FTP Transfer: Restricting WinSCP only to a particular folder
I am using WinSCP FTP tool to download files from the Linode.
It is the recommended FTP tool by Linode:
I am using a normal (non-root) unix user to log into the server to backup files on a regular basis. Once logged in, the WinSCP tool displays the whole file system.
How do I provide access only to a user's home directory and restrict access to other files and directories?
Thanks,
Avinash
28 Replies
1) I am using CentOS 5.6-SP2. Will these changes work?
2) I actually tried and made the changes listed in the website. I am receiving an error when sshd is restarted.
Stopping sshd: [FAILED]
Starting sshd: /etc/ssh/sshd_config: line 120: Bad configuration option: Match
/etc/ssh/sshd_config: terminating, 1 bad configuration options
[FAILED]
@bozo:
Create SFTP Jails?
sshd -V
It'll throw an error, but it'll print the sshd version you have. It could be that CentOS 5 has an old version that doesn't support the Match directive.
sshd -v
sshd: illegal option -- v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
/etc/sshd_config file:
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Match group filetransfer
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
@obs:
Post the contents of your sshd_config file, also run
sshd -V
It'll throw an error, but it'll print the sshd version you have. It could be that CentOS 5 has an old version that doesn't support the Match directive.
@Avinash.Rao:
Subsystem sftp /usr/libexec/openssh/sftp-server
Match group filetransfer
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
As defined in the tutorial you said you followed…
> Edit your /etc/ssh/sshd_config file, making sure the following line is present. If your system's file has a line that begins with "Subsystem sftp" modify it to resemble the following: File excerpt: /etc/ssh/sshd_config
> Subsystem sftp internal-sftp
You didn't edit the Subsystem line. I would start by fixing that first and then making sure you followed the rest of the tutorial properly.
Good luck!
I did change that to Subsystem sftp internal-sftp.
Regards..
@Typo:
@Avinash.Rao:
Subsystem sftp /usr/libexec/openssh/sftp-server
Match group filetransfer
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
As defined in the tutorial you said you followed…
> Edit your /etc/ssh/sshd_config file, making sure the following line is present. If your system's file has a line that begins with "Subsystem sftp" modify it to resemble the following: File excerpt: /etc/ssh/sshd_config
> Subsystem sftp internal-sftp
You didn't edit the Subsystem line. I would start by fixing that first and then making sure you followed the rest of the tutorial properly. Good luck!
Aren't these conflicting?
@Avinash.Rao:
I also noticed conflicting entries, the 'X11Forwarding' value is set to yes in the beginning but at the end we are setting this to 'no'.
Aren't these conflicting?
No, the second one overrides the x11forwarding only for the group 'filetransfer'.
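Two things the thread leaves implicit, shown as an added example that is not from the thread, from Linode or from OpenSSH: how the Match block changes the effective configuration only for members of 'filetransfer', and the ownership rule sshd applies to the ChrootDirectory %h target before it will chroot a session. The parser, the constructed config and the constructed home directory are mine; it assumes Linux with GNU stat (as on the CentOS box above) and evaluates only User and Group criteria, treating any other criterion as not matching.

```shell
#!/bin/sh
# Added example (not from the thread): resolve which value a Match block leaves in
# effect for a given user, and pre-check the ownership rule sshd applies to
# ChrootDirectory. Assumes Linux with GNU stat (as on the CentOS box in the thread).

# effective_value CONFIG KEYWORD USER "GROUP1 GROUP2 ..."
# sshd semantics: in the global section the first value wins; a Match block whose
# criteria all hold overrides it (and among matching blocks the first value wins).
effective_value() {
    awk -v key="$2" -v user="$3" -v groups=" $4 " '
        function matches(crit, pat,   n, i, a) {       # User/Group criteria only
            n = split(pat, a, ",")                     # criteria may be comma lists
            for (i = 1; i <= n; i++)
                if ((crit == "user" && a[i] == user) ||
                    (crit == "group" && index(groups, " " a[i] " "))) return 1
            return 0
        }
        BEGIN { active = 1 }
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next; kw = tolower($1) }
        kw == "match" {
            inmatch = 1; active = 1
            for (i = 2; i <= NF; i += 2) if (!matches(tolower($i), $(i + 1))) active = 0
            next
        }
        kw == tolower(key) && active {
            v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (inmatch) { if (mval == "") mval = v } else if (gval == "") gval = v
        }
        END { print (mval != "" ? mval : gval) }' "$1"
}

# chroot_path_ok DIR
# sshd refuses to chroot unless DIR and every parent are owned by root and not
# writable by group or other ("bad ownership or modes for chroot directory").
chroot_path_ok() {
    p=$(cd "$1" && pwd -P) || return 1                 # absolute, existing path
    while :; do
        info=$(stat -c '%u %a' "$p") || return 1
        set -- $info                                   # $1 = owner uid, $2 = octal mode
        [ "$1" = 0 ] || { echo "$p: owned by uid $1, must be root" >&2; return 1; }
        case $2 in *[0145][0145]) ;; *) echo "$p: mode $2 is group/other writable" >&2; return 1 ;; esac
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Constructed config carrying the thread's Match block, plus a constructed home directory.
DEMO_DIR=$(mktemp -d); trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CFG=$DEMO_DIR/sshd_config
cat > "$DEMO_CFG" <<'EOF'
X11Forwarding yes
Subsystem sftp internal-sftp
Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
DEMO_HOME=$DEMO_DIR/home/backup; mkdir -p "$DEMO_HOME"; chmod 777 "$DEMO_HOME"
for spec in "backup:filetransfer" "admin:admin wheel"; do   # user:groups
    u=${spec%%:*}; g=${spec#*:}
    echo "$u: ForceCommand=[$(effective_value "$DEMO_CFG" ForceCommand "$u" "$g")] X11Forwarding=$(effective_value "$DEMO_CFG" X11Forwarding "$u" "$g")"
done
chroot_path_ok "$DEMO_HOME" || echo "sshd would refuse ChrootDirectory $DEMO_HOME"
```

sshd -t only checks the file's syntax; on OpenSSH 5.1 and later, sshd -T -C user=NAME,host=HOST,addr=ADDR prints the effective configuration sshd itself computes for that connection, which is the authoritative version of the first function above.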
I'm sorry for not looking earlier at your answer when someone asked, but when checking your reply about what version you're running, it's obvious yours is quite old.
Yours:
> OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
I am pretty sure that Match support like you're trying to use wasn't added until version 5+, so yours is too outdated to support this option.
I would try updating.
yum update openssh
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
base: mirror.sov.uk.goscomb.net
extras: mirror.sov.uk.goscomb.net
updates: mirrors.coreix.net
Setting up Update Process
Resolving Dependencies
--> Running transaction check
--> Processing Dependency: openssh = 4.3p2-72.el5_6.3 for package: openssh-clients
--> Processing Dependency: openssh = 4.3p2-72.el5_6.3 for package: openssh-server
---> Package openssh.x86_64 0:4.3p2-82.el5 set to be updated
--> Running transaction check
---> Package openssh-clients.x86_64 0:4.3p2-82.el5 set to be updated
---> Package openssh-server.x86_64 0:4.3p2-82.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
openssh x86_64 4.3p2-82.el5 base 291 k
Updating for dependencies:
openssh-clients x86_64 4.3p2-82.el5 base 456 k
openssh-server x86_64 4.3p2-82.el5 base 280 k
Transaction Summary
================================================================================
Install 0 Package(s)
Upgrade 3 Package(s)
Total download size: 1.0 M
Is this ok [y/N]:
@Typo:
Ok, it looks like your sshd is outdated.
I'm sorry for not looking earlier at your answer when someone asked, but when checking your reply about what version you're running, it's obvious yours is quite old.
Yours:
> OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
I am pretty sure that Match support like you're trying to use wasn't added until version 5+, so yours is too outdated to support this option. I would try updating.
@Avinash.Rao:
Should I upgrade openssh?
Yes, but I'm not sure how repositories work with CentOS, so you may not be updating to a new enough version. Be sure to check what version it updates to when done.
Crossing my fingers for ya.
sshd -v
sshd: illegal option -- v
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
usage: sshd [-46Ddeiqt] [-b bits] [-f configfile] [-g logingrace_time]
[-h hostkeyfile] [-k keygentime] [-o option] [-p port] [-u len]
@Typo:
@Avinash.Rao:
Should I upgrade openssh?
Yes, but I'm not sure how repositories work with CentOS, so you may not be updating to a new enough version. Be sure to check what version it updates to when done. Crossing my fingers for ya.
:)
@Avinash.Rao:
You are right, I finished the update and the version is the same!
Ok, the following is from a random website but I updated the instructions for the latest version of openssh available (6.0).
> How to install openssh 5 on Centos 5
Execute this in shell
rpm -qa | grep ssh && yum -y install gcc automake autoconf libtool make openssl-devel pam-devel rpm-build && wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-6.0p1.tar.gz && wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-6.0p1.tar.gz.asc && wget -O- http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/DJM-GPG-KEY.asc | gpg --import && gpg openssh-6.0p1.tar.gz.asc && tar zxvf openssh-6.0p1.tar.gz && cp openssh-6.0p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/ && cp openssh-6.0p1.tar.gz /usr/src/redhat/SOURCES/ && cd /usr/src/redhat/SPECS/ && perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec && rpmbuild -bb openssh.spec && cd /usr/src/redhat/RPMS/`uname -i` && uname -i && ls -l && rpm -Uvh openssh*rpm
Confirm the installation
rpm -qa | grep ssh
I take no responsibility for how well the above works; I did not make it but found it from this site and did minor editing (5.6 to 6.0) for you.
Let me know how it goes.
p.s. There are other sites with info on building openssh for CentOS, so if this fails, don't give up.
openssh-4.3p2-82.el5
openssh-clients-4.3p2-82.el5
openssh-server-4.3p2-82.el5
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.sov.uk.goscomb.net
extras: mirror.sov.uk.goscomb.net
updates: mirrors.coreix.net
Setting up Install Process
Package gcc-4.1.2-52.el5.x86_64 already installed and latest version
Package automake-1.9.6-2.3.el5.noarch already installed and latest version
Package autoconf-2.59-12.noarch already installed and latest version
Package libtool-1.5.22-7.el5_4.x86_64 already installed and latest version
Package 1:make-3.81-3.el5.x86_64 already installed and latest version
Package openssl-devel-0.9.8e-22.el5_8.1.x86_64 already installed and latest version
Package openssl-devel-0.9.8e-22.el5_8.1.i386 already installed and latest version
Package pam-devel-0.99.6.2-6.el5_5.2.x86_64 already installed and latest version
Package pam-devel-0.99.6.2-6.el5_5.2.i386 already installed and latest version
Package rpm-build-4.4.2.3-28.el5_8.x86_64 already installed and latest version
Nothing to do
--2012-04-23 12:22:03--
Resolving ftp.halifax.rwth-aachen.de… 137.226.34.42
Connecting to ftp.halifax.rwth-aachen.de|137.226.34.42|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 1126034 (1.1M) [application/octet-stream]
Saving to: `openssh-6.0p1.tar.gz'
100%[==============================================================================================================================>] 1,126,034 4.58M/s in 0.2s
2012-04-23 12:22:03 (4.58 MB/s) - `openssh-6.0p1.tar.gz' saved [1126034/1126034]
--2012-04-23 12:22:04--
Resolving ftp.halifax.rwth-aachen.de… 137.226.34.42
Connecting to ftp.halifax.rwth-aachen.de|137.226.34.42|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 188 [application/octet-stream]
Saving to: `openssh-6.0p1.tar.gz.asc'
100%[==============================================================================================================================>] 188 --.-K/s in 0s
2012-04-23 12:22:04 (8.08 MB/s) - `openssh-6.0p1.tar.gz.asc' saved [188/188]
-bash: gpg: command not found
--2012-04-23 12:22:04--
Resolving ftp.halifax.rwth-aachen.de… 137.226.34.42
Connecting to ftp.halifax.rwth-aachen.de|137.226.34.42|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 1725 (1.7K) [application/octet-stream]
Saving to: `STDOUT'
0% [ ] 0 --.-K/s in 0s
Cannot write to `-' (Broken pipe).
[root@hostname ~]#
2) I also tried adding the mirror listed in
rpm -ihv
Retrieving
error: skipping
3) yum update
Finished Dependency Resolution
openssh-clients-5.8p2-16.el5.1.x86_64 from CentALT has depsolving problems
--> Missing Dependency: libedit.so.0()(64bit) is needed by package openssh-clients-5.8p2-16.el5.1.x86_64 (CentALT)
Error: Missing Dependency: libedit.so.0()(64bit) is needed by package openssh-clients-5.8p2-16.el5.1.x86_64 (CentALT)
You could try using --skip-broken to work around the problem
You could try running: package-cleanup --problems
package-cleanup --dupes
rpm -Va --nofiles --nodigest
The program package-cleanup is found in the yum-utils package.
@Typo:
@Avinash.Rao:You are right, I finished the update and the version is the same!
Ok, the following is from a random website but I updated the instructions for the latest version of openssh available (6.0).
> How to install openssh 5 on Centos 5
Execute this in shell
rpm -qa | grep ssh && yum -y install gcc automake autoconf libtool make openssl-devel pam-devel rpm-build && wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-6.0p1.tar.gz && wget http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/openssh-6.0p1.tar.gz.asc && wget -O- http://ftp.halifax.rwth-aachen.de/openbsd/OpenSSH/portable/DJM-GPG-KEY.asc | gpg --import && gpg openssh-6.0p1.tar.gz.asc && tar zxvf openssh-6.0p1.tar.gz && cp openssh-6.0p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/ && cp openssh-6.0p1.tar.gz /usr/src/redhat/SOURCES/ && cd /usr/src/redhat/SPECS/ && perl -i.bak -pe 's/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/' openssh.spec && rpmbuild -bb openssh.spec && cd /usr/src/redhat/RPMS/`uname -i` && uname -i && ls -l && rpm -Uvh openssh*rpm
Confirm the installation
rpm -qa | grep ssh
I take no responsibility for how well the above works; I did not make it but found it from this site and did minor editing (5.6 to 6.0) for you. Let me know how it goes.
p.s. There are other sites with info on building openssh for CentOS, so if this fails, don't give up.
@Avinash.Rao:
Here's what is happening when I execute the code:
Ok, try this tutorial, but again, you may want to replace the 5.8(s) with 6.0 to get the latest version…
Good luck!
I did everything that was listed on the tutorial website.
The rpm build completed without any errors. Unfortunately, the version doesn't seem to change!
Last few lines of rpm build.
Processing files: openssh-6.0p1-1
Executing(%doc): /bin/sh -e /var/tmp/rpm-tmp.9920
umask 022
cd /usr/src/redhat/BUILD
cd openssh-6.0p1
DOCDIR=/var/tmp/openssh-6.0p1-buildroot/usr/share/doc/openssh-6.0p1
export DOCDIR
rm -rf /var/tmp/openssh-6.0p1-buildroot/usr/share/doc/openssh-6.0p1
/bin/mkdir -p /var/tmp/openssh-6.0p1-buildroot/usr/share/doc/openssh-6.0p1
cp -pr CREDITS ChangeLog INSTALL LICENCE OVERVIEW README README.dns README.platform README.privsep README.tun PROTOCOL PROTOCOL.agent PROTOCOL.certkeys PROTOCOL.mux TODO /var/tmp/openssh-6.0p1-buildroot/usr/share/doc/openssh-6.0p1
exit 0
@Typo:
@Avinash.Rao:
Here's what is happening when I execute the code:
Ok, try this tutorial, but again, you may want to replace the 5.8(s) with 6.0 to get the latest version… Good luck!
@Avinash.Rao:
Thanks a lot..
I did everything that was listed on the tutorial website.
The rpm build completed without any errors. Unfortunately, the version doesn't seem to change!
So ssh -v shows the same version? Did you remember to install the RPMs?
> Now if you go back into /usr/src/redhat/RPMS/, you should see three RPMs. Go ahead and install them: rpm -Uvh *.rpm
ssh restarted successfully.
Can I configure this in such a way that the user should be able to ssh from a remote computer but also apply restriction in WinSCP?
@Typo:
@Avinash.Rao:
Thanks a lot..
I did everything that was listed on the tutorial website.
The rpm build completed without any errors. Unfortunately, the version doesn't seem to change!
So ssh -v shows the same version? Did you remember to install the RPMs?
> Now if you go back into /usr/src/redhat/RPMS/, you should see three RPMs. Go ahead and install them: rpm -Uvh *.rpm
@Avinash.Rao:
Yup!! Resolved!! Thank You so much for the support.
ssh restarted successfully.
Can I configure this in such a way that the user should be able to ssh from a remote computer but also apply restriction in WinSCP?
Glad you have it working :)
To be honest, I don't really understand your new question.
So it's either only SFTP or SSH access, I want to be able to enable the same for a single user!
@Typo:
@Avinash.Rao:
Yup!! Resolved!! Thank You so much for the support.
ssh restarted successfully.
Can I configure this in such a way that the user should be able to ssh from a remote computer but also apply restriction in WinSCP?
Glad you have it working :) To be honest, I don't really understand your new question.
@Avinash.Rao:
Adding users to 'filetransfer' group will prevent these users from being able to log into a remote shell session.
So it's either only SFTP or SSH access, I want to be able to enable the same for a single user!
Not sure off the top of my head, but I can probably do some looking for you in a little bit. First, though, you should re-post your current sshd_config so we can make sure where you are config-wise, so whether it's me or someone else who helps, we have all the proper info.
#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp internal-sftp

Match group filetransfer
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
The reason I am asking is I have a user who needs to use both ssh and SFTP.
@Typo:
@Avinash.Rao:
Adding users to 'filetransfer' group will prevent these users from being able to log into a remote shell session.
So it's either only SFTP or SSH access, I want to be able to enable the same for a single user!
Not sure off the top of my head, but I can probably do some looking for you in a little bit. First, though, you should re-post your current sshd_config so we can make sure where you are config-wise, so whether it's me or someone else who helps, we have all the proper info.
There is one user account used to configure SQL databases and perform regular backups. These files need to be copied to an external machine using WinSCP. Both are required to be performed.
@hoopycat:
Well, if they have shell access, they're going to be able to get at stuff outside of their home directory, so it's kinda pointless to restrict scp/sftp.
2) I have upgraded sshd manually? Why isn't this possible through normal OS updates?
@Avinash.Rao:
1) We are forcing users to use sftp through a normal user group settings. Making a user part of 'filetransfer' group and then using internal sftp. Is it possible that this group can be given permissions to SSHD?
You can either force them to use sftp, or not force them to use sftp.
> 2) I have upgraded sshd manually? Why isn't this possible through normal OS updates?
It is, but once you choose a particular OS release, you normally get security updates and major bug fixes only. You've chosen CentOS, which is strongly based on RHEL, a distribution known for choosing long-term stability over all else. CentOS 5 gets you OpenSSH 4.3p2-82.el5, CentOS 6 gets you 5.3p1-70.el6, and that's what you're going to get.