OpenSSH Windows Security

Discussion in 'Computer Security' started by Erik Naslund, Aug 2, 2006.

  1. Erik Naslund

    Erik Naslund Guest

    My company has a requirement for secure file transfer. We are limited
    to windows server 2003. I have successfully setup OpenSSH via cygwin on
    this server.

    The problem I am having is that I cannot seem to figure out how to
    isolate users. They are permitted to travel up the directory structure
    into the cygwin directories. Granted it is only read access, but how
    can I lock them into their home directory?

    I have tried changing permissions on the parent directories, but as soon
    as I do, the user can no longer log in.
    Erik Naslund, Aug 2, 2006
    #1

  2. Ludovic Joly Guest

    Maybe setting up chroot cages would help?

    Kind regards
    Ludovic
    Ludovic Joly, Aug 3, 2006
    #2

  3. TwistyCreek Guest

    Erik Naslund wrote:

    > My company has a requirement for secure file transfer. We are limited
    > to windows server 2003. I have successfully setup OpenSSH via cygwin on
    > this server.
    >
    > The problem I am having is that I cannot seem to figure out how to
    > isolate users. They are permitted to travel up the directory structure
    > into the cygwin directories. Granted it is only read access, but how
    > can I lock them into their home directory?


    You need to put them in a chroot jail. Don't know about Cygwin, but
    instructions for doing this with OpenSSH in a "real" *nix environment
    can be found here...

    http://wiki.linuxquestions.org/wiki/OpenSSH_chrooting

    OpenSSH really isn't the best choice if you just need to move files.
    It is, as the name implies, a "shell" which needs certain things to
    function. This makes chrooting users much more difficult.
    TwistyCreek, Aug 3, 2006
    #3
  4. Erik Naslund

    Erik Naslund Guest

    I can prevent them from having shell access by changing their default
    shell variable to /usr/sbin/sftp-server or the like.

    The goal is to only allow SFTP/SCP access and to lock them into their
    home directories. As far as I know, OpenSSH is the only option for
    secure file transfer in windows. (welcoming alternatives at this point)

    I will have a look at the link you provided and see what mileage I can
    get with cygwin. I will post the results.

    TwistyCreek wrote:
    > Erik Naslund wrote:
    >
    > > My company has a requirement for secure file transfer. We are limited
    > > to windows server 2003. I have successfully setup OpenSSH via cygwin on
    > > this server.
    > >
    > > The problem I am having is that I cannot seem to figure out how to
    > > isolate users. They are permitted to travel up the directory structure
    > > into the cygwin directories. Granted it is only read access, but how
    > > can I lock them into their home directory?

    >
    > You need to put them in a chroot jail. Don't know about Cygwin, but
    > instructions for doing this with OpenSSH in a "real" *nix environment
    > can be found here...
    >
    > http://wiki.linuxquestions.org/wiki/OpenSSH_chrooting
    >
    > OpenSSH really isn't the best choice if you just need to move files.
    > It is, as the name implies, a "shell" which needs certain things to
    > function. This makes chrooting users much more difficult.
    Erik Naslund, Aug 3, 2006
    #4
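    The lock-down asked for in the two posts above (no shell, SFTP only, confined to the home directory) became a supported OpenSSH configuration in releases after this thread: ChrootDirectory arrived in OpenSSH 4.8 and the in-process internal-sftp in 4.9 (both 2008). As an added example, not code from the thread or from OpenSSH, the Python below parses an sshd_config and checks that a Match block really confines a group to SFTP inside a chroot; the sample config, the group name "sftponly" and the /srv/sftp path are constructed assumptions.

```python
import re

# Constructed sample policy (not from the thread); the group "sftponly"
# and the path under /srv/sftp are assumptions.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
PermitRootLogin no

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
"""

# Directives that must hold inside the SFTP-only Match block.
REQUIRED = {"forcecommand": "internal-sftp", "allowtcpforwarding": "no",
            "x11forwarding": "no", "permittunnel": "no"}


def parse_sshd_config(text):
    """Split sshd_config into global options and Match blocks.

    Returns (global_opts, [(criteria, opts), ...]); keys are lower-cased
    because sshd treats directive names case-insensitively."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                     # a Match line opens a new block
            current = {}
            blocks.append((value.lower(), current))
        else:
            current[key] = value
    return global_opts, blocks


def audit_sftp_block(text, group):
    """Return findings for the 'Match Group <group>' block; [] means members
    are forced into internal-sftp inside a chroot with forwarding disabled."""
    _, blocks = parse_sshd_config(text)
    opts = next((o for c, o in blocks if c == f"group {group.lower()}"), None)
    if opts is None:
        return [f"no 'Match Group {group}' block: members get the global policy"]
    findings = []
    chroot = opts.get("chrootdirectory")
    if not chroot:
        findings.append("ChrootDirectory missing: members can browse above $HOME")
    elif "%h" in chroot:
        # sshd only enters a chroot whose every path component is root-owned
        # and not group/world writable, so a user-owned home cannot be the root.
        findings.append("note: ChrootDirectory %h requires the home itself to be root-owned")
    for key, want in REQUIRED.items():
        got = opts.get(key)
        if got is None or got.lower() != want:
            findings.append(f"{key} should be '{want}', found {got!r}")
    return findings
```

    The root-ownership rule in the comment is the modern counterpart of the permissions problem the original post describes: the chroot path must be root-owned all the way down, while a writable upload directory is created underneath it.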
  5. Roger Parks Guest

    On Wed, 02 Aug 2006 16:26:46 -0400, Erik Naslund <>
    wrote:

    > My company has a requirement for secure file transfer. We are limited
    > to windows server 2003. I have successfully setup OpenSSH via cygwin on
    > this server.
    >
    > The problem I am having is that I cannot seem to figure out how to
    > isolate users. They are permitted to travel up the directory structure
    > into the cygwin directories. Granted it is only read access, but how
    > can I lock them into their home directory?
    >
    > I have tried changing permissions on the parent directories, but as soon
    > as I do, the user can no longer log in.
    >


    Try putty instead - small, fast, nice gui.

    http://www.chiark.greenend.org.uk/~sgtatham/putty/


    --
    Vista error#4711: TCPA / RIAA / NGSCP / WGA VIOLATION: Microsoft
    optical mouse detected Linux patterns on mousepad. Partition scan in
    progress to remove offending, unapproved products. Request permission,
    and apply for a new key to reactivate MS software at www.ms.com
    Roger Parks, Aug 3, 2006
    #5
  6. Todd H. Guest

    "Erik Naslund" <> writes:
    > My company has a requirement for secure file transfer. We are limited
    > to windows server 2003. I have successfully setup OpenSSH via cygwin on
    > this server.
    >
    > The problem I am having is that I cannot seem to figure out how to
    > isolate users. They are permitted to travel up the directory structure
    > into the cygwin directories. Granted it is only read access, but how
    > can I lock them into their home directory?
    >
    > I have tried changing permissions on the parent directories, but as soon
    > as I do, the user can no longer log in.


    VanDyke VShell Server is what our company ultimately implemented for
    windows ssh/scp due to several issues with cygwin/openssh on the
    windows side.

    If you can't get openssh to get where you wanna go with cygwin on
    windows, this may be worth looking into.

    There are also dedicated ssh newsgroups where mega ssh gurus hang out
    and could tell you best practices.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
    Todd H., Aug 3, 2006
    #6
  7. nemo_outis Guest

    "Erik Naslund" <> wrote in
    news::

    > I can prevent them from having shell access by changing their default
    > shell variable to /usr/sbin/sftp-server or the like.
    >
    > The goal is to only allow SFTP/SCP access and to lock them into their
    > home directories. As far as I know, OpenSSH is the only option for
    > secure file transfer in windows. (welcoming alternatives at this
    > point)


    There is also SFTP and FTP/TLS-SSL. Serv-u and other Windows ftp servers
    provide directory limits.

    The user experience is not a transparent Windows Explorer sort, though.

    Regards,
    nemo_outis, Aug 3, 2006
    #7
  8. nemo_outis wrote:

    > "Erik Naslund" <> wrote in
    > news::
    >
    > > I can prevent them from having shell access by changing their default
    > > shell variable to /usr/sbin/sftp-server or the like.
    > >
    > > The goal is to only allow SFTP/SCP access and to lock them into their
    > > home directories. As far as I know, OpenSSH is the only option for
    > > secure file transfer in windows. (welcoming alternatives at this
    > > point)

    >
    > There is also SFTP


    SFTP is typically defined as using an SSH capable FTP client to connect
    to an SSH server. It uses the "native" commands on the server to provide
    directory services, and needs to be secure exactly like a "raw" SSH
    session would be with respect to up-level directory access.

    http://kb.iu.edu/data/akqg.html

    There is a server daemon named SFTP, but it also allows access to all
    the directories a user has permission to access, and requires that
    permissions be set in such a way that access to $FTPROOT is allowed for
    all users. The same problem the OP is running up against with SSH
    I think. :-(

    > and FTP/TLS-SSL. Serv-u and other Windows ftp servers
    > provide directory limits.


    FTPS and a proper FTP server would be my choice, and with the right
    file manager on the client side moving files back and forth could be as
    transparent as moving them from folder to folder on your own machine
    (does Tuxcmd have a Windows port)? <g> It wouldn't be all that
    complicated to script the whole thing if these file transfers followed
    patterns or routine.

    My second choice would be a full blown VPN solution, FWIW. Second to
    FTPS only because I think it's a little bit of an over kill for the
    problem the OP is trying to solve.

    > The user experience is not a transparent Windows Explorer sort, though.


    Are there no VFS "plugins" for Windows file managers?

    I knew there was a reason I dumped all things Windows years ago. ;-)
    Borked Pseudo Mailed, Aug 3, 2006
    #8
  9. Borked Pseudo Mailed wrote:

    >> and FTP/TLS-SSL. Serv-u and other Windows ftp servers
    >> provide directory limits.

    >
    > FTPS and a proper FTP server would be my choice, and with the right
    > file manager on the client side moving files back and forth could be as
    > transparent as moving them from folder to folder on your own machine
    > (does Tuxcmd have a Windows port)? <g>


    Try Novell NetDrive (but be aware of the improper ACLs set by the
    installer). It allows you to mount FTPVFS with FTPS as a net drive.

    >> The user experience is not a transparent Windows Explorer sort, though.

    >
    > Are there no VFS "plugins" for Windows file managers?


    There are, but only third-party.
    Sebastian Gottschalk, Aug 3, 2006
    #9
  10. Sebastian Gottschalk wrote:

    > Borked Pseudo Mailed wrote:
    >
    > >> and FTP/TLS-SSL. Serv-u and other Windows ftp servers
    > >> provide directory limits.

    > >
    > > FTPS and a proper FTP server would be my choice, and with the right
    > > file manager on the client side moving files back and forth could be as
    > > transparent as moving them from folder to folder on your own machine
    > > (does Tuxcmd have a Windows port)? <g>

    >
    > Try Novell NetDrive (but be aware of the improper ACLs set by the
    > installer). It allows you to mount FTPVFS with FTPS as a net drive.


    NetDrive is nothing more than a "wrapper" for common Internet
    protocols, most of them not even secured by encryption as the OP
    mandated, and none of them immune to the problem the OP is having with
    SSH.

    Your "advice", as is typically the case, is completely useless.
    George Orwell, Aug 4, 2006
    #10
  11. George Orwell wrote:

    >>>> and FTP/TLS-SSL. Serv-u and other Windows ftp servers
    >>>> provide directory limits.
    >>> FTPS and a proper FTP server would be my choice, and with the right
    >>> file manager on the client side moving files back and forth could be as
    >>> transparent as moving them from folder to folder on your own machine
    >>> (does Tuxcmd have a Windows port)? <g>

    >> Try Novell NetDrive (but be aware of the improper ACLs set by the
    >> installer). It allows you to mount FTPVFS with FTPS as a net drive.

    >
    > NetDrive is nothing more than a "wrapper" for common Internet
    > protocols,


    Wrong. It fully implements a file system driver.

    > most of them not even secured by encryption as the OP
    > mandated, and none of them immune to the problem the OP is having with
    > SSH.


    As I already mentioned, it does support FTPS. And with FTPVFS the
    problem is addressed as well.

    > Your "advice", as is typically the case, is completely useless.


    I'm sorry that due to some management issue, your rather stupid postings
    slipped through the filter. :)
    Sebastian Gottschalk, Aug 4, 2006
    #11
  12. Ludovic Joly Guest

    Borked Pseudo Mailed wrote :
    > My second choice would be a full blown VPN solution, FWIW. Second to
    > FTPS only because I think it's a little bit of an over kill for the
    > problem the OP is trying to solve.


    A full blown VPN is maybe a bit heavy, but today, most versions of
    Windows make establishing IPSEC tunnels between two machines (IP
    addresses) very easy. Wouldn't that be a simple and good choice for
    solving the problem of the OP?

    A page with links to IPSec Resources for Windows 2000:
    http://labmice.techtarget.com/networking/ipsec.htm

    IPSec tunneling resources:
    http://support.microsoft.com/?kbid=252735
    http://support.microsoft.com/?kbid=301284

    Kind regards,
    Nomen Nescio
    Ludovic Joly, Aug 4, 2006
    #12
  13. Charly Oz Guest

    Erik,

    If you have a bit of cash (relative), BitVise provide an easy-to-install and
    manage OpenSSH server + commercial support.
    http://www.bitvise.com/

    There are a couple of other providers but these guys seem ok to me.

    Hope this helps.

    Charly.

    "Erik Naslund" <> wrote in message
    news:...
    > My company has a requirement for secure file transfer. We are limited
    > to windows server 2003. I have successfully setup OpenSSH via cygwin on
    > this server.
    >
    > The problem I am having is that I cannot seem to figure out how to
    > isolate users. They are permitted to travel up the directory structure
    > into the cygwin directories. Granted it is only read access, but how
    > can I lock them into their home directory?
    >
    > I have tried changing permissions on the parent directories, but as soon
    > as I do, the user can no longer log in.
    >
    Charly Oz, Aug 15, 2006
    #13
  14. jmlynn Guest

    Hi,

    I installed OpenSSH for Windows on a Windows 2003 server. As long as
    my server userid has admin privilege, I can use that id to remote
    connect from the Net using SFTP client.

    However, my SFTP client connection will be rejected with an "access
    denied" error if the Windows id has only "Users" privilege, even though
    I had verified that the directory was created and assigned all privileges
    for the login id under the SFTP home root directory. As soon as I added
    admin privilege to the login id, it all works, but you would understand
    that I do not want all SFTP users to have admin rights.

    So how do I resolve this access problem?

    Thanks

    jml

    jmlynn, Nov 26, 2007
    #14