4 Replies Latest reply: Mar 5, 2009 1:56 PM by MrHoffman
deanr Level 1 (15 points)
Server 10.5.6 on an Xserve

I can FTP and SFTP from my Mac, but no one else can connect with either method. I've even tried the same user name and password between Macs. I edited all of the /Users/user/.ssh/known_hosts files on all of the Macs as well.

Am I missing something obvious?

Thanks,

Dean Roberts

Xserve 10.5.6, Mac OS X (10.5.6), 500 Macs, 22 servers
  • MrHoffman Level 6 (13,305 points)
    Please elaborate some on the network configuration, particularly including any firewalls and NAT devices that might be present, and on the commands used and any error messages that were received by you and by users in the same or a similar configuration.

    Please start out working with and debugging sftp, as it is far easier to punch that through firewalls. And it's more secure.

    Do also confirm (via dig -x 0.0.0.0, dig mumble.example.com, whois and such) that the IP addresses and IP names and DNS are functional.

    I can variously end up cleaning out the accumulated cruft found in the ssh subdirectories when things go seriously weird at a customer site, and starting over again with a fresh load of certificates and such.
  • deanr Level 1 (15 points)
    I don't use the server's firewall. Our university has its own firewall for the data center. Here are the ports that are open:
    Open TCP Port: 21 ftp
    Open TCP Port: 22 ssh
    Open TCP Port: 80 http
    Open TCP Port: 88 kerberos
    Open TCP Port: 311 asip-webadmin
    Open TCP Port: 443 https
    Open TCP Port: 548 afpovertcp
    Open TCP Port: 625 dec_dlm
    Open TCP Port: 3031 eppc
    Open TCP Port: 3306 mysql
    Open TCP Port: 5900 vnc-server
    Open TCP Port: 8086
    Open TCP Port: 8087

    Here is the error that occurs when someone on a Mac other than mine tries to SFTP to the server:
    Mar 5 09:14:42 photos ftpd: xxx-xx-xxx-xxx.wiu.edu: connected: I [54802]: USER_PROCESS: 54801 ftp54801
    Mar 5 09:15:18 photos ftpd: xxx-xx-xxx-xxx.wiu.edu: connected: I [54802]: DEAD_PROCESS: 54801 ftp54801

    Here is what I see when I connect from my desktop:
    Mar 5 13:51:12 photos sshd[3286]: Accepted keyboard-interactive/pam for lightbox from xxx-xx-xxx-xx port 56442 ssh2
    Mar 5 13:51:12 photos sshd[3295]: subsystem request for sftp
    Mar 5 13:52:20 photos sshd[3317]: /etc/sshd_config line 74: Unsupported option KerberosGetAFSToken
    Mar 5 13:52:20 photos com.apple.SecurityServer[33]: checkpw() succeeded, creating credential for user lightbox
    Mar 5 13:52:20 photos com.apple.SecurityServer[33]: checkpw() succeeded, creating shared credential for user lightbox
    Mar 5 13:52:20 photos com.apple.SecurityServer[33]: Succeeded authorizing right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/
  • deanr Level 1 (15 points)
    Additional info:
    xxx-xx-xxx-xx:~ dean$ dig -x xxx.xx.xxx.xx

    ; <<>> DiG 9.4.2-P2 <<>> -x xxx.xx.xxx.xx
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4801
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;xx.xxx.xx.xxx.in-addr.arpa. IN PTR

    ;; ANSWER SECTION:
    xx.xxx.xx.xxx.in-addr.arpa. 7200 IN PTR photos.wiu.edu.

    ;; AUTHORITY SECTION:
    xxx.xx.xxx.xx.in-addr.arpa. 7200 IN NS dns2.wiu.edu.
    xxx.xx.xxx.xx.in-addr.arpa. 7200 IN NS dns1.wiu.edu.

    ;; ADDITIONAL SECTION:
    dns1.wiu.edu. 7200 IN A xxx.xx.xxx.xxx
    dns2.wiu.edu. 7200 IN A xxx.xxx.xxx.xx

    ;; Query time: 5 msec
    ;; SERVER: xxx.xx.xxx.xx#53(xxx.xx.xxx.xx)
    ;; WHEN: Thu Mar 5 14:05:49 2009
    ;; MSG SIZE rcvd: 142

    xxx-xx-xxx-xx:~ dean$ dig photos.wiu.edu

    ; <<>> DiG 9.4.2-P2 <<>> photos.wiu.edu
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41225
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;photos.wiu.edu. IN A

    ;; ANSWER SECTION:
    photos.wiu.edu. 15 IN A xxx.xx.xxx.xx

    ;; AUTHORITY SECTION:
    wiu.edu. 7200 IN NS dns2.wiu.edu.
    wiu.edu. 7200 IN NS dns1.wiu.edu.

    ;; ADDITIONAL SECTION:
    dns1.wiu.edu. 7200 IN A xxx.xx.xxx.xxx
    dns2.wiu.edu. 7200 IN A xxx.xxx.xxx.xx

    ;; Query time: 83 msec
    ;; SERVER: xxx-xx-xxx-xx#53(xxx-xx-xxx-xx)
    ;; WHEN: Thu Mar 5 14:09:51 2009
    ;; MSG SIZE rcvd: 118
  • MrHoffman Level 6 (13,305 points)
    Some of what is shown indicates use of sftp (which is a better choice) and some shows use of ftp (which requires [ephemeral ports be opened|http://64.223.189.234/node/530]), so I'm not sure what's being compared here. sftp rides on ssh. And it's quite different from ftp.

    And I'd raise the firewall on the server. Otherwise, one malware-infested or trojan-codec laptop box that gets connected inside the firewall can ruin your whole day.
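The log excerpts posted earlier in the thread mix two different services: the "failing" clients show up in ftpd (plaintext FTP on port 21, a session that connects and then dies), while the working client shows up in sshd (an accepted login followed by an sftp subsystem request), which is the distinction the last reply draws. The following is an added triage script, not code from the thread or from Apple; the sample log is constructed from the masked lines above, and the function names (`triage`, `ftp_sessions_without_login`) are my own.

```python
"""Separate plaintext-FTP (ftpd) sessions from SFTP-over-SSH (sshd) activity in
Mac OS X Server 10.5 system.log lines, and flag ftpd sessions that only ever
logged a connect and a dead-process event, plus sshd_config warnings."""
import re

# Constructed sample, modelled on the thread's excerpts (addresses masked as posted).
SAMPLE_LOG = """\
Mar 5 09:14:42 photos ftpd: xxx-xx-xxx-xxx.wiu.edu: connected: I [54802]: USER_PROCESS: 54801 ftp54801
Mar 5 09:15:18 photos ftpd: xxx-xx-xxx-xxx.wiu.edu: connected: I [54802]: DEAD_PROCESS: 54801 ftp54801
Mar 5 13:51:12 photos sshd[3286]: Accepted keyboard-interactive/pam for lightbox from xxx-xx-xxx-xx port 56442 ssh2
Mar 5 13:51:12 photos sshd[3295]: subsystem request for sftp
Mar 5 13:52:20 photos sshd[3317]: /etc/sshd_config line 74: Unsupported option KerberosGetAFSToken
"""

FTPD_RE = re.compile(r"ftpd: (?P<host>\S+): connected: I \[\d+\]: "
                     r"(?P<state>USER_PROCESS|DEAD_PROCESS): (?P<session>\d+)")
SSHD_ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
                            r"from (?P<host>\S+) port (?P<port>\d+)")
SSHD_SFTP_RE = re.compile(r"sshd\[\d+\]: subsystem request for sftp")
SSHD_CONFIG_RE = re.compile(r"sshd\[\d+\]: (?P<path>\S+) line (?P<line>\d+): "
                            r"Unsupported option (?P<opt>\S+)")

def triage(log_text):
    """Bucket each line by the daemon that produced it (ftpd vs sshd)."""
    report = {"ftp_sessions": {}, "sftp_logins": [],
              "sftp_subsystem_requests": 0, "config_warnings": []}
    for line in log_text.splitlines():
        if m := FTPD_RE.search(line):
            sess = report["ftp_sessions"].setdefault(m["session"], {"host": m["host"], "states": []})
            sess["states"].append(m["state"])
        elif m := SSHD_ACCEPT_RE.search(line):
            report["sftp_logins"].append({"user": m["user"], "host": m["host"], "method": m["method"]})
        elif SSHD_SFTP_RE.search(line):
            report["sftp_subsystem_requests"] += 1
        elif m := SSHD_CONFIG_RE.search(line):
            report["config_warnings"].append(f"{m['path']}:{m['line']} {m['opt']}")
    return report

def ftp_sessions_without_login(report):
    """ftpd sessions whose only recorded events are connect then dead: these
    clients reached port 21 (plaintext FTP), not sshd, so sshd's log will never
    explain them; compare against the sftp entries instead."""
    return [sid for sid, info in report["ftp_sessions"].items()
            if info["states"] == ["USER_PROCESS", "DEAD_PROCESS"]]

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("ftpd sessions with no login activity:", ftp_sessions_without_login(rep))
    print("sftp logins:", rep["sftp_logins"], "| sftp subsystem requests:", rep["sftp_subsystem_requests"])
    print("sshd_config warnings:", rep["config_warnings"])
```

Run it over the real /var/log/system.log (or secure.log) to see which daemon each user's client actually reached before comparing against the sshd entries.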