Jason Lehman's picture

I'm new to turnkey linux & love it so far. Though I haven't found much documentation on the file server appliance, that I just setup. Maybe I'm not looking in the right places. Anywho; our main purpose (for now) is to use the sftp service in & outside our organization. I have users setup & they can upload/download files.

1. How do I limit the users to upload/download & even browse their home directory only? (now they can browse / )

2. How could I keep track of what/when certain users uploaded/downloaded what? (Any way of a log being piped or filter a log for a certain user?) We would need this as a "receipt" to show users came in & got their data.

Thanks so much, & great idea for Turnkey Linux.

We are a Window's based shop, but slowy I am moving more & more applications into Linux (at least on the server side.)

Forum: 
Jeremy Davis's picture

But you are right they do have read everywhere rights. I have heard of setting up chroot jails to have users SFTP into which limits this but I have never setup or used one. Also you may be able to acheive this somehow with permissions (ie a limited user group which has no read permissions anywhere except their home).

As for your second request, I have no real idea but a quick google turned up this suggestion. It will require some tweaking to do what you want and it is probably not the best way to go but it may suit your needs? Perhaps some more exhaustive googling will provide you with better results?

 

Also remember that TKL is based on Ubuntu so you may get someone to help you write a script to specifically do what you want over on the Ubuntu forums (they are pretty friendly and are much much busier than TKL forums).

Jason Lehman's picture

but they are restricted, where they can upload (using SFTP.) This is by default, so not sure what's going on. Is there any way of setting file permisions on folders through Webmin? I can go to "File Manager" but it seems to be quirky. I am using the latest release canidate & latest updates. Should I be using a different release?

Thanks for your time, I will also check w/ the Ubuntu forums.

I may let our internal users sftp in to upload/download. I'm not too worried about what they can access. Where I do get worried is when we open this up to the outside world. I am now leaning towards just opening up port http (to the outside world) & letting outside clients come in via the extplorer site. Seems like I have it where they are restricted to upload/download in their home directory only, but still need permissions changed so our in house guys can delete what the outside clients upload in those home directories. Thanks again.

Jason

Jeremy Davis's picture

File permissions can be changed in Webmin File Manager (select the file in the right pane and click the Info button). But I just had a search of the Ubuntu documentation and I think that I found exactly what you want, let me know how you go with it. If it works as expected I'll add it to the community docs. From the Ubuntu 10.04 Server Guide - FTP section:

Securing FTP

There are options in /etc/vsftpd.conf to help make vsftpd more secure. For example users can be limited to their home directories by uncommenting:

chroot_local_user=YES

You can also limit a specific list of users to just their home directories:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

After uncommenting the above options, create a /etc/vsftpd.chroot_list containing a list of users one per line. Then restart vsftpd:

sudo /etc/init.d/vsftpd restart

[edit] Also your other query re logging can also be handled by altering the vsftpd.conf file to enable logging. I'm not sure of the exact changes you'll need to make, try having a fiddle and/or have a google. From what I gather there are 2 levels of logging file transfers, or complete logging (ie all dialogue).

Jason Lehman's picture

I've tried to secure the sftp per your instructions, but users can still browse anywhere & download anything they want. I haven't even gotten to the logging part. This should not be this hard. I've spent a lot of time on this, sorry; I have to move onto a different solution. I will keep Turnkey Linux in mind for future projects/ideas. Thank you again for your help & speedy response.

Jason

Jason

Jeremy Davis's picture

I too tried the steps I suggested to you and I couldn't get it to work either. Strange thing it that vsftpd doesn't seem to be installed on TKL Core and yet I can connect that fine with SFTP!?! I can only assume that some other app (other than vsftpd) is supplying SFTP connections. So to acheive what you want I'm guessing that we'll need to either disable or configure this other app. I've had a bit of a fiddle but I'm at a loss and can't get it to do what you want. I think this would be a very useful feature in TKL appliances, especially in this one, but probably in most (if not all) of them.

So, some questions for Alon & Liraz (TKL devs): [note - I think I may have answered some of my own questions (see [update] below)]

  • If vsftpd isn't installed on Core then what app is being used for SFTP connections? Is it OpenSSH?
  • If another app is being used to handle SFTP then why is vsftp installed on the fileserver appliance at all? Is it for this particular useage scenario? Is it for eXtplorer?
  • If so, how do we configure this default FTP server (whatever it is) to create the desired effect? Or disable it so we can setup vsftp to act how we want it to?

