Operating System - HP-UX

Re: sftp with restricted user accounts

SOLVED
Simeon Harwood
Regular Advisor

sftp with restricted user accounts

Good afternoon,

I need a little help with setting up sftp on an FTP server.

Our FTP server will sit in a DMZ, so before I put it there, I ran a security scan via Nessus to make sure that the machine was clean. I also created a script to create restricted user accounts (i.e. a user that, when logged in, can only move around their own home directory).

Here's the problem. I've installed OpenSSH from HP. When I create a normal user, sftp works fine, but the user can roam around the file system at will (not good!). If I create a restricted user using my script, I get a connection error when I try to use sftp:
Fatal: unable to initilise SFTP:could not connect.
If I go into /etc/passwd and change the "false" shell for a POSIX shell, the user is able to log in again, but has full system access (not good!).
BTW, the script that I'm using is in one of the man pages, just a simple one for changing permissions on home dirs etc.

Extra info:
I'm running HP-UX 11.00 on an A180c

Any info or help would be appreciated.

Sime.

You never had this problem with a pencil and paper!
Steven E. Protter
Exalted Contributor

Re: sftp with restricted user accounts

What you want to do is put ftp users into a chroot jail.

You can scan for the terms and find instructions on ITRC.

Or you can cheat and run the Bastille security check tool (HP approved and ported it), which will automatically, if you answer the questions right, configure ftp users into a chroot jail.

Bastille.
https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6849AA&date=

This will make sure your machine is REALLY clean.

Also, run this tool
security_patch_check

It will make sure your machine is REALLY up to date on known security problems.

https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6834AA&date=

Further issues:

Is the system a trusted system with password shadowing?

If not, have you run crack on a copy of your password file to make sure passwords are not guessable? It's a really good idea, and there is a public domain tar for that which will work on most 11.X systems.

Have you run the saint utility to probe the server for vulnerabilities? That's a good idea.

It's public domain, but a good tool.

P
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Simeon Harwood
Regular Advisor

Re: sftp with restricted user accounts

Steve,

Thanks for your info. Not sure it really solves my questions, though.
A few answers first: yes, I'm running Trusted Systems, I've run Nessus against the server and it came out clean, and I have got my users in a chrooted jail per user. I.e. when I create a new ftp user, they are restricted to their own home directory. When they are ftp connected and type "pwd", it says that they are at "/", but in fact they are in "/home/".

I still have the question on how to get "secure FTP" (part of open ssh) to run in this configuration. The error message I receive is in the first mail.

Any further help is appreciated.

Sime.
Tim Maletic
Valued Contributor
Solution

Re: sftp with restricted user accounts

See this thread: http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x4bd8cdec06f1d61190050090279cd0f9,00.html

If building OpenSSH from source is an option, I have some very bare-bones patches at:
http://home.attbi.com/~tmaletic/openssh_chroot.html. Googling on the topic will reveal several more robust options.
Simeon Harwood
Regular Advisor

Re: sftp with restricted user accounts

Tim,
Right on the money with this one. This is exactly what I want to do. I've downloaded the code for OpenSSH and your patch. I've compiled OpenSSH and it works fine. I now need to re-compile it again with your bit of code to get it all working. Just the last question is, where do I put your bit of code to get it incorporated? (I'm not too hot on coding or compiling.)

Ta,

Sime.
Tim Maletic
Valued Contributor

Re: sftp with restricted user accounts

Just copy the patch file into the openssh source directory, then, in that directory, run "patch session.c [patchfile]". HP's /usr/bin/patch will save a copy of session.c in session.c.orig by default. You'll then need to rerun the make and make install.
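Two things decide whether a chrooted sftp-only account like the ones in the original question will work at all: sshd starts sftp-server through the user's login shell, so a shell of /bin/false or /sbin/false kills the subsystem before the client ever connects (the "unable to initialise SFTP" symptom), and the jail root must be owned by root and not writable by anyone else, or the jailed user can alter the directory that confines them. The script below is an added example, not code from this thread and not part of Tim's patch; it audits both conditions over constructed passwd entries and a temporary directory, and the uid cutoff for system accounts and the list of acceptable shells are assumptions you would adjust for your own system.

```shell
#!/bin/sh
# Added audit example (not from the thread, not Tim's patch).
# Assumptions: passwd-format lines on stdin, uids below 100 are system
# accounts, and ALLOWED_SHELLS lists the shells sshd may use to exec sftp-server.

# audit_sftp_shells ALLOWED_SHELLS < passwd-lines
# Prints every non-system account whose login shell is not in the
# space-separated ALLOWED_SHELLS list; returns 1 if any were found, else 0.
audit_sftp_shells() {
    allowed=" $1 "
    bad=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        [ "$uid" -lt 100 ] && continue          # assumed cutoff for system accounts
        case "$allowed" in
            *" $shell "*) ;;                      # shell can exec the sftp subsystem
            *) printf '%s: shell %s cannot start the sftp subsystem\n' "$user" "$shell"
               bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# check_jail_dir DIR [OWNER]
# Returns 0 when DIR exists, is not group- or world-writable and, if OWNER is
# given, is owned by OWNER; prints the reason and returns 1 otherwise.
check_jail_dir() {
    dir="$1"; owner="$2"
    [ -d "$dir" ] || { printf '%s: not a directory\n' "$dir"; return 1; }
    set -- $(ls -ld "$dir")                     # $1 = mode string, $3 = owner name
    mode="$1"; have="$3"
    case "$mode" in
        ?????w*|????????w*)                     # 6th char = group write, 9th = other write
            printf '%s: mode %s is writable by group or others\n' "$dir" "$mode"
            return 1 ;;
    esac
    if [ -n "$owner" ] && [ "$have" != "$owner" ]; then
        printf '%s: owned by %s, expected %s\n' "$dir" "$have" "$owner"
        return 1
    fi
    return 0
}

# Constructed sample passwd entries: the first two mirror what a "false" shell
# restricted-account script produces, the third is a shell-capable account,
# the fourth is a system account that the audit skips.
SAMPLE_PASSWD='ftpjoe:x:1001:50:ftp user:/home/ftpjoe:/bin/false
ftpann:x:1002:50:ftp user:/home/ftpann:/sbin/false
ops:x:1003:50:operator:/home/ops:/usr/bin/sh
daemon:x:1:1:daemon:/:/bin/false'

demo() {
    if printf '%s\n' "$SAMPLE_PASSWD" | audit_sftp_shells "/usr/bin/sh /usr/bin/ksh /bin/sh"; then
        echo "all sftp accounts have a usable shell"
    else
        echo "some accounts will fail at subsystem start (see above)"
    fi
    jail=$(mktemp -d) || return 1
    chmod 775 "$jail"                           # deliberately too permissive
    check_jail_dir "$jail" || echo "fix: chown root and chmod 755 $jail"
    chmod 755 "$jail"
    check_jail_dir "$jail" && echo "$jail: permissions acceptable for a jail root"
    rmdir "$jail"
}

demo
```

Running it lists ftpjoe and ftpann as accounts whose shell will never launch sftp-server, and flags the jail directory until it is no longer group-writable. Later OpenSSH releases made the patch unnecessary: `ChrootDirectory` plus `ForceCommand internal-sftp` in sshd_config jails the session inside sshd itself, with no login shell and no external sftp-server binary needed inside the jail.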
Simeon Harwood
Regular Advisor

Re: sftp with restricted user accounts

Tim,
You are the man. I'm compiling now.
Thanks for an excellent answer.

Sime.
Steven E. Protter
Exalted Contributor

Re: sftp with restricted user accounts

Sorry I'm late with this, but here is a copy of my secure shell cookbook.

Mostly written by HP, a few mods. Because I don't have it at home, I'm linking to a prior post.

This link has a post by me and a copy of the cookbook. It's a Word doc. Let me know if you need it http.

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xfb2a5bd3782dd711abdc0090277a778c,00.html

Simeon Harwood
Regular Advisor

Re: sftp with restricted user accounts

done