05-31-2011, #1 (Just Joined!, Join Date: Jul 2010, Posts: 64)
Ssh and SFTP access control
Dear All,
I have allowed remote users to log into the server via these two methods (SSH and SFTP). The problem now is that I have read on the net that some are talking about chroot etc. What I want is actually, say for a particular user, to allow only certain folders to be accessed when he/she logs in. What is the best method to achieve this?
06-01-2011, #2 (Linux Guru, Join Date: May 2011, Posts: 1,843)
Look in this file: /etc/sshd/sshd_config, which controls the configuration of your SSH/SFTP server. Near the bottom, you need something like:
Code:
Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Then restart your SSH service (varies by distro - try: /etc/init.d/sshd restart)
Then create a group named sftponly, e.g.:
Code:
groupadd sftponly
And add your user(s) to that group. They will be locked to their home directory, by default (as per sshd_config above).
06-02-2011, #3 (Just Joined!, Join Date: Jul 2010, Posts: 64)
Dear Atreyu,
I don't have an sshd folder, just ssh, and in that I found the config file; below are the contents. So where must I add those lines you gave, right at the bottom, is it? I would like to understand this access control further, but I am confused between this chroot and vsftpd. I am kind of lost.
# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
Host *
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
06-02-2011, #4 (Linux Guru, Join Date: May 2011, Posts: 1,843)
Sorry, I meant /etc/ssh/sshd_config.
Not sure what your follow-up question means. This configuration should only allow someone in the sftpgroup to sftp in (no SSH at all) and only be allowed to access the directory listed in the sshd_config file.
But I forgot one important thing: you need to set the permissions of this folder to be owned by root, and be r-x by all. Therefore, you may want to use some other dir rather than the home dir. For example, say your username is joeb, make a dir like this:
Code:
install -d -o root -g root -m 0755 /var/pub/sftp/joeb
then add something like this to the end of the file:
Code:
# allow only specific users
AllowUsers root joeb
# override default of no subsystems
Subsystem sftp internal-sftp
# any users in the sftponly group will only have r/o SFTP access to the dir listed
Match group sftponly
    ChrootDirectory /var/pub/sftp/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
then restart sshd and test...
06-02-2011, #5 (Just Joined!, Join Date: Jul 2010, Posts: 64)
Dear Atreyu,
My follow-up question is: does this process mean we are doing chroot? What does this command mean: install -d -o root -g root -m 0755 /var/pub/sftp/joeb? So must I first create a folder joeb? And if I have a few folders I want to allow the user once he has logged in, how do I achieve that?
06-02-2011, #6 (Linux Guru, Join Date: May 2011, Posts: 1,843)
Yes, if user joeb uses sftp to log in, he will be chrooted to /var/pub/sftp/joeb.
That "install" command just makes the directory and gives it the right ownership/permissions - you could have done the same with mkdir/chown/chmod commands.
The folders that you want him access to will have to be under the chrooted dir, e.g.:
/var/pub/sftp/joeb/dir1
/var/pub/sftp/joeb/dir2
hth
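The pieces that replies #2, #4 and #6 put together (a Match block ending in ForceCommand internal-sftp, plus a chroot directory that is root-owned and not writable by anyone else) are easy to get slightly wrong, and sshd only complains when a user tries to connect. The following is an added example, not code from the thread or from OpenSSH, of two preflight checks written for POSIX sh on Linux with GNU coreutils (stat -c); the function names are my own. chroot_path_ok walks from the chroot directory up to a stop directory and requires every component to be owned by the given uid and to have no group or other write bit, which is the condition sshd enforces before it will chroot. The uid and stop directory are parameters only so the check can be exercised on a scratch tree by an unprivileged user; in production you pass 0 and /. sftp_config_ok reads an sshd_config and confirms that the global section carries "Subsystem sftp internal-sftp" and that a "Match group" block sets both ChrootDirectory and ForceCommand internal-sftp.

```shell
#!/bin/sh
# Added preflight checks for a chroot'd SFTP setup (example code, not from the
# thread). Assumes Linux with GNU coreutils (stat -c); function names are mine.

# chroot_path_ok DIR STOP UID
# Walk from DIR up to STOP (inclusive) and require every component to be
# owned by UID and not writable by group or others. That is the condition
# sshd enforces on a ChrootDirectory and all of its parents; in production
# call it with UID 0 and STOP "/". UID is a parameter only so the check can
# be exercised on a scratch tree as an unprivileged user.
chroot_path_ok() {
    dir=$1 stop=$2 want_uid=$3
    p=$dir
    while :; do
        uid=$(stat -c '%u' "$p" 2>/dev/null) || { echo "missing: $p"; return 1; }
        mode=$(stat -c '%a' "$p")
        if [ "$uid" != "$want_uid" ]; then
            echo "bad owner on $p: uid $uid, want uid $want_uid"
            return 1
        fi
        # octal 022 = group write + other write; either bit makes sshd refuse
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$p is group/world writable (mode $mode)"
            return 1
        fi
        [ "$p" = "$stop" ] && break
        parent=$(dirname "$p")
        [ "$parent" = "$p" ] && break   # reached "/" (or "." for a relative path)
        p=$parent
    done
    return 0
}

# sftp_config_ok FILE
# Require, like the config in reply #4: "Subsystem sftp internal-sftp" in the
# global section (Subsystem is not allowed inside Match) and a "Match group"
# block that sets ChrootDirectory and ForceCommand internal-sftp. Keywords are
# compared case-insensitively, as sshd does; comments are ignored.
sftp_config_ok() {
    awk '
        { sub(/#.*/, ""); line = tolower($0) }
        !in_match && line ~ /^[ \t]*subsystem[ \t]+sftp[ \t]+internal-sftp[ \t]*$/ { subsys = 1 }
        line ~ /^[ \t]*match[ \t]+group[ \t]+/ { in_match = 1; next }
        line ~ /^[ \t]*match[ \t]/ { in_match = 0 }
        in_match && line ~ /^[ \t]*chrootdirectory[ \t]+/ { chroot = 1 }
        in_match && line ~ /^[ \t]*forcecommand[ \t]+internal-sftp[ \t]*$/ { force = 1 }
        END { exit !(subsys && chroot && force) }
    ' "$1"
}

# Usage: sh sftp_preflight.sh /var/pub/sftp/joeb /etc/ssh/sshd_config
if [ $# -eq 2 ]; then
    chroot_path_ok "$1" / 0 && sftp_config_ok "$2" && echo "ok: $1 and $2"
fi
```

Run the two checks before restarting sshd, and pair them with sshd's own test mode: "sshd -t" parses the configuration and reports bad options without starting the daemon, so a config that the running OpenSSH cannot parse (which is what reply #7 ran into) is caught before the service is taken down.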
06-04-2011, #7 (Just Joined!, Join Date: Jul 2010, Posts: 64)
Dear Atreyu,
Below is my latest config file, and I get this error:
Starting sshd: /etc/ssh/sshd_config: line 128: Bad configuration option: Match
/etc/ssh/sshd_config: line 132: Bad configuration option: ForceCommand
/etc/ssh/sshd_config: terminating, 2 bad configuration options
[FAILED]
Besides that, I have added the group sftponly and added user joe to the group too.
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner /some/path
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
# allow only specific users
AllowUsers root joe
# override default of no subsystems
Subsystem sftp internal-sftp
# any users in the sftponly group will only have r/o SFTP access to the dir listed
Match group sftponly
ChrootDirectory /var/www/html/test1
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
06-05-2011, #8 (Linux Guru, Join Date: May 2011, Posts: 1,843)
I'm guessing that your version of OpenSSH is too old, I think - it doesn't support that feature. You'll have to update your OpenSSH package to get this functionality.
That is not terribly easy, if the updated package is not provided by your distro. What is your distro? Also, you can check your SSH version, I think you need version 5 to do the match/chroot stuff.
06-05-2011, #9 (Just Joined!, Join Date: Jul 2010, Posts: 64)
Dear Atreyu,
My distro is CentOS 5.5. So what is your advice, what must I do? Please advise. The version is:
ssh -v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Thank you.
06-05-2011, #10 (Linux Guru, Join Date: May 2011, Posts: 1,843)
Yeah, you need an updated version of OpenSSH. I see two possible solutions for you:
1. Use a different Linux distro, that has OpenSSH version 5.x provided with the OS.
2. Rebuild the OpenSSH server version 5.x from source and install on your existing CentOS system.
If you like the sound of option 1, then I would recommend Scientific Linux, which, like CentOS, is a binary-compatible clone of RHEL, with the difference that it comes in version 6.0, whereas CentOS has not caught up with the latest RHEL version yet. I've looked, and the SL 6.0 release comes with OpenSSH server version 5.3p1, which should be sufficient for your needs. You have to be prepared to back up all your data and migrate it to the new server, though. If you are in complete control of the server, and it does not already have a lot of configuration/data on it, and there is no real need for it to be CentOS 5.5, then I'd recommend this path.
If the second option sounds better, or is the only viable solution, then you'll have to download the source packages from here and install them. Scroll down and under Download, select your mirror. The latest version AOTW is 5.8p2. Then you do the usual to install it, but I would recommend installing it to /opt or /usr/local or whatever, making sure not to overwrite your existing SSH files.
NOTE: only do this option if you are fine with possibly completely screwing up SSH on your machine! I.e., if you do this, you should be sitting in front of the machine, logged into a console, and no other users should be expecting to log into it while you're messing with it. The recompile/installation process is not too bad, provided everything proceeds normally, but you never know what hiccups might occur. I'll try to help you if you want to go this route, but I can make no promises...
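Replies #8 and #10 turn on whether the installed OpenSSH is new enough for Match/ChrootDirectory. The banner the poster pasted ("OpenSSH_4.3p2, OpenSSL ...") is what "ssh -V" (capital V, printed to stderr) reports. As an added example, not code from the thread, here is a POSIX sh check that extracts the major and minor version from that banner and compares it with a required minimum; the threshold is a parameter, and the usage line applies the version 5 threshold the reply names. The function names and the sample banners in the comments are my own.

```shell
#!/bin/sh
# Added example (not from the thread): gate a chroot'd SFTP rollout on the
# installed OpenSSH version. Function names are mine.

# openssh_version BANNER -> prints "MAJOR MINOR" from a line like
# "OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"; prints nothing
# if the line is not an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# openssh_at_least BANNER MIN_MAJOR MIN_MINOR
# Returns 0 when BANNER is at or above MIN_MAJOR.MIN_MINOR, 1 when it is
# older, 2 when the banner could not be parsed. Portable-release suffixes
# such as "p2" are ignored: they do not change the feature set.
openssh_at_least() {
    # reuse the positional slots: $4 = major, $5 = minor (empty if unparsed)
    set -- "$1" "$2" "$3" $(openssh_version "$1")
    [ -n "$4" ] || return 2
    [ "$4" -gt "$2" ] && return 0
    [ "$4" -eq "$2" ] && [ "$5" -ge "$3" ]
}

# Usage: sh check_openssh.sh "$(ssh -V 2>&1)" 5 0
# On the poster's CentOS 5.5 box this reports 4.3 and exits 1.
if [ $# -eq 3 ]; then
    if openssh_at_least "$1" "$2" "$3"; then
        echo "OpenSSH $(openssh_version "$1") is new enough"
    else
        echo "OpenSSH $(openssh_version "$1") is older than $2.$3"
        exit 1
    fi
fi
```

Running the check against the server's own binary ("sshd -V" does not exist, but the sshd package ships the same version as the ssh client on a stock install) tells you up front whether a Match block will even parse, which is the failure reply #7 hit.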