Topic: Help with SFTP

[tdbsoft]

Trying to setup secure SFTP access nearly done but small problem with user access.

I have SME 7.4 and have installed Smeserver-remoteuseraccess.  Setup a new user and allowed sshh + vpn for the user.  I can login with Filezilla and all is working except that I can change directory up throu the folder tree, some folders are protected others allow uploading or downloading of files.

This is unacceptable as each user should not be able to change up from their home directory and see other uses files etc.  I have set the chroot path but it has little or no affect on access except for changing the initial directory shown.  Any ideas as to what I might be do wrong or pointers to a how document would be muchly appreciated.

Also if anyone knows how to setup SFTP too an I-bay that would be as good.

[Stefano]

Hi

unfortunately smeserver-remoteaccess can "chroot" only ftp.. actually there's no (easy) way to chroot ssh/sftp access

if you search the forums you'll find other 3ads about it.. one possible solution not supported, i.e. do at your own risk is to upgrade to the last openssh release.. as I said, search the forums..

anyway, as you can easily verify, user can only see names of files/dirs.. he can't do anything if he has not the right permission

[tdbsoft]

Hi Stefano,

Thanks for the info. 
Documentation for SME all says to use SFTP as FTP is insecure but it seems that there is no easy way to implement SFTP. 

Anyway can you suggest best way to provide basic FTP to the SME server that works and can provide basic security.  Must not allow user to see others files or change folder from there root directory.

What do others use to implement FTP on the SME server?

Thanks for your help

Hi

unfortunately smeserver-remoteaccess can "chroot" only ftp.. actually there's no (easy) way to chroot ssh/sftp access

if you search the forums you'll find other 3ads about it.. one possible solution not supported, i.e. do at your own risk is to upgrade to the last openssh release.. as I said, search the forums..

anyway, as you can easily verify, user can only see names of files/dirs.. he can't do anything if he has not the right permission

[janet]

tdbsoft

What do others use to implement FTP on the SME server?

Just don't.
Why do they need ftp type access anyway, just to access files ?

Use VPN, and user access will be limited to ibays that they are owners of via group memberships, and their own homefolder.

[tdbsoft]

Hi Mary,

Need FTP type access as users will be connecting via the Internet and storing files on the server.  Very occasionally they will need to retrieving files also.  IE Serve is employed in backup role to store files.

So need FTP or SFTP to work and as securely as possible.

tdbsoft

Just don't.
Why do they need ftp type access anyway, just to access files ?

Use VPN, and user access will be limited to ibays that they are owners of via group memberships, and their own homefolder.

[janet]

tdbsoft

ftp is not secure so don't even consider that if you are talking about a secure connection, plain text passwords are sent etc.
sftp is the only possibility, but that has other issues on sme server that you are not happy with, so forget sftp also.

With VPN, you allow users to have VPN access, so already there is high security.
Users who are not allowed access (the default) cannot even connect via VPN.

Once connected you are part of the local network and have access to shares based on your group membership, you can upload or download files etc.

Do you understand what VPN is ?

The alternative is to create a ssh tunnel using Putty and connect that way.
Search forums etc for tips on doing that.
Not sure if there is a wiki Howto, so look.

[tdbsoft]

We tried your suggestion of using VPN but it is even less secure than ftp.  VPN gave access to the i-bay but it also gave access to the LAN and although I could put the server on its own separate LAN outside of my main LAN I prefer not to.

Anyway SFTP allows file transfers to be resumed, it is also suppose to be secure.  So I will be pursuing a way to chroot the user to their home directory.  If SFTP is so secure as mooted by all the documentation then there must be a way to chroot the user, I see howto's in the other distro's.

tdbsoft

ftp is not secure so don't even consider that if you are talking about a secure connection, plain text passwords are sent etc.
sftp is the only possibility, but that has other issues on sme server that you are not happy with, so forget sftp also.

With VPN, you allow users to have VPN access, so already there is high security.
Users who are not allowed access (the default) cannot even connect via VPN.

Once connected you are part of the local network and have access to shares based on your group membership, you can upload or download files etc.

