RE: ssh.com sshd 3.2.x, really enforcing sftp-only

• Previous message: Don Krajewski: "Time Betweeen retries"
• Maybe in reply to: Mark Senior: "ssh.com sshd 3.2.x, really enforcing sftp-only"
• Next in thread: Mark Senior: "RE: ssh.com sshd 3.2.x, really enforcing sftp-only"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 25 Apr 2005 11:35:54 -0500
To: "Mark Senior" <Mark.Senior@gov.ab.ca>, <secureshell@securityfocus.com>

We are running ssh.com's version 4.1, and unfortunately I can confirm
that remote command execution using plink.exe is possible. I am greatly
dismayed. For the most part I have limited my testing to the client
from ssh.com but users can obviously use any SSH client that they want.
I will need to greatly expand my testing.

I can't get to the 4.3 upgrade right away to see if it will also allow
it. My suspicion is that they are talking about connecting with THEIR
client when they say "when terminal access is denied so is remote
command execution".
What I can do is reconfigure my server so that SSH Users do not have
execute permissions in ~\system32 and other folders containing
executables, (make sure that the local 'Users' group does not contain
Everyone or Authenticated Users or Domain Users). I already have their
destination directories locked down but you will also want to make sure
that they can't upload an executable file and then run it.

Thanks,
Tom Pfister

-----Original Message-----
From: Mark Senior [mailto:Mark.Senior@gov.ab.ca]
Sent: Friday, April 22, 2005 12:34 PM
To: secureshell@securityfocus.com
Subject: ssh.com sshd 3.2.x, really enforcing sftp-only

Hello group

This seems strange to me, perhaps someone here has encountered this
situation, and either has found a solution to it, or can confirm that
there is no solution:

Using ssh.com's version 3.2 ssh server for Windows, I can't seem to
actually prevent remote command execution. The server is intended for
sftp only, and yet it doesn't seem to be possible to completely prevent
remote commands.

The "PermitUserTerminal" variable is set to "no" in the config file -
this has the effect of preventing an interactive login, but executing
individual commands is still entirely possible:

plink user@host
Using username "user".
user@host's password:
FATAL ERROR: Server refused to start a shell/command

plink user@host cmd /c dir c:\
Using username "user".
user@host's password:
[SNIP - big old directory listing]

The 4.3 version adds two new options: Terminal.AllowUsers and
Terminal.DenyUsers. In the 4.3 documentation it states: "Note that when
terminal access is denied so is remote command execution"

So, my question is twofold -

(A) Am I right that it's actually impossible to set up a truly sftp-only
server using the 3.2.x series of ssh servers for Windows? This seems
counterintuitive, but dumber things have been true of even more
expensive commercial software...

(B) Can anyone confirm that it actually does work in the 4.3.x version?

Thanks in advance, and apologies if this has been covered recently
already.
Mark Senior

---End sensible content---

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager. This message contains confidential information and is
intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail.

• Previous message: Don Krajewski: "Time Betweeen retries"
• Maybe in reply to: Mark Senior: "ssh.com sshd 3.2.x, really enforcing sftp-only"
• Next in thread: Mark Senior: "RE: ssh.com sshd 3.2.x, really enforcing sftp-only"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]