8

I am trying to setup OpenSSH on Windows to provide SFTP sites. I am running into some problems with user security settings.

Here are the basic steps I've gone through to create a user:

  1. Create a new user on the host machine
  2. Add user to openssh passwd file with adjusted filepath for cygwin that points to the client's home folder (example: /cygdrive/e/homefolders/username)
  3. Allow user read/write access to their folder

The problem I am running into is that the user needs to have execute permission to the OpenSSH program folder for them to be able to login. I found I can disable access to specific folders such as "etc" but I'm concerned I have to provide permissions in here at all. When using FileZilla I am shown a folder hierarchy "/cygdrive/e/homefolders/username" and can browser the "/" to folders with read access.

Is there a specific strategy I should be using for proper security in this setup? A specific file or folder I might need to provide execute permissions on but nothing more? I would like to completely lock down everything except read/write access to their own folder but that doesn't appear to be possible.

Alex Bolotov
  • 857
  • 3
  • 10
  • 17
dmr83457
  • 707
  • 3
  • 9
  • 20

3 Answers3

1

After further research I have found that my original suggestion below to use the built-in chroot functionality is not supported under cygwin.

You might be better off looking at other alternatives. Perhaps webdav, perhaps a ftps server (filezilla), or maybe one of the other proprietary sftp servers.

A option that is available if you must do this with the cygwin OpenSSH would be to use the scponly shell. Here is an pdf describing the procedure.


Not sure which version of openssh you have on windows. But it sounds like you want to setup a sftp chroot.

You might want to check out these related questions.

Zoredache
  • 128,755
  • 40
  • 271
  • 413
1

How bad do you want SFTP? Cygwin is somewhat hacky, and OpenSSH for Windows is way, way outdated. My approach has been to use WebDAV which solves most of the problems you have:

  • Read and write files
  • Encrypted protects authentication tokens and files
  • supported on damn near every OS
  • overzealous firewall configuration resistant

IIS supports it, even on the version that comes with server 2000.

jldugger
  • 14,122
  • 19
  • 73
  • 129
  • Your first 3 sentences summarize my thoughts lately about this problem. We went the route of SFTP because it seemed like a pretty standard approach that our users would be able to find clients and support for, and we didn't have to purchase software to provide. However it is looking more and more like we need to purchase a commercial server that supports SFTP for Windows or move on to another option. – dmr83457 Oct 23 '09 at 14:22
0

The problem I am running into is that the user needs to have execute permission to the OpenSSH program folder for them to be able to login. I found I can disable access to specific folders such as "etc" but I'm concerned I have to provide permissions in here at all. When using FileZilla I am shown a folder hierarchy "/cygdrive/e/homefolders/username" and can browser the "/" to folders with read access.

This is part of the OpenSSH priv-sep setting.

This (PDF) is a good paper on it and other OpenSSH security features

In short the main daemon switches to an unprivileged process in an attempt to prevent any exploits in the rest of the program from allowing "root" access.

You might also want to use a chroot like setup to totally prevent access outside of the users homedir.

I'd also second the suggestion of webdav, even if I've given up on it working on anything but OS X clients.

LapTop006
  • 6,466
  • 19
  • 26
  • The ChrootDirectory SSH option isn't supported under cygwin. See this thread http://www.cygwin.com/ml/cygwin/2008-11/msg00256.html – Zoredache Oct 11 '09 at 08:59