Koozali.org: home of the SME Server

Help with SFTP

Offline tdbsoft

Help with SFTP
« on: January 11, 2010, 05:13:32 PM »
Trying to setup secure SFTP access nearly done but small problem with user access.

I have SME 7.4 and have installed Smeserver-remoteuseraccess.  Setup a new user and allowed ssh + vpn for the user.  I can login with Filezilla and all is working except that I can change directory up through the folder tree; some folders are protected, others allow uploading or downloading of files.

This is unacceptable as each user should not be able to change up from their home directory and see other users' files etc.  I have set the chroot path but it has little or no effect on access except for changing the initial directory shown.  Any ideas as to what I might be doing wrong or pointers to a howto document would be much appreciated.

Also if anyone knows how to setup SFTP to an I-bay that would be as good.

Offline Stefano

Re: Help with SFTP
« Reply #1 on: January 11, 2010, 06:30:11 PM »
Hi

unfortunately smeserver-remoteaccess can "chroot" only ftp.. actually there's no (easy) way to chroot ssh/sftp access

if you search the forums you'll find other threads about it.. one possible solution not supported, i.e. do at your own risk is to upgrade to the last openssh release.. as I said, search the forums..

anyway, as you can easily verify, user can only see names of files/dirs.. he can't do anything if he has not the right permission

Offline tdbsoft

Re: Help with SFTP
« Reply #2 on: January 12, 2010, 02:30:29 AM »
Hi Stefano,

Thanks for the info. 
Documentation for SME all says to use SFTP as FTP is insecure but it seems that there is no easy way to implement SFTP. 

Anyway can you suggest the best way to provide basic FTP to the SME server that works and can provide basic security.  Must not allow a user to see others' files or change folder from their root directory.

What do others use to implement FTP on the SME server?

Thanks for your help


Offline janet

Re: Help with SFTP
« Reply #3 on: January 12, 2010, 03:53:08 AM »
tdbsoft

Quote
What do others use to implement FTP on the SME server?

Just don't.
Why do they need ftp type access anyway, just to access files ?

Use VPN, and user access will be limited to ibays that they are owners of via group memberships, and their own homefolder.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline tdbsoft

Re: Help with SFTP
« Reply #4 on: January 12, 2010, 04:50:11 AM »
Hi Mary,

Need FTP type access as users will be connecting via the Internet and storing files on the server.  Very occasionally they will need to retrieve files also.  I.e. the server is employed in a backup role to store files.

So need FTP or SFTP to work and as securely as possible.


Offline janet

Re: Help with SFTP
« Reply #5 on: January 12, 2010, 05:09:24 AM »
tdbsoft

ftp is not secure so don't even consider that if you are talking about a secure connection, plain text passwords are sent etc.
sftp is the only possibility, but that has other issues on sme server that you are not happy with, so forget sftp also.

With VPN, you allow users to have VPN access, so already there is high security.
Users who are not allowed access (the default) cannot even connect via VPN.

Once connected you are part of the local network and have access to shares based on your group membership, you can upload or download files etc.

Do you understand what VPN is ?

The alternative is to create a ssh tunnel using Putty and connect that way.
Search forums etc for tips on doing that.
Not sure if there is a wiki Howto, so look.
« Last Edit: January 12, 2010, 05:26:23 AM by mary »

Offline tdbsoft

Re: Help with SFTP
« Reply #6 on: January 14, 2010, 02:12:55 AM »
We tried your suggestion of using VPN but it is even less secure than ftp.  VPN gave access to the i-bay but it also gave access to the LAN and although I could put the server on its own separate LAN outside of my main LAN I prefer not to.

Anyway SFTP allows file transfers to be resumed, and it is also supposed to be secure.  So I will be pursuing a way to chroot the user to their home directory.  If SFTP is as secure as mooted by all the documentation then there must be a way to chroot the user; I see howtos in the other distros.


Offline janet

Re: Help with SFTP
« Reply #7 on: January 14, 2010, 03:26:34 AM »
tdbsoft

Create a ssh tunnel, search here as I'm sure there are numerous notes about it.

Another alternative which I've used for years, is the webshare contrib. See dmay contrib folders. It saves data in /opt in subfolders you create via the server manager interface. It uses a separate user database than sme. Upload or download. I've seen some people mentioning to create a symlink to an ibay as required, never tried that myself.

By the way, a VPN connection is secure, your complaint is about the access rights the user then has. You control this with group ownership of ibays, and allow users membership of groups as required. You can limit a user's ability to send email with a db command ie to local only.
« Last Edit: January 14, 2010, 03:37:20 AM by mary »

Offline cactus

Re: Help with SFTP
« Reply #8 on: January 14, 2010, 06:47:32 PM »
Quote
We tried your suggestion of using VPN but it is even less secure than ftp.  VPN gave access to the i-bay but it also gave access to the LAN and although I could put the server on its own separate LAN outside of my main LAN I prefer not to.
That does not have much to do with security. It merely is a feature you do not desire. Sending password over the line unencrypted (as is done using FTP) is a far bigger risk than a controlled set of users being able to see and access files from others.

