topic Re: Access control on sftp in Operating System - Linux

Access control on sftp

M. Tariq Ayub — Wed, 15 Jun 2005 18:03:12 GMT

Hi,

I want to put IP and user restriction for SFTP and FTP server. OS if Fedora core 2.

Re: Access control on sftp

Stuart Browne — Wed, 15 Jun 2005 18:17:56 GMT

For 'vsftpd', it's fairly easy to restrict which IP's can connect.

You can either firewall port 21 out, or use the '/etc/hosts.allow' / '/etc/hosts.deny' tcp wrappers.

'sftp' however is a different beast all together. As it's basically just an FTP interface to 'ssh', restricting IP addresses would also restrict them in using 'ssh'. If that's ok, then it's the same. Firewall port 22 out, or add tcpwrapper entries.

i.e.
/etc/hosts.deny:

vsftpd: ALL

/etc/hosts.allow:

vsftpd: ,

see 'man hosts_access' for more details on how TCP wrappers work.

Re: Access control on sftp

Steven E. Protter — Wed, 15 Jun 2005 23:09:14 GMT

You might be better off creating a menu system triggered by .bash_profile that keeps the users off the command prompt and connects them to various applications sftp/ftp in that manner.

The problem there is even if you trap the ctrl-c or ctrl-break keystroke there may ways for your users to break out.

SEP

Re: Access control on sftp

Stuart Browne — Wed, 15 Jun 2005 23:40:25 GMT

Wow, we read that and got completely opposite meanings!

So I guess clarification is in order.

Do you want to put restrictions on your usings FTPing out of your server?

or restrictions on users accessing your server?

Re: Access control on sftp

Gopi Sekar — Thu, 16 Jun 2005 00:27:07 GMT

can you please be more specific. as stuart mentioned it is not very clear about your objective.

*if you want to block ip access to your ftp server then you can do so by hosts access list(/etc/hosts.allow and /etc/hosts.deny) or by using iptables firewall. You can do the same to deny sftp access.

*if you want to deny access to particular user logins through ftp then you can do so by adding the login ids in /etc/vsftpd/ftpusers

I am not sure of sftp though.

Regards,
Gopi

Re: Access control on sftp

M. Tariq Ayub — Thu, 16 Jun 2005 01:32:56 GMT

I want to restrict users to access server. Not going out. Only incoming

Re: Access control on sftp

Stuart Browne — Thu, 16 Jun 2005 01:39:19 GMT

Then what i've told you already is most of what you need.

As for restricting what users can FTP in, that's different.

I don't believe 'sftp' (via ssh) can do such restrictions, but 'vsftpd' most certainly can in the '/etc/vsftpd/vsftpd.conf'.

Re: Access control on sftp

Gopi Sekar — Thu, 16 Jun 2005 01:45:17 GMT

so what i have told you holds true. use /etc/hosts.allow and /etc/hosts.deny for access restriction based on ip address. or you can use iptables to block the port

and if you want to restrict users by login id, then you can do so by adding them in /etc/vsftpd/ftpusers

Hope this helps,
Gopi

Re: Access control on sftp

Ivan Ferreira — Tue, 21 Jun 2005 17:42:56 GMT

You can restrict the users conectig throug sftp using the AllowUsers AllowGroups options in sshd_config (i think), but this restrict also the use of ssh, scp, etc.

Also, you can modify the /etc/pam.d/sshd pam file and stack pam_listfile.so

auth required pam_listfile.so item=user sense=deny file=/etc/sftpusers
onerr=succeed

This should do the job.