I'm happy to do a bt of reasearch and testing and write my results up, but I need to know what app is supplying the SFTP connections to the TKL appliances.

[edit] I think vsftp is there for eXtplorer - FTP mode!? That would explain why the changes aren't having any effect, vsftpd is currently configured to only listen to 127.0.0.1 (ie localhost). Also from the reading I have just done, SFTP is supplied by OpenSSH-server (the same app that supplies SSH connections) so will require adjustments to the relevant conf file for that app.

I can appreciate that you need to look elsewhere for now as TKL is not suiting your needs, but I think this is quite an important thing to be able to do so I will continue to investigate and hopefully get it working. Out of interest, it'd be good to hear what you end up with (ie what does work for you).

Jeremy Davis's picture

And I've found that the package I think you want to install is scponly. It is basically a shell wrapper which disables users from executing commands (as when SFTP is provided by OpenSSH that user can also access the shell via SSH) and can also provide a chroot file environment.

I've had a play and found that the package is a little buggy but I have been able to get it to work. I'm having a play around now with an improved user creation script (scponly seems to be made for use with any version of nix like OS so contains a generic script to create the special chrooted user accounts). I will hopefully be back soon with a little more imformative post with some more details. Ideally I think I could create a TKLPatch for this so anyone can patch an ISO so it has this functionality out of the box.

Jason Lehman's picture

I will try to play around some more & see if I can find out where to config OpenSSH. Another part of my research is been trying to find out how to change the download/upload limits of eXtplorer. I would like to test if eXtplorer would be better (easier) for the external users to download/upload. But then again, I would need logs of who downloaded/uploaded what, when. Ultimately, if I get the OpenSSH working securley & provide the logs I need; I think we have a winner.

Other alternatives where...

1. Ubuntu Server 10.04 w/ proftpd & clamav scanning the (s)ftp directory.

I actually tried this before I found LTK, there was some pretty good documentation on how to set it up. I ended up running into trouble compiling my own modified proftpd package w/ clamav. I guess proftpd, doesn't nativley support clamav. Not sure I really need the clamav, but sounded like a good option to have.

2. Fedora w/ proftpd & clamav scanning the (s)ftp directory.

Didn't try this option yet.

3. Windows Server 2008 R2 w/ native iis / ftp role added.

Got about 15 minutes into setting up the ftp site, then stopped & said what the hell am I doing.

This whole project is mainly for a semi - technical department to use.

If I can show them how to use webmin & enable/disable accounts, change pw's, have an easy way for them to download/upload data, show their clients how to easily download data (mapping data for a price) & have some type of proof/reciept (logs) that the user did indeed download the data; then I will be extremely happy & satisfied.

Thanks again for all the great help.

Jason

Jason Lehman's picture


Jason

See the logs http://wiki.basil-kurian.co.cc/index.php/Chrooting_SFTP

This will be easy :)

Let me know if it works for you

Jason Lehman's picture

Is that page safe? I get...

This Page Has Been Blocked

Based on your organization's security policies, this web site ( http://wiki.basil-kurian.co.cc/index.php/Chrooting_SFTP ) has been blocked because it has been determined to be a security threat to your computer or the organization's network based on the Web Reputation scoring. This web site has been associated with malware/spyware.

I will have to goto my laptop w/ a wireless aircard to get around it, to read up.

Thanks.

Jason

I 'm pasting it here

* Aim : The user '''ftpuser''' should not be able to browse folders outside '''/srv/ftp''' * Backup existing configuration file

root@Penguin:~# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

* Modify the "Subsystem sftp" line to

Subsystem sftp internal-sftp

* add this at the end of the file

Match user ftpuser
         ChrootDirectory /srv/ftp
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp

* Restart ssh server

root@Penguin:~# /etc/init.d/ssh restart
 * Restarting OpenBSD Secure Shell server sshd                                                                                                                                                [ OK ] 

* Create chrooted user

root@Penguin:~$ ls -l /srv/
total 4
drwxr-xr-x 2 root ftp 4096 2010-11-05 19:08 ftp
root@Penguin:~# useradd ftpuser -g ftp -s /bin/nologin
root@Penguin:~# passwd ftpuser
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@Penguin:~# cd /srv/ftp/
root@Penguin:/srv/ftp# touch You_are_chrooted

