Koozali.org: home of the SME Server

Non-root login to sme server

Offline DavidClarke

« on: June 01, 2005, 01:06:42 PM »
I need to allow a remote user to access sme server for file transfer, and would like this to be secure.

I already use SSH for remote administration, and it seems that for sftp to be available to another user I have to allow that user account to login by changing the login shell from /bin/sshell to /bin/bash

Is this opening up more access than I need? Is there a way to configure (as there is with the much less secure ftp access) a limited access account that will run sftp, and chroot the external user to the required ibay?

David Clarke

Offline raem

« Reply #1 on: June 01, 2005, 01:15:25 PM »
Get the user to VPN into the server.
Set up appropriate groups and make the ibay owned by the group the user is in.
You limit access to that ibay only for that user.
When connecting via VPN it's as if they are on the local network with the local network access privileges they have been given in server manager/groups.
VPN is secure, you only need to allow VPN access for that user and no others, if that's what you want.

Offline DavidClarke

« Reply #2 on: June 01, 2005, 01:53:59 PM »
I know all about VPN access - which I use for my own remote management without difficulty. However this is a need for allowing a non-admin user to access, and that user only has a limited range of methods to use - it is a system which sends out (commercially sensitive) orders to the company running the sme server.

FTP can be used, together with the firewall only allowing access from a limited range of addresses, but this does not hide the data.

SFTP is available on an sme server machine, (which does) but is only available by default to root.

David Clarke

Offline raem

« Reply #3 on: June 01, 2005, 02:15:25 PM »
David

Sorry but I don't follow your answer/comments.

> I know all obout VPN access - which I use for my own remote management without difficulty.

ssh & VPN are quite different tools. I use ssh for remote management as admin/root, but VPN is really for remote access by non admin users (as you request) to server shares etc. Isn't that what you are asking for?

> However this is a need for allowing a non-admin
> user to access, and that user only has a limited
> range of methods to use

What is the limited range of access methods that the user can use?
Why can't they use VPN?


> FTP can be used

You want secure, ftp is not secure.

> SFTP is available on an sme server machine, (which does) but is only available by default to root.

You need to run a sftp client on the users workstation eg WinSCP3 or similar, in conjunction with ssh user login (you have to enable ssh user logins though).
http://mirror.contribs.org/smeserver/contribs/bobk/SME_Manual/chpt-14.02.html

If you are concerned about security, we suggest you consider the scp "secure copy" command associated with ssh as an alternative to FTP.

Personally I think VPN is easier to use and user access to the server shares is automatically controlled by their group membership.

Offline del


Offline DavidClarke

« Reply #5 on: June 02, 2005, 10:57:03 AM »
Thanks to Del - the answer may well be RSSH mentioned in one of the links you posted.

The problem I'm faced with is that the remote 'user' is in fact a major customer's system which only knows about some proprietary protocols, together with HTTP and FTP - setting up a VPN is a non-starter, and I'm even unsure about whether sftp will be an option.
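The restriction asked for in the opening post (an account that can only run sftp, jailed to one directory, without giving it a real login shell) is something OpenSSH 4.9 and later (2008, so newer than this thread) support directly through a Match block, with no need for rssh or a shell change. The fragment below is an added example, not from this thread or from SME Server's own templates; the user name, the chroot path and the i-bay name are hypothetical, and on SME Server the change would have to go into a custom template fragment because sshd_config is template-generated.

```sshd_config
# /etc/ssh/sshd_config fragment (added example; user "acmefeed", chroot
# /srv/sftp/acmefeed and i-bay "orders" are all hypothetical).

# Global default: use the sftp server built into sshd rather than an
# external sftp-server binary. Global directives must precede any Match.
Subsystem sftp internal-sftp

# Everything from here to the next Match (or end of file) applies only to
# this one account; every other user keeps the global settings.
Match User acmefeed
    # The thread's workaround was to give the account /bin/bash instead of
    # /bin/sshell. With ForceCommand the login shell is never executed, so
    # the shell choice no longer decides what the account can do.
    ForceCommand internal-sftp

    # Jail the session. sshd insists that the chroot directory itself is
    # owned by root and not writable by group or others, otherwise the
    # login is refused. The customer writes into a subdirectory below it
    # (e.g. /srv/sftp/acmefeed/files) that is owned by the account and
    # bind-mounted from the "orders" i-bay.
    ChrootDirectory /srv/sftp/acmefeed

    # Close the side channels an SSH session otherwise provides, so the
    # account cannot reach other hosts or services through the server.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

    # An automated client can hold a key; refusing passwords removes the
    # brute-force surface on an account that is reachable from outside.
    PasswordAuthentication no
```

`sshd -t` validates the file after the change, and a failed chroot login shows up in the auth log as a "bad ownership or modes for chroot directory" message, which is the first thing to check when the customer's system cannot connect.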