SFTP - Cygwin OpenSSH Restricting Users to Home Directory using ChrootDirectory

Captions
In my other video I did an end-to-end installation of SFTP (OpenSSH on Cygwin) on Windows Server 2016, and I also demonstrated how to restrict the user to their home directory. I wanted to spend a little bit more time on that, so this is a specific video on that one aspect: restricting the user to their home directory in SFTP. The best way to do that is first to demonstrate from the client end, so I am going to remote desktop to another machine, the client machine, and I will log in as three or four different users. The first one is just an SFTP user, and in this user's folder you'll notice I restrict them to the home directory; they can't navigate out of it. To indicate that it is the user's home directory I put a text file in there indicating this is the first user, SFTP user 01; I put a text file called 01 in there. I'm going to log in now as SFTP user 02, and you'll see that I also have a file named 02 in there, and again this user is locked in. Same with SFTP user 03; they're also locked in. SFTP user 04 is a little bit different, in that this user can actually be an SSH user, meaning this user can also log in through the terminal via SSH, while the first three users can only use SFTP and are locked into their home directory. So you'll see this fourth user can actually navigate just like they would if they SSH into the terminal. You'll notice I can change directory logged in as SFTP user 04, and if I do ls you'll notice I can access all the directories. You'll notice, however, that the cygdrive is not available, so I was able to hide that from the user logging in; if you have that issue I'll also show you how to do that. So this is what I'm going to go through in this video: how to restrict the user to their home directory, and also, if you want the user to be both SSH and SFTP, how to further restrict permissions there.

These three users that are only SFTP cannot log in through the terminal. What normally would happen is, if they try to log in, the connection would just close immediately, whereas this SFTP user 04 can log in and use the terminal just like any normal SSH session. So now, going back to the server: now that you've seen what the user will see and some of the restrictions on the user, I'm going to go back to the server and show you how I achieve this. The first thing is, in my other video I changed some of my installation instructions so that when I am running ssh-host-config I am actually using a privileged user. So you'll see here in my SSH service I am running as the user cyg_server, and you'll see that the setup or installation of SSH actually created this privileged user. So that's important; that's the first step you need to do: actually create the service with a privileged user, and the reason why you have to do that is, well, I will have this in the description area. So if you concentrate on step seven here, where I lay out how to restrict the user to their home directory, what you do is you have to edit the SSH config, so let me show you what I've done to the SSH config, sshd_config, excuse me. At the bottom here I've commented out this command that is there by default and I've copied and pasted this in here, so you'll see that I've done this as instructed in this first step, and you'll notice I have the chroot command to change the root to the user's home directory; that's what this does. I also have this for this Windows group: for users in this Windows group, this is the rule that applies, so they'll be restricted to their home directory and they'll be restricted to SFTP only. Now if I go back to my Computer Management, where I created the users: I am doing this on my local machine, but this also applies on the domain servers if you are using a domain; there's really no difference between using a domain and a local machine.

So you'll see here I have two groups. I have the SFTP group, and this SFTP group is referred to here in this sshd_config file. If you look at this group you'll notice these are the three users that I've restricted access to, and if I go back to my client machine, notice these are the three users that are restricted to their home directory. Back on the server, if I show you the SSH group: in the SSH group I have a separate user, and this user I am allowing both SSH and SFTP, so I have this user in this group. The other thing I did was also to change the passwd file, and the reason why that's necessary is, if I go to the passwd file, what I've changed was to indicate this zero here, which means this is the root ID for the user that is running the sshd service. So this is a requirement: any time you regenerate the passwd file, make sure to replace the user ID here with a zero, which indicates the root ID for the sshd service. The next step I did was to change the file system table, so if you look at the file system table (fstab) here, I added these two entries: this entry actually hides the cygdrive (if I didn't do this, the cygdrive would actually appear), and this one hides the /dev directory, the device directory. So these two entries are also necessary. Now, if you change either of these two files, the sshd_config and the file system table, you'll have to restart the service. And lastly I put in the permissions. So those are the steps to actually restrict the user to the home directory. Additionally, for the SSH user, notice I did create another group here called SSH group, and the reason why I did that was, if I go to where I mapped the home directory, you'll notice in my file system table I mapped the home directory to this SFTP root, and here, if I go to each of these individual ACLs, the NTFS permissions on each folder, you'll notice I have individually allowed the user access but restricted it, meaning the other users do not have access, and I had to do that individually for each one of these.

Now this is only if I allow the users to log in via SSH; if none of my users were allowed to log in via SSH then this wouldn't be a problem, but because I've allowed the fourth user to log in via SSH, the SSH terminal, I have to hide the home folders of the other users from this user. So once again you'll see, for example, with these permissions I allow only user 02, and for this user I allow only user 03, and so on for this one. But also for the root directory here, the root home directory, you'll notice I also deny permissions. So if you look at the permissions for these two groups, I deny the listing permission; you'll see up here there's a deny, and actually it's easier to see here: you'll see I have denied listing of the folders within the home directory. The effect that it has is, if I go to the fourth user: these first three users can't navigate out of their home directory, so that's not even an issue, but this fourth user can navigate out of their home directory. However, if I try to list what's in the home directory... you'll see me log back in again, so it's connecting there; you'll see by default it goes into the user's home directory, but if I wanted to navigate to home you'll see permission denied, so I can't view what other users are available in that directory. That is the effect that deny has, and that's why I separate it into two groups, the SFTP_group and the SSH_group. But that's really it; that completes what I wanted to show you about restricting users to the home directory, and also users that have both SFTP and SSH access. Now you might want to further use the same type of methodology to restrict the user from some of these other directories that you don't want to expose them to, though in my experience with Unix these are directories that every user has access to to begin with. But definitely double check those and make sure it is the right ACLs that you want and the restrictions that you want per user. Also, I did want to mention again: notice that the cygdrive is not available in any of these views, so that also is solved with this method. All right, that's really it. I know there have been a lot of questions on the internet regarding this specific issue, and I hope that helps you out. Thank you for watching.
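The following is an added example written for this page, not code from the video or its author. It puts the two sshd-side pieces of the procedure above into a Cygwin bash script: a constructed sshd_config Match block that chroots members of a Windows group into their home directory and restricts them to SFTP, with a weak variant beside it and a small linter that reports which hardening directives are missing; and a check of the rule behind the "uid 0 in /etc/passwd" step, namely that sshd rejects a ChrootDirectory unless it and every parent directory are owned by uid 0 and not group- or world-writable (the "bad ownership or modes for chroot directory" error). The group name sftp_group, the use of %h, and the sample configs are assumptions; the fstab entries the video uses to hide /cygdrive and /dev are not shown on the page and are not reproduced here.

```bash
#!/usr/bin/env bash
# Added example (not from the video): sshd-side checks for an SFTP-only chroot
# on Cygwin OpenSSH. Assumed names: Windows group "sftp_group", home dir via %h.
set -euo pipefail

# --- 1. sshd_config fragment ------------------------------------------------
# Constructed sample. The stock sftp-server line is commented out, as in the
# video, and replaced by internal-sftp so nothing outside the chroot is needed.
# The Match block must be at the end of the file: every directive after "Match"
# belongs to that block until the next Match line.
read -r -d '' SFTP_ONLY_CONFIG <<'EOF' || true
#Subsystem sftp /usr/sbin/sftp-server
Subsystem sftp internal-sftp

Match Group sftp_group
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF

# Weak variant: chrooted, but the login shell and port forwarding stay reachable.
read -r -d '' WEAK_CONFIG <<'EOF' || true
Subsystem sftp internal-sftp

Match Group sftp_group
    ChrootDirectory %h
EOF

# lint_sftp_match CONFIG_TEXT GROUP
# Prints the directives missing from the group's Match block ("key val;" each);
# exit status 0 only when nothing is missing.
lint_sftp_match() {
    local cfg=$1 group=$2 missing="" block key val
    # Keep only the lines that belong to "Match Group <group>".
    block=$(printf '%s\n' "$cfg" | awk -v g="$group" '
        /^[ \t]*Match[ \t]/ { inblk = ($0 ~ ("Group[ \t]+" g "([ \t]|$)")); next }
        inblk { print }')
    for want in "ChrootDirectory %h" "ForceCommand internal-sftp" \
                "AllowTcpForwarding no" "X11Forwarding no" "PermitTunnel no"; do
        key=${want%% *}; val=${want#* }
        if ! printf '%s\n' "$block" | grep -Eq "^[ \t]*${key}[ \t]+${val}[ \t]*$"; then
            missing+="${want};"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# --- 2. The ownership rule behind the passwd "uid 0" edit -------------------
# sshd accepts a ChrootDirectory only if the directory and all of its parents
# are owned by uid 0 and have no group/other write bit. On Cygwin the service
# account (cyg_server) is not uid 0 by default; giving it uid 0 in /etc/passwd,
# as the video does, is what lets the directories it owns pass this test.
# chroot_mode_ok UID OCTAL_MODE -> 0 if sshd would accept such a directory.
chroot_mode_ok() {
    local uid=$1 mode=$2 grp oth
    [ "$uid" -eq 0 ] || return 1
    grp=$(( (8#$mode / 8) % 8 ))   # group permission digit
    oth=$(( 8#$mode % 8 ))         # other permission digit
    [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ]
}

# check_chroot_path DIR -> walks DIR and every parent with GNU stat (as shipped
# with Cygwin); prints the first component sshd would reject and returns 1.
check_chroot_path() {
    local dir=$1 uid mode
    while :; do
        uid=$(stat -c %u "$dir"); mode=$(stat -c %a "$dir")
        if ! chroot_mode_ok "$uid" "$mode"; then
            printf '%s (uid=%s mode=%s)\n' "$dir" "$uid" "$mode"
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Stand-alone demo: lint both samples, then check the directory given as $1
# (default /) the way sshd would before chrooting into it.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    printf 'sftp-only config, missing: [%s]\n' "$(lint_sftp_match "$SFTP_ONLY_CONFIG" sftp_group || true)"
    printf 'weak config, missing:      [%s]\n' "$(lint_sftp_match "$WEAK_CONFIG" sftp_group || true)"
    if bad=$(check_chroot_path "${1:-/}"); then
        echo "chroot path OK"
    else
        echo "sshd would reject: $bad"
    fi
fi
```

Run it as `bash sftp-chroot-check.sh /home/sftpuser01` from a Cygwin shell on the server after the passwd edit; if any component is reported, the user will see the connection close immediately, which is the same symptom the video shows for an SFTP-only user trying to get a terminal, so check the sshd log before assuming the Match block is at fault. After changing sshd_config, restart the service, as the video notes, and confirm with `sshd -T` that the directives land in the intended Match block.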
Info
Channel: CodeCowboyOrg
Views: 17,555
Keywords: Win2012, Win2008 FTP IIS, Home Directory, Restrict, Isolate, Win2003, Windows, NT, FTP Site, Configuration, FTP, Tutorial, Demo, Lesson, How To, How-To, HowTo, Windows Server, OpenSSH (Software), SSH File Transfer Protocol (Protocol), SFTP, Secure FTP, FTP SSL, Install, Setup, SSH, SSH Communications Security (Organization), Win7, Cygwin, Security, Secure, Access, User Access, Permissions, User Permissions, Users, User, fstab, home, home directory, sshd_config, ssh_host_config, passwd, lock, chroot
Id: dL-9k4riBps
Length: 13min 29sec (809 seconds)
Published: Tue Sep 08 2015