* ''' Testing '''

basil@Penguin:~$ lftp sftp://ftpuser@localhost
Password: 
lftp ftpuser@localhost:~> ls
drwxr-xr-x    2 0        124          4096 Nov  5 13:38 .
drwxr-xr-x    2 0        124          4096 Nov  5 13:38 ..
-rw-r--r--    1 0        0               0 Nov  5 13:38 You_are_chrooted
lftp ftpuser@localhost:/> cd ..
lftp ftpuser@localhost:/> ls
drwxr-xr-x    2 0        124          4096 Nov  5 13:38 .
drwxr-xr-x    2 0        124          4096 Nov  5 13:38 ..
-rw-r--r--    1 0        0               0 Nov  5 13:38 You_are_chrooted
lftp ftpuser@localhost:/> 

* References : http://undeadly.org/cgi?action=article&sid=20080220110039

Jason Lehman's picture

I tried to chroot the users, but when I did; the users couldn't connect to the server via sftp. So I commented that out of the sshd_config file. I ended up changing folder permissions around in my ftp directory. Seems like it is working the way I need it to. The next thing I need is to be able to restrict remote console for external users (like someone using putty.) Since it is on the same port 22, how could I do this?

Any idea how to get sshd traffic to log to its own log file? I came accross several suggestions, but nothing worked yet.

Also, I still haven't come up w/ a way to config eXtplorer to lift the default upload/download limits.

Thanks.

Jason

Inorder to restrict a user from entering a remote console and allowing only SFTP , do this

usermod              -s /dev/null       _user_name_

Jason Lehman's picture

The remote console is now giving access denied messages for the users, GREAT!

But, now the users can't access the sftp site.

Jason

Note : The owner of the Chrooted directory must be "root" and group/other users should not have write permissions.

  • Creating a sample chrooted folder
root@Penguin:~# mkdir /shared
root@Penguin:~# chgrp ftpuser /shared/ -R
root@Penguin:~# ls -l / |grep shared
drwxr-xr-x   2 root    ftpuser  4096 2010-11-06 12:40 shared

Jason Lehman's picture

Certain users need the ability/permission to go into other users directories to upload/download data.

So some user are going to need to write to other users' directories.

Since I cannot do this, I will probably have to undo the...

usermod              -s /dev/null       _user_name_

Which takes me back to remote console being left open.

Jason

Jeremy Davis's picture

Seems like the package I was playing with was from a time before OpenSSH was capable of handling its own chroots and I wasn't aware that the functionality had been added (although to be honest I didn't double check - my bad!) Now I know that, it surprises me that the scponly package is still available in Lucid when OpenSSH can do this on its own (and now I look scponly seems quite outdated).

Following on from Basil's links and suggestions I've had a bit of a read and come across this link as well which looks useful. From my reading around the subject I'd suspect that by chrooting the user with OpenSSH their access to a working shell also seems to be stopped. In Basil's first link setting up an SFTP chroot is the first part, then additional steps need to be taken to get a chrooted SSH working for that user. I read that as being that SSH won't work, is that what you found?

[edit] I had this tab open for ages and missed that Basil had posted another response which should solve the SSH issues.

Jason Lehman's picture

I basically want something simple for internal employees & external clients to be able to share large amounts of data back & forth w/ different permission levels & logging to prove the client did come in & retrieve the mapping data they payed for. Do you reccomend I give your torrent TurnKey a try?

Thanks again for all the time you are putting in to help me.

Jason

Jeremy Davis's picture

Control staff at a user/group permission level, and put clients in an SSH chroot?

Assuming that you can trust your employees, you could give them non-chrooted user accounts but only give them delete/write access to the relevant users files/folders (using Linux file permissions). If they are a generic group then just add this group as the group owner to all of the clients' files/folders. If it is handled in a case by case basis, then give each client a unique group and add this group to the relevant employees. If staff users are not included in the 'sudo-users' group (and better still don't have sudo installed either) they will still have shell access via SSH but won't be able to do much at the terminal (as secure as a Win user account - if not more so!).

