OpenSSH Windows Security

Discussion in 'Computer Security' started by Erik Naslund, Aug 2, 2006.

  1. Erik Naslund

    Erik Naslund Guest

    My company has a requirement for secure file transfer. We are limited
    to windows server 2003. I have successfully setup OpenSSH via cygwin on
    this server.

    The problem I am having is that I cannot seem to figure out how to
    isolate users. They are permitted to travel up the directory structure
    into the cygwin directories. Granted it is only read access, but how
    can I lock them into their home directory?

    I have tried chaning permissions on the parent directories, but as soon
    as I do, the user can no longer log in.
     
    Erik Naslund, Aug 2, 2006
    #1
    1. Advertisements

  2. Erik Naslund

    Ludovic Joly Guest

    Maybe setting up chroot cages would help?

    Kind regards
    Ludovic
     
    Ludovic Joly, Aug 3, 2006
    #2
    1. Advertisements

  3. Erik Naslund

    TwistyCreek Guest

    You need to put them in a chroot jail. Don't know about Cygwin, but
    instructions for doing this with OpenSSH in a "real" *nix environment
    can be found here...

    http://wiki.linuxquestions.org/wiki/OpenSSH_chrooting

    OPenSSH really isn't the best choice if you just need to move files.
    It is, as the name implies, a "shell" which needs certain things to
    function. This makes chrooting users much more difficult.
     
    TwistyCreek, Aug 3, 2006
    #3
  4. Erik Naslund

    Erik Naslund Guest

    I can prevent them from having shell access by changing their default
    shell varialble to /usr/sbin/sftp-server or the like.

    The goal is to only allow SFTP/SCP access and to lock them into their
    home directories. As far as I know, OpenSSH is the only option for
    secure file transfer in windows. (welcoming alternatives at this point)

    I will have a look at the link you provided and see what mileage I can
    get with cygwin. I will post the results.
     
    Erik Naslund, Aug 3, 2006
    #4
  5. Erik Naslund

    Roger Parks Guest

    Try putty instead - small, fast, nice gui.

    http://www.chiark.greenend.org.uk/~sgtatham/putty/


    --
    Vista error#4711: TCPA / RIAA / NGSCP / WGA VIOLATION: Microsoft
    optical mouse detected Linux patterns on mousepad. Partition scan in
    progress to remove offending, unapproved products. Request permission,
    and apply for a new key to reactivate MS software at www.ms.com

    .
     
    Roger Parks, Aug 3, 2006
    #5
  6. Erik Naslund

    Todd H. Guest

    VanDyke VShell Server is what our company ultimately implemented for
    windows ssh/scp due to several issues with cygwin/openssh on the
    windows side.

    If you can't get openssh to get where you wanna go with cygwin on
    windows, this may be worth looking into.

    There are also dedicated ssh newsgroups where mega ssh gurus hang out
    and could tell you best practices.

    Best Regards,
     
    Todd H., Aug 3, 2006
    #6
  7. Erik Naslund

    nemo_outis Guest

    There is also SFTP and FTP/TLS-SSL. Serv-u and other Windows ftp servers
    provide directory limits.

    The user experience is not a transparent Windows Explorer sort, though.

    Regards,
     
    nemo_outis, Aug 3, 2006
    #7
  8. SFTP is typically defined as using an SSH capable FTP client to connect
    to an SSH server. It uses the "native" commands on the server to provide
    directory services, and needs to be secure exactly like a "raw" SSH
    session would be with respect to up-level directory access.

    http://kb.iu.edu/data/akqg.html

    There is a server daemon named SFTP, but it also allows access to all
    the directories a user has permission to access, and requires that
    permissions be set in such a way that access to $FTPROOT is allowed for
    all users. The same problem the OP is running up against with SSH
    I think. :-(
    FTPS and a proper FTP server would be my choice, and with the right
    file manager on the client side moving files back and forth could be as
    transparent as moving them from folder to folder on your own machine
    (does Tuxcmd have a Windows port)? <g> It wouldn't be all that
    complicated to script the whole thing if these file transfers followed
    patterns or routine.

    My second choice would be a full blown VPN solution, FWIW. Second to
    FTPS only because I think it's a little bit of an over kill for the
    problem the OP is trying to solve.
    Are there no VFS "plugins" for Windows file managers?

    I knew there was a reason I dumped all things Windows years ago. ;-)
     
    Borked Pseudo Mailed, Aug 3, 2006
    #8
  9. Try Novell NetDrive (but be aware of the improper ACLs set by the
    installer). It allows you to mount FTPVFS with FTPS as a net drive.
    There are, but only third-party.
     
    Sebastian Gottschalk, Aug 3, 2006
    #9
  10. NetDrive is nothing more than a "wrapper" for common Internet
    protocols, most of them not even even secured by encryption as the OP
    mandated, and none of them immune to the problem the OP is having with
    SSH.

    Your "advice", as is typically the case, is completely useless.
     
    George Orwell, Aug 4, 2006
    #10
  11. Wrong. It fully implements a file system driver.
    As I already mentioned, it does support FTPS. And with FTPVFS the
    problem is addresses as well.
    I'm sorry that due to some management issue, your rather stupid postings
    slipped through the filter. :)
     
    Sebastian Gottschalk, Aug 4, 2006
    #11
  12. Erik Naslund

    Ludovic Joly Guest

    Borked Pseudo Mailed wrote :
    A full blown VPN is maybe a bit heavy, but today, most versions of
    Windows make establishing IPSEC tunnels between too machines (IP
    addresses) very easy. Wouldn't that be a simple and good choice for
    solving the problem of the OP?

    A page with links to IPSec Resources for Windows 2000:
    http://labmice.techtarget.com/networking/ipsec.htm

    IPSec tunneling resources:
    http://support.microsoft.com/?kbid=252735
    http://support.microsoft.com/?kbid=301284

    Kind regards,
    Nomen Nescio
     
    Ludovic Joly, Aug 4, 2006
    #12
  13. Erik Naslund

    Charly Oz Guest

    Erik,

    If you have a bit of cash (relative), BitVise provide an easy-to-install and
    manage OpenSSH server + commercial support.
    http://www.bitvise.com/

    There are a couple of other providers but these guys seem ok to me.

    Hope this helps.

    Charly.
     
    Charly Oz, Aug 15, 2006
    #13
  14. Erik Naslund

    jmlynn Guest

    Hi,

    I installed OpenSSH for Windows on a Windows 2003 server. As long as
    my server userid has admin privilege, I can use that id to remote
    connect from the Net using SFTP client.

    However, my SFTP client connection will be rejected with "access
    denied' error if the windows id has only "Users" privilege, even thought
    I had verify that the directory was created and assigned all privilege
    for thelogin id under the SFTP home root directory. As soon as I added
    admin privilege to the login id, it all works but you would understand
    that I do not want all SFTP user to have admin right.

    So what how do I resove this access problem?

    Thanks

    jml
     
    jmlynn, Nov 26, 2007
    #14
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.