Do you understand what VPN is ?

[janet]

tdbsoft

Create a ssh tunnel, search here as I'm sure there are numerous notes about it.

Another alternative which I've used for years, is the webshare contrib. See dmay contrib folders. It saves data in /opt in subfolders you create via the server manager interface. It uses a seperate user database than sme. Upload or download. I've seen some people mentioning to create a symlink to an ibay as required, never tried that myself.

By the way, a VPN connection is secure, your complaint is about the access rights the user then has. You control this with group ownership of ibays, and allow users membership of groups as required. You can limit a users ability to send email with a db command ie to local only.

[cactus]

We tried your suggestion of using VPN but it is even less secure than ftp.  VPN gave access to the i-bay but it also gave access to the LAN and although I could put the server on its own separate LAN outside of my main LAN I prefer not to.

That does not have much to do with security. It merely is a feature you do not desire. Sending password over the line unencrypted (as is done using FTP) is a far bigger risk than a controlled set of users being able to see and access files from others.

If you assign users to the correct groups, with the proper privileges, they should not be able to access your ibays if you do not desire that.

Perhpas you are better of specifying your goals and boundaries so we can help guide you and work things out. At the moment we keep suggesting things which seem to be turned down with new arguments. It might help if you specify your desires and things you absolutely do not want.

[tdbsoft]

Goal is very simple SFTP that dose not allow users of the SFTP to be able to see other users files of folders.  File transfer with resume of a upload or download, security, no viewing of others files or access, not worried if it is to i-bay or users home directory. 

All of this is what SFTP is designed for and the documentation all says to use SFTP and it works except for the viewing of other peoples folders/Files.  It might be possible to use VPN or tunneling etc, but why when SFTP is exactly what is needed and yet is seems that it is not able to stop people from see other peoples files.

Using VPN and Tunneling is like programming a accounting program in Excel it might be possible but is not the best choice for the job.

Has anyone been able to chroot SFTP users to a home directory?

Perhpas you are better of specifying your goals and boundaries so we can help guide you and work things out. At the moment we keep suggesting things which seem to be turned down with new arguments. It might help if you specify your desires and things you absolutely do not want.

[janet]

tdbsoft

Your question was answered in the second post of this thread, by a person who appears reasonably knowledgable about sme server.
http://forums.contribs.org/index.php/topic,45394.msg220398.html#msg220398

The feature you require appears to be not available with current stable release of sme server.

You have been given alternatives and no one else is coming forward and providing you with the answer you are wanting, so I suggest you re-read the advices given here or wait until further development occurs which incorporates the functionality you are after.

Please lodge a new feature request (NFR) in bugzilla.

The sme server security model has been chosen for good reasons, and some may feel it is stricter than other similar Linux servers. It's probably more accurate to say it the other way around, ie that other distros security models are not as strict as they should be.

It appears with the current sme design concepts that sftp with the limitations you desire is not easy to implement while still retaining the high security model of sme, and that's probably the very reason why it has not yet been implemented.

[tdbsoft]

tdbsoft

Your question was answered in the second post of this thread, by a person who appears reasonably knowledgable about sme server.
http://forums.contribs.org/index.php/topic,45394.msg220398.html#msg220398

The feature you require appears to be not available with current stable release of sme server.

You have been given alternatives and no one else is coming forward and providing you with the answer you are wanting, so I suggest you re-read the advices given here or wait until further development occurs which incorporates the functionality you are after.

Mary

Thank you for your help.

Please lodge a new feature request (NFR) in bugzilla.

It not a new feature SFTP SECURE FTP, letting a SFTP client view others files is not secure.

The sme server security model has been chosen for good reasons, and some may feel it is stricter than other similar Linux servers. It's probably more accurate to say it the other way around, ie that other distros security models are not as strict as they should be.

Yes SME it great distro, but that dose not change the fact that SFTP is a common service and is documented as secure in the documentation in SME.  It says several times in SME documentation to use SFTP as it is secure.

