When you allow sftp access, they can still run any command sftp allows. Any way to avoid this? Also, is there any way to use lshell and OpenSSH sftp chroot so it locks users in their home dir when using sftp yet still allows ssh/lshell access?
Hi,
When you sftp onto a machine, lshell launches the sftp-server that is configured in your OpenSSH daemon configuration file (/etc/ssh/sshd_config on Debian); therefore, I am not able to restrict the access using lshell.
However, as you have suggested, it is possible to configure OpenSSH to chroot your SFTP connections. In this case:
- SSH: your user will be using lshell as their main shell
- SFTP: your user will connect to the chroot set up by OpenSSH's sftp functionality.
Here is a link to set up this kind of configuration: http://www.debian-administration.org/articles/590
I hope this answers your question.
Kind regards,
Ignace M -ghantoos-
Hi,
I have a similar issue.
I would like to allow my user 'myUser' to access my server using his sftp client OR using ssh.
- If he connects by sftp, he should be chrooted in /home/myUser.
- If he connects by ssh, he should not be chrooted but should have a limited shell (lshell).
According to http://www.debian-administration.org/articles/590, I configured sshd as below:
…
Subsystem sftp internal-sftp
Match User myUser
ChrootDirectory /home/myUser/
#ForceCommand internal-sftp   # commented out to allow lshell
…
And in /etc/passwd I changed myUser's shell to lshell.
However, it seems that the ChrootDirectory directive is also applied to every kind of ssh connection?!
- If ChrootDirectory is set: by ssh, I get "/usr/bin/lshell: No such file or directory", and by sftp the user is correctly chrooted.
- If ChrootDirectory is not set: by ssh I get the limited shell, but my sftp is not chrooted…
Is there a configuration mistake?
Is it really possible to separate sftp and ssh with lshell?
Thanks.
Mmouterde
Hi Mmouterde,
Thank you for reporting this. You are absolutely right about this.
As you said, it looks like the ChrootDirectory parameter is applied to both SFTP and SSH connections, and therefore it fails to find /usr/bin/lshell.
Which means that, using the above configuration, users using lshell cannot have their SFTP connections chrooted, unless your chroot directory contains all the files needed to run lshell.
I will look into this, and come back to you ASAP.
If you have any ideas, they are more than welcome :)
Regards,
Ignace M -ghantoos-
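The two sshd behaviours behind this exchange, as an added example written for this page (it is not lshell code and not part of any post above): sshd accepts a ChrootDirectory only if every path component, from / downwards, is a root-owned directory that is not group- or world-writable (otherwise the login is refused with "bad ownership or modes for chroot directory"), and it executes the login shell from /etc/passwd inside that chroot, which is why /usr/bin/lshell is reported as missing. On a default home layout /home/myUser is owned by myUser, so it would already fail the first check; the usual layout is a root-owned /home/myUser with a user-writable subdirectory. The script reproduces both checks on a constructed scratch tree. The allowed_uids parameter and build_demo_tree are assumptions added so it can run as an unprivileged user; real sshd accepts uid 0 only.

```python
"""Pre-flight checks for an OpenSSH ChrootDirectory (added example, not lshell code).

Two things sshd does when a Match block sets ChrootDirectory:
  1. every component of the chroot path must be a directory owned by root
     and not writable by group or others;
  2. the login shell from /etc/passwd is exec'd *inside* the chroot, so an
     interactive session needs the shell (and what it loads) under the chroot.
allowed_uids is an assumption for unprivileged testing; sshd accepts uid 0 only.
"""
import os
import stat
import tempfile
from pathlib import Path


def chroot_path_problems(chroot, allowed_uids=(0,)):
    """Return [(component, reason), ...] for every check sshd would fail.

    An empty list means sshd would accept `chroot` as ChrootDirectory.
    """
    problems = []
    parts = Path(os.path.abspath(chroot)).parts          # e.g. ('/', 'home', 'myUser')
    for i in range(1, len(parts) + 1):
        component = str(Path(*parts[:i]))                  # '/', '/home', '/home/myUser'
        try:
            st = os.stat(component)
        except FileNotFoundError:
            problems.append((component, "does not exist"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((component, "is not a directory"))
        if st.st_uid not in allowed_uids:
            problems.append((component, f"owned by uid {st.st_uid}, sshd requires root"))
        if st.st_mode & 0o022:                             # same mask sshd uses
            problems.append((component, f"mode {stat.S_IMODE(st.st_mode):04o} is group- or world-writable"))
    return problems


def shell_available_in_chroot(chroot, shell):
    """True if `shell` (an absolute path, as in /etc/passwd) is executable inside `chroot`."""
    inside = Path(chroot) / shell.lstrip("/")
    return inside.is_file() and os.access(inside, os.X_OK)


def build_demo_tree():
    """Constructed scratch layout standing in for /home/myUser (not a real system).

    'good' mimics a correctly prepared chroot (0755, with a bin/sh inside);
    'bad' mimics a user home that was left group-writable (0775).
    Note: on Linux the scratch tree lives under /tmp, which is world-writable,
    so /tmp itself is reported too; sshd would object to that as well.
    """
    base = Path(tempfile.mkdtemp(prefix="chroot-demo-"))
    good = base / "good"
    (good / "bin").mkdir(parents=True)
    sh = good / "bin" / "sh"
    sh.write_text("#!/bin/sh\n")
    sh.chmod(0o755)
    good.chmod(0o755)
    bad = base / "bad"
    bad.mkdir()
    bad.chmod(0o775)
    return {"good": str(good), "bad": str(bad), "allowed_uids": (0, os.getuid())}


if __name__ == "__main__":
    demo = build_demo_tree()
    for name in ("good", "bad"):
        print(name, chroot_path_problems(demo[name], demo["allowed_uids"]) or "ok")
    # The error from the thread: lshell is not inside the chroot, so sshd cannot exec it.
    print("/usr/bin/lshell usable inside chroot:",
          shell_available_in_chroot(demo["good"], "/usr/bin/lshell"))
```

Run it against the real /home/myUser (with the default allowed_uids) before restarting sshd; anything it lists is a login failure waiting to happen, and the shell check explains why an interactive session and a chrooted sftp session cannot share one ChrootDirectory unless the shell and its dependencies are copied in.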
Hi,
Ideas… hum, not really, sorry.
I suppose that a good solution could be to not use ChrootDirectory from ssh but a new tag in lshell?!
I do not know how 'GNU Rush' manages to provide a chroot parameter…
Anyway, thanks for your work!
mmouterde
It looks like GNU Rush needs to have sftp-server in their home directory. From there it invokes the sftp-server command and then chdirs them to whatever directory. Something similar, I guess, could work… Can't wait for this feature in lshell!!!!
6.3 sftp
Executing sftp on the client machine invokes sftp-server, without arguments, on the server.
We want to allow our users to use sftp to manage their ‘public_html’ directories. The sftp-server will be executed with the user's home directory as root, in a chrooted environment. For this to work, each user's home must contain a copy of sftp-server (which we'll place in ‘~/bin’ subdirectory) and all files it needs for normal execution: ‘/etc/group’ and ‘/etc/passwd’ with one entry (for the user and his group), and, unless the binary is linked statically, all the shared libraries it is linked with, in the subdirectory ‘~/lib’.
Given these prerequisites, the following rule will ensure proper sftp interaction:
  rule sftp-incoming
    command ^.*/sftp-server
    set /bin/sftp-server
    chroot ~
    chdir public_html
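What the GNU Rush excerpt above asks for, a copy of sftp-server plus the shared libraries it is linked against and one-entry passwd/group files inside the user's home, as an added example written for this page (not Rush, lshell or the poster's code). Assumptions: the binary is dynamically linked and ldd is available; libraries are copied to the same absolute paths inside the chroot rather than a flat ~/lib, because that is where the loader recorded in the binary will look for them (~/bin/sftp-server becomes /bin/sftp-server once ~ is the root, matching the rule's set line). Running ldd executes the loader on the binary, so only point it at binaries you trust. The demo uses /bin/sh as a stand-in for sftp-server and the hypothetical user name myUser so it runs on any Unix host.

```python
"""Populate a per-user chroot for sftp-server (added example, not Rush or lshell code).

Copies a binary and everything `ldd` reports for it into the chroot, mirroring
absolute paths, and writes a one-entry /etc/passwd and /etc/group. Assumptions:
dynamically linked binary, `ldd` present; /bin/sh stands in for sftp-server.
"""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path


def shared_libs(binary):
    """Absolute paths of the libraries and loader `ldd` reports for `binary`.

    Returns [] when ldd is missing or the binary is static; a library that is
    'not found' is skipped because it has no path to copy.
    """
    try:
        out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:                      # no ldd on this host
        return []
    libs = []
    for line in out.splitlines():
        tokens = line.split()
        if "=>" in tokens:                         # libc.so.6 => /lib/.../libc.so.6 (0x...)
            idx = tokens.index("=>")
            target = tokens[idx + 1] if idx + 1 < len(tokens) else ""
        elif tokens and tokens[0].startswith("/"):  # /lib64/ld-linux-x86-64.so.2 (0x...)
            target = tokens[0]
        else:                                      # linux-vdso.so.1 (0x...) and friends
            continue
        if target.startswith("/") and target not in libs:
            libs.append(target)
    return libs


def install_into_chroot(chroot, binary):
    """Copy `binary` and its libraries into `chroot` at their original paths.

    Returns the destination paths, binary first. copy2 follows symlinks, so
    /bin/sh -> dash ends up as a real file at <chroot>/bin/sh with its mode bits.
    """
    chroot = Path(chroot)
    installed = []
    for src in [binary] + shared_libs(binary):
        dst = chroot / src.lstrip("/")
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        installed.append(str(dst))
    return installed


def write_passwd_and_group(chroot, user, uid, gid, home="/", shell="/bin/false"):
    """Write one-entry /etc/passwd and /etc/group inside the chroot; returns the passwd line."""
    etc = Path(chroot) / "etc"
    etc.mkdir(parents=True, exist_ok=True)
    passwd_line = f"{user}:x:{uid}:{gid}::{home}:{shell}"
    (etc / "passwd").write_text(passwd_line + "\n")
    (etc / "group").write_text(f"{user}:x:{gid}:\n")
    return passwd_line


def present_in_chroot(chroot, path):
    """True if `path` (as seen from inside the chroot) exists there."""
    return (Path(chroot) / path.lstrip("/")).exists()


def build_demo_chroot(binary="/bin/sh"):
    """Constructed demo: scratch chroot for hypothetical user 'myUser' (caller's uid/gid)."""
    chroot = tempfile.mkdtemp(prefix="sftp-chroot-")
    installed = install_into_chroot(chroot, binary)
    passwd_line = write_passwd_and_group(chroot, "myUser", os.getuid(), os.getgid())
    return {"chroot": chroot, "installed": installed, "passwd_line": passwd_line}


if __name__ == "__main__":
    demo = build_demo_chroot()
    print("chroot:", demo["chroot"])
    for p in demo["installed"]:
        print("  installed", p)
    print("  passwd:", demo["passwd_line"])
```

For a real deployment call install_into_chroot(home, "/usr/lib/openssh/sftp-server") (path as on Debian) and write_passwd_and_group with the user's real uid and gid, then apply the ownership and mode rules the chroot directory itself must satisfy before pointing a Rush rule or sshd at it.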
I have gotten the following to work:
lshell for shell access
MySecureShell for sftp access
My understanding is that MySecureShell is a port of the sftp-server used by OpenSSH.
How do you configure sshd to select the shell (lshell or mysecureshell) depending on access ?
So what I did is have lshell in /etc/passwd as the shell. Then within sshd_config, "Subsystem sftp /bin/MySecureShell -c sftp-server" as the sftp server.
This allows some users to have both ssh/sftp access with restrictions. If I wanted an sftp-only account, I would change passwd to /bin/MySecureShell and they would only have sftp access.
> so what I did is have lshell in /etc/passwd as the shell.
> Then within sshd_config Subsystem sftp /bin/MySecureShell -c sftp-server as the sftp server.
> This allows some users to have both ssh/sftp access with restrictions.
> If I wanted an sftp only account then change passwd to /bin/MySecureShell and they will only have sftp access.
Thank you for this excellent tip!
Ignace M -ghantoos-
Ignace M -ghantoos-, the solution above works great. I know it is not within your project scope, but something similar within lshell would be great. Thanks again for developing lshell.
> so what I did is have lshell in /etc/passwd as the shell.
> Then within sshd_config Subsystem sftp /bin/MySecureShell -c sftp-server as the sftp server.
> This allows some users to have both ssh/sftp access with restrictions.
> If I wanted an sftp only account then change passwd to /bin/MySecureShell and they will only have sftp access.
What a nice solution!
Thanks a lot!
> the solution above works great. I know it is knot within your project scope but something similar within lshell would be great.
Hopefully, I will try to work on this soon. But I'm not sure how successful this will be :)
Thanks to all of you for your suggestions and solutions! And thank you for using lshell and helping me improve it.
Ignace M -ghantoos-
Hey ghantoos just became a user of your lshell package. Firstly thanks for the neat piece of software. I would like to request you to add this feature too.