OpenBSD Journal

Ask Undeadly: Can someone help with systrace containment of scp/sftp?

Contributed by merdely on from the go-to-your-room dept.

Pete asks Undeadly:

I'm pretty sure this must be a fairly common requirement: migration from ftp to a secured access file repository. But Google is not too forthcoming.

Has anyone successfully gotten an OpenBSD server running with (a subset of all) user accounts that can only scp/sftp in their /home/directory and no shell access? I'm trying to avoid re-inventing the wheel, so a suitable systrace policy method would be ideal. I've looked at 'scponly', but it's a bit messy and hack-like.



Comments
  1. By Venture37 (venture37) venture37<A>hotmail.com on www.geeklan.co.uk

    not exactly systrace related, but rssh does exactly what you need as far as restrictions go.
    http://dragontoe.org/rssh/

  2. By Venture37 (venture37) venture37<A>hotmail.com on www.geeklan.co.uk

    woops, ignore the comment above

    Currently, it does not work on (at least most of) the *BSDs, nor on OS X. They lack the wordexp() function, which rssh uses for command line argument expansion. Until they have such a function (which is defined by POSIX.2), or until I get bored enough to write a replacement, rssh will not work with the BSDs out of the box.

    Comments
    1. By Francisco de Borja Lopez Rio (wu) wu@e-shell.org on http://www.e-shell.org

      yes it does, i've set it up (in FreeBSD):

      http://wiki.e-shell.org/SSHChrootInFreeBSD

      perhaps with some effort, it will work in OpenBSD too.

  3. By grey (208.80.185.17) on

    You should look into a restricted shell - check out scponly by my friend Joe, it's probably the most recently maintained of the few choices out there:

    http://sublimation.org/scponly/wiki/index.php/Main_Page

  4. By Luiz Gustavo (189.24.40.81) on

    I kept for a few months a bunch of systrace policies updated, but these days time has gone away. So far it would be difficult, yet you have to take into account that a lot of tests should be done and logs watched for issues.

  5. By Anonymous Coward (85.178.124.242) on

    Well I can't provide a solution either. I gave up nearly 2 years ago as I wanted to solve this on OpenBSD in a sane way. :-/

    If it's allowed to ask another question (I don't know whom to send my question):

    Long ago there were some guys talking about svnd. Other algorithms (than blowfish) and also HW acceleration come to my mind.
    I began to re-think about this again as I read about a mail at misc@ from somebody who mentioned HW encryption.

    Also I read about a bug which affects svnd devices if one creates many small files quickly (like it's done by a cvs checkout..).

    Is somebody working on improvements for svnd-Devices (HW acceleration, other algorithms)?

    Or does somebody know a good HW device to encrypt HDDs (SATA, AES 256-bit preferred (seems nobody supports Twofish so far :/ ) and pls. no ECB mode.

    Thanks for any comment/suggestion! :)

    Comments
    1. By Timo Myyrä (131.177.204.78) on

      > Well I can't provide a solution either. I gave up nearly 2 years ago as I wanted to solve this on OpenBSD in a sane way. :-/
      >
      > If it's allowed to ask another question (I don't know whom to send my question):
      >
      > Long ago there where some guys talking about svnd. Other algorithms (then blowfish) and also HW acceleration comes up to my mind.
      > I began to re-think about this again as I read about a mail at misc@ from somebody who mentioned HW encryption.
      >
      > Also I read about a Bug wich affects svnd-Devices if create fastly many small files (like it's done by a cvs checkout..).
      >
      > Is somebody working on improvements for svnd-Devices (HW acceleration, other algorithms)?
      >
      > Or does somebody knows a good HW devices to encrypt HDDs (SATA, AES 256Bit prefered (seams nobody supports Twofish so far :/ ) and pls. no EBC mode.
      >
      > Thanks for any comment/suggestion! :)


      Not sure if this is relevant but there was a presentation about Soft RAID by Ted Unangst at OpenCON. He talked about the coming improvements to the Soft RAID which at later stages would allow disks to be encrypted easily. Svnd was also mentioned but I don't remember the details that well. I doubt Ted is working on the algorithms but he might know if there's work going on in the disk encryption arena.

  6. By Someone else (129.128.29.241) on

    I don't see the point to systrace...

    echo "nogo:*:9919:someuser" >> /etc/group
    cd /
    chmod g-rwx *
    chgrp nogo *
    mkdir /restricted_dir
    chmod g+rx / /restricted_dir
    mkdir /restricted_dir/someuser_home

    Add someuser with appropriate home.

    Done.

    Comments
    1. By Someone (203.129.238.212) on

      Makes great sense. Simple solutions are better in long run.
      Let us rely on the underlying fundamental mechanisms first
      and move on further if something more sophisticated is needed.
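The trick in comment 6 works because, for a member of a file's group, the group rwx triplet alone decides; the "other" bits are never consulted for them. The following added example (not the commenter's code) implements that POSIX access rule and walks a constructed in-memory tree laid out as those commands would leave it; the uids, gids and modes are made up.

```python
R, W, X = 4, 2, 1  # permission bits of one rwx triplet

def may_access(mode, f_uid, f_gid, uid, groups, want):
    """POSIX discretionary access check for a non-root caller.

    Exactly one rwx triplet applies: the owner's if uid matches, else the
    group's if the caller is in the file's group, else 'other'.  They are never
    combined, which is what comment 6's trick relies on: an empty group triplet
    denies members of that group even when the 'other' triplet would allow.
    """
    if uid == f_uid:
        bits = (mode >> 6) & 7
    elif f_gid in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def path_readable(fs, path, uid, groups):
    """Resolve path in a constructed in-memory tree: every ancestor directory
    needs X for the caller and the final entry needs R.  fs maps absolute
    paths to (mode, uid, gid)."""
    cur = "/"
    for name in [p for p in path.split("/") if p]:
        mode, f_uid, f_gid = fs[cur]
        if not may_access(mode, f_uid, f_gid, uid, groups, X):
            return False
        cur = cur.rstrip("/") + "/" + name
    mode, f_uid, f_gid = fs[cur]
    return may_access(mode, f_uid, f_gid, uid, groups, R)

# Constructed layout after comment 6's commands.  gid 9919 is "nogo", uid 0 is
# root, uid 1001 is someuser (in nogo), uid 1002 is a normal user (not in nogo).
NOGO, SOMEUSER, NORMAL = 9919, 1001, 1002
SAMPLE_FS = {
    "/":                             (0o755, 0, 0),     # "chgrp nogo *" skips / itself
    "/etc":                          (0o705, 0, NOGO),  # chgrp nogo + chmod g-rwx
    "/etc/passwd":                   (0o644, 0, 0),
    "/restricted_dir":               (0o755, 0, 0),     # mkdir + chmod g+rx
    "/restricted_dir/someuser_home": (0o755, SOMEUSER, SOMEUSER),
}

def demo():
    """(someuser reads /etc/passwd, someuser reaches home, normal user reads /etc/passwd)"""
    me, other = {NOGO, SOMEUSER}, {NORMAL}
    return (path_readable(SAMPLE_FS, "/etc/passwd", SOMEUSER, me),
            path_readable(SAMPLE_FS, "/restricted_dir/someuser_home", SOMEUSER, me),
            path_readable(SAMPLE_FS, "/etc/passwd", NORMAL, other))
```

The nogo member is stopped at /etc even though /etc is world-traversable, while a user outside nogo reads /etc/passwd normally.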

  7. By Aurel26 (82.224.117.175) aurelien26@free.fr on

    1. Create a user account (example: marc) with a homedir (/home/marc)

    2. Restrict sftp for this account. Add in file /etc/ssh/sshd_config:
    Match User marc
    ForceCommand /usr/libexec/sftp-server

    3. Create a systrace policy for this user (I posted an example http://aurelien26.free.fr/usr_libexec_sftp_server)

    4. Place this policy in the default location with correct rights
    -r--r--r-- 1 root wheel /home/marc/.systrace/usr_libexec_sftp_server
    (users must not be able to change this file)

    5. Use systrace for sftp with this user (change ForceCommand in /etc/ssh/sshd_config):
    Match User marc
    ForceCommand /bin/systrace -i -a /usr/libexec/sftp-server

    6. It can be useful to create a log file to see all policy violations:
    ForceCommand /bin/systrace -i -E /home/systrace_logs -a /usr/libexec/sftp-server



    Comments
    1. By Peter (88.162.130.192) on

      There is a project which can do what you want, it is called MySecureShell. There are a lot of other features, like MD5 checksum with WinSCP...

      http://mysecureshell.sourceforge.net

      Good luck :-)

    2. By Paul Irofti (bulibuta) bulibuta@gmail.com on

      > 1. Create an user account (example: marc) with a homedir (/home/marc)
      >
      > 2. Restrict sftp for this account. Add in file /etc/ssh/sshd_config:
      > Match User marc
      > ForceCommand /usr/libexec/sftp-server
      >
      > 3. Create a systrace policy for this user (I posted an example http://aurelien26.free.fr/usr_libexec_sftp_server)
      You're missing mquery and fsread for /usr/lib. ^^
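Step 4 of comment 7 requires that the user cannot change the policy file. Below is an added check (not from the commenter's post) that verifies the policy file and each parent directory up to a chosen stop directory are owned by a trusted uid and are not group- or other-writable, because whoever can write a parent directory can rename the read-only file away and drop in another. The scratch layout, placeholder policy body and uids are constructed; passing the user's home as stop_dir deliberately flags a home directory owned by that user.

```python
import os
import stat
import tempfile

def policy_findings(policy_path, stop_dir, trusted_uid=0):
    """Return the ways a user could edit or replace a systrace policy file.

    The file and every parent directory up to and including stop_dir must be
    owned by trusted_uid (root in a real deployment) and must not be group- or
    other-writable.  An empty list means nothing was found.
    """
    findings = []
    path, stop = os.path.abspath(policy_path), os.path.abspath(stop_dir)
    if os.path.commonpath([path, stop]) != stop:
        raise ValueError("stop_dir must be an ancestor of policy_path")
    while True:
        if os.path.islink(path):
            findings.append(f"{path}: is a symlink, so its target decides")
        st = os.stat(path)
        if st.st_uid != trusted_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, not {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: group/other writable, mode {stat.S_IMODE(st.st_mode):04o}")
        if path == stop:
            return findings
        path = os.path.dirname(path)

def demo():
    """Build comment 7's layout in a scratch directory (constructed) and check it.

    Everything is owned by the current uid, which stands in for root here.
    Returns (findings for the correct layout, findings after .systrace has been
    made group-writable).
    """
    tmp = tempfile.mkdtemp()
    home = os.path.join(tmp, "marc")
    pol_dir = os.path.join(home, ".systrace")
    pol = os.path.join(pol_dir, "usr_libexec_sftp_server")
    os.makedirs(pol_dir)
    with open(pol, "w") as f:
        f.write("# placeholder policy body (constructed)\n")
    me = os.getuid()
    os.chmod(home, 0o755)
    os.chmod(pol_dir, 0o555)
    os.chmod(pol, 0o444)            # -r--r--r-- as in step 4
    good = policy_findings(pol, home, trusted_uid=me)
    os.chmod(pol_dir, 0o775)        # weaken: the group can now replace the file
    bad = policy_findings(pol, home, trusted_uid=me)
    return good, bad

if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```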

  8. By Peter (88.162.130.192) on

    There is a project which can do what you want, it is called MySecureShell. There are a lot of other features, like MD5 checksum with WinSCP...

    http://mysecureshell.sourceforge.net

    Good luck :-)

    Comments
    1. By Anonymous Coward (24.37.242.64) on

      > There is a project which can do what you want, it is called MySecureShell. There is a lot of other features like MD5 checksum with WinSCP...
      >
      > http://mysecureshell.sourceforge.net
      >
      > Good luck :-)

      Nice artwork for the logo, but why squish the blowfish when it's related to OpenSSH?

      Comments
      1. By Johan M:son Lindman (jl) on

        > > There is a project which can do what you want, it is called MySecureShell. There is a lot of other features like MD5 checksum with WinSCP...
        > >
        > > http://mysecureshell.sourceforge.net
        > >
        > > Good luck :-)
        >
        > Nice artwork for the logo, but why squish the blowfish when it's related to OpenSSH?
        >

        Because that is what linux zealot numb nuts do.
        Just disregard it.

      2. By Cat (62.56.93.198) on

        > > http://mysecureshell.sourceforge.net
        > Nice artwork for the logo, but why squish the blowfish when
        > it's related to OpenSSH?

        Looks like the blowfish are being held as if they were guns or weapons of some type - in http://mysecureshell.sourceforge.net/logos/mss_03.png they appear to be strapped to the penguin's back.

        I think the squishing's unintentional ...

  9. By Kristaps Dzonsons (2001:6b0:1:1dd0:21a:a0ff:fe40:dd92) kristaps@kth.se on http://mult.bsd.lv

    I suggest, before investing in systrace fancies, that you consider the following article: http://www.watson.org/~robert/2007woot/ --kk

    Comments
    1. By Matt (82.146.97.67) on

      > I suggest, before investing in systrace fancies, that you consider the following article: http://www.watson.org/~robert/2007woot/ --kk

      I am not quite sure I understand the security implications of using systrace in the described (by Aurel) setup. Wouldn't SCP / SFTP forbid you to actually RUN code on the host? And wouldn't you REQUIRE running code in order to exploit systrace the way your link describes?

      I am very interested in setting this up so I'd appreciate it if someone with more knowledge on systrace could clarify this a bit for me (and probably others)

      Thanks!

      Comments
      1. By swilly (156.143.52.11) on

        > > I suggest, before investing in systrace fancies, that you consider the following article: http://www.watson.org/~robert/2007woot/ --kk
        >
        > I am not quite sure I understand the security implications of using systrace in the described (by Aurel) setup. Wouldn't SCP / SFTP forbid you to actually RUN code on the host? And wouldn't you REQUIRE running code in order to exploit systrace the way your link describes?
        >
        > I am very interested in setting this up so I appreciate if someone with more knowledge on systrace could clarify this a bit for me (and probably others)
        >
        > Thanks!

        from the sftp man page:

        ! command
        Execute command in local shell.

        ! Escape to local shell.

        from my experience, this still works even if ForceCommand is set to sftp-server (it has been a while, so could be wrong)

        Comments
        1. By tedu (204.14.154.18) on

          > > > I suggest, before investing in systrace fancies, that you consider the following article: http://www.watson.org/~robert/2007woot/ --kk
          > >
          > > I am not quite sure I understand the security implications of using systrace in the described (by Aurel) setup. Wouldn't SCP / SFTP forbid you to actually RUN code on the host? And wouldn't you REQUIRE running code in order to exploit systrace the way your link describes?
          > >
          > > I am very interested in setting this up so I appreciate if someone with more knowledge on systrace could clarify this a bit for me (and probably others)
          > >
          > > Thanks!
          >
          > from the sftp man page:
          >
          > ! command
          > Execute command in local shell.
          >
          > ! Escape to local shell.
          >
          > from my experience, this still works even if Forcecommand is set to sftp-server (it has been a while, so could be wrong)

          if only there were a way to use systrace to prevent executing other commands.

        2. By Anonymous Coward (134.58.253.57) on


          > from the sftp man page:
          >
          > ! command
          > Execute command in local shell.
          >
          > ! Escape to local shell.
          >
          > from my experience, this still works even if Forcecommand is set to sftp-server (it has been a while, so could be wrong)

          Yes, a _local_ shell, i.e., on the client machine, not the server.

          Comments
          1. By swilly (156.143.52.238) on

            *starts eating hat*

            Thanks for catching that -

            >
            > > from the sftp man page:
            > >
            > > ! command
            > > Execute command in local shell.
            > >
            > > ! Escape to local shell.
            > >
            > > from my experience, this still works even if Forcecommand is set to sftp-server (it has been a while, so could be wrong)
            >
            > Yes, a _local_ shell, i.e., on the client machine, not the server.
            >

      2. By tedu (204.14.154.18) on

        > > I suggest, before investing in systrace fancies, that you consider the following article: http://www.watson.org/~robert/2007woot/ --kk
        >
        > I am not quite sure I understand the security implications of using systrace in the described (by Aurel) setup. Wouldn't SCP / SFTP forbid you to actually RUN code on the host? And wouldn't you REQUIRE running code in order to exploit systrace the way your link describes?

        exactly. actually understanding how systrace works and how you can circumvent it (or not) is harder than just posting a link to watson's paper over and over. you can use systrace to prevent users from circumventing systrace.

  10. Comments
    1. By Damien Miller (djm) on http://www.mindrot.org/~djm/

      > http://www.watson.org/~robert/2007woot/ (why the above or any other
      > systrace-based security measures are theoretically ineffective)

      They are only ineffective IF your policy and environment allow threads and/or multiple processes that share memory. Don't allow it and everything is fine.

  11. By Bryan Irvine (71.35.137.152) root@allyourbasearebelongto.us on

    Funny you ask. A friend of mine (hi Pete) and I have already done this with a patch to sftp-server.

    http://www.minstrel.org.uk/papers/sftp/

  12. By sthen (85.158.45.32) on

    Here's what you've been waiting for:-
    CVSROOT:        /cvs
    Module name:    src
    Changes by:     djm@cvs.openbsd.org     2008/02/08 16:24:08
    
    Modified files:
            usr.bin/ssh    : sshd_config.5 sshd_config sftp.h sftp-server.c
                             sftp-server-main.c session.c servconf.h
                             servconf.c
    
    Log message:
    add sshd_config ChrootDirectory option to chroot(2) users to a directory and
    tweak internal sftp server to work with it (no special files in chroot
    required). ok markus@
    (note, this is for shells too). nice...

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]