Distinguishing ssh-logins from sftp-logins - SSH

This is a discussion on Distinguishing ssh-logins from sftp-logins - SSH ; Hello everybody, I've got a case concerning sftp and ssh. I want to setup an enviroment, in which user can do filetransfers using sftp in a jail (chroot). Unfortunately there are some special requirements to meet. 1. All user should ...

+ Reply to Thread
Results 1 to 13 of 13

Thread: Distinguishing ssh-logins from sftp-logins

  1. Distinguishing ssh-logins from sftp-logins

    Hello everybody,

    I've got a case concerning sftp and ssh.

    I want to setup an enviroment, in which user can do filetransfers using
    sftp in a jail (chroot). Unfortunately there are some special
    requirements to meet.

    1. All user should be able to use sftp in a jail (their home
    directory).

    2. The majority of user (say regular users) should be able to login to
    use sftp but should NOT get a Login to a system's shell! These users
    are sftp-only-users.

    3. A set of user (call them admins) should be able to login to use sftp
    (like described in 1.) and should get a login to a shell too (in
    contrast to 2.). I call them "ssh-users"

    Does anybody know, how to achieve this or how to achieve a similar
    functionality.
    Any contributions are welcome.

    I'm running debian woody on an Intel x86.

    Thanks in advance und regards from Hamburg,

    Mattes Opel


  2. Re: Distinguishing ssh-logins from sftp-logins

    mog128 a écrit :
    > Hello everybody,
    >
    > I've got a case concerning sftp and ssh.
    >
    > I want to setup an enviroment, in which user can do filetransfers using
    > sftp in a jail (chroot). Unfortunately there are some special
    > requirements to meet.
    >
    > 1. All user should be able to use sftp in a jail (their home
    > directory).
    >
    > 2. The majority of user (say regular users) should be able to login to
    > use sftp but should NOT get a Login to a system's shell! These users
    > are sftp-only-users.
    >
    > 3. A set of user (call them admins) should be able to login to use sftp
    > (like described in 1.) and should get a login to a shell too (in
    > contrast to 2.). I call them "ssh-users"
    >
    > Does anybody know, how to achieve this or how to achieve a similar
    > functionality.
    > Any contributions are welcome.
    >
    > I'm running debian woody on an Intel x86.
    >
    > Thanks in advance und regards from Hamburg,
    >
    > Mattes Opel
    >

    Sorry I can't help you, but I have a similar request. I tried many times
    and sftp restricted shell via rssh doesn't work for me in the chroot
    jail - while it is okay without the chroot jail. I'm running gentoo, not
    Debian though.

    You can see my post above : "weird rssh/sftp problem". If you find some
    way of doing it, I would be glad to know how you did achieve it, because
    I tried everything I had in mind already !!

    Cheers.


  3. Re: Distinguishing ssh-logins from sftp-logins

    mog128 wrote:
    > Hello everybody,
    >
    > I've got a case concerning sftp and ssh.
    >
    > I want to setup an enviroment, in which user can do filetransfers using
    > sftp in a jail (chroot). Unfortunately there are some special
    > requirements to meet.
    >
    > 1. All user should be able to use sftp in a jail (their home
    > directory).
    >
    > 2. The majority of user (say regular users) should be able to login to
    > use sftp but should NOT get a Login to a system's shell! These users
    > are sftp-only-users.
    >
    > 3. A set of user (call them admins) should be able to login to use sftp
    > (like described in 1.) and should get a login to a shell too (in
    > contrast to 2.). I call them "ssh-users"
    >
    > Does anybody know, how to achieve this or how to achieve a similar
    > functionality.
    > Any contributions are welcome.
    >
    > I'm running debian woody on an Intel x86.
    >
    > Thanks in advance und regards from Hamburg,
    >
    > Mattes Opel
    >

    Why not using /usr/bin/false as shell for your non ssh-users?

    stéphane.

  4. Re: Distinguishing ssh-logins from sftp-logins

    Hey,

    thank you both for your interesst.

    I've tried using /bin/false or /dev/null as shell for non-ssh users,
    but experienced that the sftp-server did not execute correctly. I think
    putting something like "SubSystem '/bin/sh /PATH/TO/sftp-server'" in
    shhd_config would do the job. I took my hands from it, because of some
    specialities specific to my system.

    I've found a way using rssh. Works pretty nice and configuration is
    very flexible. Also the mkchroot.sh script created a working chroot for
    me.
    I didn't know that rssh is a replacement shell, I thought it was a
    service.

    Does somebody know, how to hide the dot files, when accessing by
    sftp-server? I'm using openssh 3.8.1.

    Greetings from Hamburg,

    Mattes Opel


  5. Re: Distinguishing ssh-logins from sftp-logins

    You can try running a wrapper script, which is exectued by sshd.

    You then need to configure "SubSystem /PATH/TO/mysshwrapper.sh" in
    sshd_config.

    The wrapper script could look like this. (Don't know if this code
    works, but to give an idea...)

    #!/bin/bash

    if[$LOGNAME = "cantabile"];
    then
    /PATH/TO/sftp-server
    else
    /bin/echo "Nice try."
    sleep 3;
    fi

    exit;


  6. Re: Distinguishing ssh-logins from sftp-logins

    >>>>> "MO" == mog128 writes:

    MO> Hey, thank you both for your interesst.

    MO> I've tried using /bin/false or /dev/null as shell for non-ssh
    MO> users, but experienced that the sftp-server did not execute
    MO> correctly.

    That's because sshd uses the remote account's shell to run any programs on
    the user's behalf ($SHELL -c ...).

    --
    Richard Silverman
    res@qoxp.net


  7. Re: Distinguishing ssh-logins from sftp-logins

    mog128 wrote:
    > Hello everybody,
    >
    > I've got a case concerning sftp and ssh.
    >
    > I want to setup an enviroment, in which user can do filetransfers using
    > sftp in a jail (chroot). Unfortunately there are some special
    > requirements to meet.
    >
    > 1. All user should be able to use sftp in a jail (their home
    > directory).


    Use scponly (http://www.sublimation.org/scponly/) and set it up so it
    uses chroot, then disable connection forwarding in sshd_config. If you
    really need connection forwarding for some users, apply the Match patch
    and make some rules:

    http://bugzilla.mindrot.org/show_bug.cgi?id=1180

    Steven

  8. Re: Distinguishing ssh-logins from sftp-logins

    Steven Mocking wrote:
    > mog128 wrote:
    >
    >>Hello everybody,
    >>
    >>I've got a case concerning sftp and ssh.
    >>
    >>I want to setup an enviroment, in which user can do filetransfers using
    >>sftp in a jail (chroot). Unfortunately there are some special
    >>requirements to meet.
    >>
    >>1. All user should be able to use sftp in a jail (their home
    >>directory).

    >
    >
    > Use scponly (http://www.sublimation.org/scponly/) and set it up so it
    > uses chroot, then disable connection forwarding in sshd_config. If you
    > really need connection forwarding for some users, apply the Match patch
    > and make some rules:
    >
    > http://bugzilla.mindrot.org/show_bug.cgi?id=1180
    >
    > Steven

    With unix/linux sshd servers (not sure about windows sshd servers), when you connect with
    scp it effectivley connects with ssh and runs the servers scp command.

    If you want to prevent the users from doing anything other than scp all you need to do is
    edit the users $HOME/.ssh/authorized_keys(2) file and add command="scp" at the beginning
    of the line.

    This way no matter what command they try and run when they connect, only scp will actually
    run.

    Regards
    David Gempton.

  9. Re: Distinguishing ssh-logins from sftp-logins

    In article <4484e6ef$1@clear.net.nz> David Gempton
    writes:
    >
    >If you want to prevent the users from doing anything other than scp all
    >you need to do is
    >edit the users $HOME/.ssh/authorized_keys(2) file and add command="scp"
    >at the beginning
    >of the line.


    Did you try that? I assume not, because it surely won't work...

    >This way no matter what command they try and run when they connect, only
    >scp will actually
    >run.


    True, but it will be run without any arguments, and thus immediately
    fail with an error message. The 'command' option gives the complete
    commandline, the arguments supplied by the user are (of course) ignored
    along with the command name. Thus unless you're prepared to restrict scp
    to only be done to (or from, but not both) a specific file, the argument
    to the 'command' option must be a semi-clever program/script that
    examines the SSH_ORIGINAL_COMMAND env.variable, applies whatever
    restrictions / sanity checks that are desired, and then executes scp
    with the appropriate arguments.

    Plus of course the whole thing only works for pubkey authentication.

    --Per Hedeland
    per@hedeland.org

  10. Re: Distinguishing ssh-logins from sftp-logins

    On 2006-06-06, Per Hedeland wrote:
    > True, but it will be run without any arguments, and thus immediately
    > fail with an error message. The 'command' option gives the complete
    > commandline, the arguments supplied by the user are (of course) ignored
    > along with the command name. Thus unless you're prepared to restrict scp
    > to only be done to (or from, but not both) a specific file, the argument
    > to the 'command' option must be a semi-clever program/script that
    > examines the SSH_ORIGINAL_COMMAND env.variable, applies whatever
    > restrictions / sanity checks that are desired, and then executes scp
    > with the appropriate arguments.


    And what about:

    command="/usr/lib/openssh/sftp-server" ssh-rsa ....

    ?

    This seems to work.

    > --Per Hedeland
    > per@hedeland.org


    --
    hondza aka "kinderzrout" | GPG key: http://www.hondza.adslink.cz/key.asc
    Fingerprint: 31E7 EF56 7280 5C89 75E9 FF9D 010E 175F 7823 CF38

  11. Re: Distinguishing ssh-logins from sftp-logins

    hondza wrote:
    > And what about:
    > command="/usr/lib/openssh/sftp-server" ssh-rsa ....
    > ?
    >
    > This seems to work.


    Just make sure that the authorized_keys file itself isn't writable
    by that sftp process (by any means, including renaming away the .ssh
    directory), or else users will be able to SFTP in, overwrite that
    file, and de-restrict their own public keys.
    --
    Simon Tatham "I'm cross. I'm going to have a tantrum.
    How do I start?" - my uncle

  12. Re: Distinguishing ssh-logins from sftp-logins

    >>>>> "hondza" == hondza writes:

    hondza> On 2006-06-06, Per Hedeland wrote:
    >> True, but it will be run without any arguments, and thus
    >> immediately fail with an error message. The 'command' option gives
    >> the complete commandline, the arguments supplied by the user are
    >> (of course) ignored along with the command name. Thus unless you're
    >> prepared to restrict scp to only be done to (or from, but not both)
    >> a specific file, the argument to the 'command' option must be a
    >> semi-clever program/script that examines the SSH_ORIGINAL_COMMAND
    >> env.variable, applies whatever restrictions / sanity checks that
    >> are desired, and then executes scp with the appropriate arguments.


    hondza> And what about:

    hondza> command="/usr/lib/openssh/sftp-server" ssh-rsa ....

    hondza> ?

    hondza> This seems to work.

    This works because, unlike scp, the sftp server does not need any
    arguments. The information on what files to transfer etc. is carried in
    the protocol.

    >> --Per Hedeland per@hedeland.org


    hondza> -- hondza aka "kinderzrout" | GPG key:
    hondza> http://www.hondza.adslink.cz/key.asc Fingerprint: 31E7 EF56
    hondza> 7280 5C89 75E9 FF9D 010E 175F 7823 CF38

    --
    Richard Silverman
    res@qoxp.net


  13. Re: Distinguishing ssh-logins from sftp-logins

    On 2006-06-06, Simon Tatham wrote:
    > hondza wrote:
    >> And what about:
    >> command="/usr/lib/openssh/sftp-server" ssh-rsa ....
    >> ?
    >>
    >> This seems to work.

    >
    > Just make sure that the authorized_keys file itself isn't writable
    > by that sftp process (by any means, including renaming away the .ssh
    > directory), or else users will be able to SFTP in, overwrite that
    > file, and de-restrict their own public keys.


    In OpenSSH, you can also use the AuthorizedKeysFile directive in
    sshd_config to put the authorized_keys file some place other than the
    users' home directories and, eg, make that owned by root.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

+ Reply to Thread