
Sftp / lshell

2009-11-21
2013-04-25
  • Nobody/Anonymous

    When you allow sftp access they can still run any command sftp allows. Any way to avoid this? Also, any way to use lshell and the OpenSSH sftp chroot so it locks users in their home dir for sftp yet still allows ssh/lshell access?

     
  • Ignace Mouzannar

    Hi,

    When you sftp onto a machine, lshell launches the sftp-server that is configured in your OpenSSH daemon configuration file (/etc/ssh/sshd_config on a Debian), therefore, I am not able to restrict the access using lshell.

    However, as you have suggested, it is possible to configure OpenSSH to chroot your SFTP connections. In this case:
    - SSH: your user will be using lshell as main shell
    - SFTP: your user will connect to the chroot set up by OpenSSH sftp functionality.

    Here is a link to set up this kind of configuration: http://www.debian-administration.org/articles/590

    I hope this answers your question.

    Kind regards,
    Ignace M -ghantoos-

     
  • mmouterde

    mmouterde - 2009-11-22

    Hi,

    I have a similar issue.

    I would like to allow my user 'myUser' to access my server using his sftp client OR using ssh.

    - In case he accesses by sftp, he should be chrooted in /home/myUser.
    - In case he accesses by ssh, he should not be chrooted but have a limited shell (lshell).

    According to http://www.debian-administration.org/articles/590, I configure sshd as below :

         …
         Subsystem sftp internal-sftp
         Match myUser
             ChrootDirectory /home/myUser/
             #ForceCommand internal-sftp #Ignored to allow lshell
         …

    And I change in /etc/passwd the myUser's shell to lshell

    However, it seems that the ChrootDirectory directive is also applied to all ssh kinds of connection?!

    - If the ChrootDirectory is set: by ssh, I get "/usr/bin/lshell: No such file or directory", and by sftp the user is well chrooted.
    - If the ChrootDirectory is not set: by ssh I get the limited shell, but my sftp is not chrooted…

    Is there a configuration mistake?

    Is it really possible to separate sftp and ssh with lshell ?

    Thanks.

    Mmouterde
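A preflight check for the setup described in this post, added here as an example; it is not code from the thread, from lshell or from OpenSSH. It reads an sshd_config, works out which ChrootDirectory sshd would apply to a given user (a value inside a matching Match block overrides a global one), and then checks whether that user's login shell is still reachable once the session has been chrooted, which is exactly what produces "/usr/bin/lshell: No such file or directory" when the chroot contains no copy of lshell. It also checks the write bits of the chroot directory, since sshd rejects a ChrootDirectory that is group- or world-writable. Assumed, and not taken from the thread: POSIX sh, awk and getent are available, and only the documented `Match User <name>` criterion is parsed.

```shell
#!/bin/sh
# Added example, not from the thread or from lshell/OpenSSH.
# Preflight for the "lshell over ssh, chroot over sftp" setup: find the
# ChrootDirectory sshd applies to a user, then check that the user's login
# shell would still exist inside that chroot.
# Assumptions: POSIX sh, awk and getent are available; only the documented
# "Match User <name>" criterion of Match lines is understood.

# Print the ChrootDirectory sshd would apply to user $1 per config file $2.
# A value in a matching "Match User" block overrides a global one; for each
# scope the first value wins, as sshd does. Prints nothing if none applies.
effective_chroot() {
    awk -v user="$1" '
        $1 ~ /^#/ || NF == 0 { next }               # skip comments and blanks
        tolower($1) == "match" {                    # start of a Match block
            inmatch = 1; applies = 0
            for (i = 2; i < NF; i += 2)             # criterion/value pairs
                if (tolower($i) == "user") {
                    n = split($(i + 1), names, ",")
                    for (j = 1; j <= n; j++)
                        if (names[j] == user) applies = 1
                }
            next
        }
        tolower($1) != "chrootdirectory" { next }
        !inmatch { if (global == "") global = $2; next }
        applies && found == "" { found = $2 }
        END { print (found != "" ? found : global) }
    ' "$2"
}

# Print the command line of the sftp Subsystem from config file $1, if any.
sftp_subsystem() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" {
             $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# sshd refuses a ChrootDirectory that is group- or world-writable (it must
# also be root-owned along the whole path). Check the two write bits of
# directory $1 from ls -ld, which needs no GNU-specific stat flags.
chroot_mode_ok() {
    [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c6,9)" = "--" ]
}

# Report whether absolute shell path $2 is executable inside chroot $1.
# An empty $1 means no chroot applies, so the real path is checked.
shell_in_chroot() {
    root=${1%/}
    if [ -x "$root$2" ]; then
        echo "ok: $root$2 is reachable"
    else
        echo "missing: $root$2 (sshd would report \"$2: No such file or directory\")"
        return 1
    fi
}

# Run all checks for user $1 with config $2 (default /etc/ssh/sshd_config).
preflight() {
    user=$1; cfg=${2:-/etc/ssh/sshd_config}
    shell=$(getent passwd "$user" | cut -d: -f7)
    [ -n "$shell" ] || { echo "no such user: $user"; return 1; }
    root=$(effective_chroot "$user" "$cfg")
    echo "user=$user shell=$shell sftp='$(sftp_subsystem "$cfg")' chroot='${root:-none}'"
    if [ -n "$root" ] && ! chroot_mode_ok "$root"; then
        echo "warning: $root is missing or group/world-writable; sshd will reject it"
    fi
    shell_in_chroot "$root" "$shell"
}

# Usage: sh preflight.sh <user> [sshd_config]
if [ -n "${1:-}" ]; then preflight "$1" "${2:-}"; fi
```

Run it as root against the real sshd_config for the user in question; a "missing" result for the lshell path is the expected outcome of the configuration quoted above, because ChrootDirectory is applied to every session of the matched user, not only to sftp sessions.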

     
  • Ignace Mouzannar

    Hi Mmouterde,

    Thank you for reporting this. You are absolutely right about this.

    As you said, it looks like the ChrootDirectory parameter is applied to both SFTP and SSH connections, and therefore fails to find /usr/bin/lshell.
    Which means that, using the above configuration, users using lshell cannot have their SFTP connections chrooted, unless your chroot directory contains all the files needed to run lshell.

    I will look into this, and come back to you ASAP.

    If you have any ideas, they are more than welcome :)

    Regards,
    Ignace M -ghantoos-

     
  • mmouterde

    mmouterde - 2009-11-23

    Hi,

    ideas… hum, not really, sorry.

    I suppose that, a good solution could be to not use ChrootDirectory from ssh but a new tag in lshell ?!
    I do not know how 'GNU Rush' does to provide a chroot parameter…

    Anyway, thanks for your work !

    mmouterde

     
  • Nobody/Anonymous

    It looks like GNU Rush needs to have sftp-server in their home directory. From there it invokes the sftp-server command and then chdirs them to whatever directory. Something similar I guess could work… Can't wait for this feature in lshell !!!!

    6.3 sftp

    Executing sftp on the client machine invokes sftp-server, without arguments, on the server.

    We want to allow our users to use sftp to manage their ‘public_html’ directories. The sftp-server will be executed with the user's home directory as root, in a chrooted environment. For this to work, each user's home must contain a copy of sftp-server (which we'll place in ‘~/bin’ subdirectory) and all files it needs for normal execution: ‘/etc/group’ and ‘/etc/passwd’ with one entry (for the user and his group), and, unless the binary is linked statically, all the shared libraries it is linked with, in the subdirectory ‘~/lib’.

    Given these prerequisites, the following rule will ensure proper sftp interaction:

        rule sftp-incoming
          command ^.*/sftp-server
          set /bin/sftp-server
          chroot ~
          chdir public_html

     
  • Nobody/Anonymous

    I have gotten the following to work:
    lshell for shell access
    mysecureshell for sftp access
    My understanding is that mysecureshell is a port of the sftp-server used by openssh.

     
  • mmouterde

    mmouterde - 2009-11-23

    How do you configure sshd to select the shell (lshell or mysecureshell) depending on the access?

     
  • Nobody/Anonymous

    So what I did is have lshell in /etc/passwd as the shell. Then within sshd_config, "Subsystem sftp /bin/MySecureShell -c sftp-server" as the sftp server.
    This allows some users to have both ssh/sftp access with restrictions. If I wanted an sftp-only account, then change passwd to /bin/MySecureShell and they will only have sftp access.

     
  • Ignace Mouzannar

    > so what I did is have lshell in /etc/passwd as the shell.
    > Then within sshd_config Subsystem sftp /bin/MySecureShell -c sftp-server as the sftp server.
    > This allows some users to have both ssh/sftp access with restrictions.
    > If I wanted an sftp only account then change passwd to /bin/MySecureShell and they will only have sftp access.

    Thank you for this excellent tip!

    Ignace M -ghantoos-

     
  • Nobody/Anonymous

    Ignace M -ghantoos-, the solution above works great. I know it is not within your project scope, but something similar within lshell would be great. Thanks again for developing lshell.

     
  • mmouterde

    mmouterde - 2009-11-23

    > so what I did is have lshell in /etc/passwd as the shell.
    > Then within sshd_config Subsystem sftp /bin/MySecureShell -c sftp-server as the sftp server.
    > This allows some users to have both ssh/sftp access with restrictions.
    > If I wanted an sftp only account then change passwd to /bin/MySecureShell and they will only have sftp access.

    What a nice solution !

    Thanks a lot !

     
  • Ignace Mouzannar

    > the solution above works great. I know it is not within your project scope but something similar within lshell would be great.

    Hopefully, I will try to work on this soon. But I'm not sure how successful this will be :)

    Thanks to all of you for your suggestions and solutions! And thank you for using lshell and helping me improve it.

    Ignace M -ghantoos-

     
  • samad909

    samad909 - 2010-05-15

    Hey ghantoos, I just became a user of your lshell package. Firstly, thanks for the neat piece of software. I would like to request you to add this feature too.

     
