Error in nginx-error.log

cvondra · April 11, 2024, 4:34pm

Problem I am troubleshooting is the ‘Unkown Error’ in the File Manager.

After running

Permissions of sshd_config are 644.

I’ve used v-rebuild-user admin and rm -f /home/admin/.ssh/*

Restarted sshd and still no love.

I am getting this error in my nginx-error.log:

#0 /usr/local/hestia/web/fm/vendor/league/flysystem-sftp/src/SftpAdapter.php(208): League\Flysystem\Sftp\SftpAdapter->setConnectionRoot()
#1 /usr/local/hestia/web/fm/vendor/league/flysystem/src/Adapter/AbstractFtpAdapter.php(650): League\Flysystem\Sftp\SftpAdapter->connect()
#2 /usr/local/hestia/web/fm/vendor/league/flysystem-sftp/src/SftpAdapter.php(360): League\Flysystem\Adapter\AbstractFtpAdapter->getConnection()
#3 /usr/local/hestia/web/fm/vendor/league/flysystem/src/Adapter/AbstractFtpAdapter.php(338): League\Flysystem\Sftp\SftpAdapter->listDirectoryContents()
#4 /usr/local/hestia/web/fm/vendor/league/flysystem/src/Filesystem.php(272): League\Flysystem\Adapter\AbstractFtpAdapter->listContents()
#5 /usr/local/hestia/web/fm/backend/Services/Storage/Filesystem.php(199): League\Flys" while reading response header from upstream, client: ...254, server: _, request: "POST /fm/?r=/getdir HTTP/2.0>
<esponse header from upstream, client: ..26.254, server: _, request: “GET /fm/?r=/getuser HTTP/2.0”, upstream: “fastcgi://unix:/run/hestia-php.sock:”, host: "...:8083", referrer: "https://2>

2024/04/11 15:49:53 [error] 1254#0: *47 FastCGI sent in stderr: “PHP message: PHP Warning: Undefined array key 2 in /usr/local/hestia/web/fm/configuration.php on line 110” while rea2024/04/11 15:49:53 [e>

Line 110 in the configuration.php is:
$user_list = explode(“,”, $matches[2]);

Any help would be greatly appreciated.

sahsanu · April 11, 2024, 5:23pm

Show the output of these commands:

grep -Ev '^#|^$' /etc/ssh/sshd_config
grep -rEv '^#|^$' /etc/ssh/sshd_config.d/

cvondra · April 11, 2024, 6:01pm

Include /etc/ssh/sshd_config.d/*.conf
LoginGraceTime 1m
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
DebianBanner no
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp

AuthenticationMethods publickey
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/sbin/aad_certhandler %u %k
AuthorizedKeysCommandUser root
Match User sftp_dummy99,admin,admin_guysmiley,admin_sholtOldSite,admin_snipers
    ChrootDirectory %h
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp

/etc/ssh/sshd_config.d/50-cloud-init.conf:PasswordAuthentication yes
/etc/ssh/sshd_config.d/50-cloudimg-settings.conf:ClientAliveInterval 120

sahsanu · April 11, 2024, 8:25pm

Above directives are managing the authorized keys, do you know what that script (aad_certificate) does?

Could you please comment both lines, restart sshd and try again?

Warning: Once ssh is restarted, don’t close your current ssh session (if there is a problem with the sshd config you still will have the connection open), try to open a new connection to your server to check if you can connect via ssh after doing the change, if you can’t connect, undo the change and restart again sshd.

cvondra · April 11, 2024, 8:50pm

I believe those are both for SSH via the azure portal.

sahsanu · April 11, 2024, 9:51pm

But did you try to comment them and do the test?

cvondra · April 11, 2024, 10:10pm

Yes. Now I have other issues.

sahsanu · April 11, 2024, 10:25pm

Ok, that’s the reason I told you to not close the active ssh session so you should have the session open, uncomment the directives and restart sshd.

I don’t know what the command is doing but seems it could be interfering with the way in which the file manager tries to validate with a key and that could be the reason it can’t connect.

cvondra · April 11, 2024, 10:25pm

Even when I uncommented the lines and restart sshd I get that same error message.

sahsanu · April 11, 2024, 10:28pm

If you connected before the change you should connect again… are you using a private key to connect to your server?

cvondra · April 11, 2024, 10:30pm

I have a private key that works in winscp, however its not working through the Azure portal. SMH. I have several restore points like every 4 hrs so I guess I will just have to restore at some point. I tried to change the authenticationmethod to publickey,password but no love there either. It’s all quite odd.

sahsanu · April 11, 2024, 10:33pm

Ok, let me know how it goes but, if you are going to restore the server, could you please try again to comment the directives, restart sshd and try if you can access the file manager from Hestia Web UI?

cvondra · April 11, 2024, 11:33pm

Update. I commented out all the lines regarding using a private key and restarted sshd. I was then able to login to ssh using username/password. However the file manager still doesn’t work. Below is my full file for review.

#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 1m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none
DebianBanner no

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp internal-sftp

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

# Hestia SFTP Chroot
# Match User *@*@*@*@*@*@*@*@*@*@*@*@*@*@*@*@*,????????-????-????-????-????????????||||#|Added|by|aadsshlogin|installer,admin,admin_guysmiley,admin_sholtOldSite,admin_snipers
#AuthenticationMethods publickey
#PubkeyAuthentication yes
#AuthorizedKeysCommand /usr/sbin/aad_certhandler %u %k
#AuthorizedKeysCommandUser root
Match User sftp_dummy99,admin,admin_guysmiley,admin_sholtOldSite,admin_snipers
    ChrootDirectory %h
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp

sahsanu · April 11, 2024, 11:53pm

If you want to use the File Manager that line must be uncommented.

# Hestia SFTP Chroot must be just before the Match directive, some scripts use it to add and remove the sftp users so remove it and add it again just before the Match directive.

# Hestia SFTP Chroot
Match User sftp_dummy99,admin,admin_guysmiley,admin_sholtOldSite,admin_snipers
    ChrootDirectory %h
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp

cvondra · April 11, 2024, 11:57pm

After last edits it works. Off to fix more shit now. Magento sux.

eris · April 12, 2024, 6:21am

I am sure if left uncommented default falls back to yes so unless you change it to no and uncomment it should break

Hestia SFTP Chroot must be just before the Match directive, some scripts use it to add and remove the sftp users so remove it and add it again just before the Match directive.

This was the issue as

Line 110 in the configuration.php is:
$user_list = explode(“,”, $matches[2]);

as $matches was empty…

cvondra · April 12, 2024, 12:26pm

It actually works with it uncommented and yes. Not sure why.