It appears with the current sme design concepts that sftp with the limitations you desire is not easy to implement while still retaining the high security model of sme, and that's probably the very reason why it has not yet been implemented.

Yes true SME dose not have secure FTP either, I will wait for the next version which hopefully will allow the chrooting of the user to the folder.

Thanks to all (Topic Closed)

[janet]

tdbsoft

What's wrong with webshare ?

The NFR I referred to was the ability to sftp without seeing others folders and files.

[tdbsoft]

tdbsoft

What's wrong with webshare ?

The NFR I referred to was the ability to sftp without seeing others folders and files.

Mary,

Will check out Webshare it might be Ok for the job.

NFR / bug think this is already posted (2nd post above) next version of openssh will likely support chrooting the user to their home directory or other folder.

Thank you, I will let you know how I go with Webshare, Cheers Trevor

[Stefano]

Goal is very simple SFTP that dose not allow users of the SFTP to be able to see other users files of folders.  File transfer with resume of a upload or download, security, no viewing of others files or access, not worried if it is to i-bay or users home directory. 

All of this is what SFTP is designed for and the documentation all says to use SFTP and it works except for the viewing of other peoples folders/Files.  It might be possible to use VPN or tunneling etc, but why when SFTP is exactly what is needed and yet is seems that it is not able to stop people from see other peoples files.

this is not a SME issue/limitation.. it's a limit of the openssh package that come with Centos4.x

Has anyone been able to chroot SFTP users to a home directory?

as I told you since the beginning, no, but...

HTH

[mmccarn]

I use DAV to get what you want (encrypted remote access to ibays): http://wiki.contribs.org/DAV

There are some oddities about how the authentication works, see Bug 4564 - I don't know if these have been addressed in the contrib itself.

[Stefano]

tdbsoft :
if you are interested, I've just built openssh5.3p1 rpms for centos 4.7

[Brenno]

So, I'm jumping into this thread a little late, but hopefully on point.

We have hired a web developer to produce some content for us that will be hosted on our 7.4 machine.  They need access to an ibay in order to deposit their work (and ongoing access for maintenance/updates).

In reading the best way to allow access, I see many warnings about using FTP due to the plain text transmission of credentials.  sFTP is encouraged, yet the wiki articles imply a security risk in enabling Remote Access via SSH.  VPN access is mentioned as an alternative here, but as tbdsoft points out, this is a little dicey as this web developer would have access not only to the SME server, where specific permissions will govern which files/folders are accessible, but will also have access to all IP nodes behind the SME server (we're running in server/gateway).

So... forgive my ignorance because I'm really not a guru at this, but what is the best way to grant an outside user access to a specific ibay? Or am I in a position of picking the lesser of a few evils?

[janet]

Brenno

sFTP is encouraged, yet the wiki articles imply a security risk in enabling Remote Access via SSH.

AFAIK sftp and ssh are different. I'm not aware of any security issues with ssh. You can ssh (using Putty) as a user rather than root and be very limited in what you can do/access, as determined by ssh access permissions granted to the user (seperate permission model than server manager groups). You can use the scp command to copy.


 

VPN access ..... is a little dicey ..... where specific permissions will govern which files/folders are accessible, but will also have access to all IP nodes behind the SME server

The permission model is governed by Group membership, the use of which should be standard in all sme installations. When correctly setup, a VPN user would have NO access to ibays on the server unless or until they are made a member of the Group that owns the ibay. If you wish to limit access to one ibay for uploading files for a specific website, then you create a unique Group that ONLY your web developer is a member of. They and admin will be the only people who can access that ibay via samba.
Re access to all other hosts (IP's) on the network, this would usually be limited by domain membership. All host access would only be granted to users who have logged into the domain, and basic VPN access does not log a user into the domain. Again a VPN user cannot access hosts(IP's) behind sme unless they have permission to do so.
Typically a VPN user would be a trusted user as VPN access needs to be enabled on a per user basis, they need to firstly be a sme user (with limited access permissions if required), but VPN access needs to be enabled too.

Re giving a user access to an ibay, I see no problem with VPN on a system configured correctly.

