Trying to set up a highly restricted SFTP server with OpenSSH_7.4p1 for remote scripts to upload data. The goal is a black hole where the scripts can do a "put" with user level keys and no other server commands are possible. Everything worked fine until the final step where I tried to limit the sftp command set using -P and -p options in this sshd_config Match clause:

    Match user globalstat
        ChrootDirectory /inbound
        ForceCommand internal-sftp -d data -p put -P df,pwd,rm,mkdir,rmdir,get,rename,symlink

Tried a variety of combinations, but -P for denied_requests never blocks any of the specified remote commands. Applying allowed_requests with -p put or put,cd breaks the transfer and returns "Couldn't canonicalise: Permission denied Need cwd". Without -P or -p, there is no problem with the writes, and based on other postings for this error, I'm pretty sure my directory permissions are correct. I've been using this man page for a reference:
https://www.man7.org/linux/man-pages/man8/sftp-server.8.html

It implies that Subsystem rather than ForceCommand is the place for these options, but they don't work in the main body of sshd_config and restarting sshd throws an error if Subsystem is used in a Match clause instead of ForceCommand.

I really hope it's possible to get this working and any suggestions would be greatly appreciated.

Martin Prikryl
netdxr

2 Answers


The arguments to -p/-P are names of low-level SFTP protocol requests, not the high-level OpenSSH sftp client commands.

These are the names: open, close, read, write, lstat, fstat, setstat, fsetstat, opendir, readdir, remove, mkdir, rmdir, realpath, stat, rename, readlink, symlink, posix-rename, statvfs, fstatvfs, hardlink, fsync, lsetstat.

You can get the up-to-date list by running sftp-server -Q requests, as the sftp-server man page says.

Martin Prikryl
  • Many thanks for the clarification. Somehow I interpreted "requests" as a parameter instead of a literal... my bad. So far, these denies have achieved most of the hardening I was looking for: `ForceCommand internal-sftp -d data -P lstat,fstat,setstat,fsetstat,remove,mkdir,rmdir,stat,rename,readlink,symlink,posix-rename,hardlink,fsync`. I'll continue to work with it to see if any other denies can be added before breaking the upload. Again, thanks for your reply and getting me into the right galaxy with these options. – netdxr May 31 '21 at 21:59

Given that the question has already been answered, I'll just mention an issue which originally led me here:

Even though the internal-sftp ... expression looks like a normal command, double quotes do not appear to be handled as usual. This won't work for mkdir and symlink:

    ForceCommand internal-sftp -l INFO -P "mkdir,rmdir,ln,symlink"

This will:

    ForceCommand internal-sftp -l INFO -P mkdir,rmdir,ln,symlink
Newerth
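
Both answers describe mistakes that sshd accepts without complaint, so a pre-deployment check helps. The following is an added example, not code from either answer or from OpenSSH: a small linter that checks the -p/-P values on a `ForceCommand internal-sftp` line against the request names listed in the first answer and flags quoted values as described in the second. The function names and the sample config are constructed for illustration.

```python
# Request names as listed in the first answer; `sftp-server -Q requests`
# prints the list for the installed version and should be preferred.
VALID_REQUESTS = frozenset("""open close read write lstat fstat setstat fsetstat
opendir readdir remove mkdir rmdir realpath stat rename readlink symlink
posix-rename statvfs fstatvfs hardlink fsync lsetstat""".split())


def lint_forcecommand(line):
    """Return findings for one 'ForceCommand internal-sftp ...' line."""
    words = line.split()
    if len(words) < 2 or words[0].lower() != "forcecommand":
        return []
    if words[1] != "internal-sftp":
        return []
    findings = []
    args = words[2:]
    for i, arg in enumerate(args):
        if arg not in ("-p", "-P") or i + 1 >= len(args):
            continue
        raw = args[i + 1]
        # Second answer: a quoted list did not behave like the unquoted one.
        if raw[0] in "\"'" or raw[-1] in "\"'":
            findings.append(f"{arg}: remove the quotes around {raw}")
        # First answer: values must be protocol requests, not client commands.
        for name in raw.strip("\"'").split(","):
            if name not in VALID_REQUESTS:
                findings.append(f"{arg}: '{name}' is not an SFTP request name")
    return findings


def lint_config(text):
    """Lint every line of an sshd_config text; returns (line_no, finding)."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1)
            for f in lint_forcecommand(line)]


# Constructed sample: the Match block from the question.
SAMPLE = """Match user globalstat
    ChrootDirectory /inbound
    ForceCommand internal-sftp -d data -p put -P df,pwd,rm,mkdir,rmdir,get,rename,symlink
"""

if __name__ == "__main__":
    for line_no, finding in lint_config(SAMPLE):
        print(f"line {line_no}: {finding}")
```

Run against the question's config it reports `put`, `df`, `pwd`, `rm` and `get`, which are client commands rather than protocol requests.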