Hi all. I wonder if and how this has been resolved? I have CentOS 7 where an sftp server is running. Authentication is with FreeIPA 4.5.4. All the users connect to the sftp server normally, but when there are multiple connections I randomly get this error:

Nov 7 08:30:09 sftp sshd[23487]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)

Not sure why. The same user doesn't have any issue connecting manually, but when there are different connections from 3 nodes (running an open source sftp client called NiFi from apache.org) I get that error. I have to say that I tried to reproduce it with a script running multiple connections at the same time and I get the same errors. If I use the ControlMaster mechanism on the ssh client I don't get the error at all. Any idea?

cheers

On Mon, Sep 17, 2018 at 3:43 AM Aaron Hicks via FreeIPA-users <[email protected]> wrote:
> Hi Simo,
>
> Yes, we recognise this as a client side issue. This was as much an FYI post
> for people in the future searching for similar issues to latch onto. I've
> also made similar comments back to the developers of the MobaXterm client
> we observed this with. We now ask our users to switch the file browser
> protocol to SCP, which I think uses the master connection method you've
> recommended.
>
> Regards,
>
> Aaron
>
> -----Original Message-----
> From: Simo Sorce <[email protected]>
> Sent: Thursday, 13 September 2018 4:20 AM
> To: FreeIPA users list <[email protected]>
> Cc: Aaron Hicks <[email protected]>
> Subject: Re: [Freeipa-users] sftp file browser causes 4 (System Error)
>
> On Tue, 2018-09-11 at 14:10 +1200, Aaron Hicks via FreeIPA-users wrote:
> > Hello the list,
> >
> > We just had a bit of fuss involving user logins. We're using sssd
> > 1.16.1 on a client and FreeIPA 4.5.4 (ok, it's really RHIdM).
> >
> > We had a lot of users having issues logging in and/or resetting their
> > passwords on a host with 2FA enabled, and it turns out when they're
> > using an advanced SSH client (e.g. MobaXterm) that also starts a SFTP
> > session they can't login and we see errors like:
> >
> > Sep 11 00:09:05 lander sshd[27408]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
> > Sep 11 00:09:06 lander sshd[27380]: error: PAM: Authentication failure for testuser from remote.local
> >
> > If the SFTP file browser is disabled, or its protocol is set to use
> > SCP, then logins progress normally.
> >
> > In FreeIPA we've enabled 2FA on a per-host basis and the HBAC rule
> > only allows sshd services, so if these were the cause of the '4 (System error)'
> > failures then it'd be much better if the error reports were more meaningful.
> >
> > Does anyone have any advice on setting up SFTP so that it works (and
> > ideally, doesn't need repeated entry of credentials)?
>
> You should find out if your client supports using a master connection for
> SSH, instead of trying to open multiple different connections for SSH and
> SFTP. In the end it is a client issue if it can't properly prompt for
> credentials when it uses multiple different authenticated connections (I
> assume this client is caching passwords and trying to resubmit old 2FA
> codes in the process? [Caching of passwords seems already bad in itself if
> that's the case; how long does it hold onto your creds? Will it leak them?])
>
> HTH,
> Simo.
>
> --
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

--
Alfredo
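Added here as an example (not code from the thread): a small Python triage script over constructed sshd log lines in the format quoted above. It separates pam_sss "4 (System error)" results from ordinary PAM authentication failures and flags System errors that land within a couple of seconds of each other, the pattern described above when several NiFi nodes connect at once; the two-second window and the threshold of two are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the syslog format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Nov  7 08:30:09 sftp sshd[23487]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
Nov  7 08:30:09 sftp sshd[23491]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
Nov  7 08:30:10 sftp sshd[23495]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
Nov  7 08:45:02 sftp sshd[23600]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
Nov  7 09:10:33 sftp sshd[23701]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
"""

PAM_SYSTEM_ERR = 4  # pam_sss logs PAM_SYSTEM_ERR as "4 (System error)"; 7 is PAM_AUTH_ERR
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"pam_sss\(sshd:(?P<stage>\w+)\): .*?user (?P<user>\S+?): (?P<code>\d+) \("
)

def parse_pam_sss(log_text):
    """One dict per pam_sss result line: timestamp, sshd pid, PAM stage, user, PAM code."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        # syslog timestamps carry no year; strptime's default year is fine for ordering
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append({"ts": ts, "pid": m.group("pid"), "stage": m.group("stage"),
                       "user": m.group("user"), "code": int(m.group("code"))})
    return events

def system_error_bursts(events, window_seconds=2, min_count=2):
    """Chain System errors that arrive within window_seconds of the previous one; a
    chain of at least min_count is the concurrent-connection signature (pids returned)."""
    groups, current = [], []
    for e in sorted((e for e in events if e["code"] == PAM_SYSTEM_ERR), key=lambda e: e["ts"]):
        if current and (e["ts"] - current[-1]["ts"]).total_seconds() > window_seconds:
            groups.append(current)
            current = []
        current.append(e)
    groups.append(current)
    return [[e["pid"] for e in g] for g in groups if len(g) >= min_count]

def triage(log_text):
    """Count System errors separately from genuine auth failures and list the bursts."""
    events = parse_pam_sss(log_text)
    system_errors = sum(1 for e in events if e["code"] == PAM_SYSTEM_ERR)
    return {"system_errors": system_errors, "other_failures": len(events) - system_errors,
            "bursts": system_error_bursts(events)}
```

An isolated System error is not flagged, so a non-empty burst list points at overlapping sessions for the same account rather than a single bad credential.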
