OpenSSH user access lockdown

exact1 (asker, United Kingdom) asked:

Hi, we have a Windows 2003 R2 web server in a workgroup with OpenSSH server installed for a couple of clients to connect via PuTTY (SSH port 22). It's a standard server install and the client can connect and use the port redirection; however, I added a couple of Windows users and when they connect via PuTTY they have full command line access to the server. How can I lock this down so they only have access to their home folder in C:\openssh\users\username\?

I want to restrict a couple of users via the OpenSSH server's config files. I have looked and cannot see what parameters to change.

help please?? thanks  
exact1 (asker):

The clients connect via the internet and our firewall only allows their company's IP in, but I want to lock the users' access down.
exact1 (asker):

openssh server version 3.8.1
clients use PuTTY 0.60
What do you mean by only having access to their folder?  I thought that the whole point of ssh is to give a secure telnet-style command line login.  Are you wanting to give them scp access but not ssh?
arober11:
Hi,

In a Windows environment, I don't believe it's possible to "chroot" an OS-defined user. As Windows handles the OS access, it will allow the users to change to any directory or drive their Windows user-id has access to.

You could achieve a partial solution by making every directory / drive, other than their own home directory, inaccessible to them, but it may take a while to sort out the permissions.

Alternatively you could set up a Unix/Linux [Virtual]server to offer chrooted SSH access, through a mount / smb share they could access just their Windows home directories.
exact1 (asker):

Hi

Thanks for the update. I thought about disabling folder access in Windows for the SSH users, but that still did not stop them using a PuTTY command line to access the entire folder. I don't have the hardware available to set up a Linux server for this (maybe in the future I will).

so there is no real way to do it? is there not a "disable user command interface function" at all?
the user only requires to:
run Putty to login
redirect a port via Putty
connect to ODBC database on the server

It all works fine; it's just that the access the remote SSH user has after connecting via PuTTY is too much for my liking....
exact1 (asker):

They don't transfer files or really even need a home folder; I just set that up following the OpenSSH instructions.

It's just the ODBC access via SSH, which as I say works fine.
exact1 (asker):

"In a Windows environment, I don't believe it's possible to "chroot" an OS defined user."

Can I create just an SSH user for these clients and disable access that way, so it does not look at a Windows user account at all? Would that work? Can that work on OpenSSH server for Windows?
Hi exact1,

I think I know what you want to do, but in my opinion it's not working. I suggest building a Linux server with Ubuntu; there you can chroot them if they are not in the root group. The question still left for me is why you give your users SSH rights? But I think my suggested solution should work.
exact1 (asker):

I will get round to building a Linux server (one day), but that's not the question here.

The clients are connecting via SSH for one reason: to allow their local ODBC port settings to get redirected (via PuTTY) through an SSH tunnel to our remote web server, and it works fine.
 
It's when a user initiates that login via PuTTY: they are left in their home folder and at a command prompt allowing full access to the remote server.

I think the solution I want is not possible when running OpenSSH Server via a Windows server platform.
Well you could put up a copy of Linux on the server under Virtualbox and get them to go via that instead - or even a Windows server for that matter dedicated to that one job, where it wouldn't really matter if they got command line access.
Would the my-sql ssh privateshell program help?
http://mysql-ssh.privateshell.com/
exact1 (asker):

Hi

did look at Powershell, but it still provides that "command shell" so you can connect and browse directories.

Really surprised OpenSSH server does not have a part of the config file that simply restricts users' access to things like a command prompt, home folder etc. I would have thought that was basic stuff?
 
Did you mean powershell or the privateshell that I posted?  They are different.
exact1 (asker):

http://www.privateshell.com/download/

That's the one I tried; it gives you the same "cmd" line access as PuTTY after login though, so the same issue.

Thanks
It looks like the Windows ssh command from the Windows version of openssh has a -N flag which means "don't execute a command on the remote system".  That seems to work here.  

You might still get a command prompt box, but it doesn't seem to allow anything to be typed in.  

That's openssh 3.8.1p1 - openssh from here: http://sshwindows.sourceforge.net/download/
exact1 (asker):

Ahh... ok, that's the version of OpenSSH server I am running and that's where I downloaded it, so where does the -N flag go?

It's OpenSSH server and PuTTY client to connect; they need to put their username and password in at the prompt but that's it.
The -N goes at the end of the command line.
If I type "ssh servername -l fred" I get a command prompt.  
If I type "ssh servername -l fred -N" then I don't.

I don't know if -N will work if password entry is required.
The system here is set up so that users don't need to enter their password by using the authorized_keys file. It's a Linux server so I don't know if you can do exactly the same thing on Windoze.
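The -N / authorized_keys approach in the reply above is the one place in this thread where a server-side restriction is actually available: OpenSSH has long accepted per-key options in authorized_keys (command=, no-pty, no-agent-forwarding, no-X11-forwarding, permitopen=) that apply only to public-key logins, so they do nothing while users authenticate with passwords, and whether the SSHWindows 3.8.1p1 build honours every one of them is an assumption that would need testing on that server. The following Python script is an added example, not code from the thread, from OpenSSH or from SSHWindows: it builds such a restricted entry for a forwarding-only user and audits an authorized_keys file for keys that still permit a shell. The key strings, user names and the ODBC port 1433 are constructed placeholders.

```python
"""Generate and audit OpenSSH authorized_keys entries for tunnel-only users.

Added illustration for the thread above, not code from OpenSSH or the
SSHWindows project.  The sample keys below are constructed placeholders.
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")

# Options a forwarding-only entry should carry (option names are
# case-insensitive in OpenSSH, so they are compared in lower case).
REQUIRED_OPTIONS = {
    "command": "no command= option: the key can start an interactive shell",
    "no-pty": "no-pty missing: the server will allocate a terminal",
    "permitopen": "permitopen missing: the client may forward to any host:port",
    "no-agent-forwarding": "no-agent-forwarding missing",
    "no-x11-forwarding": "no-X11-forwarding missing",
}

# Constructed sample file: one locked-down user and two that are not.
SAMPLE_AUTHORIZED_KEYS = """\
# fred: forwarding-only, fully restricted
command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="127.0.0.1:1433" ssh-rsa AAAAB3NzaC1yc2EFAKEKEY0001 fred@client
# bob: no options at all, so a login gives a shell
ssh-rsa AAAAB3NzaC1yc2EFAKEKEY0002 bob@client
# alice: partially restricted, a forced command is still missing
no-pty,permitopen="127.0.0.1:1433" ssh-rsa AAAAB3NzaC1yc2EFAKEKEY0003 alice@client
"""


def build_tunnel_only_entry(pubkey_line, targets):
    """Prefix a public-key line with options that leave the key able to open
    forwarded connections only to the given host:port targets.  command= is
    applied when the client requests a session, which a client run with -N
    never does, so port forwarding keeps working while a shell does not."""
    opts = ['command="/bin/false"', "no-pty", "no-agent-forwarding", "no-X11-forwarding"]
    opts += ['permitopen="%s"' % target for target in targets]
    return ",".join(opts) + " " + pubkey_line.strip()


def _split_options(text):
    """Split an options field on commas that are outside double quotes."""
    fields, current, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    if current:
        fields.append("".join(current))
    return fields


def parse_entry(line):
    """Parse one authorized_keys line into a dict, or return None for blank
    lines, comments and lines with no recognised key type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options_text, rest = "", line
    if line.split()[0] not in KEY_TYPES:
        # Options end at the first whitespace outside double quotes.
        quoted = False
        for i, ch in enumerate(line):
            if ch == '"':
                quoted = not quoted
            elif ch.isspace() and not quoted:
                options_text, rest = line[:i], line[i:].strip()
                break
        else:
            return None
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    options = {}
    for field in _split_options(options_text):
        if not field:
            continue
        name, _, value = field.partition("=")
        options.setdefault(name.lower(), []).append(value.strip('"') if value else True)
    return {
        "options": options,
        "type": parts[0],
        "key": parts[1],
        "comment": parts[2] if len(parts) == 3 else "",
    }


def audit(text):
    """Map each key's comment to the list of restrictions it lacks; an empty
    list means the key is forwarding-only as intended."""
    findings = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        missing = [msg for opt, msg in REQUIRED_OPTIONS.items() if opt not in entry["options"]]
        findings[entry["comment"] or entry["key"]] = missing
    return findings


if __name__ == "__main__":
    for who, missing in audit(SAMPLE_AUTHORIZED_KEYS).items():
        print(who, "OK" if not missing else "; ".join(missing))
    print(build_tunnel_only_entry("ssh-rsa AAAAB3NzaC1yc2EFAKEKEY0004 carol@client", ["127.0.0.1:1433"]))
```

A client holding such a key connects with `ssh -N -L 1433:127.0.0.1:1433 fred@server`; in PuTTY the equivalent is the "Don't start a shell or command at all" setting under Connection > SSH together with a Tunnels entry. Because that setting lives on the client, it is the server-side command= and no-pty options that actually prevent a shell; without them a user can simply untick it. Later OpenSSH releases (4.4 and up) add the sshd_config directives Match, ForceCommand and PermitOpen, which impose the same restrictions per user or group and work with password logins as well.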
exact1 (asker):

"ssh servername -l fred -N"
works but still gives you a DOS prompt and full access........ suppose it's Windoze as you say ;-)

I would also still need to get round the ODBC port redirection; maybe PuTTY supplies some sort of flag on their login, if a PuTTY connection profile is set?

So say a Win desktop shortcut for the user: "putty.exe profilename password -N", sort of thing?

exact1 (asker):

you can run Putty from the cmd prompt, and there are some flags you can set, but that would rely on the user setting that shortcut up, so not the best way I guess. Needs to be server side setting.

The best option here would be if OpenSSH had the ability to manually add an "ssh user" to the OpenSSH server password file when that user does not have any Windows access account, similar to adding an FTP user, for example: if the Windows server had some FTP server software, they could log in but don't get full server access.

can you do that maybe?
balasundaram_s:

You are trying to find an apple tree in the Sahara desert.  
Unlike Unix, there are no file-level permission attribute settings available under Windows.  There is no way, in Windows, that a user can be restricted based on his credentials on file-level permissions.
exact1 (asker):

balasundaram_s:

Thanks, that's the conclusion I have come to, although I have just tried VShell, which is a Windows server GUI for SSH allowing lockdown of the "shell" for users, but if I disable it the port redirection does not work in PuTTY.

oh well.
Running a Linux server in Virtualbox is probably the best bet then.  
That will give you an extra level of security as well.  
If that gets hacked your Windows server won't suffer!
Hi, if they just require ODBC access, no shell access, have you considered setting up an SSL VPN instead of your current SSH solution, and adding a few firewall rules to allow nothing else?

See:
http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part3.html
http://www.openvpn.net/index.php/open-source/documentation/howto.html
http://openvpn.se/index.html
exact1 (asker):

Hi arober11

I did think of that as our firewalls support SSL/VPN, but that gives the client too much access; the ODBC is the only access they require and the SSH client redirects the ODBC port down SSH.

thanks
ASKER CERTIFIED SOLUTION
exact1 (asker):
