Locking down SFTP user in cygwin

1

I set up a user to ssh to Windows Server 2008 R2.

I was able to change the default directory.

The only piece I could not figure out is how to restrict user to just that directory.

In other words, I don't want the user to be able to change directory.

Please advise.

EDIT:

This is where I stand:

  • Cygwin Installed
  • User (James) created in windows
  • Group (SftpUser) created in windows
  • SftpUser is not showing in /etc/passwd
  • instead there is some None group which James is a member of
  • I can login with my user
  • cygdrive and dev directory are listed ( I do not want this)
  • cygdrive is empty


Here is the scenario

I want James of sftpUser group to be restricted to its upload folder. The path is on an external drive:

D:\uploads\james_folder\

in cygwin

/cygdrive/d/uploads/james_folder/

I don't mind having the restriction on

/home/james/upload

And then mount the directory in the home path but it seems cygwin is not bundled with samba.

sshd_config

Match user james
    ChrootDirectory /home/james/upload/
    ForceCommand internal-sftp

meda

Posted 2014-08-29T16:29:59.527

Reputation: 431

I think the right way to do this is by setting the appropriate ACLs to deny James access to almost everything. – Gilles 'SO- stop being evil' – 2014-09-03T16:41:49.203

@Gilles thanks for your suggestion, how do I go about doing that – meda – 2014-09-03T16:46:15.177

If I knew, I'd have written an answer. I'm not a Windows expert. – Gilles 'SO- stop being evil' – 2014-09-03T17:06:23.953

Answers

1

I set up SFTP over cygwin recently and I realised that we cannot hide the following directories:

  • /cygdrive
  • /dev

As you may be aware, the /path/to/sftp has to be root-owned and not writeable by any other user or group, so you need to update the user id in /etc/passwd to 0 because there is no root concept in Windows.

If you jail the user to non-cygdrive (e.g. /sftp), you will only see /cygdrive (nothing will appear under /cygdrive).

If you jail the user to cygdrive (e.g. /cygdrive/d/.../sftp), you will see /cygdrive/d. However, you cannot change to any parent directory if you set it up correctly.

Hope the above information helps!


Please check the following things:

  1. Make sure the user id of the current user logging in (james in your example) in /etc/passwd is zero. This is because cygwin will change the user of all the directories under root to the current user logging in. Please run the ls -l / command to verify.
  2. Make sure /home, /home/james and /home/james/upload are owned by the current user (i.e. equivalent to root-owned with user id 0).
  3. Make sure /etc/sshd_config contains:

    Match user james
    ChrootDirectory /home/james/upload/
    ForceCommand internal-sftp
    

chesschi

Posted 2014-08-29T16:29:59.527

Reputation: 136

"if you set it up correctly": can you please elaborate? – meda – 2014-09-16T14:42:44.177

please see the additional information I added and see if it helps – chesschi – 2014-09-23T14:13:43.827

1

You'd need to set up a ChrootDirectory directory in sshd_config

Detailed instructions for ArchLinux are available at SFTP chroot.

The basic outline is as follows:

1) Add chroot configuration to sshd_config such as:

Match User username
ChrootDirectory /home/%u
ForceCommand internal-sftp

2) Change chroot directory rights with something like:

chown root.root /home/<user>
usermod -d / <user>

3) Fixing path for authorized_keys with something like:

AuthorizedKeysFile      %h/.ssh/authorized_keys

A post over at the cygwin mailing list reports success using this method to restrict access with a similar configuration as above.

ssnobody

Posted 2014-08-29T16:29:59.527

Reputation: 2 510

I have read that chroot does not work with cygwin, but I'll give it a try now, thanks – meda – 2014-08-29T17:29:04.187

-bash: usermod: command not found and chown: invalid user: 'root.root' is what I get – meda – 2014-08-29T18:44:50.723

It is unlikely you need these commands, but root.root would be something like administrator.administrators since there is generally not a root user and group in Windows. As for the usermod not existing in cygwin, I'd suggest just manually editing /etc/passwd and changing the home directory of the restricted user to / – ssnobody – 2014-08-29T19:49:17.687

But see, the directory I want to give access to is /cygdrive/d/UPLOAD/user_folder/. Can you please adjust your answer to this path? And you're right, there is no root user. +1 – meda – 2014-08-29T19:55:51.297

The commands now work, but when I test I get sshd: PID 4332: fatal: bad ownership or modes for chroot directory component "/" in the server log. I'm not sure why it points to the root directory – meda – 2014-08-29T20:01:12.543

This error indicates the directory permissions are not secure enough. From the post I linked to: All directories from root to the chroot directory must be owned by UID 0 and GID 0. For example, if you want to jail users in /jail then / and /jail must belong to (0, 0). In my setup, I set Administrator user to be (0, 0) in /etc/passwd. Have you changed the uid/gid of administrator in /etc/passwd to 0? – ssnobody – 2014-08-29T20:05:05.110

I can't change all these folders because it's in the D drive, and that's owned by the SYSTEM account. – meda – 2014-08-29T20:08:30.470

I opened the passwd file in vi and I changed the pid and gid to 0 – meda – 2014-08-29T20:12:23.937

Great, now make sure / is owned by administrator.administrator and do the same for each directory in the path up to /path/to/jaildir. Then restart sshd and attempt to connect again to see if you still get the fatal error. – ssnobody – 2014-08-29T21:01:26.893

Let us continue this discussion in chat.

– meda – 2014-08-29T21:03:29.563

I still struggle with this question, any help is appreciated, I added a bounty – meda – 2014-09-03T17:01:30.193

I commented in chat. What is the current error you're getting? Also, you ask for a secure solution, but chroot on cygwin is NOT secure... – ssnobody – 2014-09-03T17:02:33.320
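
The rule behind the "bad ownership or modes for chroot directory component" error discussed in this thread, as an added example that is not part of the original posts: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others. The script below walks the path and reports which component fails. The function names are hypothetical, and it assumes GNU stat as shipped with Cygwin coreutils.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat (Cygwin coreutils, Linux).

# component_ok UID MODE: succeed only if the owner is uid 0 and neither the
# group-write (020) nor the other-write (002) bit is set in the octal MODE.
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR: test "/", then each directory on the way down to DIR.
# Prints one line per component and returns 1 if any component fails.
check_chroot_path() {
    rest=${1#/}; cur=/; bad=0
    while :; do
        if [ ! -d "$cur" ]; then
            echo "FAIL $cur (not a directory)"; bad=1
        else
            uid=$(stat -L -c %u "$cur"); mode=$(stat -L -c %a "$cur")
            if component_ok "$uid" "$mode"; then
                echo "ok   $cur (uid=$uid mode=$mode)"
            else
                echo "FAIL $cur (uid=$uid mode=$mode)"; bad=1
            fi
        fi
        # Advance to the next non-empty component; stop when none are left.
        comp=
        while [ -z "$comp" ] && [ -n "$rest" ]; do
            comp=${rest%%/*}
            case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        done
        [ -n "$comp" ] || break
        cur=${cur%/}/$comp
    done
    return "$bad"
}

# Default path is the ChrootDirectory value from the question.
check_chroot_path "${1:-/home/james/upload/}" || true
```

Run it on the server before restarting sshd; the first FAIL line names the component that the fatal log message would report.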