OpenSSH user access lockdown

Hi, we have a Windows 2003 R2 web server in a workgroup with OpenSSH server installed for a couple of clients to connect via PuTTY (SSH port 22). It's a standard server install and the clients can connect and use the port redirection. However, I added a couple of Windows users, and when they connect via PuTTY they have full command line access to the server. How can I lock this down so they only have access to their home folder in C:\openssh\users\username\?

I want to restrict a couple of users via the OpenSSH server's config files. I have looked and cannot see what parameters to change.

Help please? Thanks.
exact1 Asked:
 
exact1 Author Commented:
All,

After a bit of "googling" I have now tested VanDyke's SSH Windows server and client. One of the options is "disable shell", so I tried that, and with their client you can still redirect ODBC ports via 127.0.0.1:port down SSH; this seems to work fine.

The downside is, I have to buy it rather than use all the great free stuff out there!

Thanks for all the help and suggestions on this... not sure who to award the points to!
0
 
exact1 Author Commented:
The clients connect via the internet and our firewall only has their companies' IPs allowed in, but I want to lock the users' access down.
0
 
exact1 Author Commented:
OpenSSH server version 3.8.1
Clients use PuTTY 0.60
0
 
Martin_J_Parker Commented:
What do you mean by only having access to their folder? I thought that the whole point of SSH is to give a secure telnet-style command line login. Are you wanting to give them scp access but not ssh?
0
 
arober11 Commented:
Hi,

In a Windows environment, I don't believe it's possible to "chroot" an OS-defined user. As Windows handles the OS access, it will allow the users to change to any directory or drive their Windows user-id has access to.

You could achieve a partial solution by making every directory / drive other than their own home directory inaccessible to them, but it may take a while to sort out the permissions.

Alternatively you could set up a Unix/Linux [virtual] server to offer chrooted SSH access; through a mount / SMB share they could access just their Windows home directories.
0
 
exact1 Author Commented:
Hi

Thanks for the update. I thought about disabling folder access in Windows for the SSH users, but that still did not stop them using a PuTTY cmd line to access the entire folder. I don't have the hardware available to set up a Linux server for this (maybe in the future I will).

So there is no real way to do it? Is there not a "disable user command interface" function at all?
The user only requires to:
run PuTTY to login
redirect a port via PuTTY
connect to the ODBC database on the server

It all works fine; it's just that the access the remote SSH user has after connecting via PuTTY is too much for my liking...
0
 
exact1 Author Commented:
They don't transfer files or really even need a home folder; I just set that up following the OpenSSH instructions.

It's just the ODBC access via SSH, which as I say works fine.
0
 
exact1 Author Commented:
"In a Windows environment, I don't believe it's possible to "chroot" an OS-defined user."

Can I create just an SSH user for these clients and disable access that way, so it does not look at a Windows user account at all? Would that work? Can that work on OpenSSH server for Windows?
0
 
Wilder_Admin Commented:
Hi exact1,

I think I know what you want to do, but in my opinion it's not working. I suggest building a Linux server with Ubuntu; there you can chroot them if they are not in the root group. The question still left for me is why you give your users SSH rights? But I think my suggested solution should work.
0
 
exact1 Author Commented:
I will get round to building a Linux server (one day), but that's not the question here.

The clients are connecting via SSH for one reason: to allow their local ODBC port settings to get redirected (via PuTTY) through an SSH tunnel to our remote web server, and it works fine.

It's when a user initiates that login via PuTTY that they are left in their home folder and at a command prompt allowing full access to the remote server.

I think the solution I want is not possible when running OpenSSH Server on a Windows server platform.

0
 
Martin_J_Parker Commented:
Well, you could put up a copy of Linux on the server under VirtualBox and get them to go via that instead - or even a Windows server for that matter, dedicated to that one job, where it wouldn't really matter if they got command line access.
0
 
Martin_J_Parker Commented:
Would the mysql-ssh privateshell program help?
http://mysql-ssh.privateshell.com/
0
 
exact1 Author Commented:
Hi

I did look at PowerShell, but it still provides that "command shell", so you can connect and browse directories.

I'm really surprised OpenSSH server does not have a part of the config file that simply restricts users' access to things like a command prompt, home folder etc. I would have thought that was basic stuff?
 
0
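The server-side setting being asked for here does exist in later OpenSSH releases, though not in the 3.8.1p1 sshwindows build used in this thread: a Match block in sshd_config with ForceCommand, PermitTTY no, AllowTcpForwarding local and PermitOpen limits an account to one local port forward and nothing else. What follows is an added example, not code from this thread or from OpenSSH. It embeds a constructed sshd_config, works out the settings sshd would apply to a given user (first value wins within a section; the first matching Match block overrides the global section), and reports what still leaves the account with more than a tunnel. The group name odbc-tunnel, the users alice and bob and the SQL Server port 1433 are assumptions. Version caveats: Match, ForceCommand and PermitOpen need OpenSSH 4.4 or later, AllowTcpForwarding local needs 6.2 or later, and PermitTTY needs 6.7 or later.

```python
"""Resolve the sshd_config settings that apply to one user and check that
the account is limited to a local port forward (no shell, no pty).

Added example for this thread; the config below is constructed, and the
group 'odbc-tunnel', the users and port 1433 are assumptions."""
import re
from fnmatch import fnmatch

# sshd defaults (OpenSSH 7.x and later) for the keywords the check looks at.
DEFAULTS = {
    "permittty": "yes", "allowtcpforwarding": "yes", "permitopen": "any",
    "forcecommand": "none", "allowagentforwarding": "yes",
    "x11forwarding": "no", "gatewayports": "no",
}

# Constructed sshd_config: the global section still hands out a shell;
# the Match block turns members of odbc-tunnel into forward-only accounts.
# ForceCommand is run through the user's login shell, so the command keeps
# the session open for the tunnel instead of exiting straight away.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding yes

# Accounts that only redirect their ODBC port through SSH.
Match Group odbc-tunnel
    PermitTTY no
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:1433
    GatewayPorts no
    ForceCommand echo port forwarding only; exec tail -f /dev/null
"""


def parse_match(spec):
    """'Group odbc-tunnel User alice,bob' -> {'group': [...], 'user': [...]}.
    Only User and Group are evaluated here; other criteria raise."""
    tokens = spec.split()
    if tokens == ["all"]:
        return {}
    if len(tokens) % 2:
        raise ValueError("malformed Match line: %r" % spec)
    crit = {}
    for name, pats in zip(tokens[::2], tokens[1::2]):
        if name.lower() not in ("user", "group"):
            raise ValueError("Match %s is not supported by this checker" % name)
        crit[name.lower()] = pats.split(",")
    return crit


def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, opts), ...]) in file order.
    sshd keeps the first value it sees for a keyword within a section."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            raise ValueError("keyword without a value: %r" % line)
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = {}
            blocks.append((parse_match(value), current))
        else:
            (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks


def block_applies(crit, user, groups):
    """Every criterion must match; a criterion matches if any pattern matches."""
    for name, pats in crit.items():
        candidates = [user] if name == "user" else list(groups)
        if not any(fnmatch(c, p) for c in candidates for p in pats):
            return False
    return True


def effective_settings(text, user, groups=()):
    """First matching Match block wins per keyword, then the global section,
    then the compiled-in default."""
    global_opts, blocks = parse_sshd_config(text)
    eff = {}
    for crit, opts in blocks:
        if block_applies(crit, user, groups):
            for key, value in opts.items():
                eff.setdefault(key, value)
    for key, value in list(global_opts.items()) + list(DEFAULTS.items()):
        eff.setdefault(key, value)
    return eff


def tunnel_only_findings(text, user, groups=()):
    """Settings that still give the account more than a local port forward.
    An empty list means the account is locked down to the tunnel."""
    eff = effective_settings(text, user, groups)
    findings = []
    if eff["permittty"] != "no":
        findings.append("PermitTTY %s: interactive terminal allowed" % eff["permittty"])
    if eff["forcecommand"] == "none":
        findings.append("ForceCommand unset: user gets their login shell")
    if eff["allowtcpforwarding"] == "yes":
        findings.append("AllowTcpForwarding yes: remote (-R) forwards allowed too, use local")
    elif eff["allowtcpforwarding"] != "local":
        findings.append("AllowTcpForwarding %s: the ODBC tunnel will not work"
                        % eff["allowtcpforwarding"])
    if eff["permitopen"] == "any":
        findings.append("PermitOpen any: any host:port the server can reach is tunnelable")
    elif eff["permitopen"] == "none":
        findings.append("PermitOpen none: the ODBC tunnel will not work")
    for key in ("allowagentforwarding", "x11forwarding", "gatewayports"):
        if eff[key] != "no":
            findings.append("%s %s" % (key, eff[key]))
    return findings


if __name__ == "__main__":
    for user, groups in (("alice", ["odbc-tunnel"]), ("bob", ["users"])):
        print(user, tunnel_only_findings(SAMPLE_SSHD_CONFIG, user, groups) or "tunnel-only")
```

With this Match block a PuTTY user who opens a session sees only the one-line message and cannot type anything useful; alternatively PuTTY can be told not to start a shell at all (the -N switch, or "Don't start a shell or command at all" under Connection > SSH), in which case ForceCommand never runs and only the forward is set up. On a Windows OpenSSH build ForceCommand would need a Windows command instead of the shell idiom above. Run `sshd -t` after editing the real file, and remember that the checker only evaluates User and Group criteria.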
 
Martin_J_Parker Commented:
Did you mean PowerShell or the privateshell that I posted? They are different.
0
 
exact1 Author Commented:
http://www.privateshell.com/download/

That's the one I tried; it gives you the same "cmd" line access as PuTTY after login though, so the same issue.

Thanks
0
 
Martin_J_Parker Commented:
It looks like the Windows ssh command from the Windows version of OpenSSH has a -N flag which means "don't execute a command on the remote system". That seems to work here.

You might still get a command prompt box, but it doesn't seem to allow anything to be typed in.

That's OpenSSH 3.8.1p1 - openssh from here: http://sshwindows.sourceforge.net/download/
0
 
exact1 Author Commented:
Ah... OK, that's the version of OpenSSH server I am running and that's where I downloaded it, so where does the -N flag go?

It's OpenSSH server and PuTTY client to connect; they need to put their username and password in at the prompt, but that's it.
0
 
Martin_J_Parker Commented:
The -N goes at the end of the command line.
If I type "ssh servername -l fred" I get a command prompt.
If I type "ssh servername -l fred -N" then I don't.

I don't know if -N will work if password entry is required.
The system here is set up so that users don't need to enter their password, by using the authorized_keys file. It's a Linux server so I don't know if you can do exactly the same thing on Windoze.
0
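The authorized_keys file mentioned above is the one lockdown mechanism that already existed in the OpenSSH 3.8 generation: the options field in front of a key (no-pty, no-agent-forwarding, no-X11-forwarding, permitopen=, command=) restricts what that key may do. The caveat, which matters for this thread, is that those options only apply to public-key logins; a password login never consults them. The block below is an added example, not code from the thread or from OpenSSH. It parses an authorized_keys entry the way sshd's option scanner does (comma separated, a double-quoted value may contain commas and blanks), walks the options left to right (restrict clears every feature, a later bare option re-enables one), reports what still leaves the key with more than a tunnel, and builds a tunnel-only entry for a plain public key. The key blobs are made-up placeholders and 127.0.0.1:1433 is an assumed ODBC target; restrict needs OpenSSH 7.2 or later, and older servers need the explicit no-* options shown in the legacy sample.

```python
"""Audit and build tunnel-only authorized_keys entries.

Added example for this thread, not OpenSSH code.  Key blobs below are
made-up placeholders; the host:port 127.0.0.1:1433 is an assumption."""

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

# Features an authorized_keys option can switch on or off; all on by default.
FEATURES = ("pty", "port-forwarding", "agent-forwarding", "x11-forwarding", "user-rc")

# Placeholder blob with the right shape, not a real key.
FAKE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotArealKey0000000000000000000"


def _scan_options(line):
    """Consume the leading options field: comma separated, a double-quoted
    value may contain commas and blanks, backslash escapes a quote.
    Returns (list of raw options, remainder of the line)."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        elif c in " \t" and not quoted:
            break
        else:
            cur.append(c)
        i += 1
    if quoted:
        raise ValueError("unterminated quote in options: %r" % line)
    opts.append("".join(cur))
    return opts, line[i:].strip()


def parse_authorized_key(line):
    """Split one entry into [(option, value-or-None), ...], key type, blob, comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("not an authorized_keys entry: %r" % line)
    first = line.split(None, 1)[0]
    raw_opts, rest = ([], line) if first in KEY_TYPES else _scan_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys entry: %r" % line)
    options = []
    for opt in raw_opts:
        name, eq, value = opt.partition("=")
        options.append((name.lower(), value if eq else None))
    return {"options": options, "type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) == 3 else ""}


def permissions(entry):
    """Walk the options left to right as sshd does: 'restrict' clears every
    feature, a bare feature name re-enables it, 'no-<feature>' disables it."""
    allowed = dict.fromkeys(FEATURES, True)
    command, permitopen = None, []
    for name, value in entry["options"]:
        if name == "restrict":
            allowed = dict.fromkeys(FEATURES, False)
        elif name in allowed:
            allowed[name] = True
        elif name.startswith("no-") and name[3:] in allowed:
            allowed[name[3:]] = False
        elif name == "command":
            command = value
        elif name == "permitopen":
            permitopen.append(value)
    return allowed, command, permitopen


def tunnel_only_problems(line):
    """What still lets this key do more than a local port forward; [] is clean."""
    allowed, command, permitopen = permissions(parse_authorized_key(line))
    problems = []
    if allowed["pty"]:
        problems.append("pty allowed: add restrict or no-pty")
    if command is None:
        problems.append("no command=: the key gets the login shell")
    if not allowed["port-forwarding"]:
        problems.append("port forwarding disabled: the ODBC tunnel will not work")
    if not permitopen:
        problems.append("no permitopen=: every host:port reachable from the server can be tunnelled")
    for feature in ("agent-forwarding", "x11-forwarding", "user-rc"):
        if allowed[feature]:
            problems.append(feature + " allowed")
    return problems


def tunnel_only_entry(pubkey_line, permitopen="127.0.0.1:1433", command="tail -f /dev/null"):
    """Prefix a plain public key line with restrict-style options (OpenSSH 7.2+)."""
    entry = parse_authorized_key(pubkey_line)
    opts = 'restrict,port-forwarding,permitopen="%s",command="%s"' % (
        permitopen, command.replace('"', '\\"'))
    return " ".join(filter(None, (opts, entry["type"], entry["key"], entry["comment"])))


if __name__ == "__main__":
    plain = "ssh-ed25519 %s client1@example" % FAKE_KEY
    print(tunnel_only_problems(plain))
    print(tunnel_only_entry(plain))
```

The command= value keeps the session alive so the forward stays up when the client does open a shell channel; with -N on the client side it is never run at all. To make this the only way in, the server must also refuse password logins for those accounts (PasswordAuthentication no), otherwise the options are simply bypassed by typing the password.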
 
exact1 Author Commented:
"ssh servername -l fred -N"
works, but still gives you a DOS prompt and full access... suppose it's Windoze as you say ;-)

I would also still need to get round the ODBC port redirection; maybe PuTTY supplies some sort of flag on their login, if a PuTTY connection profile is set?

So, say, a Win desktop shortcut for the user: "putty.exe profilename password -N", sort of thing?

0
 
exact1 Author Commented:
You can run PuTTY from the cmd prompt, and there are some flags you can set, but that would rely on the user setting that shortcut up, so not the best way I guess. It needs to be a server-side setting.

The best option here would be if OpenSSH had the ability to manually add an "SSH user" to the OpenSSH server password file when that user does not have any Windows access account, just like (or similar to) adding an FTP user, for example: if the Windows server had some FTP server software, they could log in but don't get full server access.

Can you do that maybe?
0
 
balasundaram_s Commented:
You are trying to find an apple tree in the Sahara desert.
Unlike Unix, there are no file-level permission attribute settings available under Windows. There is no way, in Windows, that a user can be restricted based on his credentials via file-level permissions.
0
 
exact1 Author Commented:
balasundaram_s:

Thanks, that's the conclusion I have come to, although I have just tried VShell, which is a Windows server GUI for SSH allowing lockdown of the "shell" for users, but if I disable it the port redirection does not work in PuTTY.

Oh well.
0
 
Martin_J_Parker Commented:
Running a Linux server in VirtualBox is probably the best bet then.
That will give you an extra level of security as well.
If that gets hacked your Windows server won't suffer!
0
 
arober11 Commented:
Hi, if they just require ODBC access and no shell access, have you considered setting up an SSL VPN instead of your current SSH solution, and adding a few firewall rules to allow nothing else?

See:
http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part3.html
http://www.openvpn.net/index.php/open-source/documentation/howto.html
http://openvpn.se/index.html
0
 
exact1 Author Commented:
Hi arober11

I did think of that, as our firewalls support SSL/VPN, but that gives the client too much access; the ODBC is the only access they require, and the SSH client redirects the ODBC port down SSH.

Thanks
0