Re: Solaris 9 sftp-server

Date: 04/09/03

    Date: Wed, 9 Apr 2003 18:17:51 +0100 (BST)

    On Tue, 8 Apr 2003, David M. Fetter wrote:
    > You could use something like restricted ksh
    > (rksh) or some other restricted shell to tighten down their login access
    > in a way that might make it so only SFTP is feasible to use for them.

    You can refine this further by forcing the user into a chrooted SFTP-only environment. I can think of two ways to do this (both of which I know work), one hard and one relatively easy (beware, this post will be a bit verbose):

    a. The "hard" way (but the one I prefer): Run a chrooted SSH server, listening on another port and/or virtual interface. This server will need its own set of dynamic libraries etc (which will bring joyous memories to those who've set up anonymous users in ftpd/wuftpd), and its own /etc/passwd (which is a good thing, since the SFTP users won't exist in your main unix environment.)

    b. The easier way (but more vulnerable to per-user misconfiguration): Set up a chrooted shell that runs just sftp-server.

    I really don't like solution (b) due to the many possibilities of creating a hole through misconfiguration, but for the sake of discussion I'll mention a few details:

    The SFTP user's shell as set in /etc/passwd (i.e., /the/chroot/shell/mentioned/above):

      exec /usr/bin/sudo /usr/mumble/bin/sftp-startup "$HOME"

    The file /usr/mumble/bin/sftp-startup looks like:

      # ...various arg, error, env and sanity checks...
      exec /usr/sbin/chroot "$1" /usr/local/libexec/sftp-server

    The rationale is as follows:

    - chroot must run as root, hence the SUDO command above, which would run passwordless =8-0 and be available only to the sftp user(s) in question
    - $HOME is passed in from the SFTP user's original login environment
    - /usr/local/libexec/sftp-server is actually the local copy of sftp-server, i.e., /home/sftpuser/usr/local/libexec/sftp-server

    Needless to say (but I'll say it anyway):

    - The sftp user, by default, MUST NOT be able to modify ANY file or directory in its homedir (including the homedir itself), except for, possibly, one or more subdirectories into which the user is allowed to write.
    - In particular, the user must NOT be able to modify its home directory (set to 500 or 550), nor the .ssh directory or its contents.

    These cautions apply to both solutions a and b, incidentally.

    Hope this helps (and that I've not stated too much of the obvious.)
