Operating System - HP-UX

Want to restrict access to SFTP and SSH

 
John O'Neill_6
Regular Advisor

Hi All,

I've just converted my HP UX 11.23 production candidate machine to trusted mode and have run bastille on it.

TELNET and FTP have been disabled along with a bunch of other daemons and services, so far applications look good.

Now, I am going to have my users connect via SSH. Using the TinyTerm Application, for those familiar with TinyTerm you can make it so that the user gets no menu bar and can not display the menu bar, which denies access to things like SFTP and so on.

However, I would like to tighten things up a bit more...

I would like to be able to achieve the following:

A) Restrict SFTP to one specific user other than root (This will be a 'maintenance' user used by I.T Admin only)

B) Block remote ROOT sftp and SSH access

This will mean that even if a user tries somehow to SFTP files off the box they won't be able to.

I've looked into CHROOT, but I think it would create a lot of issues with how our applications work.

Is this possible? I am worried that even though we've secured our comms and shut down unneeded services, that a user could 'steal' application data / programs that they have 'read' access to if they somehow manage to create an SFTP connection with their SSH user credentials...

Does HP UX have a mechanism other than CHROOT to restrict this type of access.

Any thoughts.
9 REPLIES
Bill Hassell
Honored Contributor

Re: Want to restrict access to SFTP and SSH

ssh and sftp know nothing about users. They ask the remote system to authenticate the user but otherwise, the user is just a name. You can protect access to sensitive files with ACLs. See man 5 acl


Bill Hassell, sysadmin
Patrick Wallek
Honored Contributor

Re: Want to restrict access to SFTP and SSH

Are your users getting access to the shell? If so, that is your primary problem. If you really want to lock things down you need to get your users directly into the application.

This can be accomplished in several different ways. Changing the users default shell to a menu script is one. You also need to make sure they can't get out to a shell from within the app.
John O'Neill_6
Regular Advisor

Re: Want to restrict access to SFTP and SSH

Hi,

Thanks for the replies.

To answer some questions...

The users can not access any shell and are never presented with a shell.

The .profile script launches the user into the application immediately without any prompts.

My worry is if a user somehow gets hold of an SFTP program (though I don't allow users to run their Windows PCs as local admins, so they can't install anything) and runs it against the server I'm wanting to protect.

Ralph Grothe
Honored Contributor

Re: Want to restrict access to SFTP and SSH

Hi John,

You can configure sshd to not allow any root logins by setting "PermitRootLogin no" in sshd_config.
Similarly, you can restrict who from which host is allowed to login by specifying a list of patterns along with the AllowUsers directive in sshd_config.
See man sshd_config for details.
Madness, thy name is system administration
Matti_Kurkela
Honored Contributor

Re: Want to restrict access to SFTP and SSH

A) Examine /opt/ssh/libexec/sftp-server. This is a symbolic link to the binary that provides the SFTP server functionality. Use "ll /opt/ssh/libexec/sftp-server" to see where the link points to.

The binary path varies according to your hardware architecture: for example, on a 64-bit PA-RISC it's /opt/ssh/PA-RISC2.0/libexec/sftp-server.

Change the permissions of the sftp-server binary so that only your specific user can run it.
(The sftp-server binary is run using the account of the connecting user. If the user has insufficient permissions to run the sftp-server binary, the sftp connection will fail.)

B) As someone already said, change the PermitRootLogin setting in /opt/ssh/etc/sshd_config to "no".

MK
inukoti
Frequent Advisor

Re: Want to restrict access to SFTP and SSH

Hi John,

You can restrict root access to the specified machine by editing sshd_config:

PermitRootLogin no

To stop the SFTP server, or to configure your access to the SFTP server, change the following parameters in sshd_config:

# override default of no subsystems
#Subsystem sftp /opt/ssh/libexec/sftp-server

# sftp-server umask control
#SftpUmask
#SftpPermitChmod yes
#SftpPermitChown yes

Have fun !!!
John O'Neill_6
Regular Advisor

Re: Want to restrict access to SFTP and SSH

Thanks for advice so far.

I've disabled remote 'root' login via updating the sshd_config file.

So I'm halfway there.

However, I've gone over all the man pages on the topic and - bear with me here please - cannot find an easy way to do the following:

A) Allow SSH for my application users
B) Deny SFTP for my application users
C) Allow SFTP for my 'maintenance' user

(I don't like the idea of using root for anything other than specific systems admin, and do not log in remotely, some people are happy to do application maintenance as root, but i've seen what happened once when someone logged in via FTP to a remote host one day and 'dragged and dropped' the wrong folder with a mouse track pad... ergh..ugly).

It seems to be an 'all or nothing' option: I can disable SSH (and subsequently SFTP) easily, but I want to be able to have more granularity.

Am I missing something? I'm keen to gain a better understanding, and have read all the docs, but I must be missing something.

-John
Heironimus
Honored Contributor

Re: Want to restrict access to SFTP and SSH

I think users without real shells (i.e. the shell is "/some/application" instead of "/usr/bin/sh") won't be able to sftp or scp. As I recall, sshd uses the shell specified in /etc/passwd to invoke the subprocesses that run the server's scp and sftp components.
Anilkumar BVN
New Member

Re: Want to restrict access to SFTP and SSH

Hi Niel,

My 2 cents....

A) Allow SSH for my application users
You can set AllowGroups directive in sshd_config by putting your application users as part of a group.

Thanks,
BVN
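The three controls that come up across the replies above (PermitRootLogin from Ralph and MK, the sftp-server binary permissions from MK, AllowGroups from BVN) are easy to misconfigure silently, so here is a worked check for them. This is an added example in POSIX sh, not code from the thread or from HP-UX Secure Shell. The group name "sftpadm", the temporary-file demonstration, and the use of mktemp -d, ls -L and id -gn are assumptions made for illustration; the paths match the ones the thread names.

```sh
#!/bin/sh
# Added example (not from the thread): audit the sshd_config settings and the
# sftp-server permission lock-down discussed above. Assumed names: group
# "sftpadm" is the only group allowed to run sftp-server; the Subsystem line
# points at the /opt/ssh/libexec/sftp-server symlink, as on the poster's box.

# Print the effective value of a keyword. sshd honours the FIRST non-comment
# occurrence of most keywords; a later duplicate is ignored, so a stray
# "PermitRootLogin yes" further down does NOT re-enable root logins.
sshd_setting() {  # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Succeeds (exit 0) only when remote root logins are refused outright.
root_login_blocked() {  # $1 = sshd_config path
    [ "$(sshd_setting "$1" PermitRootLogin)" = "no" ]
}

# Succeeds when a group is named on an AllowGroups line. Unlike most
# keywords, AllowGroups/AllowUsers lines accumulate, so every line is read.
# Exact names only: sshd also accepts wildcard patterns, not handled here.
group_allowed() {  # $1 = sshd_config path, $2 = group name
    awk -v g="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "allowgroups" {
            for (i = 2; i <= NF; i++) if ($i == g) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Succeeds when the real sftp-server binary (symlink followed by ls -L) is
# group-owned by $2 and has no execute bit for "other". sshd starts
# sftp-server as the logged-in user, so anyone outside that group cannot
# exec it and their sftp session fails, which is the effect MK describes.
sftp_binary_locked() {  # $1 = path (may be a symlink), $2 = owning group
    line=$(ls -lL "$1" 2>/dev/null) || return 1
    perms=$(printf '%s\n' "$line" | awk '{print $1}')
    grp=$(printf '%s\n' "$line" | awk '{print $4}')
    case $perms in
        ?????????x*) return 1 ;;   # 10th character = execute for "other"
    esac
    [ "$grp" = "$2" ]
}

# Self-contained demonstration on constructed input: a temporary sshd_config
# fragment and a stand-in for the binary. The stand-in is owned by the
# caller's own primary group because chgrp to "sftpadm" would need root.
# Returns 0 when every check behaves as expected.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/sshd_config" <<'EOF'
# constructed fragment in the style of /opt/ssh/etc/sshd_config
PermitRootLogin no
AllowGroups appusers
AllowGroups sftpadm
Subsystem sftp /opt/ssh/libexec/sftp-server
PermitRootLogin yes
EOF
    printf '#!/bin/sh\nexit 0\n' > "$tmp/sftp-server.bin"
    ln -s "$tmp/sftp-server.bin" "$tmp/sftp-server"
    mygrp=$(id -gn)
    rc=0
    root_login_blocked "$tmp/sshd_config" || rc=1
    group_allowed "$tmp/sshd_config" sftpadm || rc=1
    if group_allowed "$tmp/sshd_config" wheel; then rc=1; fi   # not listed
    chmod 755 "$tmp/sftp-server.bin"                # shipped default: world-exec
    if sftp_binary_locked "$tmp/sftp-server" "$mygrp"; then rc=1; fi
    chmod 750 "$tmp/sftp-server.bin"                # root and the group only
    sftp_binary_locked "$tmp/sftp-server" "$mygrp" || rc=1
    rm -rf "$tmp"
    return $rc
}

case ${1:-} in
    run) demo && echo "all checks passed" ;;
esac
```

Run it as `sh check.sh run`; on a real system call `root_login_blocked /opt/ssh/etc/sshd_config` and `sftp_binary_locked /opt/ssh/libexec/sftp-server sftpadm` directly after restarting sshd. One caveat worth keeping in mind: the permission change gates only the sftp subsystem. scp, and any `ssh host command`, is executed by sshd as `login-shell -c "command"`, and a non-interactive `sh -c` does not read .profile, so a .profile that launches the application (as in the poster's setup) does not block scp for accounts whose shell is still /usr/bin/sh. Heironimus's suggestion of a non-shell login program, or Patrick's restricted menu shell, is what closes that path.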