Ah, sftp is a subsystem within sshd, so it does not and cannot have its own HBAC
rule; it uses any rule that authorises sshd.
-----Original Message-----
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Wednesday, 12 September 2018 12:07 AM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Aaron Hicks <aaron.hicks(a)nesi.org.nz>; Alexander Bokovoy
<abokovoy(a)redhat.com>
Subject: Re: [Freeipa-users] Re: sftp file broswer causes 4 (System Error)
Alexander Bokovoy via FreeIPA-users wrote:
On Tue, 11 Sep 2018, Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
>
> We just had a bit of fuss involving user logins. We're using sssd 1.16.1 on a
> client and FreeIPA 4.5.4 (ok, it's really RHIdM).
>
> We had a lot of users having issues logging in and/or resetting their
> passwords on a host with 2FA enabled, and it turns out when they're using an
> advanced SSH client (e.g. MobaXterm) that also starts an SFTP session they
> can't log in and we see errors like:
>
> Sep 11 00:09:05 lander sshd[27408]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
> Sep 11 00:09:06 lander sshd[27380]: error: PAM: Authentication failure for testuser from remote.local
>
> If the SFTP file browser is disabled, or its protocol is set to use SCP, then
> logins progress normally.
>
> In FreeIPA we've enabled 2FA on a per-host basis and the HBAC rule only
> allows sshd services, so if these were the cause of the '4 (System error)'
> failures then it'd be much better if the error reports were more meaningful.
>
> Does anyone have any advice on setting up SFTP so that it works (and
> ideally, doesn't need repeated entry of credentials)?
>
Can you check into sssd domain logs (after setting debug_level=9 for a
domain) what exactly happened there for such a session?
Sure seems like an HBAC issue to me. You can allow the sftp service as well to
see if that alleviates the issue.
To change the message you'd want to file a bug against sssd.
rob
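The two points the thread turns on, that an sftp session is authenticated under the sshd PAM service rather than a service of its own, and that "4 (System error)" is an opaque way to report a PAM result, as an added example that is not code from the thread, from FreeIPA or from SSSD. It is a small Python model of allow-only HBAC evaluation (assumed semantics: any enabled rule that matches user, host and service allows the access; a category of "all" matches anything), with the service looked up by the PAM service name each login path presents, plus a parser for the pam_sss log lines quoted above that names the PAM return code. The PAM_SERVICE_FOR mapping and the rule names are assumptions made for the example; the PAM_CODES table is a subset of the Linux-PAM return codes.

```python
"""Toy model of FreeIPA HBAC evaluation plus a pam_sss log-line parser.

Added example for this thread; it is not FreeIPA or SSSD code. Assumptions:
HBAC rules are allow-only, a request (user, host, service) is allowed when any
enabled rule matches all three, and a category of "all" matches anything. The
service name checked is the PAM service name the daemon presents, and an sshd
"Subsystem sftp" session presents "sshd", not a separate "sftp" service.
"""
import re
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    name: str
    users: set = field(default_factory=set)      # user names (groups flattened)
    hosts: set = field(default_factory=set)      # host names
    services: set = field(default_factory=set)   # PAM service names (hbacsvc)
    user_category: str = ""                      # "all" or ""
    host_category: str = ""
    service_category: str = ""
    enabled: bool = True


def _matches(value, members, category):
    return category == "all" or value in members


def hbac_allowed(rules, user, host, service):
    """Names of enabled rules that allow (user, host, service); [] means denied."""
    return [r.name for r in rules
            if r.enabled
            and _matches(user, r.users, r.user_category)
            and _matches(host, r.hosts, r.host_category)
            and _matches(service, r.services, r.service_category)]


# PAM service name each login path presents to pam_sss (assumed mapping for the
# example). sftp and scp ride inside an sshd session, so both are "sshd".
PAM_SERVICE_FOR = {"ssh": "sshd", "sftp-subsystem": "sshd", "scp": "sshd"}

# Linux-PAM return codes (subset) so "4 (System error)" gets a symbolic name.
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

LOG_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_sss\((?P<service>\w+):(?P<stage>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+)")

# Constructed sample, copied from the log lines quoted in the thread.
SAMPLE_LOG = """\
Sep 11 00:09:05 lander sshd[27408]: pam_sss(sshd:auth): received for user testuser: 4 (System error)
Sep 11 00:09:06 lander sshd[27380]: error: PAM: Authentication failure for testuser from remote.local
"""


def parse_pam_sss(text):
    """Extract pam_sss result lines as dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        code = int(m["code"])
        events.append({"pid": int(m["pid"]), "host": m["host"],
                       "service": m["service"], "stage": m["stage"],
                       "user": m["user"], "code": code,
                       "code_name": PAM_CODES.get(code, f"PAM_{code}")})
    return events


def failures_by_user(events):
    """Map user -> list of (service, stage, code name) for non-success results."""
    out = {}
    for e in events:
        if e["code"] != 0:
            out.setdefault(e["user"], []).append(
                (e["service"], e["stage"], e["code_name"]))
    return out


if __name__ == "__main__":
    # One rule that allows only the sshd service, as in the original post.
    rules = [HbacRule("allow_ssh", users={"testuser"}, hosts={"lander"},
                      services={"sshd"})]
    for path in ("ssh", "sftp-subsystem"):
        svc = PAM_SERVICE_FOR[path]
        print(path, "->", svc, hbac_allowed(rules, "testuser", "lander", svc))
    print(failures_by_user(parse_pam_sss(SAMPLE_LOG)))
```

Running it shows the sftp path evaluated against the same sshd-only rule as an interactive login, which is why there is no separate rule to add for the subsystem, and turns the quoted log line into a (service, stage, PAM_SYSTEM_ERR) tuple that is easier to triage than the bare number.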