• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 456
  • Last Modified:

Created a Secure FTP (SFTP via SSH) server - but user (local user) gets FULL ACCESS to the server!!???!?!?

Created a Secure FTP (SFTP via SSH) server - but user (local user) gets FULL ACCESS to the server!!???!?!? THE ENTIRE SERVER!!!

SFTP basically uses SSH to encrypt user login info and files being transferred. To do this, you need to create a Windows Local user and group that will be allowed into a particular folder.

I did that, but when I connect through SFTP (filezilla), I get access to the entire server. How is this more secure than regular FTP???

What did I do wrong?? How do I restrict a local user to one folder only?

0
vanauden
Asked:
vanauden
  • 3
1 Solution
 
Jeff BeckhamEngineerCommented:
You probably have setup issues.  You need to set the root of your FTP server to something other than C:\.  Exactly what SFTP package did you use?
0
 
vanaudenAuthor Commented:
openSSH from http://sshwindows.sourceforge.net/

the FTP server is Filezilla and the remote client is also filezilla.

I just found out that with SFTP you have to restrict the Windows Local User account.

I did that, but now the SFTP only opens the OpenSSH folder - I have no idea how it gets there, but it is restricted to that folder and subfolders.

I am going to try uninstalling OpenSSH then reinstalling it from scratch and see if that works.

The root of my SFTP server is D:\somefolder\somesubfolder and I put user restrictions on the subfolder

Is there another package that works better?
0
 
vanaudenAuthor Commented:
Ok, figured the whole thing out: Had to unistall/re-install OpenSSH

Here is how to do the entire thing:  (Window 2003)

Note: I am taking some stuff from http://www.digitalmediaminute.com/article/1487/setting-up-a-sftp-server-on-windows, but not all. I like this tutorial, but it is very incomplete in terms of instructions relating to Windows permissions.

1.      Download OpenSSH for Windows here à http://sshwindows.sourceforge.net/download/

2.      Run the installer and be sure to install both the client and server components.

3.      Create a new windows user and group that will be used for SFTP only.

4.      Now make sure that this new user is a member of the group you just created.

5.      Create your SFTP folder/directory and name it with the exact same name as your new user.

      a.      Do NOT create this folder directly under a hard drive letter because Windows permissions will give the SFTP user access to other drives, and YOU DO NOT WANT THAT!
      b.      I suggest you create a folder for SFTP, then create a SUBFOLDER with the new user’s name. That way, you restrict the user’s group permissions on the subfolder. To be even safer, you then completely deny permissions for this user on the main SFTP folder. More on this later on.

6.      Using WINDOWS Explorer, go to this directory: C:\Program Files\OpenSSH\etc

      a.      Make sure that the file “group” exists. If not, create it with NO extention. (it should be empty)
      b.      Make sure that the file “passwd” exists. If not, create it with NO extention. (it should be empty)

7.      Open the Windows Command Prompt and go to this directory à C:\Program Files\OpenSSH\bin

8.      SIDE NOTE: Local group or user is one that allows permissions for a user logged into the local machine only. (As opposed to being logged in from a domain). By default, users and groups are LOCAL.

9.      If the group you created is a LOCAL group, type: mkgroup -l >> ..\etc\group

10.      If the user you created is a LOCAL group, type: mkpasswd -l -u sftpuser >> ..\etc\passwd

11.      This is one IMPORTANT point where I diverge from the setup notes in the article. You need to edit the registry BEFORE starting your SFTP service. Sometimes Windows just will not let go of settings, and if you start the service now, it will probably be started with incorrect settings (if you followed my instructions). If you started it before reading this, stop the service, follow my instructions bolow, then start the service again. (Back up your registry first.)

      a.      In your passwd file, you now have a listing of the default SFTP directory for your Windows user. You need to change the main folder (/home) location. The README file in OpenSSH provides the best method for doing this (clipped as follows).
      b.       To change the Windows directory /home corresponds to, you will need to edit a registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/home.
      c.      The value of the key named "native" is the directory that /home is. If you want all your users to enter in a directory on your machine called F:\Users, change "native" to read F:\Users.
      d.      By default, each user will then be placed in the directory F:\Users\username, where username is the name of the user account.

12.      Start the OpenSSH server (service) by typing: net start opensshd

      a.      You can stop it by typing: net stop opensshd

13.      On your firewall, open port 22. This is the default SFTP port.

14.      Now you can test your SFTP server using a client from another computer. I use Filezilla. In Filezilla, create a new (S)FTP site as follows:

      a.      Host (the IP or domain name of your server)
      b.      Port 22
      c.      Server Type: SFTP (using SSH2) (It’s backwards compatible to SSH)
      d.      Logon Type: Normal
      e.      User: Windows username for the user you created
      f.      Password: Windows password for the user you created
      g.      Connect and it should work.
      h.      Note that the user has access to the entire server at this point… that’s not good.

15.      SFTP does not provide a method for locking a user to his/her home directory
 
      a.      Now you MUST set your Windows permissions on the folder you created with the new user’s name to LIMIT this user to this folder.
      b.      My example folder: D\sftp\sftpuser.
      c.      Right-click on the sftpuser folder and select Properties.
      d.      Click the Security tab.
      e.      Click the “Add” button and add your USER to the folder
      f.      Here are the permissions I gave the user:
            i.      List folder contents
            ii.      Read
            iii.      Write

      g.      Now right-click on the “sftp” folder and select properties

      h.      Click the Security tab.

      i.      Click the “Add” button and add your GROUP to the folder

      j.      DENY ALL PERMISSIONS for the Group (checkmark in Deny Full control).

      k.      Now your SFTP user will be able to get into the SFTP folder and subfolders only.

16.      Now test your SFTP again. It should work.













0
 
vanaudenAuthor Commented:
That's it for this question.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now