You could also use ssh/Putty or WinSCP and login as a user with limited access permissions, which both use the ssh protocol which is known to be secure.

With sftp the ability to see folders is somewhat irrelevant if you don't have permission to access them. There is a suggestion made to use a newer openssh rpm which may fix the chroot jail issue and therefore resolve this problem.

You can use WebDAV as suggested with it's potential bugs.

[Brenno]

Mary - thanks for your input.  I did some brainstorming...

I think what I've settled on is giving the user VPN access (since they already have to have a valid account on the SME box) and then having them use a standard FTP client through the VPN tunnel (via internal IP of the server, which will be reachable once the VPN is established) and using the sme_remoteuseraccess contrib to sandbox or jail the user to the specific ibay in question.

This should limit the amount of access they have to the SME box while also limiting the amount of changes I have to make to the remote access settings in server-manager.  Additionally, since the user will be connected via VPN, they'll essentially be on the local network and I can turn off FTP access from outside networks, which is a gain.  I guess I'll think of a way to limit their ability to snoop about in the network, though I imagine they'd not risk the intrusion for fear of reprisal (though I understand potential risks may exist due to situations out of the user's control, such as viruses or malware which may probe the network unbeknowst to the user).

Does this sound reasonable?  Any advice?

[tdbsoft]

Brenno

AFAIK sftp and ssh are different. I'm not aware of any security issues with ssh. You can ssh (using Putty) as a user rather than root and be very limited in what you can do/access, as determined by ssh access permissions granted to the user (seperate permission model than server manager groups). You can use the scp command to copy.

ssh works well and security is not a issue.  Webshare works well but the backup program we have chosen needs a mapped drive or sftp.  sftp would be perfect unfortunately not ready yet.  Investigating using VPN with security tunneling as suggested by Mary as that may work or alternately may need to setup on a separate Linux PC with sftp using Ubuntu, Centos, Red hat etc.

 
The permission model is governed by Group membership, the use of which should be standard in all sme installations. When correctly setup, a VPN user would have NO access to ibays on the server unless or until they are made a member of the Group that owns the ibay. If you wish to limit access to one ibay for uploading files for a specific website, then you create a unique Group that ONLY your web developer is a member of. They and admin will be the only people who can access that ibay via samba.
Re access to all other hosts (IP's) on the network, this would usually be limited by domain membership. All host access would only be granted to users who have logged into the domain, and basic VPN access does not log a user into the domain. Again a VPN user cannot access hosts(IP's) behind sme unless they have permission to do so.
Typically a VPN user would be a trusted user as VPN access needs to be enabled on a per user basis, they need to firstly be a sme user (with limited access permissions if required), but VPN access needs to be enabled too.

Re giving a user access to an ibay, I see no problem with VPN on a system configured correctly.

You could also use ssh/Putty or WinSCP and login as a user with limited access permissions, which both use the ssh protocol which is known to be secure.

With sftp the ability to see folders is somewhat irrelevant if you don't have permission to access them. There is a suggestion made to use a newer openssh rpm which may fix the chroot jail issue and therefore resolve this problem.

You can use WebDAV as suggested with it's potential bugs.

[tdbsoft]

tdbsoft :
if you are interested, I've just built openssh5.3p1 rpms for centos 4.7

Yes please, could you post or email.

[janet]

Brenno

There is no need to use the added layer of ftp & sandboxing complexity inside the network unless you prefer the "ftp browser" interface. You can leave both external or internal ftp disabled.

Just establish the VPN connection and map a drive letter to the ibay in question via a small batch file, see
http://wiki.contribs.org/VPN_practical_tips#Establishing_connections_.26_drive_mapping
or connect directly to the drive via My Network Places \\servername\ibayname.
Access will have been allowed/limited in server manager via Group membership, and then use Windows Explorer to copy the files to the ibay/html folder. Couldn't be easier.

[Stefano]

Yes please, could you post or email.

please follow up here;
you'll find the src.rpm to be compiled on a test machine..
actually this feature needs modifications to SME's dir permission so it's dangerous