SHA256:MxAb7+RG4gKiYdaL/kXvXHK87USxZyCyMhd15HztY38.
ECDSA key fingerprint is MD5:74:53:07:16:41:6e:0e:54:ad:9d:e5:97:7c:96:7d:91.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘stapp01,172.16.238.10’ (ECDSA) to the list of known hosts.
amar@stapp01’s password:
packet_write_wait: Connection to 172.16.238.10 port 22: Broken pipe
Couldn’t read packet: Connection reset by peer
[tony@stapp01 ~]$ sftp amar@localhost ssh amar@stapp01
usage: sftp [-1246aCfpqrv] [-B buffer_size] [-b batchfile] [-c cipher]
[-D sftp_server_path] [-F ssh_config] [-i identity_file] [-l limit]
[-o ssh_option] [-P port] [-R num_requests] [-S program]
[-s subsystem | sftp_server] host
sftp [user@]host[:file …]
sftp [user@]host[:dir[/]]
sftp -b batchfile [user@]host
[tony@stapp01 ~]$ ssh amar@stapp01
amar@stapp01’s password:
Permission denied, please try again.
amar@stapp01’s password:
Permission denied, please try again.
amar@stapp01’s password: