LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 12-29-2015, 09:00 AM   #1
madcitybt
LQ Newbie
 
Registered: Dec 2015
Posts: 6

Securing SFTP server accessed by users coming via LDAP for HIPAA data


First, though I have administered Unix/Linux servers, I have mostly been a "user" and developer on them. I am working on an exciting project to produce a secure environment for doing research with HIPAA data. I would like to chroot incoming data to /sftp. I have read tons of posts about jailing users, but they all assume one has current entries in the password and group files. I have gotten it to almost work using "Match Group *". I am losing a lot of time with the jail not quite right and can't figure out how to get more details when a shell is generated at the end of the login process. I get "/bin/bash: Permission denied" followed by "lost connection". Since I will have a script looking for newly uploaded directories and simple hospital security needs, I'd like it other than /home/newuser/data. Losing hours on this and at wits' end. Turning on sshd -d showed me scp was not in the chroot jail, nor were the /usr/lib64 libraries for crypto. Moving on to see why LDAP authentication via sssd is now failing.

Last edited by madcitybt; 12-29-2015 at 09:20 AM. Reason: author
 
Old 12-29-2015, 01:14 PM   #2
fjennings
LQ Newbie
 
Registered: Oct 2015
Location: Phoenix, AZ
Distribution: CentOS, Ubuntu, Debian, Oracle, Red Hat
Posts: 17

This is actually a simple process.

Here is my default (before editing specifics) sshd_config file for SFTP servers:
Code:
#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

### Networking and Protocol Version ###

## Ports and Protocols
Protocol 2
Port 22
## Not necessary to change the below
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

## Disable TCPKeepAlive (Easily Exploited)
TCPKeepAlive no
## Use ClientAliveInterval instead: it runs inside the encrypted channel and cannot be spoofed.
## Every 60 seconds the server sends an alive request to a client that has been silent;
## if no response arrives after 3 consecutive requests, the server terminates the connection.
ClientAliveInterval 60
ClientAliveCountMax 3

### Networking and Protocol Version ###

### Key Configuration ###

## Host Keys; These keys are used to identify the server to the connecting
## clients.  Do not change.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

## Ciphers and keying
#RekeyLimit default none

### Key Configuration ###

### Logging ###

SyslogFacility AUTHPRIV
LogLevel INFO

### Logging ###

### Authentication ###

## You have 2 minutes to enter a correct key or password
LoginGraceTime 2m
## PermitRootLogin yes should only be used when ALL SSH connections
## are restricted using AllowUsers
PermitRootLogin no
## Require keys to be writeable only by the owner (user) of that key
StrictModes yes
## Maximum authentication attempts a user gets per connection.  Failures are logged
## once half of this limit has been reached.
MaxAuthTries 6
MaxSessions 25

## Users are allowed to use Keys for access so long as the user has uploaded their
## key to the path below.
## <users home directory>/.ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

## This can be easily exploited.  Leave disabled.
HostbasedAuthentication no

## Deny all empty passwords.
PermitEmptyPasswords no

## Acceptable Authentication Types
PasswordAuthentication yes
RSAAuthentication yes
PubkeyAuthentication yes

## Unnecessary if you are going to allow the use of keys
ChallengeResponseAuthentication no

## Kerberos options; unless the system is tied to Kerberos, do not use
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

## GSSAPI options; do not change unless this has been implemented
## network wide
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

## Use PAM for Password Authentication.  If you are strictly using keys, set this
## to no.
UsePAM yes

## We are using privilege separation, do not use login service
UseLogin no
## Maximum number of unauthenticated connections allowed.
## I.e. this is the number of those still trying to connect
MaxStartups 25

### Authentication ###

### Miscellaneous ### 

## Use "sandbox" or "yes"
UsePrivilegeSeparation sandbox 
## Show last login information of user
PrintLastLog yes
## Allow graphical user interface
X11Forwarding yes
## Display a message of the day and its location (banner).
## Uncomment if one has been placed on the system.
#PrintMotd yes
#Banner /etc/motd

## Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

## Use the internal-sftp subsystem built into sshd; it needs no binaries or libraries
## inside a chroot, so restricted accounts are easier to manage.
## BE AWARE THAT SCP WILL NO LONGER WORK ON THE SERVER WITH THIS SUBSYSTEM!
Subsystem       sftp    internal-sftp

### CHROOT Accounts ###

## This only works with openSSH v4.8+ (Recommended 5.0+)
## Root must own /home/nfs and every directory above it: chown root:root /home/nfs
## Don't forget the permissions (not group- or world-writable): chmod 755 /home/nfs
## All chroot users must be placed in the sftponly group
Match group sftponly
	ChrootDirectory /home/nfs/
	X11Forwarding no
	AllowTCPForwarding no
	ForceCommand internal-sftp
Now, for the most part I set up my SFTP servers with CentOS, so when I install my LDAP (usually a Turnkey Linux openLDAP solution), I perform the following on the LDAP client:
yum -y install openldap openldap-clients nss-pam-ldapd authconfig-tui
authconfig-tui
Select Use LDAP, Use MD5, Use Shadow, Use LDAP Authentication, and Local is sufficient. On the next screen, enter your LDAP server and base DN information.
I also add my LDAP server to my hosts file.

In LDAP, I create a posixAccount with /sbin/nologin as the shell (no shell, essentially), and set its home directory to /home/nfs/<username>. All my chroot SFTP users belong to the same group: sftponly

Next, I need to make sure that the system will create home directories if they don't already exist:
authconfig --enablemkhomedir --update

I also set up Fail2Ban on my SFTP server, but that's dealer's choice.

I don't use that chroot script stuff; I've run into too many problems with that process. It was great back in the day, I'm sure, but this accomplishes what I need, and I create a template in openLDAP and run with it for all my user creation in these events.

Last edited by fjennings; 12-29-2015 at 01:15 PM.
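The post above states the ownership rule for the chroot directory; sshd actually enforces it on every path component from / down to the ChrootDirectory (each must be a directory owned by root and not writable by group or others), and a jailed login fails with "bad ownership or modes for chroot directory component" when any component breaks it. The following script is an added example, not code from the thread or from OpenSSH: it walks the components of a proposed chroot path and applies that rule. The optional owner-uid argument exists only so the check can be dry-run on a scratch tree as a non-root user; for a real chroot leave it at the default of 0.

```shell
#!/bin/sh
# Added example (not from the thread): check that a ChrootDirectory and
# all of its parent directories satisfy sshd's safety rule before the
# Match block is enabled. Rule: every component is a directory, owned by
# root (uid 0), and not writable by group or others.

# Check a single directory. Usage: check_dir_component DIR [OWNER_UID]
check_dir_component() {
    dir=$1
    want_uid=${2:-0}      # override only for dry-runs on a scratch tree
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2
        return 1
    fi
    # ls -n prints numeric ids: "drwxr-xr-x 2 0 0 4096 <date> /home/nfs"
    set -- $(ls -ldn "$dir")
    mode=$1
    uid=$3
    if [ "$uid" -ne "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $uid, expected uid $want_uid" >&2
        return 1
    fi
    # 6th character of the mode string is group write, 9th is other write.
    case $mode in
        ?????w*|????????w*)
            echo "FAIL: $dir is group- or world-writable ($mode)" >&2
            return 1 ;;
    esac
    return 0
}

# Check every component of an absolute path, reporting each failure.
# Usage: check_chroot_path /home/nfs [OWNER_UID]
check_chroot_path() {
    target=$1
    want_uid=${2:-0}
    case $target in
        /*) ;;
        *) echo "FAIL: ChrootDirectory must be an absolute path" >&2; return 1 ;;
    esac
    comps=""
    p=$target
    while [ "$p" != "/" ]; do
        comps="$p $comps"
        p=$(dirname "$p")
    done
    status=0
    for c in / $comps; do
        check_dir_component "$c" "$want_uid" || status=1
    done
    return $status
}

# Usage: check_chroot_path /home/nfs && echo "chroot root is sane"
```

Because the top of the jail must be root-owned and read-only for the user, uploads have to land in a directory below it that the user does own (the post's /home/nfs/<username> layout does exactly that); mkhomedir creating the home inside an already root-owned /home/nfs is what keeps the two requirements compatible.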
 
Old 12-29-2015, 02:01 PM   #3
madcitybt
LQ Newbie
 
Registered: Dec 2015
Posts: 6

Original Poster
It's not the same when all user information comes

out of LDAP. We are talking about a hospital and medical school, so setting up a special group
and giving users accounts is impractical. Match Group * nabs root too.
 
Old 12-29-2015, 03:30 PM   #4
fjennings
LQ Newbie
 
Registered: Oct 2015
Location: Phoenix, AZ
Distribution: CentOS, Ubuntu, Debian, Oracle, Red Hat
Posts: 17

That's why you don't use the "catch-all" wildcard. You create a group and assign it to the user accounts that it pertains to. If it's all the users, then it's all the users. The point of things like LDAP is to use groups to control access, and assigning those groups to users who require common access.

You can set the jailing to just /home

Match group sftponly
ChrootDirectory /home/
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

Your user accounts home directories will be located at /home/<username>
Your FTP server also needs to be configured to receive credentials from the LDAP server (as explained above)
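The reply above depends on one thing the original poster was unsure of: sshd evaluates "Match Group" through the system's NSS lookups (the same ones id(1) and getent(1) use), so a group that exists only in LDAP matches fine as long as sssd or nslcd exposes the membership. When the group does not resolve, the Match block is skipped, no ForceCommand applies, and sshd tries to start the user's shell inside the jail, which is what "/bin/bash: Permission denied" followed by "lost connection" looks like. The script below is an added example, not from the thread or from OpenSSH; it checks the membership the way sshd will see it and uses `sshd -T -C user=...` to print the ChrootDirectory and ForceCommand that would take effect. The user and group names (alice, sftponly) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a Match Group block
# will fire for a directory (LDAP/sssd) user before that user logs in.

# Does USER belong to GROUP according to NSS (files, sssd, nslcd, ...)?
# sshd's Match Group uses the same lookups, so this must say yes first.
user_in_group() {
    user=$1; group=$2
    id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$group"
}

# Extract one keyword's value from "sshd -T" output read on stdin.
# sshd -T prints the effective configuration with lowercase keywords,
# e.g. "chrootdirectory /home/nfs" or "forcecommand internal-sftp".
sshd_t_value() {
    awk -v key="$1" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# Print the chroot and forced command sshd would apply to USER connecting
# from ADDR (default loopback). Needs root to read the host keys.
effective_sftp_settings() {
    user=$1; addr=${2:-127.0.0.1}
    out=$(sshd -T -C "user=$user,host=$addr,addr=$addr") || return 1
    echo "chrootdirectory=$(printf '%s\n' "$out" | sshd_t_value chrootdirectory)"
    echo "forcecommand=$(printf '%s\n' "$out" | sshd_t_value forcecommand)"
}

# Full check for one account. Usage: diagnose_sftp_user alice sftponly
diagnose_sftp_user() {
    user=$1; group=${2:-sftponly}
    if ! getent passwd "$user" >/dev/null; then
        echo "NSS cannot resolve user '$user': check sssd/nslcd before sshd"
        return 1
    fi
    if user_in_group "$user" "$group"; then
        echo "$user is in $group: the Match Group $group block will apply"
    else
        echo "$user is NOT in $group: no ForceCommand, sshd will try to exec the shell"
    fi
    effective_sftp_settings "$user"
}
```

Two caveats for the layout suggested above. With "ChrootDirectory /home/" every jailed user's root is the real /home, so sshd cannot chdir into /home/<username> after the chroot (it would need /home/home/<username>); the session starts at the jail root, where the user can list every other account's directory name, which matters when the accounts belong to hospital staff. And /home itself must stay root-owned and not group- or world-writable or sshd refuses the login, which is why uploads must go into the user-owned directory one level down.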