OpenSSH and FTP access

Hi there,

I am running Gentoo linux on a Sun Ultra 60.  I have OpenSSH installed and I generally either FTP in using SFTP or use a SSH shell to log in over the local network.

I am considering setting up FTP access from outside.  I guess I need to set up port forwarding on my ADSL modem/router for port 22 for SSH.

Now what should I do next to do it properly?  Ideally I want a new 'FTP' user, but really I only want 'that' user to be able to FTP in from the outside, if you know what I mean.  Also I would want anyone uploading not to be able to see the contents of the directory etc, though I guess that can be taken care of by permissions on the directory.

Basically I just want some direction on how to do this correctly!

Cheers,

Mark
marky9074 asked:

Gabriel Orozco (Solution Architect) commented:
some tips:

a) check your ftp software configuration. disable anonymous access.
b) if the software allows you, jail it! this means to create a subdirectory that mimics the / filesystem (only needed files) and then run the ftp software with that directory.
c) enable only that user to access the ftp system.

one big problem is that the ftp protocol needs two ports working: tcp/21 and tcp/20 (tcp/20 can change to any port. it is used for data transmission while tcp/21 is for control only)

so if you can, better go with sftp. this has many things that make it better than ftp, and only one drawback: since it is encrypted traffic, sftp is slower than regular ftp. If you can live with it, then you only need a restricted shell to jail the user to his/her home directory, and you're all set.

hope this helps
0
marky9074 (Author) commented:
Hi, thanks for the post.  As I only have OpenSSH installed (no ftpd or proftpd), I would only be using SFTP.  Are you saying that using sftp I would still need ports 20 & 21 open?

What I want to do is stop for example someone sftp in as root, how do I restrict this?  I can pretty much work out how to set up a restrictive account for a sftp access, but how do I force all connections from 'outside' to be dropped apart from the dedicated sftp user?
0
Gabriel Orozco (Solution Architect) commented:
with sftp, you are using ssh under the cover. so you only need port tcp/22 to be redirected.

to restrict access from outside, check /etc/hosts.deny. there is a mechanism called "tcp wrappers" that ssh obeys. read

http://www.section6.net/wiki/index.php/Basics_Of_Securing_Linux#TCP_Wrappers

and these URLs to better understand how tcp wrappers work:

http://www.derkeiler.com/Newsgroups/comp.security.ssh/2002-10/1221.html
http://linuxhelp.blogspot.com/2005/10/using-tcp-wrappers-to-secure-linux.html
man 5 hosts_access
man 8 tcpd

or, you can give someone file copy access over the “ssh” version 2 protocol by means of the Open Source tool “rssh”:

http://sourceforge.net/projects/rssh/

The “rssh” tool allows you to restrict, on a per-user basis, access to any of “rsync”, “rdist”, “cvs”, “sftp”, and/or “scp”.  You can control the file creation on a per-user basis.  You can also force a given non-privileged user to be confined inside a chroot jail.  If properly set up, the chroot jail will prevent the user from accessing any files outside of the chroot jail.

The “rssh” tool needs to be installed on any remote host into which you want to give selected users “rsync”, “rdist”, “cvs”, “sftp”, and/or “scp” access.  The shells for those users must be “/usr/bin/rssh”.  Also the “/etc/rssh.conf” needs to be configured on that remote host.  This will allow users to use any of the standard “rsync”, “rdist”, “cvs”, “sftp”, and/or “scp” tools to access the remote host via the “ssh” protocol 2.

0


marky9074 (Author) commented:
Thanks for that, it is a lot clearer now, so basically there is no quick and easy (platform independent) way for user based control?
0
Gabriel Orozco (Solution Architect) commented:
I think only tcp wrappers can do the job, but I tried and tested some of the solutions and I myself still cannot do the filtering of only one user.

host based is much easier, however. So if you can use host based authentication, just go for it.

regards
0
marky9074 (Author) commented:
Hi Redimido,

I just forwarded the port and checked that it worked and it is all OK.  I thought that I had a handle on creating an anonymous user that was restricted to its home directory, but I am not sure if even this is going to work using ssh and sftp.  Have you got any ideas how I go about this?

Mark
0
marky9074 (Author) commented:
That probably doesn't make much sense!  I want a secure ftp hence sftp, but I don't want the user trawling through my system, I only want them to have access to their home directory....

Mark
0
Gabriel Orozco (Solution Architect) commented:
use a restricted shell that can do that job for you.

as I told you before, this program can make your life easier:

    http://sourceforge.net/projects/rssh/ 

when the user connects, this shell will be the underlying program and will not allow him to go out of his home directory. (his or her)
0
marky9074 (Author) commented:
Dooh, the penny has dropped now!  I misinterpreted what you said earlier, as I thought that if I used rssh I would need something on each client to use rssh, but I guess what you meant is that 'any' client will need an app to access through an ssh.  Personally I use ws_ftp...

Thanks for the help, I will see if there is a gentoo package for it on my arch..
0
Gabriel Orozco (Solution Architect) commented:
sorry I was not very clear =)

you will need to edit /etc/passwd in order to modify the user you want to restrict, to have rssh as his shell.

then on the rssh configuration (need to follow their readme) you will be able to restrict the user in many aspects, like jail him on his home directory.

client is not important as long as it understands sftp

hope this helps
Gabriel
0
marky9074 (Author) commented:
Hi Gabriel,

Thanks for all you help!  At the moment I am updating my Gentoo system and I have left it far too long.  At the moment I am at 11 of 276, so I think it will be a few hours until I can get to installing rssh...

I will let you know as soon as I am up again...

Thanks,

Mark
0
marky9074 (Author) commented:
OK, my update barfed at a lib for openssl so I took the opportunity to emerge rssh...

Got it up and edited the config for sftp...worked OK.  Added my user and set home as /data/ftp with rssh shell.

Now I thought all I had to do was edit the line for:

chrootpath = /data/ftp

To jail any user using rssh to this directory.  But it fails to log in.  If I remove this I can ftp in, but have free run of the system.

Nearly there, but need your help again!

Thanks,

Mark
0
Gabriel Orozco (Solution Architect) commented:
what happens here is this software jails the user in its home directory, and I suppose you tried to jail him on a directory outside his home directory, right?

edit /etc/passwd and make /data/ftp the user's home directory. also chown that directory to the username, and try again =)
0
marky9074 (Author) commented:
Oh, after downloading the source and looking at the chroot docs it's not as simple as I thought....
0
Gabriel Orozco (Solution Architect) commented:
that's right...

security is not simple... this is what is driving us I.T. people to a much harder work to do more or less same things but in a more secure manner...

that tool can help you, but you need to understand how to use it
0
marky9074 (Author) commented:
It seems a lot of work recreating file structures within the chroot jail, when all I want to do is stop the logged in user going up any higher than his home directory......

Just upgrading mysql at the moment, and my gentoo system is in a terrible mess, hopefully will get time to play with rssh soon...
0
verborghs commented:
You could also just use PAM (pluggable authentication modules)
there is one: pam_listfile, which allows you to specify a list of users. in gentoo look in /etc/pam/ssh-something

or you could use the AllowUsers directive of ssh, which allows you to specify users in the form of user@host and *@...


0
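The two threads of this discussion, a single account allowed in from outside (the AllowUsers directive above) and that account jailed in its home directory without rebuilding a file tree inside the chroot (the rssh chrootpath failure earlier), can both be met by sshd itself. The script below is an added example, not code from the thread, from rssh or from OpenSSH; it assumes OpenSSH 4.9 or later (the first release with ChrootDirectory and internal-sftp) and GNU stat. The account name ftpuser, the path /data/ftp and the LAN pattern are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, rssh or OpenSSH). Jail one sftp-only
# account in its home directory with sshd's own ChrootDirectory + internal-sftp.
# Because internal-sftp runs inside sshd, no binaries or libraries have to be
# copied into the jail. Assumes OpenSSH >= 4.9 and GNU stat; "ftpuser",
# "/data/ftp" and 'mark@192.168.1.*' are placeholders.

# Print an sshd_config fragment for one sftp-only user.
#   $1 = user name, $2 = jail directory,
#   $3 (optional) = extra AllowUsers pattern for the admin's LAN login,
#   e.g. 'mark@192.168.1.*' (user@host form). Without it nobody else,
#   root included, can log in at all.
sftp_jail_config() {
    user="$1"; jail="$2"; extra="${3:-}"
    cat <<EOF
AllowUsers ${user}${extra:+ $extra}
Match User ${user}
    ChrootDirectory ${jail}
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# sshd refuses a ChrootDirectory unless every component of the path is a
# directory owned by root and not writable by group or others; getting this
# wrong produces exactly the "login fails as soon as the jail is enabled"
# symptom. Check one component.
#   $1 = directory, $2 = required owner uid (0 for real use)
chroot_component_ok() {
    dir="$1"; want_uid="$2"
    [ -d "$dir" ] || return 1
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$uid" = "$want_uid" ] || return 1
    # 022 = group-write | other-write; any of those bits set is fatal
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Walk from the jail up to / and report the first unsafe component.
check_chroot_path() {
    d="$1"
    case "$d" in /*) ;; *) echo "absolute path required: $d" >&2; return 1 ;; esac
    while :; do
        if ! chroot_component_ok "$d" 0; then
            echo "unsafe chroot component: $d (must be root-owned, no g/o write)" >&2
            return 1
        fi
        [ "$d" = "/" ] && return 0
        d=$(dirname "$d")
    done
}

# The jail root is root-owned, so the uploader needs a writable subdirectory.
# Mode 1733 lets the uploader create files and enter the directory but not
# list it, and the sticky bit stops them removing files they do not own.
# Run as root and leave the directory root-owned so the uploader cannot
# chmod it back.
mk_dropbox() {
    mkdir -p "$1" && chmod 1733 "$1"
}

# Usage (as root):
#   check_chroot_path /data/ftp && mk_dropbox /data/ftp/upload
#   sftp_jail_config ftpuser /data/ftp 'mark@192.168.1.*' >> /etc/ssh/sshd_config
#   sshd -t && /etc/init.d/sshd restart
```

Set the jailed user's home in /etc/passwd to the jail path (as suggested above for rssh) or to /upload inside it, give the account a non-login shell, and validate the file with `sshd -t` before restarting. Keep the admin's LAN pattern in AllowUsers, otherwise the fragment locks every other account out, which is the intended effect for the outside but not for the local network.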
marky9074 (Author) commented:
At the moment I am just using scponly to make sure the logged in user does not have a shell.  Also I was going to change the mapping on the router so that the public port was not 22, which should help, but I am awaiting a firmware change....

Hopefully will get a solution soon!

Mark
0