LinuxQuestions.org
Old 12-21-2007, 10:00 PM   #1
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 179

Rep: Reputation: 17
vsftp and sftp


OK, I have been running an ftp server for some time now. I finally was looking for an easier secure solution and have setup a Fedora 8 box with vsftp installed.

I have the FTP server setup correctly. I have some test user account and my own. I successfully setup chroot to a certain folder which jails users into it (not their home dir). I have also setup some other features.

I tried for the hell of it to connect via sftp to the box. It worked without issues for my username (local account with shell access) but did not work out with any test accounts (local accounts WITHOUT shell access).

When I try to login as an account without shell access I get:

Status: Connecting to bighat:22...
Response: fzSftp started
Command: open "tmpusr@bighat" 22
Command: Pass: ********
Status: Connected to bighat
Error: Fatal: unable to initialise SFTP on server: could not connect
Error: Could not connect to server
Status: Waiting to retry...
Status: Delaying connection due to previously failed connection attempt...


Is this because the user has NO shell access?

Also I never installed a cert so is it using some default cert?

Is all the data over this connection going to be encrypted?
 
Old 12-21-2007, 10:43 PM   #2
wit_273
Member
 
Registered: Mar 2007
Location: Nebraska
Distribution: CentOS
Posts: 82

Rep: Reputation: 15
sftp has nothing really to do with ftp. It is just a way to have an FTP like interface through ssh access. So, yes the reason sftp does not work is because the users do not have shell access.
 
Old 12-21-2007, 11:45 PM   #3
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
Try logging in with "sftp -v <user>@<host>". Besides the verbose messages on the remote client, log into the server with your regular account and see what the /var/log/secure log says.

I tried using the ssh-sftp server with a new dummy user whose shell was '/usr/bin/passwd'. It didn't work. Then I changed the shell to /bin/bash --restricted. That didn't work either and the secure log said:
Quote:
Dec 21 22:24:51 delllap sshd[20561]: User anftpuser not allowed because shell /bin/bash --restricted does not exist
Dec 21 22:24:51 delllap sshd[20562]: input_userauth_request: invalid user anftpuser
Dec 21 22:24:56 delllap sshd[20561]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=hpamd64.jesnet user=anftpuser
Dec 21 22:24:58 delllap sshd[20561]: Failed password for invalid user anftpuser from 192.168.1.104 port 23052 ssh2
Dec 21 22:25:21 delllap last message repeated 2 times
Dec 21 22:25:21 delllap sshd[20562]: Connection closed by 192.168.1.104
Dec 21 22:25:21 delllap sshd[20561]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=hpamd64.jesnet user=anftpuser
I next tried rbash, but later found out that /usr/bin/bash didn't exist on my Fedora Core laptop.
I created a link /usr/bin/rbash -> /bin/bash and tried again. It still failed.
Code:
Dec 21 22:59:09 delllap sshd[20836]: pam_unix(sshd:session): session opened for user anftpuser by (uid=0)
Dec 21 22:59:09 delllap sshd[20838]: subsystem request for sftp
Dec 21 22:59:09 delllap sshd[20836]: pam_unix(sshd:session): session closed for user anftpuser
Unless I missed something, the ssh-sftp server subsystem is supposed to be used by regular users.
Maybe using vsftp with certificates would be a better idea. Or you could wrap ftp in an ssh tunnel.

I thought this was going to be easy! Sorry I couldn't come up with an answer for you.

Last edited by jschiwal; 12-22-2007 at 01:56 AM.
 
Old 12-22-2007, 01:06 AM   #4
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 179

Original Poster
Rep: Reputation: 17
To be honest with you jschiwal, just about everything you stated above is over my head. I have only been on the Linux system for a month or so, and even then it's very little. I do REALLY appreciate your time.

Questions:

1) Do you think there is any drawback/security risk in allowing my users to have shell access?

2) Are all my usernames and passwords encrypted? (or is all data encrypted?)
 
Old 12-22-2007, 01:37 AM   #5
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 179

Original Poster
Rep: Reputation: 17
OK, so I tried this..

I created another user (tmpusr2) and made them part of the ftpusers group. I also changed their home directory to /var/ftp

usermod -G ftpusers -d /var/ftp tmpusr2

ok... Now when I log in via sftp it brings me to the root of the filesystem. I was confused by this so I tried to log in via ssh and get this:


Could not chdir to home directory /var/ftp: Permission denied
-bash-3.2$


So I checked to make sure I could access the directory /var/ftp

-bash-3.2$ cd /var/ftp
-bash-3.2$ ls -l
total 56
drwxr-xr-x 10 savone ftpusers 4096 2007-12-21 03:48 Applications
drwxr-xr-x 82 savone savone 4096 2007-12-21 03:44 Books
drwxr-xr-x 2 savone savone 4096 2007-12-21 03:47 Games
drwxr-xr-x 3 savone ftpusers 4096 2007-12-21 03:46 Misc
drwxr-xr-x 13 savone ftpusers 4096 2007-12-21 19:45 Music
drwxr-x--- 2 savone ftptrusted 4096 2007-12-21 18:43 Private
drwxrwx--- 2 savone ftpusers 4096 2007-12-20 23:26 Uploads

Then checked the permissions on /var/ftp

-bash-3.2$ ls -l ..
drwxr-x--- 9 savone ftpusers 4096 2007-12-21 18:39 ftp

Also checked to confirm tmpusr2 was a member for the ftpusers group:

-bash-3.2$ id tmpusr2
uid=504(tmpusr2) gid=506(tmpusr2) groups=506(tmpusr2),501(ftpusers) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
-bash-3.2$



Any ideas why I can not access /var/ftp when logging in via ssh/sftp?
 
Old 12-22-2007, 01:40 AM   #6
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
I found this gentoo sftp rootjail howto:
http://gentoo-wiki.com/HOWTO_SFTP_Se..._without_shell)

They use the rssh shell. Which I don't have installed and didn't think of. Maybe you remember when I was trying different shells, such as rbash without success. The instructions also set up a root jail to contain the users.

Be sure to read the security info about rssh. It sounds like you need to use "PermitUserEnvironment No" in /etc/ssh/sshd_config to prevent a user from getting regular shell access by changing their environment variables.
http://www.pizzashack.org/rssh/security.shtml
 
Old 12-22-2007, 01:53 AM   #7
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 179

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by jschiwal View Post
I found this gentoo sftp rootjail howto:
http://gentoo-wiki.com/HOWTO_SFTP_Se..._without_shell)

They use the rssh shell. Which I don't have installed and didn't think of. Maybe you remember when I was trying different shells, such as rbash without success. The instructions also set up a root jail to contain the users.

Be sure to read the security info about rssh. It sounds like you need to use "PermitUserEnvironment No" in /etc/ssh/sshd_config to prevent a user from getting regular shell access by changing their environment variables.
http://www.pizzashack.org/rssh/security.shtml
OK, I am not comfortable with this since I don't understand most of it. I have a feeling I can get this done.

Right now I have users and folders with correct permissions.

I have a new user with a home directory which is the ftp root directory (/var/ftp)

Now all I need is to fix SELinux to allow this. This is what I am getting in my /var/log/messages

Dec 22 01:51:04 bighat setroubleshoot: #012 SELinux is preventing sshd (sshd_t) "search" to <Unknown> (public_content_t).#012 For complete SELinux messages. run sealert -l 0205d4a0-1ba1-4fa6-aa7c-625e635674ce


I have a feeling if I disable SELinux it would work. I would rather find a way around disabling SELinux though.
 
Old 12-22-2007, 02:02 AM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
I don't know if this would include sftp, but it probably does for vsftp.

Use the system-config-security program. Select the SELinux tab. There is an ftp section. Since you have users with their own home directories ( in /src/ftp/ ), you will want to check the "Allow ftp to read/write files in the user home directories" box.

Last edited by jschiwal; 12-22-2007 at 02:15 AM.
 
Old 12-22-2007, 02:04 AM   #9
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 179

Original Poster
Rep: Reputation: 17
Well SELinux is disabled and this is working fine now. I would rather figure out how to make this work with SELinux enabled if possible.

I found this command to get SELinux to allow home directories for local users:
setsebool -P ftp_home_dir 1
service vsftpd restart

I need to figure out how to adapt it so SELinux will allow /var/ftp as a home directory for all users
 
Old 12-22-2007, 02:24 AM   #10
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
Quote:
Originally Posted by vonedaddy View Post
I need to figure out how to adapt it so SELinux will allow /var/ftp as a home directory for all users
Will each user have their own directory in /var/ftp/ or will they all use /var/ftp/? In either case, use /var/ftp as their home page. I think that should do it. If not, create /var/ftp/users/ and give it a shot.

I think that your command does the same thing as using the GUI interface I mentioned.

---

I don't use the laptop that has Fedora Core on it that much. It has only a Pentium III chip. I use it to test out certain ideas, and as a reference when answering FC questions. So for things like SELinux, I'll use the GUI interface.

Last edited by jschiwal; 12-22-2007 at 02:26 AM.
 
Old 12-22-2007, 06:31 AM   #11
Minstrel
LQ Newbie
 
Registered: Nov 2007
Posts: 16

Rep: Reputation: 0
chroot SFTP (Only)

Quote:
Originally Posted by vonedaddy View Post
1) Do you think there is any drawback/security risk in allowing my users to have shell access?
Yes, absolutely - there are all sorts of things a clever and/or malicious user could do with shell access. If you have the time to play with an alternative solution and you only want to give your users SFTP access (no shell at all), you could try my method:

http://www.minstrel.org.uk/papers/sftp/

It's been tested on a variety of flavours of Linux, BSD and Solaris, and isn't too complicated to set up.

--
Minstrel
 
Old 12-22-2007, 06:33 AM   #12
Minstrel
LQ Newbie
 
Registered: Nov 2007
Posts: 16

Rep: Reputation: 0
Quote:
Originally Posted by vonedaddy View Post
2) Are all my usernames and passwords encrypted? (or is all data encrypted?)
If the connection runs over SSH (and it looks like it does), all data will be encrypted.

--
Minstrel
 
Old 12-22-2007, 10:16 AM   #13
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 179

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by Minstrel View Post
Yes, absolutely - there are all sorts of things a clever and/or malicious user could do with shell access.
I am sorry, I should have stated that I totally trust my users. I was worried about someone else using their accounts to do something malicious. Do you think there is any security risk as far as someone else using their accounts? I am not worried about my users in general.

Thanks a million.
 
Old 12-22-2007, 11:47 AM   #14
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
If you are using sftp (ssh) then PKI is used during the authentication process. There is a possibility of a man-in-the-middle attack the first time a user authenticates (before you have their public key). Also, be sure to use "AllowUsers" or "AllowGroups" to control who can login.
You could run into problems if you use password authentication with ssh and a user has a weak password. Another poster to this site had that problem. He used his girlfriend's name as the password, and someone who knew him got in and hacked his computer.
If you configure sshd_config to only use key-exchange, that would be more secure. Especially if the keys use a passphrase. This will prevent someone getting access from one of their computers from gaining access to your server.
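The sshd_config settings recommended in posts #6 and #14 (PermitUserEnvironment, AllowUsers/AllowGroups, password vs. key authentication) and the "shell ... does not exist" rejection in post #3 can be checked with a small audit script. This is an added example, not code from the thread or from rssh; the sample config and passwd lines are constructed, and the rssh path in them is a placeholder.

```shell
#!/bin/sh
# Added example, not code from this thread: audit the global sshd_config settings the
# replies recommend (PermitUserEnvironment, AllowGroups/AllowUsers, PasswordAuthentication)
# and flag passwd entries whose login shell sshd cannot execute, the cause of the
# "not allowed because shell ... does not exist" line in the secure log above.
SAMPLE_CONF=$(cat <<'EOF'
Port 22
#PermitUserEnvironment yes
PermitUserEnvironment no
AllowGroups ftpusers wheel
PermitUserEnvironment yes
Match User savone
    PasswordAuthentication yes
EOF
)
SAMPLE_PASSWD=$(cat <<'EOF'
savone:x:500:500::/home/savone:/bin/sh
anftpuser:x:505:505::/home/anftpuser:/bin/bash --restricted
tmpusr2:x:504:506::/var/ftp:/usr/local/bin/rssh-not-installed
EOF
)
# sshd_setting KEYWORD < sshd_config: print the effective global value, or "unset".
# Mirrors sshd's rules: '#' lines are comments, keywords are case-insensitive, the FIRST
# value wins for a repeated keyword, and everything from the first Match block on is
# conditional, so it is excluded from the global audit.
sshd_setting() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k && !found {
            found = 1
            for (i = 2; i <= NF; i++) val = val (i > 2 ? " " : "") $i
        }
        END { print (found ? val : "unset") }'
}
# bad_shells < passwd: print "user shell" for each account whose shell is not an
# executable file; sshd refuses such logins before the sftp subsystem ever starts, so an
# SFTP-only account still needs a real, executable restricted shell such as rssh.
bad_shells() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        [ -x "$shell" ] || printf '%s %s\n' "$user" "$shell"
    done
}
for key in PermitUserEnvironment AllowGroups AllowUsers PasswordAuthentication; do
    printf '%-23s %s\n' "$key" "$(printf '%s\n' "$SAMPLE_CONF" | sshd_setting "$key")"
done
printf '%s\n' "$SAMPLE_PASSWD" | bad_shells
```

"unset" means the compiled-in default applies (for PasswordAuthentication that is yes), which is the case post #14 argues against; run it against the real /etc/ssh/sshd_config and /etc/passwd by piping those files in instead of the samples.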
 
Old 12-22-2007, 11:53 AM   #15
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 179

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by jschiwal View Post
If you are using sftp (ssh) then PKI is used during the authentication process. There is a possibility of a man-in-the-middle attack the first time a user authenticates (before you have their public key). Also, be sure to use "AllowUsers" or "AllowGroups" to control who can login.
You could run into problems if you use password authentication with ssh and a user has a weak password. Another poster to this site had that problem. He used his girlfriend's name as the password, and someone who knew him got in and hacked his computer.
If you configure sshd_config to only use key-exchange, that would be more secure. Especially if the keys use a passphrase. This will prevent someone getting access from one of their computers from gaining access to your server.
Thank you again for your time, I will have to look into these options. BUT you would agree that my way is def more secure than regular ftp access correct?
 