Solved

OpenSSH user access lockdown

Posted on 2010-09-23
25
860 Views
Last Modified: 2012-05-10
Hi, we have a Windows 2003 R2 web server in a workgroup with OpenSSH server installed for a couple of clients to connect via PuTTY (SSH, port 22). It's a standard server install and the client can connect and use the port redirection; however, I added a couple of Windows users and when they connect via PuTTY they have full command line access to the server. How can I lock this down so they only have access to their home folder in C:\openssh\users\username\?

I want to restrict a couple of users via the OpenSSH server's config files. I have looked and cannot see what parameters to change.

Help please? Thanks.
Question by: exact1

25 Comments

Author Comment

by:exact1
ID: 33742277
The clients connect via the internet and our firewall has only their company's IP allowed in, but I want to lock the users' access down.
0
 

Author Comment

by:exact1
ID: 33742319
OpenSSH server version 3.8.1
Clients use PuTTY 0.60
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 33742774
What do you mean by only having access to their folder? I thought that the whole point of SSH is to give a secure telnet-style command line login. Are you wanting to give them scp access but not ssh?
0
 
LVL 26

Expert Comment

by:arober11
ID: 33742813
Hi,

In a Windows environment, I don't believe it's possible to "chroot" an OS-defined user. As Windows handles the OS access, it will allow the users to change to any directory or drive their Windows user ID has access to.

You could achieve a partial solution by making every directory / drive, other than their own home directory, inaccessible to them, but it may take a while to sort out the permissions.

Alternatively you could set up a Unix/Linux [virtual] server to offer chrooted SSH access; through a mount / SMB share they could access just their Windows home directories.
0
 

Author Comment

by:exact1
ID: 33742849
Hi

Thanks for the update. I thought about disabling folder access in Windows for the SSH users, but that still did not stop them using a PuTTY command line to access the entire folder. I don't have the hardware available to set up a Linux server for this (maybe in the future I will).

So there is no real way to do it? Is there not a "disable user command interface" function at all?
The user only requires to:
run PuTTY to log in
redirect a port via PuTTY
connect to the ODBC database on the server

It all works fine; it's just that the access the remote SSH user has after connecting via PuTTY is too much for my liking....
0
 

Author Comment

by:exact1
ID: 33742859
They don't transfer files or really even need a home folder; I just set that up following the OpenSSH instructions.

It's just the ODBC access via SSH, which as I say works fine.
0
 

Author Comment

by:exact1
ID: 33742870
"In a Windows environment, I don't believe it's possible to "chroot" an OS defined user."

Can I create just an SSH user for these clients and disable access that way, so it does not look at a Windows user account at all? Would that work? Can that work on OpenSSH server for Windows?
0
 
LVL 8

Expert Comment

by:Wilder_Admin
ID: 33743081
Hi exact1,

I think I know what you want to do, but in my opinion it's not working. I suggest building a Linux server with Ubuntu; there you can chroot them if they are not in the root group. The question still left for me is why you give your users SSH rights? But I think my suggested solution should work.
0
 

Author Comment

by:exact1
ID: 33743220
I will get round to building a Linux server (one day), but that's not the question here.

The clients are connecting via SSH for one reason: to allow their local ODBC port settings to get redirected (via PuTTY) through an SSH tunnel to our remote web server, and it works fine.

It's when a user initiates that login via PuTTY that they are left in their home folder at a command prompt allowing full access to the remote server.

I think the solution I want is not possible when running OpenSSH Server on a Windows server platform.
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 33743404
Well, you could put up a copy of Linux on the server under VirtualBox and get them to go via that instead, or even a Windows server for that matter, dedicated to that one job, where it wouldn't really matter if they got command line access.
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 33743419
Would the MySQL SSH PrivateShell program help?
http://mysql-ssh.privateshell.com/
0
 

Author Comment

by:exact1
ID: 33743615
Hi

I did look at PowerShell, but it still provides that "command shell" so you can connect and browse directories.

I'm really surprised OpenSSH server does not have a part of the config file that simply restricts users' access to things like a command prompt, home folder, etc. I would have thought that was basic stuff?
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 33743737
Did you mean PowerShell or the PrivateShell that I posted? They are different.
0
 

Author Comment

by:exact1
ID: 33743770
http://www.privateshell.com/download/

That's the one I tried; it gives you the same "cmd" line access as PuTTY after login though, so the same issue.

Thanks
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 33744093
It looks like the Windows ssh command from the Windows version of OpenSSH has a -N flag which means "don't execute a command on the remote system". That seems to work here.

You might still get a command prompt box, but it doesn't seem to allow anything to be typed in.

That's OpenSSH 3.8.1p1, from here: http://sshwindows.sourceforge.net/download/
0
 

Author Comment

by:exact1
ID: 33744154
Ah, OK, that's the version of OpenSSH server I am running and that's where I downloaded it, so where does the -N flag go?

It's OpenSSH server and PuTTY client to connect; they need to put their username and password in at the prompt, but that's it.
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 33744372
The -N goes at the end of the command line.
If I type "ssh servername -l fred" I get a command prompt.  
If I type "ssh servername -l fred -N" then I don't.

I don't know if -N will work if password entry is required.
The system here is set up so that users don't need to enter their password by using the authorized_keys file. It's a Linux server so I don't know if you can do exactly the same thing on Windoze.
0
 

Author Comment

by:exact1
ID: 33744472
"ssh servername -l fred -N"
works but still gives you a DOS prompt and full access........ suppose it's Windoze as you say ;-)

I would also still need to get round the ODBC port redirection; maybe PuTTY supplies some sort of flag on their login, if a PuTTY connection profile is set?

So, say, a Win desktop shortcut for the user: "putty.exe profilename password -N" sort of thing?

0
 

Author Comment

by:exact1
ID: 33744632
You can run PuTTY from the cmd prompt, and there are some flags you can set, but that would rely on the user setting that shortcut up, so not the best way I guess. It needs to be a server-side setting.

The best option here would be if OpenSSH had the ability to manually add an "SSH user" to the OpenSSH server password file, when that user does not have any Windows access account, so just "like" (or similar to) adding an FTP user, for example: if the Windows server had some FTP server software, they could log in but don't get full server access.

Can you do that maybe?
0
 
LVL 5

Expert Comment

by:balasundaram_s
ID: 33745403
You are trying to find an apple tree in the Sahara desert.
Unlike Unix, there are no file-level permission attribute settings available under Windows. There is no way, in Windows, a user can be restricted based on his credentials on file-level permissions.
0
 

Author Comment

by:exact1
ID: 33745705
balasundaram_s:

Thanks, that's the conclusion I have come to, although I have just tried VShell, which is a Windows server GUI for SSH, allowing lockdown of the "shell" for users, but if I disable it the port redirection does not work in PuTTY.

oh well.
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 33745949
Running a Linux server in VirtualBox is probably the best bet then.
That will give you an extra level of security as well.
If that gets hacked, your Windows server won't suffer!
0
 
LVL 26

Expert Comment

by:arober11
ID: 33765597
Hi, if they just require ODBC access, no shell access, have you considered setting up an SSL VPN instead of your current SSH solution, and adding a few firewall rules to allow nothing else?

See:
http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part3.html
http://www.openvpn.net/index.php/open-source/documentation/howto.html
http://openvpn.se/index.html
0
 

Author Comment

by:exact1
ID: 33768457
Hi arober11

I did think of that, as our firewalls support SSL/VPN, but that gives the client too much access; the ODBC is the only access they require, and the SSH client redirects the ODBC port down SSH.

thanks
0
 

Accepted Solution

by:
exact1 earned 0 total points
ID: 33768462
All,

After a bit of "googling" I have now tested VanDyke's SSH Windows server and client. One of the options is "disable shell", so I tried that, and with their client you can still redirect ODBC ports via 127.0.0.1:port down SSH; this seems to work fine.

The downside is, I have to buy it! rather than use all the great free stuff out there!!

Thanks for all the help and suggestions on this.... not sure who to award the points to!
0
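The "disable shell but keep port forwarding" setting the asker ended up paying for is exactly what later OpenSSH releases express server-side in sshd_config. The fragment below is an added example, not part of this thread and not something the 3.8.1p1 Windows build discussed above supports: Match, ForceCommand, PermitOpen, PermitTTY and AllowTcpForwarding local all arrived in releases after 3.8.1, so the conclusion the thread reached for that version stands. The group name odbcusers, the user name alice and the ODBC listener port 1433 are assumptions for illustration.

```sshd_config
# sshd_config fragment (added example, not from the thread or the 3.8.1p1 port).
# Assumes an OpenSSH release that understands Match, ForceCommand, PermitTTY,
# AllowTcpForwarding local and PermitOpen. Group and port names are assumed.

# Everyone not matched below keeps the server's normal settings.

Match Group odbcusers
    # No interactive shell or remote command: whatever the client asks to run
    # is replaced by /bin/false, and no pty is allocated for it.
    ForceCommand /bin/false
    PermitTTY no
    # Only client-side (-L) tunnels, and only to the ODBC listener on this host.
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:1433
    # Close off the other channel types the session could otherwise open.
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no

# Per-key equivalent in ~/.ssh/authorized_keys (OpenSSH 7.2 or later), for a
# deployment that uses keys instead of the password prompt in the thread:
#
#   restrict,port-forwarding,permitopen="127.0.0.1:1433" ssh-ed25519 AAAA... alice
#
# "restrict" turns off pty, X11, agent and command execution; "port-forwarding"
# then re-enables only TCP forwarding, narrowed by permitopen.
```

Because the forced command exits immediately, the client has to connect without requesting a session at all: ssh -N -L 1433:127.0.0.1:1433 alice@server, plink -N with the same -L, or in the PuTTY GUI the "Don't start a shell or command at all" option under Connection > SSH. Anything else the user types into a PuTTY window simply never reaches a shell. Check what a given account actually gets with `sshd -T -C user=alice,addr=203.0.113.5` (the address is a documentation-range placeholder), which prints the effective settings after Match evaluation; "forcecommand /bin/false" and "permitopen 127.0.0.1:1433" should appear for the restricted group and not for anyone else.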