Find the answer to your Linux question:
Page 1 of 2 1 2 LastLast
Results 1 to 10 of 13
Dear All, I have allowed remote user to log into the server via these two (SSH and SFTP) method. The problem now I have read on the net some are ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jul 2010
    Posts
    72

    Ssh and SFTP access control


    Dear All,
    I have allowed remote user to log into the server via these two (SSH and SFTP) method. The problem now I have read on the net some are talking about chroot etc. What I want is actually say a particular user I want to allow only certain folder to be accessed when he/she logs in what is the best method to achieve this.

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    Look in this file: /etc/sshd/sshd_config, which controls the configuration of your SSH/SFTP server. Near the bottom, you need something like:
    Code:
    Match group sftponly
      ChrootDirectory /home/%u
      X11Forwarding no
      AllowTcpForwarding no
      ForceCommand internal-sftp
    Then restart your SSH service (varies by distro - try: /etc/init.d/sshd restart)

    Then create a group named sftponly, e.g.:
    Code:
    groupadd sftponly
    And add your user(s) to that group. They will be locked to their home directory, by default (as per sshd_config above).

  3. #3
    Just Joined!
    Join Date
    Jul 2010
    Posts
    72
    Dear Atreyu,
    I dont have sshd folder but just ssh and in that I found the config file and below is the contents. So where must I add those codes your gave right at the bottom is it? I would like to understand further about this access control but confuse between this chroot and vsftpd. I am kind of lost.
    # $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $

    # This is the ssh client system-wide configuration file. See
    # ssh_config(5) for more information. This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.

    # Configuration data is parsed as follows:
    # 1. command line options
    # 2. user-specific file
    # 3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.

    # Site-wide defaults for some commonly used options. For a comprehensive
    # list of available options, their meanings and defaults, please see the
    # ssh_config(5) man page.

    # Host *
    # ForwardAgent no
    # ForwardX11 no
    # RhostsRSAAuthentication no
    # RSAAuthentication yes
    # PasswordAuthentication yes
    # HostbasedAuthentication no
    # BatchMode no
    # CheckHostIP yes
    # AddressFamily any
    # ConnectTimeout 0
    # StrictHostKeyChecking ask
    # IdentityFile ~/.ssh/identity
    # IdentityFile ~/.ssh/id_rsa
    # IdentityFile ~/.ssh/id_dsa
    # Port 22
    # Protocol 2,1
    # Cipher 3des
    # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    # EscapeChar ~
    # Tunnel no
    # TunnelDevice any:any
    # PermitLocalCommand no
    Host *
    GSSAPIAuthentication yes
    # If this option is set to yes then remote X11 clients will have full access
    # to the original X11 display. As virtually no X11 client supports the untrusted
    # mode correctly we set this to yes.
    ForwardX11Trusted yes
    # Send locale-related environment variables
    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL

  4. #4
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    sorry, i meant /etc/ssh/sshd_config.

    not sure what your follow-up question means. this configuration should only allow someone in the sftpgroup to sftp in (no SSH at all) and only be allowed to access the directory listed in the sshd_config file.

    but i forget one important thing: you need to set the permissions of this folder to be owned by root, and be r-x by all. Therefore, you may want to use some other dir rather than the home dir. For example, say your username is joeb, make a dir like this:
    Code:
    install -d -o root -g root -m 0755 /var/pub/sftp/joeb
    then add something like this to the end of the file:
    Code:
    # allow only specific users
    AllowUsers root joeb
    
    # override default of no subsystems
    Subsystem       sftp    internal-sftp
    
    # any users in the sftponly group will only have r/o SFTP access to the dir listed
    Match group sftponly
      ChrootDirectory /var/pub/sftp/%u
      X11Forwarding no
      AllowTcpForwarding no
      ForceCommand internal-sftp
    then restart sshd and test...

  5. #5
    Just Joined!
    Join Date
    Jul 2010
    Posts
    72
    Dear Atreyu,
    MY follow up question is this process means we are doing chroot? What does this code means install -d -o root -g root -m 0755 /var/pub/sftp/joeb. So must I first create a folder joeb. So if I got few folder I want to allow the user once he logged in how to achieve that.