If you assign users to the correct groups, with the proper privileges, they should not be able to access your ibays if you do not desire that.

Perhaps you are better off specifying your goals and boundaries so we can help guide you and work things out. At the moment we keep suggesting things which seem to be turned down with new arguments. It might help if you specify your desires and things you absolutely do not want.
« Last Edit: January 14, 2010, 06:49:36 PM by cactus »
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline tdbsoft

Re: Help with SFTP
« Reply #9 on: January 15, 2010, 02:10:00 AM »
Goal is very simple: SFTP that does not allow users of the SFTP to be able to see other users' files or folders.  File transfer with resume of an upload or download, security, no viewing of others' files or access, not worried if it is to an i-bay or the user's home directory.

All of this is what SFTP is designed for and the documentation all says to use SFTP, and it works except for the viewing of other people's folders/files.  It might be possible to use VPN or tunneling etc, but why, when SFTP is exactly what is needed and yet it seems that it is not able to stop people from seeing other people's files.

Using VPN and tunneling is like programming an accounting program in Excel: it might be possible but is not the best choice for the job.

Has anyone been able to chroot SFTP users to a home directory?


Offline janet

Re: Help with SFTP
« Reply #10 on: January 15, 2010, 02:43:34 AM »
tdbsoft

Your question was answered in the second post of this thread, by a person who appears reasonably knowledgeable about sme server.
http://forums.contribs.org/index.php/topic,45394.msg220398.html#msg220398

The feature you require appears to be not available with current stable release of sme server.

You have been given alternatives and no one else is coming forward and providing you with the answer you are wanting, so I suggest you re-read the advice given here or wait until further development occurs which incorporates the functionality you are after.

Please lodge a new feature request (NFR) in bugzilla.

The sme server security model has been chosen for good reasons, and some may feel it is stricter than other similar Linux servers. It's probably more accurate to say it the other way around, ie that other distros security models are not as strict as they should be.

It appears with the current sme design concepts that sftp with the limitations you desire is not easy to implement while still retaining the high security model of sme, and that's probably the very reason why it has not yet been implemented.

Offline tdbsoft

Re: Help with SFTP
« Reply #11 on: January 15, 2010, 03:14:46 AM »

Mary

Thank you for your help.

Quote
Please lodge a new feature request (NFR) in bugzilla.

It's not a new feature. SFTP, SECURE FTP, letting a SFTP client view others' files is not secure.

Quote
The sme server security model has been chosen for good reasons, and some may feel it is stricter than other similar Linux servers. It's probably more accurate to say it the other way around, ie that other distros security models are not as strict as they should be.

Yes SME is a great distro, but that does not change the fact that SFTP is a common service and is documented as secure in the documentation in SME.  It says several times in SME documentation to use SFTP as it is secure.

Quote
It appears with the current sme design concepts that sftp with the limitations you desire is not easy to implement while still retaining the high security model of sme, and that's probably the very reason why it has not yet been implemented.

Yes, true, SME does not have secure FTP either. I will wait for the next version which hopefully will allow the chrooting of the user to the folder.

Thanks to all (Topic Closed)

Offline janet

Re: Help with SFTP
« Reply #12 on: January 15, 2010, 04:20:44 AM »
tdbsoft

What's wrong with webshare ?

The NFR I referred to was the ability to sftp without seeing others folders and files.

Offline tdbsoft

Re: Help with SFTP
« Reply #13 on: January 15, 2010, 05:02:59 AM »
Quote
tdbsoft

What's wrong with webshare ?

The NFR I referred to was the ability to sftp without seeing others folders and files.

Mary,

Will check out Webshare it might be Ok for the job.

NFR / bug: I think this is already posted (2nd post above); the next version of openssh will likely support chrooting the user to their home directory or other folder.

Thank you, I will let you know how I go with Webshare, Cheers Trevor

Offline Stefano

Re: Help with SFTP
« Reply #14 on: January 15, 2010, 09:33:24 AM »
Quote
Goal is very simple: SFTP that does not allow users of the SFTP to be able to see other users' files or folders.  File transfer with resume of an upload or download, security, no viewing of others' files or access, not worried if it is to an i-bay or the user's home directory.

All of this is what SFTP is designed for and the documentation all says to use SFTP, and it works except for the viewing of other people's folders/files.  It might be possible to use VPN or tunneling etc, but why, when SFTP is exactly what is needed and yet it seems that it is not able to stop people from seeing other people's files.

this is not a SME issue/limitation.. it's a limit of the openssh package that comes with Centos4.x

Quote
Has anyone been able to chroot SFTP users to a home directory?

as I told you since the beginning, no, but...

HTH