Then you could just use the individually chrooted jails for clients. I actually wrote this as a repoonse to your question above, but decided to move it donw here. I will answer your question re best TKL base for your plan at the bottom...

To keep an eye on things I think it'd be a good idea for all file transfers to be logged and inform all employees that this will be happening (not because you don't trust them, but to provide transparency and accountability top the clients). I'd recommend that you remote back-up all these logs for preservation so you can rotate the local ones and your machine won't get jammed up with log files.

Another idea off the top of my head (if you're not going to use eXtplorer) would be to leverage vsftpd for your client users FTP access, but instead of using SFTP (FTP over SSH), use FTPS (FTP over SSL). The advantage of that is that the users can be denied login at all.

A final idea off the top of my head is to get staff users to access files locally via Samba (rather than FTP) and chroot clients (and have them use SFTP). That way staff could have accounts with no-login allowed, and clients could be chrooted.

Finally getting back to your question re best appliance for your purpose. Really it depends on your exact needs. You may even find that if you don't need a lot of the stuff such as eXtplorer and Samba, then starting with Core may be best and then just add what you want (such as vsftpd). Perhaps food for thought. Without knowing more about your scenario, I can't say for sure, but I doubt the torrent appliance would really be what you want.

Jason Lehman's picture

I appreciate all your help. I like the idea of Samba for my internal users & FTPS for the external clients. I may try this with a TKL Core virtual machine. I fear I got my current TKL box messed up by trying too many things. I will probably delete it from VMWare. We are also trying out another Linux solution called Accellion Secure File Transfer. It seems to work pretty good & is meeting our list of "must have" features right "out of the box." The free version I downloaded from VMWare's virtual appliance portal is a little watered down & limited compared to their pay version, but for what I need; the free will work. The only thing I had to do was a little trick to change the default size of the 50 GB vmdk file, so I would have a 600 GB virtual hard disk to use (instead of the 50 GB virtual hard drive, that comes configured.) I see great potential in TurnKey Linux, though it may not have been what I needed for the project; I will always keep it in mind for others.

Jason

Ryan's picture

Hello,

 

I've read and re-read all the posts, suggestion and HowTo's on this, and am still unable to make this work.  When I apply everything exactly as noted in all the various HowTo's and discussions here, I can login as root (when I do NOT chroot the root acct in sshd_config), but I can NOT login at all as any user whom I specify in sshd_config.

 

I am trying to sftp using FileZilla, but I also used WinSCP as a control to make sure it wasn't client-software related.

 

My goal is to provide internal users the ability to recieve files from customers and for internal users to also to be able to see all folders (or whatever folders I grant them.)  For external customers, I need them to have visability ONLY to thier root folder and to be jailed in that folder.

 

When I SFTP in as a user that chroot'd, I am unable to connect.  Both WinSCP and FileZilla report authentication failre.  I am also given an access denied when ssh'ing in via putty (using a chroot'd acct.)

 

I'm extremely grateful for the amazing and wonderful project (TKL), but i'm also frustrated as, as the other poster put it "this shouldn't be this hard."

 

Can anyone please, kindly advise me what I need to do to make this work?  It's an urgent need to provide this to my customer and I've invested a LOT of time thus far w/o any progress. 

Thank you so much in advance for any help you can provide and also for the work you've accomplished with this great project!

Jeremy Davis's picture

FWIW I created a doc page for that a while ago, I probably should have done a search through the forums and posted the link on this thread. Sorry about that.

The only thing is that I'm not sure if it's up to date and still 100% relevant? IIRC I tested that on the previous version of TurnKey so it may need a tweak.

Jeremy Davis's picture

Although /bin/false works fine.

The only difference is that /sbin/nologin returns "This account is currently not available." if the user tries to log in via SSH (before it exits; /bin/false will just exit).

I have read that you can change the message by creating /etc/nologin.txt as a plain text file with the text you want displayed. However, I haven't tried that so can't vouch for that.

Jeremy Davis's picture

No worries at all Leo. That's how it goes sometimes...

Anyway, if you have anything to add to that, our docs are actually a wiki (you do need to be logged in to the website though to edit), so please feel free to tidy up any docs which are lacking or out of date.

Also I'd be really interested to hear whether /etc/nologin.txt works as it's meant to with /bin/nologin. So please let us know how it goes.

Add new comment