  6. #6
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    Yes, if user joeb uses sftp to log in, he will be chrooted to /var/pub/sftp/joeb.

    That "install" command just makes the directory and gives it the right ownership/permissions - you could have done the same with mkdir/chown/chmod commands.

    The folders that you want him access to will have to be under the chrooted dir, e.g.:

    /var/pub/sftp/joeb/dir1
    /var/pub/sftp/joeb/dir2

    hth

  7. #7
    Just Joined!
    Join Date
    Jul 2010
    Posts
    72
    Dear Atreyu,
    Below is my latest config file and it get this error Starting sshd: /etc/ssh/sshd_config: line 128: Bad configuration option: Match
    /etc/ssh/sshd_config: line 132: Bad configuration option: ForceCommand
    /etc/ssh/sshd_config: terminating, 2 bad configuration options
    [FAILED]

    Beside that I have add group sftponly added user joe to the group too.


    # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options change a
    # default value.

    #Port 22
    #Protocol 2,1
    Protocol 2
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 768

    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication yes

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no

    # GSSAPI options
    #GSSAPIAuthentication no
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    GSSAPICleanupCredentials yes

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication mechanism.
    # Depending on your PAM configuration, this may bypass the setting of
    # PasswordAuthentication, PermitEmptyPasswords, and
    # "PermitRootLogin without-password". If you just want the PAM account and
    # session checks to run without PAM authentication, then enable this but set
    # ChallengeResponseAuthentication=no
    #UsePAM no
    UsePAM yes

    # Accept locale-related environment variables
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #ShowPatchLevel no
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #PermitTunnel no
    #ChrootDirectory none

    # no default banner path
    #Banner /some/path

    # override default of no subsystems
    #Subsystem sftp /usr/libexec/openssh/sftp-server

    # allow only specific users
    AllowUsers root joe

    # override default of no subsystems
    Subsystem sftp internal-sftp

    # any users in the sftponly group will only have r/o SFTP access to the dir listed
    Match group sftponly
    ChrootDirectory /var/www/html/test1
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

  8. #8
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    I'm guessing that your version of OpenSSH is too old, I think - it doesn't support that feature. You'll have to update your OpenSSH package to get this functionality.

    That is not terribly easy, if the updated package is not provided by your distro. What is your distro? Also, you can check your SSH version, I think you need version 5 to do the match/chroot stuff.

  9. #9
    Just Joined!
    Join Date
    Jul 2010
    Posts
    72
    Dear Atreyu,
    MY distro is centos 5.5. So what is your advice what must I do please advice? The version is
    ssh -v
    OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    Thank you.

  10. #10
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,307
    Yeah, you need an updated version of OpenSSH. I see two possible solutions for you:

    1. Use a different Linux distro, that has OpenSSH version 5.x provided with the OS.

    2. Rebuild the OpenSSH server version 5.x from source and install on your existing CentOS system.

    If you like the sound of option 1, then I would recommend ScientificLinux, which, like CentOS, is a binary-compatible clone of RHEL, with the difference that it comes in version 6.0, whereas CentOS has not caught up with the latest RHEL version yet. I've looked and the SL 6.0 release comes with OpenSSH server version 5.3p1, which should be sufficient for your needs. You have to be prepared to back up all your data and migrate it to the new server, though. If you are in complete control of the server, and it does not already have a lot of configuration/data on it, and there is no real need for it to be CentOS 5.5, then I'd recommend this path.

    If the second option sounds better, or is the only viable solution, then you'll have to download the source packages from here and install them. Scroll down and under Download, select your mirror. The latest version AOTW is 5.8p2. Then you do the usual to install it, but I would recommend installing it to /opt or /usr/local or whatever, making sure not to overwrite your existing SSH files.

    NOTE: only do this option if you are fine with possibly completely screwing up SSH on your machine! i.e., if you do this, you should be sitting in front of the machine, logged into a console and no other users should be expecting to log into it while you're messing with it. The recompile/installation process is not too bad, provided everything proceeds normally, but you never know what hiccups might occur. I'll try to help you if you want to go this route, but I can make no promises...

Page 1 of 2 1 2 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •