Newsgroup: alt.computer.security

#1
08-02-2006, 08:26 PM
Erik Naslund
OpenSSH Windows Security

My company has a requirement for secure file transfer. We are limited
to windows server 2003. I have successfully setup OpenSSH via cygwin on
this server.

The problem I am having is that I cannot seem to figure out how to
isolate users. They are permitted to travel up the directory structure
into the cygwin directories. Granted it is only read access, but how
can I lock them into their home directory?

I have tried changing permissions on the parent directories, but as soon
as I do, the user can no longer log in.


#2
08-03-2006, 07:14 AM
Ludovic Joly
Re: OpenSSH Windows Security


Maybe setting up chroot cages would help?

Kind regards
Ludovic


#3
08-03-2006, 11:19 AM
TwistyCreek
Re: OpenSSH Windows Security

Erik Naslund wrote:

> My company has a requirement for secure file transfer. We are limited
> to windows server 2003. I have successfully setup OpenSSH via cygwin on
> this server.
>
> The problem I am having is that I cannot seem to figure out how to
> isolate users. They are permitted to travel up the directory structure
> into the cygwin directories. Granted it is only read access, but how
> can I lock them into their home directory?


You need to put them in a chroot jail. Don't know about Cygwin, but
instructions for doing this with OpenSSH in a "real" *nix environment
can be found here...

http://wiki.linuxquestions.org/wiki/OpenSSH_chrooting

OpenSSH really isn't the best choice if you just need to move files.
It is, as the name implies, a "shell" which needs certain things to
function. This makes chrooting users much more difficult.


#4
08-03-2006, 12:09 PM
Erik Naslund
Re: OpenSSH Windows Security

I can prevent them from having shell access by changing their default
shell variable to /usr/sbin/sftp-server or the like.

The goal is to only allow SFTP/SCP access and to lock them into their
home directories. As far as I know, OpenSSH is the only option for
secure file transfer in windows. (welcoming alternatives at this point)

I will have a look at the link you provided and see what mileage I can
get with cygwin. I will post the results.

TwistyCreek wrote:
> Erik Naslund wrote:
>
> > My company has a requirement for secure file transfer. We are limited
> > to windows server 2003. I have successfully setup OpenSSH via cygwin on
> > this server.
> >
> > The problem I am having is that I cannot seem to figure out how to
> > isolate users. They are permitted to travel up the directory structure
> > into the cygwin directories. Granted it is only read access, but how
> > can I lock them into their home directory?

>
> You need to put them in a chroot jail. Don't know about Cygwin, but
> instructions for doing this with OpenSSH in a "real" *nix environment
> can be found here...
>
> http://wiki.linuxquestions.org/wiki/OpenSSH_chrooting
>
> OpenSSH really isn't the best choice if you just need to move files.
> It is, as the name implies, a "shell" which needs certain things to
> function. This makes chrooting users much more difficult.
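
Added example, not part of the thread: on a Unix-like host whose OpenSSH provides the `ChrootDirectory` directive in sshd_config, sshd refuses the session unless every component of the jail path is a root-owned directory that is not writable by group or others. The sketch below walks a planned jail path and reports each component that breaks that rule; the function name, the `base` parameter and the sample tree are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def chroot_path_problems(path, owner_uid=0, base="/"):
    """List (component, reason) pairs that violate sshd's ChrootDirectory rule.

    Every directory from `path` up to `base` must be owned by `owner_uid`
    (root in production) and must not be writable by group or others.
    `base` exists only so the check can be exercised on a constructed tree.
    """
    problems = []
    current = os.path.realpath(path)
    stop = os.path.realpath(base)
    while True:
        st = os.stat(current)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((current, "not a directory"))
        if st.st_uid != owner_uid:
            problems.append((current, "owner uid %d, expected %d" % (st.st_uid, owner_uid)))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((current, "writable by group or others"))
        parent = os.path.dirname(current)
        if current == stop or parent == current:
            return problems
        current = parent


def demo():
    """Build a constructed jail tree in a temp dir and check two candidate paths."""
    base = tempfile.mkdtemp()          # stands in for "/" (constructed sample)
    jail = os.path.join(base, "sftp", "alice")
    upload = os.path.join(jail, "upload")
    os.makedirs(upload)
    for d in (os.path.join(base, "sftp"), jail):
        os.chmod(d, 0o755)             # modes the jail path itself needs
    os.chmod(upload, 0o775)            # group-writable: fine inside the jail, not as the jail
    me = os.getuid()                   # stands in for root (uid 0) in this demo
    return {
        "jail": chroot_path_problems(jail, owner_uid=me, base=base),
        "upload": chroot_path_problems(upload, owner_uid=me, base=base),
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "OK" if not found else found)
```

In production, call it with the defaults (`owner_uid=0`, `base="/"`) on the directory named by `ChrootDirectory`.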



#5
08-03-2006, 01:24 PM
Roger Parks
Re: OpenSSH Windows Security

On Wed, 02 Aug 2006 16:26:46 -0400, Erik Naslund <erik.naslund@gmail.com>
wrote:

> My company has a requirement for secure file transfer. We are limited
> to windows server 2003. I have successfully setup OpenSSH via cygwin on
> this server.
>
> The problem I am having is that I cannot seem to figure out how to
> isolate users. They are permitted to travel up the directory structure
> into the cygwin directories. Granted it is only read access, but how
> can I lock them into their home directory?
>
> I have tried changing permissions on the parent directories, but as soon
> as I do, the user can no longer log in.
>


Try putty instead - small, fast, nice gui.

http://www.chiark.greenend.org.uk/~sgtatham/putty/


--
Vista error#4711: TCPA / RIAA / NGSCP / WGA VIOLATION: Microsoft
optical mouse detected Linux patterns on mousepad. Partition scan in
progress to remove offending, unapproved products. Request permission,
and apply for a new key to reactivate MS software at www.ms.com


#6
08-03-2006, 03:05 PM
Todd H.
Re: OpenSSH Windows Security

"Erik Naslund" <erik.naslund@gmail.com> writes:
> My company has a requirement for secure file transfer. We are limited
> to windows server 2003. I have successfully setup OpenSSH via cygwin on
> this server.
>
> The problem I am having is that I cannot seem to figure out how to
> isolate users. They are permitted to travel up the directory structure
> into the cygwin directories. Granted it is only read access, but how
> can I lock them into their home directory?
>
> I have tried changing permissions on the parent directories, but as soon
> as I do, the user can no longer log in.


VanDyke VShell Server is what our company ultimately implemented for
windows ssh/scp due to several issues with cygwin/openssh on the
windows side.

If you can't get openssh to get where you wanna go with cygwin on
windows, this may be worth looking into.

There are also dedicated ssh newsgroups where mega ssh gurus hang out
and could tell you best practices.

Best Regards,
--
Todd H.
http://www.toddh.net/

#7
08-03-2006, 03:07 PM
nemo_outis
Re: OpenSSH Windows Security

"Erik Naslund" <erik.naslund@gmail.com> wrote in
news:1154606956.116352.205580@h48g2000cwc.googlegroups.com:

> I can prevent them from having shell access by changing their default
> shell variable to /usr/sbin/sftp-server or the like.
>
> The goal is to only allow SFTP/SCP access and to lock them into their
> home directories. As far as I know, OpenSSH is the only option for
> secure file transfer in windows. (welcoming alternatives at this
> point)


There is also SFTP and FTP/TLS-SSL. Serv-u and other Windows ftp servers
provide directory limits.

The user experience is not a transparent Windows Explorer sort, though.

Regards,





#8
08-03-2006, 08:21 PM
Borked Pseudo Mailed
Re: OpenSSH Windows Security

nemo_outis wrote:

> "Erik Naslund" <erik.naslund@gmail.com> wrote in
> news:1154606956.116352.205580@h48g2000cwc.googlegroups.com:
>
> > I can prevent them from having shell access by changing their default
> > shell variable to /usr/sbin/sftp-server or the like.
> >
> > The goal is to only allow SFTP/SCP access and to lock them into their
> > home directories. As far as I know, OpenSSH is the only option for
> > secure file transfer in windows. (welcoming alternatives at this
> > point)

>
> There is also SFTP


SFTP is typically defined as using an SSH capable FTP client to connect
to an SSH server. It uses the "native" commands on the server to provide
directory services, and needs to be secure exactly like a "raw" SSH
session would be with respect to up-level directory access.

http://kb.iu.edu/data/akqg.html

There is a server daemon named SFTP, but it also allows access to all
the directories a user has permission to access, and requires that
permissions be set in such a way that access to $FTPROOT is allowed for
all users. The same problem the OP is running up against with SSH
I think. :-(

> and FTP/TLS-SSL. Serv-u and other Windows ftp servers
> provide directory limits.


FTPS and a proper FTP server would be my choice, and with the right
file manager on the client side moving files back and forth could be as
transparent as moving them from folder to folder on your own machine
(does Tuxcmd have a Windows port)? <g> It wouldn't be all that
complicated to script the whole thing if these file transfers followed
patterns or routine.

My second choice would be a full blown VPN solution, FWIW. Second to
FTPS only because I think it's a little bit of an overkill for the
problem the OP is trying to solve.

> The user experience is not a transparent Windows Explorer sort, though.


Are there no VFS "plugins" for Windows file managers?

I knew there was a reason I dumped all things Windows years ago. ;-)


#9
08-03-2006, 08:26 PM
Sebastian Gottschalk
Re: OpenSSH Windows Security

Borked Pseudo Mailed wrote:

>> and FTP/TLS-SSL. Serv-u and other Windows ftp servers
>> provide directory limits.

>
> FTPS and a proper FTP server would be my choice, and with the right
> file manager on the client side moving files back and forth could be as
> transparent as moving them from folder to folder on your own machine
> (does Tuxcmd have a Windows port)? <g>


Try Novell NetDrive (but be aware of the improper ACLs set by the
installer). It allows you to mount FTPVFS with FTPS as a net drive.

>> The user experience is not a transparent Windows Explorer sort, though.

>
> Are there no VFS "plugins" for Windows file managers?


There are, but only third-party.

#10
08-04-2006, 12:38 AM
George Orwell
Re: OpenSSH Windows Security

Sebastian Gottschalk wrote:

> Borked Pseudo Mailed wrote:
>
> >> and FTP/TLS-SSL. Serv-u and other Windows ftp servers
> >> provide directory limits.

> >
> > FTPS and a proper FTP server would be my choice, and with the right
> > file manager on the client side moving files back and forth could be as
> > transparent as moving them from folder to folder on your own machine
> > (does Tuxcmd have a Windows port)? <g>

>
> Try Novell NetDrive (but be aware of the improper ACLs set by the
> installer). It allows you to mount FTPVFS with FTPS as a net drive.


NetDrive is nothing more than a "wrapper" for common Internet
protocols, most of them not even secured by encryption as the OP
mandated, and none of them immune to the problem the OP is having with
SSH.

Your "advice", as is typically the case, is completely useless.




#11
08-04-2006, 12:55 AM
Sebastian Gottschalk
Re: OpenSSH Windows Security

George Orwell wrote:

>>>> and FTP/TLS-SSL. Serv-u and other Windows ftp servers
>>>> provide directory limits.
>>> FTPS and a proper FTP server would be my choice, and with the right
>>> file manager on the client side moving files back and forth could be as
>>> transparent as moving them from folder to folder on your own machine
>>> (does Tuxcmd have a Windows port)? <g>

>> Try Novell NetDrive (but be aware of the improper ACLs set by the
>> installer). It allows you to mount FTPVFS with FTPS as a net drive.

>
> NetDrive is nothing more than a "wrapper" for common Internet
> protocols,


Wrong. It fully implements a file system driver.

> most of them not even secured by encryption as the OP
> mandated, and none of them immune to the problem the OP is having with
> SSH.


As I already mentioned, it does support FTPS. And with FTPVFS the
problem is addressed as well.

> Your "advice", as is typically the case, is completely useless.


I'm sorry that due to some management issue, your rather stupid postings
slipped through the filter. :-)

#12
08-04-2006, 09:35 AM
Ludovic Joly
Re: OpenSSH Windows Security

Borked Pseudo Mailed wrote :
> My second choice would be a full blown VPN solution, FWIW. Second to
> FTPS only because I think it's a little bit of an over kill for the
> problem the OP is trying to solve.


A full blown VPN is maybe a bit heavy, but today, most versions of
Windows make establishing IPSEC tunnels between two machines (IP
addresses) very easy. Wouldn't that be a simple and good choice for
solving the problem of the OP?

A page with links to IPSec Resources for Windows 2000:
http://labmice.techtarget.com/networking/ipsec.htm

IPSec tunneling resources:
http://support.microsoft.com/?kbid=252735
http://support.microsoft.com/?kbid=301284

Kind regards,
Nomen Nescio


#13
08-15-2006, 10:20 AM
Charly Oz
Re: OpenSSH Windows Security

Erik,

If you have a bit of cash (relative), BitVise provide an easy-to-install and
manage OpenSSH server + commercial support.
http://www.bitvise.com/

There are a couple of other providers but these guys seem ok to me.

Hope this helps.

Charly.

"Erik Naslund" <erik.naslund@gmail.com> wrote in message
news:1154550406.594821.299900@s13g2000cwa.googlegroups.com...
> My company has a requirement for secure file transfer. We are limited
> to windows server 2003. I have successfully setup OpenSSH via cygwin on
> this server.
>
> The problem I am having is that I cannot seem to figure out how to
> isolate users. They are permitted to travel up the directory structure
> into the cygwin directories. Granted it is only read access, but how
> can I lock them into their home directory?
>
> I have tried changing permissions on the parent directories, but as soon
> as I do, the user can no longer log in.
>




#14
11-26-2007, 01:10 PM
Junior Member, joined Nov 2007
Access Denied on user without admin privilege

Hi,

I installed OpenSSH for Windows on a Windows 2003 server. As long as my server userid has admin privilege, I can use that id to remote connect from the Net using SFTP client.

However, my SFTP client connection will be rejected with an "access denied" error if the Windows id has only "Users" privilege, even though I had verified that the directory was created and assigned all privileges for the login id under the SFTP home root directory. As soon as I added admin privilege to the login id, it all works, but you would understand that I do not want all SFTP users to have admin rights.

So how do I resolve this access problem?

Thanks

jml

All times are GMT.