Install And Configure SFTP: User amar is created still task is failed

Task Status - Failed
  • user ‘ammar’ does not exist on App Server 1.
    Below are the things performed on app server. Please help!

    thor@jump_host /$ ssh tony@stapp01
    The authenticity of host ‘stapp01 (172.16.238.10)’ can’t be established.
    ECDSA key fingerprint is SHA256:MxAb7+RG4gKiYdaL/kXvXHK87USxZyCyMhd15HztY38.
    ECDSA key fingerprint is MD5:74:53:07:16:41:6e:0e:54:ad:9d:e5:97:7c:96:7d:91.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added ‘stapp01,172.16.238.10’ (ECDSA) to the list of known hosts.
    tony@stapp01’s password:
    [tony@stapp01 ~]$ sudo adduser --shell /bin/false amar

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

      #1) Respect the privacy of others.
      #2) Think before you type.
      #3) With great power comes great responsibility.
    

    [sudo] password for tony:
    [tony@stapp01 ~]$ sudo passwd amar Changing password for user amar.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [tony@stapp01 ~]$ sudo mkdir -p /var/www/web
    [tony@stapp01 ~]$ sudo groupadd sftpg
    [tony@stapp01 ~]$ sudo chown amar:sftpg /var/www/web
    [tony@stapp01 ~]$ sudo chown root:root /var/www/
    [tony@stapp01 ~]$ sudo chmod 755 /var/www
    [tony@stapp01 ~]$ sudo vi /etc/ssh/sshd_config
    [tony@stapp01 ~]$ sudo cat /etc/ssh/sshd_config

    $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

    This is the sshd server system-wide configuration file. See

    sshd_config(5) for more information.

    This sshd was compiled with PATH=/usr/local/bin:/usr/bin

    The strategy used for options in the default sshd_config shipped with

    OpenSSH is to specify options with their default value where

    possible, but leave them commented. Uncommented options override the

    default value.

    If you want to change the port on a SELinux system, you have to tell

    SELinux about this change.

    semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key

    Ciphers and keying

    #RekeyLimit default none

    Logging

    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO

    Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #PubkeyAuthentication yes

    The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2

    but this is overridden so installations will only check .ssh/authorized_keys

    AuthorizedKeysFile .ssh/authorized_keys

    #AuthorizedPrincipalsFile none

    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody

    For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

    #HostbasedAuthentication no

    Change to yes if you don’t trust ~/.ssh/known_hosts for

    HostbasedAuthentication

    #IgnoreUserKnownHosts no

    Don’t read the user’s ~/.rhosts and ~/.shosts files

    #IgnoreRhosts yes

    To disable tunneled clear text passwords, change to no here!

    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication yes

    Change to no to disable s/key passwords

    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no

    Kerberos options

    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    #KerberosUseKuserok yes

    GSSAPI options

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no
    #GSSAPIEnablek5users no

    Set this to ‘yes’ to enable PAM authentication, account processing,

    and session processing. If this is enabled, PAM authentication will

    be allowed through the ChallengeResponseAuthentication and

    PasswordAuthentication. Depending on your PAM configuration,

    PAM authentication via ChallengeResponseAuthentication may bypass

    the setting of “PermitRootLogin without-password”.

    If you just want the PAM account and session checks to run without

    PAM authentication, then enable this but set PasswordAuthentication

    and ChallengeResponseAuthentication to ‘no’.

    WARNING: ‘UsePAM no’ is not supported in Red Hat Enterprise Linux and may cause several

    problems.

    UsePAM no

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PermitTTY yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation sandbox
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #ShowPatchLevel no
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    #VersionAddendum none

    no default banner path

    #Banner none

    Accept locale-related environment variables

    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS

    override default of no subsystems

    Subsystem sftp internal-sftp

    Example of overriding settings on a per-user basis

    #Match User anoncvs

    X11Forwarding no

    AllowTcpForwarding no

    PermitTTY no

    ForceCommand cvs server

    Match User amar
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/www/web
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
    [tony@stapp01 ~]$ sudo systemctl restart sshd.service
    [tony@stapp01 ~]$ sftp amar@localhost
    The authenticity of host ‘localhost (127.0.0.1)’ can’t be established.
    ECDSA key fingerprint is SHA256:MxAb7+RG4gKiYdaL/kXvXHK87USxZyCyMhd15HztY38.
    ECDSA key fingerprint is MD5:74:53:07:16:41:6e:0e:54:ad:9d:e5:97:7c:96:7d:91.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added ‘localhost’ (ECDSA) to the list of known hosts.
    amar@localhost’s password:
    packet_write_wait: Connection to 127.0.0.1 port 22: Broken pipe
    Couldn’t read packet: Connection reset by peer
    [tony@stapp01 ~]$ sftp amar@stapp01
    The authenticity of host ‘stapp01 (172.16.238.10)’ can’t be established.
    ECDSA key fingerprint is SHA256:MxAb7+RG4gKiYdaL/kXvXHK87USxZyCyMhd15HztY38.
    ECDSA key fingerprint is MD5:74:53:07:16:41:6e:0e:54:ad:9d:e5:97:7c:96:7d:91.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added ‘stapp01,172.16.238.10’ (ECDSA) to the list of known hosts.
    amar@stapp01’s password:
    packet_write_wait: Connection to 172.16.238.10 port 22: Broken pipe
    Couldn’t read packet: Connection reset by peer
    [tony@stapp01 ~]$ sftp amar@localhost ssh amar@stapp01
    usage: sftp [-1246aCfpqrv] [-B buffer_size] [-b batchfile] [-c cipher]
    [-D sftp_server_path] [-F ssh_config] [-i identity_file] [-l limit]
    [-o ssh_option] [-P port] [-R num_requests] [-S program]
    [-s subsystem | sftp_server] host
    sftp [user@]host[:file …]
    sftp [user@]host[:dir[/]]
    sftp -b batchfile [user@]host
    [tony@stapp01 ~]$ ssh amar@stapp01
    amar@stapp01’s password:
    Permission denied, please try again.
    amar@stapp01’s password:
    Permission denied, please try again.
    amar@stapp01’s password:

Hello, @bhvk49
User is ammar not amar.

1 Like