SFTP without SSH fails if SSH in "no password" mode

What type of hardware are you using: Old laptop or computer
What YunoHost version are you running: 12.1.39
How are you able to access your server: The webadmin
SSH
Direct access via physical keyboard/screen
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: I connect via ssh using the “no password only” mode, only authentication via keyfile is authorized.

Describe your issue

Hi everyone !

TL;DR : user with sftp permission but no ssh cannot connect if password authentication for ssh is not allowed.

I have granted sftp permission to a non-admin user, but not ssh. I then activated the “password authentication” mode and uploaded my keyfile using ssh-copy-id, which went as expected. The upload was followed by the message “This service allows sftp connections only.”, which is coherent with the authorization I granted to this user.
But after the fact, I have the following behavior:

  • “password authentication” not allowed : command line and FileZilla send the same kind of error :
    • FileZilla
      FATAL ERROR: No supported authentication methods available (server sent: publickey)
    • Command line :
      Permission denied (publickey)
  • “password authentication” not allowed : command line and FileZilla send the same kind of error :
    • FileZilla : Connects without asking for a password
    • Command line : Asks for the password and then connects

Is this an intended behavior ? Is there a way to fix it ? Thank you for your attention, sorry for the very specific usecase ! :heart:

Share relevant logs or error messages

FileZilla :
FATAL ERROR: No supported authentication methods available (server sent: publickey)
sftp command :
Permission denied (publickey)

1 Like

Additional info that was implied but not made clear:

This issue does not affect an admin account that has full ssh access via keyfile only.

Can that match your problem?

2 Likes

I am not sure I fully understand this solution. My understanding is that this solution implies building a specific folder (or even folder structure) with very specific ownerships and permissions. I would like to be able to access the home directory of the user. Is there a fundamental thing that would prevent this access? I know next to nothing about ssh or sftp :sweat_smile:

Also, I don’t understand what is the purpose of the “sftp” permission (separate from ssh) in yunohost (command line or web ui) if not to access the home folder. Hence my tag of this post as a bug because this appeared to me as the first usage I could think of.

Thank you very much for your help, time and attention !

1 Like

Ssh to your server then run

sudo yunohost tools basic-space-cleanup

Then sudo apt install ncdu -y

Then run ncdu / -x

You’ll be able to do some cleanup using ncdu.

Note that it’s not recommended to delete files in data folder of nextcloud manually

I don’t really see how that is related to my issue, am I missing something ?

Sorry, wrong thread

2 Likes

This is expected behavior rather than a bug. SFTP runs over SSH as a subsystem, which means it inherits all the SSH authentication policies — including PasswordAuthentication no. When you restrict SSH to publickey-only, that restriction applies to ALL SSH connections, including SFTP connections made by SFTP-only users.

The solution for giving SFTP-only users password-based access while keeping SSH locked to keys would be to use Match User blocks in sshd_config to override PasswordAuthentication specifically for that user. However, YunoHost manages sshd_config through its own tooling, so you’d want to check if there’s a YunoHost-level way to configure per-user SFTP settings rather than editing sshd_config directly (which might get overwritten on updates).

1 Like
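
The mechanism described in the reply above, as an added example that is not part of the original posts or YunoHost's own code: a small resolver showing that a global `PasswordAuthentication no` also governs an SFTP-only user unless a `Match User` block overrides it. The config text and the users `alice` and `bob` are constructed, and only `Match User` and `Match all` criteria are handled.

```python
from fnmatch import fnmatchcase

# Constructed sample, NOT YunoHost's generated sshd_config.
# "alice" (SFTP-only) and "bob" are hypothetical users.
SAMPLE_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp

Match User alice
    PasswordAuthentication yes
    ForceCommand internal-sftp
"""


def user_matches(patterns, user):
    """Comma-separated sshd pattern list; '!' negates. fnmatch approximates '*' and '?'."""
    matched = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if fnmatchcase(user, pat[1:]):
                return False  # a negated hit always rejects
        elif fnmatchcase(user, pat):
            matched = True
    return matched


def effective_setting(config_text, keyword, user):
    """Resolve one keyword for `user`; only 'Match User' and 'Match all' are handled."""
    global_value = match_value = None
    in_match = applies = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            crit = value.split()
            in_match = True
            applies = bool(crit) and (crit[0].lower() == "all" or (
                len(crit) == 2 and crit[0].lower() == "user"
                and user_matches(crit[1], user)))
        elif key == keyword.lower():
            # sshd keeps the first value it obtains in each scope
            if not in_match and global_value is None:
                global_value = value
            elif in_match and applies and match_value is None:
                match_value = value
    # a matching Match block overrides the global section
    return match_value if match_value is not None else global_value
```

On a live server, `sshd -T -C user=NAME` (run as root) prints the effective settings sshd itself would apply to that user.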

But that’s the thing, I don’t want password-based access for SFTP-only user. I want certificate only access for both SFTP-only user(s) and SSH user(s).